[Oisf-users] Suricata 1.4 Meta Files and Data Files produced from File Extraction

Victor Julien lists at inliniac.net
Fri Jun 7 08:05:35 UTC 2013


On 06/07/2013 09:41 AM, Vincent Fang wrote:
> We're trying to use the meta files and data files created by Suricata to
> send data to one of our servers. However, we're running into an issue
> where, if we open a file too early, we get incomplete data either
> from the data file or meta file. Note that we also have force-magic, MD5
> hash, and file extraction as the enabled states in our Suricata.yaml file.
> 
> What condition can we assume to be true so that we can open and read the
> meta file and the data file safely without it being incomplete?
> 
> Using python as our scripting language to access those files, I assumed
> that if the data file was done, all the data in the meta file would
> be complete as well, but I get scenarios where the MAGIC, STATE, MD5,
> and SIZE were missing. I'm assuming this is because Suricata is
> calculating those values from the data file, then reopening the meta
> file and adding those last values in?

I would recommend using the json output. It contains the same info, but
is written in one go.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
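A consumer-side illustration of both points raised in this exchange, added here as an example; it is not code from the thread or from the Suricata project. The first reader handles the per-file .meta files the question describes: it treats a file as finished only once the late-written MAGIC, STATE, MD5 and SIZE lines are all present, and then cross-checks the recorded MD5 and SIZE against the extracted data file rather than trusting the meta alone. The second reader handles the newline-delimited JSON log Victor recommends: it returns only records terminated by a newline and hands back the unterminated tail, so a record that is still being written is never parsed half-way. The "KEY: value" meta layout, the TIME and FILENAME keys, the JSON field names filename/md5/size and all sample records are assumptions or constructed data, not taken from Suricata documentation.

```python
"""Safely consume Suricata 1.4 file-extraction output (added example).

Assumptions: .meta files are 'KEY: value' lines with MAGIC, STATE, MD5 and
SIZE appended last; the JSON file log is one JSON object per line with at
least filename/md5/size. Sample data below is constructed.
"""
import hashlib
import json
import os
import tempfile

# Keys the question reports as missing when the meta file is read too early.
REQUIRED_META_KEYS = ("MAGIC", "STATE", "MD5", "SIZE")


def parse_meta(text):
    """Parse 'KEY: value' lines of a .meta file into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def meta_is_complete(meta_text, data_path):
    """Return (ok, reason): ok only when every late-written key is present
    and the data file agrees with the MD5 and SIZE the meta records."""
    fields = parse_meta(meta_text)
    missing = [k for k in REQUIRED_META_KEYS if k not in fields]
    if missing:
        return False, "meta still being written, missing %s" % ",".join(missing)
    try:
        size = int(fields["SIZE"])
    except ValueError:
        return False, "SIZE is not an integer"
    if os.path.getsize(data_path) != size:
        return False, "data file size does not match SIZE"
    h = hashlib.md5()
    with open(data_path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    if h.hexdigest() != fields["MD5"].lower():
        return False, "data file MD5 does not match MD5"
    return True, "complete"


def complete_json_records(buf, required=("filename", "md5", "size")):
    """Split newline-delimited JSON into finished records.

    Returns (records, remainder): records are lines that ended in a newline,
    parsed and holding every required key; remainder is the unterminated
    tail to prepend to the next read of the log file.
    """
    records = []
    head, sep, tail = buf.rpartition("\n")
    if not sep:
        return records, buf  # nothing finished yet
    for line in head.split("\n"):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # corrupt line: skip rather than trust it
        if all(k in rec for k in required):
            records.append(rec)
    return records, tail


def demo():
    """Exercise both readers on constructed sample data; returns results."""
    payload = b"MZ\x90\x00constructed-sample-payload"
    md5 = hashlib.md5(payload).hexdigest()
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(payload)
        data_path = f.name
    try:
        # Constructed: the early part of a .meta file, as seen when read too soon.
        partial = "TIME: 06/07/2013-09:41:00\nFILENAME: /sample.exe\n"
        # Constructed: the same file after the late values were appended.
        full = partial + ("MAGIC: PE32 executable\nSTATE: CLOSED\n"
                          "MD5: %s\nSIZE: %d\n" % (md5, len(payload)))
        results = {
            "partial_meta": meta_is_complete(partial, data_path),
            "full_meta": meta_is_complete(full, data_path),
            "tampered_meta": meta_is_complete(full.replace(md5, "0" * 32), data_path),
        }
    finally:
        os.unlink(data_path)
    # Constructed JSON log chunk: one finished record plus a half-written tail.
    chunk = ('{"filename": "/sample.exe", "md5": "%s", "size": %d}\n'
             '{"filename": "/still-being-' % (md5, len(payload)))
    results["json_records"], results["json_remainder"] = complete_json_records(chunk)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

For a long-running collector, keep the remainder returned by complete_json_records between reads and prepend it to the next chunk; for the .meta path, re-check a file that returns "still being written" on the next pass instead of treating it as an error.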