[Oisf-users] Suricata 1.4 Meta Files and Data Files produced from File Extraction
Victor Julien
lists at inliniac.net
Tue Jun 11 07:17:01 UTC 2013
On 06/10/2013 08:55 PM, Vincent Fang wrote:
> Ok that's good to know. I found one oddity with the file extraction with
> magic and md5 hash enabled in the Suricata.yaml file and I'm not sure if
> it's a bug or an issue on my end.
>
> The alert signature looks like this
>
> alert ip any any -> any any (msg:"file store all"; filestore; sid:5;)
>
> and I examined all the meta and data files in the files directory
> /usr/local/var/log/suricata/files
>
> and I ran the linux command after observing all meta data files had 16 lines
>
> wc -l *.meta | grep -v 16
>
> and I came across one meta file that only had 12 lines that was missing
> the last 4 lines MAGIC, STATE, MD5, and SIZE. The pcap file I was
> running Suricata against in offline mode was me visiting a
> businessweek.com site. Does anyone know why
> this oddity would have occurred?
Can you (privately) share this pcap?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
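The `wc -l *.meta | grep -v 16` check in the quoted post can be turned into a parser that names which closing fields a record is missing. This is an added example, not code from the thread or from Suricata; the sample records are constructed, and the header field names (PCAP PKT NUM, PROTO, etc.) are assumed to match the 1.4 layout.

```python
"""Spot Suricata 1.4 .meta records that never received their closing fields."""
import os
import sys

EXPECTED_LINES = 16                                  # per the thread: a complete .meta has 16 lines
REQUIRED_TAIL = ("MAGIC", "STATE", "MD5", "SIZE")    # written only when the file is closed


def parse_meta(text):
    """Turn 'KEY: value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")       # first colon splits key from value
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_meta(text):
    """Report line count, missing closing fields and whether the record is complete."""
    fields = parse_meta(text)
    missing = [k for k in REQUIRED_TAIL if k not in fields]
    lines = sum(1 for line in text.splitlines() if line.strip())
    return {"lines": lines, "missing": missing,
            "complete": not missing and lines == EXPECTED_LINES}


def scan_files_dir(path):
    """Return [(name, report)] for every .meta under path that is not complete."""
    bad = []
    for name in sorted(os.listdir(path)):
        if name.endswith(".meta"):
            with open(os.path.join(path, name)) as fh:
                report = check_meta(fh.read())
            if not report["complete"]:
                bad.append((name, report))
    return bad


# Constructed samples: 12 header lines, then the four closing fields (or not).
HEADER = "\n".join([
    "TIME:              06/10/2013-14:55:01.000000", "PCAP PKT NUM:      42",
    "SRC IP:            192.0.2.10", "DST IP:            198.51.100.7",
    "PROTO:             6", "SRC PORT:          51234", "DST PORT:          80",
    "HTTP URI:          /index.html", "HTTP HOST:         example.invalid",
    "HTTP REFERER:      <unknown>", "HTTP USER AGENT:   constructed-ua/1.0",
    "FILENAME:          /index.html"])
COMPLETE = HEADER + "\nMAGIC:             HTML document text\nSTATE:             CLOSED\n" \
           "MD5:               d41d8cd98f00b204e9800998ecf8427e\nSIZE:              0\n"
TRUNCATED = HEADER + "\n"                            # the 12-line case from the thread

if __name__ == "__main__":
    for name, report in scan_files_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(name, report)
```

Run it against the files directory to list every record that stopped before MAGIC/STATE/MD5/SIZE, which is more useful than a bare line count when diagnosing the case above.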