[Oisf-users] Suricata 1.4 Meta Files and Data Files produced from File Extraction

Anoop Saldanha anoopsaldanha at gmail.com
Tue Jun 11 07:52:24 UTC 2013


On Tue, Jun 11, 2013 at 12:47 PM, Victor Julien <lists at inliniac.net> wrote:
> On 06/10/2013 08:55 PM, Vincent Fang wrote:
>> Ok that's good to know. I found one oddity with the file extraction with
>> magic and md5 hash enabled in the Suricata.yaml file and I'm not sure if
>> it's a bug or an issue on my end.
>>
>> The alert signature looks like this
>>
>> alert ip any any -> any any (msg:"file store all"; filestore; sid:5;)
>>
>> and I examined all the meta and data files in the files directory
>> /usr/local/var/log/suricata/files
>>
>> and I ran the linux command after observing all meta data files had 16 lines
>>
>> wc -l *.meta | grep -v 16
>>
>> and I came across one meta file that only had 12 lines that was missing
>> the last 4 lines MAGIC, STATE, MD5, and SIZE. The pcap file I was
>> running Suricata against in offline mode was me visiting a
>> businessweek.com site. Does anyone know why
>> this oddity would have occurred?
>
> Can you (privately) share this pcap?
>

Please add me to the CC if you can share the pcap.

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
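A more robust way to find the incomplete meta files Vincent describes, as an added example that is not part of this thread or of Suricata itself: instead of assuming every `.meta` file is exactly 16 lines, the script below checks each file for the four trailer records (MAGIC, STATE, MD5, SIZE) by key name. It assumes the `KEY: value` line layout of Suricata 1.4 filestore meta files; the two sample meta files it writes are constructed for the demonstration, and their addresses, hash and size are illustrative rather than captured data.

```shell
#!/bin/sh
# Added example: report Suricata filestore .meta files whose trailing
# MAGIC / STATE / MD5 / SIZE records are absent. Checking by key name is
# sturdier than `wc -l *.meta | grep -v 16`, which breaks as soon as a
# file legitimately has a different number of header lines.

REQUIRED_KEYS="MAGIC STATE MD5 SIZE"

# Print the required keys that are absent from one .meta file, space
# separated; prints an empty line when the file is complete.
missing_keys() {
    file="$1"
    out=""
    for key in $REQUIRED_KEYS; do
        grep -q "^$key:" "$file" || out="$out${out:+ }$key"
    done
    printf '%s\n' "$out"
}

# Print the number of incomplete .meta files in a files/ directory.
count_incomplete() {
    n=0
    for f in "$1"/*.meta; do
        [ -e "$f" ] || continue
        [ -z "$(missing_keys "$f")" ] || n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Print "<file>: missing <keys>" for every incomplete .meta file.
check_meta_dir() {
    for f in "$1"/*.meta; do
        [ -e "$f" ] || continue
        m=$(missing_keys "$f")
        [ -z "$m" ] || echo "$f: missing $m"
    done
}

# Write two constructed sample meta files into a fresh temporary directory
# and print its path: file.1.meta is complete, file.2.meta stops after
# FILENAME, like the 12-line file described in the thread.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/file.1.meta" <<'EOF'
TIME:              06/10/2013-20:55:00.000000
SRC IP:            192.0.2.10
DST IP:            198.51.100.20
PROTO:             6
SRC PORT:          51234
DST PORT:          80
HTTP HOST:         example.com
FILENAME:          /index.html
MAGIC:             HTML document, ASCII text
STATE:             CLOSED
MD5:               d41d8cd98f00b204e9800998ecf8427e
SIZE:              0
EOF
    cat > "$d/file.2.meta" <<'EOF'
TIME:              06/10/2013-20:55:01.000000
SRC IP:            192.0.2.10
DST IP:            198.51.100.20
PROTO:             6
SRC PORT:          51235
DST PORT:          80
HTTP HOST:         example.com
FILENAME:          /logo.png
EOF
    printf '%s\n' "$d"
}

# Usage: sh check_meta.sh /usr/local/var/log/suricata/files
# With no directory argument the constructed samples are checked instead.
dir="${1:-}"
if [ -z "$dir" ]; then
    dir=$(make_sample_dir)
    check_meta_dir "$dir"
    rm -rf "$d"
else
    check_meta_dir "$dir"
fi
```

Run against the constructed samples it reports only `file.2.meta`, listing all four missing keys; pointed at a real files directory it prints one line per incomplete meta file, which is a more useful starting point for correlating against the pcap than a bare line count.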
