[Oisf-users] Suricata 1.4 Meta Files and Data Files produced from File Extraction

Vincent Fang vincent.y.fang at gmail.com
Fri Jun 14 20:10:16 UTC 2013


So, on further investigation, I examined the files-json.log and the meta file
in question that is missing the last 4 lines; the json log has that
missing data. Was there any follow-up on this being a bug or something else?


Vince


On Tue, Jun 11, 2013 at 4:16 AM, Vincent Fang <vincent.y.fang at gmail.com> wrote:

> Here's the pcap file. It's me visiting a businessweek site and the pcap
> packet number is 2713.
>
>
> On Tue, Jun 11, 2013 at 3:52 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>
>> On Tue, Jun 11, 2013 at 12:47 PM, Victor Julien <lists at inliniac.net>
>> wrote:
>> > On 06/10/2013 08:55 PM, Vincent Fang wrote:
>> >> Ok that's good to know. I found one oddity with the file extraction with
>> >> magic and md5 hash enabled in the Suricata.yaml file and I'm not sure if
>> >> it's a bug or an issue on my end.
>> >>
>> >> The alert signature looks like this
>> >>
>> >> alert ip any any -> any any (msg:"file store all"; filestore; sid:5;)
>> >>
>> >> and I examined all the meta and data files in the files directory
>> >> /usr/local/var/log/suricata/files
>> >>
>> >> and I ran the linux command after observing all meta data files had 16 lines
>> >>
>> >> wc -l *.meta | grep -v 16
>> >>
>> >> and I came across one meta file that only had 12 lines that was missing
>> >> the last 4 lines MAGIC, STATE, MD5, and SIZE. The pcap file I was
>> >> running Suricata against in offline mode was me visiting a
>> >> businessweek.com site. Does anyone know why
>> >> this oddity would have occurred?
>> >
>> > Can you (privately) share this pcap?
>> >
>>
>> Please add me to the CC if you can share the pcap.
>>
>> --
>> -------------------------------
>> Anoop Saldanha
>> http://www.poona.me
>> -------------------------------
>>
>
>
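An added example, not from the thread or from Suricata itself, that automates the check described above: it parses each .meta file, flags any that lack the trailing MAGIC, STATE, MD5 and SIZE entries, and looks the same file up in files-json.log to see whether the JSON record still carries the md5 the meta file lost. The `KEY: value` meta layout, the `FILENAME` key, and the `filename`/`md5` JSON field names are assumptions; the sample inputs are constructed.

```python
"""Audit Suricata 1.x file-extraction .meta files for truncated entries."""
import json

# Trailing keys the thread says every complete .meta file ends with.
REQUIRED_TAIL = ("MAGIC", "STATE", "MD5", "SIZE")


def parse_meta(text):
    """Parse 'KEY: value' lines of one .meta file into a dict (assumed layout)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields


def missing_tail(fields):
    """Return the required trailing keys absent from a parsed .meta file."""
    return [k for k in REQUIRED_TAIL if k not in fields]


def index_json_log(log_text):
    """Index files-json.log (one JSON object per line) by its 'filename' field."""
    by_name = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            by_name[rec.get("filename")] = rec
    return by_name


def audit(meta_files, log_text):
    """Map each truncated meta file to (missing keys, json log has md5 for it)."""
    by_name = index_json_log(log_text)
    report = {}
    for name, text in meta_files.items():
        fields = parse_meta(text)
        missing = missing_tail(fields)
        if missing:
            rec = by_name.get(fields.get("FILENAME"))
            report[name] = (missing, rec is not None and "md5" in rec)
    return report


# Constructed sample input: one complete .meta and one cut off after FILENAME.
SAMPLE_META = {
    "file.1.meta": "TIME: 06/11/2013-04:16:00\nFILENAME: /img/a.gif\n"
                   "MAGIC: GIF image data\nSTATE: CLOSED\nMD5: " + "0" * 32 + "\nSIZE: 1234\n",
    "file.2.meta": "TIME: 06/11/2013-04:16:01\nFILENAME: /js/b.js\n",
}
SAMPLE_JSON_LOG = ('{"filename": "/img/a.gif", "md5": "' + "0" * 32 + '", "size": 1234}\n'
                   '{"filename": "/js/b.js", "md5": "' + "1" * 32 + '", "size": 77}\n')

if __name__ == "__main__":
    for meta, (missing, has_md5) in audit(SAMPLE_META, SAMPLE_JSON_LOG).items():
        print(meta, "missing", missing, "- json log has md5:", has_md5)
```

On a live system, read `*.meta` from the files directory into the dict instead of `SAMPLE_META`; a non-empty report with `has_md5` true reproduces the symptom in the thread (data present in files-json.log but absent from the meta file).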