[Oisf-users] File extraction problems (false positives)

Peter Manev petermanev at gmail.com
Mon Feb 24 11:26:36 UTC 2014


On Mon, Feb 24, 2014 at 12:17 PM, Joakim Kunst Forsbakk
<forsbakk at mnemonic.no> wrote:
> Hi,
>
> I tried disabling all filestore rules, and tested the rule you suggested over one hour.
> The fast log shows that the rule triggered 256 times in one hour.
> Suricata however stored 1021 files. 248 of these are actual PDF files, but all the other files are ASCII text files, PNG image data, GIF image data, UTF-8 unicode text and XML-files.
>
> Any idea why Suricata does this?
>

How many rules in total do you load (what does suricata.log say)? (Did
you clear the log directories?)
If you tcpdump one pdf file transaction and then just read it with
Suricata (-r), would that have the expected result?
What would be the output of the detailed log?

As a last resort you could try Suricata 2.0rc1 (stable 2.0 will be out
soon), there are a lot of fixes in beta, however 1.4.7 should not have
issues.

thank you

-- 
Regards,
Peter Manev
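As an added example (not part of the thread, and not Suricata's own tooling), here is a small POSIX shell script that carries out the checks suggested above: clear the log directory, replay one captured transaction with `suricata -r`, then compare how many times the filestore rule alerted in fast.log with how many files actually landed in the filestore directory, listing their detected types with file(1) so non-PDF stores stand out. The rule sid (9000001), the log paths under /tmp/suri-test, the config path and the assumption that Suricata 1.4's file-store writes `file.<N>` payloads with `file.<N>.meta` sidecars are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): compare filestore alerts
# against files actually written for one suricata -r run.
# Rule sid, paths and the file.<N> / file.<N>.meta layout are assumptions.
set -u

# Count fast.log lines carrying a given sid, matched as "[1:<sid>:".
# Usage: count_alerts <fast.log> <sid>   (prints 0 if the log is missing)
count_alerts() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c "\[1:$2:" "$1" || true      # grep exits 1 on zero matches
}

# Count stored payload files in a filestore directory, skipping the
# .meta sidecars so every extracted file is counted exactly once.
# Usage: count_stored_files <files-dir>
count_stored_files() {
    n=0
    for f in "$1"/file.*; do
        [ -e "$f" ] || continue           # unmatched glob: nothing stored
        case "$f" in *.meta) continue ;; esac
        n=$((n + 1))
    done
    echo "$n"
}

# Summarize detected types of the stored files (PDF, ASCII text, PNG ...),
# most frequent first, using file(1); the part after the first comma is
# dropped so variants of one type collapse into a single line.
# Usage: summarize_types <files-dir>
summarize_types() {
    for f in "$1"/file.*; do
        [ -e "$f" ] || continue
        case "$f" in *.meta) continue ;; esac
        file -b "$f"
    done | sed 's/,.*//' | sort | uniq -c | sort -rn
}

# Replay one captured transaction into a freshly cleared log directory.
# -c / -r / -l are Suricata's config, read-pcap and log-dir flags.
# Usage: replay_pcap <pcap> <logdir> [suricata.yaml]
replay_pcap() {
    pcap=$1; logdir=$2; conf=${3:-/etc/suricata/suricata.yaml}
    rm -rf "$logdir" && mkdir -p "$logdir"   # stale files would skew counts
    suricata -c "$conf" -r "$pcap" -l "$logdir"
}

# Stand-alone usage: PCAP=/path/to/one-pdf.pcap SID=9000001 sh this-script.sh
# Runs only when suricata is installed and a readable capture is given.
if command -v suricata >/dev/null 2>&1 && [ -r "${PCAP:-}" ]; then
    replay_pcap "$PCAP" /tmp/suri-test
    echo "alerts: $(count_alerts /tmp/suri-test/fast.log "${SID:-9000001}")"
    echo "stored: $(count_stored_files /tmp/suri-test/files)"
    summarize_types /tmp/suri-test/files
fi
```

If the alert count and the stored-file count diverge on a single-transaction capture, the extra files are being written by something other than the rule under test, which is exactly what the questions above (total rules loaded, cleared log directories) are meant to surface.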


