[Oisf-users] Mismatch between .meta and eve log and other issues

Travel Factory S.r.l. mc8647 at mclink.it
Mon Mar 31 13:29:30 UTC 2014

In my quest for uncomplete filestored files I activated eve.log and 
run my tests (40 wget of the same executable file from an internet 
server). The file produced is here: http://pastebin.com/tiXsxdfN

40 downloads mean 80 log lines. For each download there is a http log 
and one filestore log.

8 filestore files are reported as TRUNCATED but
# grep TRUNCATED *.meta | wc -l
so clearly .meta files are not correctly updated.

Mine is a RSPAN setup. Several VLANs are "copied" into vlan 100. But 
in the logs not every line has the vlan tag:
grep -v '"vlan":100' eve.log
There are both http and fileinfo evebt_types. I don't think missing 
vlan tag in the logs can be a problem but it is something to think 

Reading in eve.log all 80 lines and the incomplete filestore flagged 
as TRUNCATED make me happy... it means that suricata keeps track of 
what is happening and can log it correctly.

Now, it would be really nice to understand *why* the file is flagged 
TRUNCATED. Becouse somewhere in the code, suricata decides the file 
isn't complete, or can't be completed, or some timeouts expire, or 
some buffers fill, or packets are out of order or .. or .. or ...... 
is there a way to understand why suricata flags a filestore as 

More information about the Oisf-users mailing list