[Oisf-users] Mismatch between .meta and eve log and other issues

Travel Factory S.r.l. mc8647 at mclink.it
Mon Mar 31 13:29:30 UTC 2014


In my quest for incomplete filestored files I activated eve.log and 
ran my tests (40 wget of the same executable file from an internet 
server). The file produced is here: http://pastebin.com/tiXsxdfN

40 downloads mean 80 log lines. For each download there is a http log 
and one filestore log.

8 filestore files are reported as TRUNCATED but
# grep TRUNCATED *.meta | wc -l
2
so clearly .meta files are not correctly updated.

Mine is a RSPAN setup. Several VLANs are "copied" into vlan 100. But 
in the logs not every line has the vlan tag:
grep -v '"vlan":100' eve.log
There are both http and fileinfo event_types. I don't think missing 
vlan tag in the logs can be a problem but it is something to think 
about.


Reading in eve.log all 80 lines and the incomplete filestore flagged 
as TRUNCATED makes me happy... it means that suricata keeps track of 
what is happening and can log it correctly.

Now, it would be really nice to understand *why* the file is flagged 
TRUNCATED. Because somewhere in the code, suricata decides the file 
isn't complete, or can't be completed, or some timeouts expire, or 
some buffers fill, or packets are out of order or .. or .. or ...... 
is there a way to understand why suricata flags a filestore as 
TRUNCATED?
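The cross-check the post does by hand (count TRUNCATED fileinfo events in eve.log, count events without a vlan tag, compare against `grep TRUNCATED *.meta`), as an added example that is not part of the original post or of Suricata. The eve.log lines below are constructed; the fileinfo field names (`state`, `stored`, `size`) and the top-level `vlan` key are assumed to match the EVE format of that era.

```python
import json
from collections import Counter
from pathlib import Path

# Constructed sample of eve.log: one JSON object per line, an http record
# followed by its fileinfo record, two of them without a vlan tag.
SAMPLE_EVE = """\
{"timestamp":"2014-03-31T13:00:01.000000","event_type":"http","vlan":100,"src_ip":"10.0.0.5","dest_ip":"203.0.113.10","http":{"hostname":"example.invalid","url":"/tool.exe"}}
{"timestamp":"2014-03-31T13:00:02.000000","event_type":"fileinfo","vlan":100,"src_ip":"203.0.113.10","dest_ip":"10.0.0.5","fileinfo":{"filename":"/tool.exe","state":"CLOSED","stored":true,"size":102400}}
{"timestamp":"2014-03-31T13:00:03.000000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","http":{"hostname":"example.invalid","url":"/tool.exe"}}
{"timestamp":"2014-03-31T13:00:04.000000","event_type":"fileinfo","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","fileinfo":{"filename":"/tool.exe","state":"TRUNCATED","stored":true,"size":61440}}
"""


def summarize_eve(text):
    """Tally event types, fileinfo states, and records lacking a vlan key."""
    summary = {"event_types": Counter(), "file_states": Counter(), "missing_vlan": Counter()}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        etype = rec.get("event_type", "unknown")
        summary["event_types"][etype] += 1
        if "vlan" not in rec:  # equivalent of grep -v '"vlan":100'
            summary["missing_vlan"][etype] += 1
        if etype == "fileinfo":
            summary["file_states"][rec.get("fileinfo", {}).get("state", "UNKNOWN")] += 1
    return summary


def count_meta_truncated(filestore_dir):
    """Mirror of `grep TRUNCATED *.meta | wc -l`: matching lines across .meta files."""
    total = 0
    for meta in Path(filestore_dir).glob("*.meta"):
        total += sum(1 for ln in meta.read_text(errors="replace").splitlines() if "TRUNCATED" in ln)
    return total


def meta_deficit(summary, meta_truncated_lines):
    """TRUNCATED fileinfo events that have no TRUNCATED line in any .meta file."""
    return summary["file_states"]["TRUNCATED"] - meta_truncated_lines


if __name__ == "__main__":
    s = summarize_eve(SAMPLE_EVE)
    print(dict(s["event_types"]), dict(s["file_states"]), dict(s["missing_vlan"]))
    print("meta deficit:", meta_deficit(s, count_meta_truncated(".")))
```

A deficit greater than zero reproduces the mismatch the post reports; a per-event_type missing_vlan count shows whether the untagged lines are confined to one record type.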


