[Oisf-users] Mismatch between .meta and eve log and other issues

Cooper F. Nelson cnelson at ucsd.edu
Mon Mar 31 15:10:25 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Actually, thinking about it, could you try using a libpcap based capture
mode?

I have run a couple of Suricata instances and the one that worked the best
for file extraction was attached to the inside of a web proxy (i.e. just
monitoring port 3128 on the proxy IP) and using a libpcap based run
mode.  That worked perfectly.

I had similar problems to you (truncated files) when using AF_PACKET
mode, but on my sensor I don't have enough cores/memory to monitor for
HTTP flows, so I actually truncate the server flows myself via bpf filters.

- -Coop

On 3/31/2014 6:29 AM, Travel Factory S.r.l. wrote:
> 
> In my quest for incomplete filestored files I activated eve.log and ran
> my tests (40 wget of the same executable file from an internet server).
> The file produced is here: http://pastebin.com/tiXsxdfN
> 


- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTOYVhAAoJEKIFRYQsa8FWx38IAIpEIEuoO2prY1dp6nP5Bvh7
adYBAneZd0hHCXnLvRxp6MaIiKO91zhST8C4xZfULeUuN1svyNx9cXIlBI39zGEJ
GVh6lpJlZ0R1aj37nhrJV2QOWQ/GK7Ccp6HsmgULufhjZ9gfcHGaneIJnm4PKxZS
z4NC+jjoVUh8b+yjxyBlIXA/I4ear81kP5bXT5jJFjJOj5Meg4txtUPYwakQ4U5p
S3Dy4YoX5WZSdgTgbk3SjbnchAAWS2ve1z4JU7tq1fHaynYoTdkvhjD9NL3zRTeN
FIfFfRiD++B4vvcGYB9ExbYAARreXDslEDTdv4oMU7r12PZ2LI4Au51pUGhmy40=
=mfNG
-----END PGP SIGNATURE-----
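The thread is about extracted files coming out truncated and about checking that against the eve log. The following is an added diagnostic example, not code from the thread or from the Suricata project: it reads eve.json "fileinfo" events and reports, per URL, how many transfers closed cleanly versus ended TRUNCATED, so the effect of switching capture mode (AF_PACKET vs. libpcap, with or without a BPF filter) can be measured over a batch of repeated downloads like the 40 wget runs above. The sample log lines are constructed for this example (not the pastebin contents) and assume the fileinfo event layout with a "state" field of "CLOSED" or "TRUNCATED" and a "size" field.

```python
import json
from collections import Counter, defaultdict

# Constructed sample eve.json lines (not the thread's pastebin). The layout
# mirrors Suricata's "fileinfo" event type: state is "CLOSED" for a complete
# transfer and "TRUNCATED" when the stream ended before the file did.
# A non-fileinfo event and a garbage line are included on purpose.
SAMPLE_EVE = """\
{"timestamp":"2014-03-31T15:29:01.000000","event_type":"fileinfo","src_ip":"203.0.113.10","dest_ip":"192.0.2.20","http":{"hostname":"example.com","url":"/tool.exe"},"fileinfo":{"filename":"/tool.exe","state":"CLOSED","stored":true,"size":1048576}}
{"timestamp":"2014-03-31T15:29:02.000000","event_type":"fileinfo","src_ip":"203.0.113.10","dest_ip":"192.0.2.20","http":{"hostname":"example.com","url":"/tool.exe"},"fileinfo":{"filename":"/tool.exe","state":"TRUNCATED","stored":true,"size":524288}}
{"timestamp":"2014-03-31T15:29:03.000000","event_type":"http","src_ip":"203.0.113.10","dest_ip":"192.0.2.20","http":{"hostname":"example.com","url":"/tool.exe"}}
{"timestamp":"2014-03-31T15:29:04.000000","event_type":"fileinfo","src_ip":"203.0.113.10","dest_ip":"192.0.2.20","http":{"hostname":"example.com","url":"/tool.exe"},"fileinfo":{"filename":"/tool.exe","state":"TRUNCATED","stored":true,"size":131072}}
this line is not json
"""


def parse_fileinfo(lines):
    """Yield (url, state, size) for every fileinfo event.

    Other event types are skipped, as are unparseable lines (a live eve.json
    often ends in a half-written record while Suricata is still running).
    """
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except ValueError:
            continue
        if ev.get("event_type") != "fileinfo":
            continue
        http = ev.get("http", {})
        fi = ev.get("fileinfo", {})
        url = http.get("hostname", "") + http.get("url", "")
        yield url, fi.get("state", "UNKNOWN"), int(fi.get("size", 0))


def summarize(lines):
    """Per URL: a count of each fileinfo state and the largest size seen.

    The largest size across repeated downloads of the same object is the
    best available guess at the full length, so smaller sizes on TRUNCATED
    records show how much of the file the sensor actually saw.
    """
    states = defaultdict(Counter)
    max_size = defaultdict(int)
    for url, state, size in parse_fileinfo(lines):
        states[url][state] += 1
        max_size[url] = max(max_size[url], size)
    return {url: {"states": dict(states[url]), "max_size": max_size[url]}
            for url in states}


def truncated_ratio(summary, url):
    """Fraction of fileinfo records for url that ended TRUNCATED (0.0 if none seen)."""
    s = summary[url]["states"]
    total = sum(s.values())
    return s.get("TRUNCATED", 0) / total if total else 0.0


if __name__ == "__main__":
    # Replace SAMPLE_EVE.splitlines() with open("/var/log/suricata/eve.json")
    # to run this against a real log.
    result = summarize(SAMPLE_EVE.splitlines())
    for url, info in result.items():
        print(f"{url}: {info['states']} max_size={info['max_size']} "
              f"truncated={truncated_ratio(result, url):.0%}")
```

Running the same batch of downloads under each capture mode and comparing the truncated ratio per URL gives a concrete number to attach to a change in run mode, rather than eyeballing the .meta files one by one.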
