[Oisf-users] file truncated

Miso Mijatovic mmijatovic at sorint.it
Mon Apr 20 15:12:29 UTC 2015


i need to set up a black md5 list using Suricata2.1beta3 on Selks. I wrote a rule to try: 

alert http any any -> any any (msg:"CHECK file MD5"; filemd5:md5list.txt; gid:10000; sid:1200002; rev:1;) 

In md5list.txt i have only the md5 of the file i am trying to check. 
I followed the instructions on this page https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction and set up the suricata.yaml: 
stream.checksum_validation yes 
stream.reassembly.depth 0 
libhtp.default-config.request-body-limit 0 
libhtp.default-config.response-body-limit 0 (the server part is commented) 

I used the rule to match some pdf (for example the one at this page https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5) and i noticed that the signature matches only on small files (some kb). With bigger files the sig doesn't match and if i search for those files in the files-json.log i see that are always truncated (even if i can read the file with no problems). I even tried to increase the timeouts in the flow-timeouts section of the sutricata.yaml without success. 

Does anybody have this problem or know how to solve it? 


Miso Mijatovic 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150420/0057bdd8/attachment.html>

More information about the Oisf-users mailing list