[Oisf-users] file truncated

Miso Mijatovic mmijatovic at sorint.it
Mon Apr 20 15:12:29 UTC 2015


Hi, 

I need to set up an MD5 blacklist using Suricata 2.1beta3 on Selks. I wrote a rule to try:

alert http any any -> any any (msg:"CHECK file MD5"; filemd5:md5list.txt; gid:10000; sid:1200002; rev:1;) 

In md5list.txt I have only the MD5 of the file I am trying to check.
I followed the instructions on this page https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction and set up the suricata.yaml:
    stream.checksum_validation yes
    stream.reassembly.depth 0
    libhtp.default-config.request-body-limit 0
    libhtp.default-config.response-body-limit 0 (the server part is commented)

I used the rule to match some PDFs (for example the one on this page https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5) and I noticed that the signature matches only on small files (some KB). With bigger files the sig doesn't match, and if I search for those files in files-json.log I see that they are always truncated (even though I can read the file with no problems). I even tried to increase the timeouts in the flow-timeouts section of suricata.yaml, without success.

Does anybody have this problem or know how to solve it? 

Thanks, 

Miso Mijatovic 
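As an added example (not the poster's code and not part of Suricata), the following Python script builds an md5list.txt from sample file contents and audits constructed files-json.log lines, separating files that were hashed from files Suricata stopped tracking. The log field names, the "state" values CLOSED/TRUNCATED, and the absence of an "md5" field on truncated entries are assumptions about the Suricata 2.x per-file log format; all values are invented.

```python
import hashlib
import json
from collections import Counter

# Constructed sample payloads standing in for files seen on the wire.
SAMPLE_FILES = {"small.pdf": b"abc", "big.pdf": b"A" * 200000}

# Constructed files-json.log lines (assumed Suricata 2.x field names).
# The large transfer is logged as TRUNCATED with no md5 field; the small
# one is CLOSED and carries the md5 Suricata computed over the full body.
SAMPLE_LOG = """\
{"timestamp": "04/20/2015-14:01:03.123456", "srcip": "198.51.100.5", "dstip": "192.0.2.10", "http_host": "example.test", "http_uri": "/small.pdf", "filename": "/small.pdf", "magic": "PDF document", "state": "CLOSED", "md5": "900150983cd24fb0d6963f7d28e17f72", "stored": false, "size": 3}
{"timestamp": "04/20/2015-14:02:11.654321", "srcip": "198.51.100.5", "dstip": "192.0.2.10", "http_host": "example.test", "http_uri": "/big.pdf", "filename": "/big.pdf", "magic": "PDF document", "state": "TRUNCATED", "stored": false, "size": 65536}
"""


def build_md5_list(files):
    """Return md5list.txt content: one lowercase hex MD5 per line."""
    return "".join(hashlib.md5(data).hexdigest() + "\n" for data in files.values())


def load_md5_list(text):
    """Parse md5list.txt, ignoring blank lines and surrounding whitespace."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def audit_file_log(log_text, md5_set):
    """Classify each logged file: matched, hashed-but-unlisted, or never
    hashed because the file was not fully reassembled (no md5 field)."""
    states = Counter()
    report = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        state = entry.get("state", "UNKNOWN")
        states[state] += 1
        md5 = entry.get("md5")
        if md5 is None:
            verdict = "no-md5 (file not fully reassembled)"
        elif md5.lower() in md5_set:
            verdict = "match"
        else:
            verdict = "hashed, not in list"
        report.append((entry.get("filename"), state, entry.get("size"), verdict))
    return states, report


if __name__ == "__main__":
    md5s = load_md5_list(build_md5_list(SAMPLE_FILES))
    states, report = audit_file_log(SAMPLE_LOG, md5s)
    print(dict(states))
    for row in report:
        print(*row)
```

Running it against a real files-json.log shows at a glance whether the non-matching files are the ones logged without an md5, which points at reassembly or body-limit settings rather than at the rule itself.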

