[Oisf-users] file truncated
Miso Mijatovic
mmijatovic at sorint.it
Mon Apr 20 15:44:23 UTC 2015
Sorry, I forgot to say I have already tried and haven't seen any alert.
I check for the alerts in Kibana.
From: "Peter Manev" <petermanev at gmail.com>
To: "Miso Mijatovic" <mmijatovic at sorint.it>
Cc: oisf-users at lists.openinfosecfoundation.org
Sent: Monday, 20 April 2015 17:34:52
Subject: Re: [Oisf-users] file truncated
On 20 Apr 2015, at 17:12, Miso Mijatovic <mmijatovic at sorint.it> wrote:
> Hi,
> I need to set up an MD5 blacklist using Suricata 2.1beta3 on SELKS. I wrote a rule to try:
> alert http any any -> any any (msg:"CHECK file MD5"; filemd5:md5list.txt; gid:10000; sid:1200002; rev:1;)
> In md5list.txt I have only the MD5 of the file I am trying to check.
> I followed the instructions on this page https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction and set up the suricata.yaml:
> stream.checksum_validation yes
Can you try with
stream.checksum_validation no
?
Thanks
> stream.reassembly.depth 0
> libhtp.default-config.request-body-limit 0
> libhtp.default-config.response-body-limit 0 (the server part is commented out)
> I used the rule to match some PDFs (for example the one at this page https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5 ) and I noticed that the signature matches only on small files (some KB). With bigger files the sig doesn't match, and if I search for those files in the files-json.log I see that they are always truncated (even if I can read the file with no problems). I even tried to increase the timeouts in the flow-timeouts section of the suricata.yaml without success.
> Does anybody have this problem or know how to solve it?
> Thanks,
> Miso Mijatovic
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
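A small triage script, added here as an example and not part of the thread or of Suricata, that shows why a filemd5 match depends on the file being complete: it reads files-json.log lines, separates TRUNCATED entries from CLOSED ones, checks each logged md5 against an md5list.txt, and reports the size boundary between complete and truncated transfers, which is the number to compare against the reassembly depth and body limits. The three log lines and the hash list are constructed; the field names (state, md5, size, http_uri) are assumed to follow the Suricata 2.x files-json.log layout, and md5list.txt is assumed to hold one hex digest per line.

```python
import hashlib
import json

# Constructed sample in the shape of Suricata 2.x files-json.log (one JSON
# object per line). Field names are assumed from that format; real entries
# carry more fields. The second entry models the "big file" case from the
# thread: state TRUNCATED and no md5 field.
SAMPLE_FILES_LOG = """\
{"timestamp": "04/20/2015-17:10:01.123456", "srcip": "10.0.0.5", "dstip": "10.0.0.9", "http_host": "example.test", "http_uri": "/small.pdf", "filename": "/small.pdf", "magic": "PDF document", "state": "CLOSED", "md5": "9e107d9d372bb6826bd81d3542a419d6", "stored": false, "size": 4096}
{"timestamp": "04/20/2015-17:11:42.654321", "srcip": "10.0.0.5", "dstip": "10.0.0.9", "http_host": "example.test", "http_uri": "/big.pdf", "filename": "/big.pdf", "magic": "PDF document", "state": "TRUNCATED", "stored": false, "size": 1048576}
{"timestamp": "04/20/2015-17:12:07.000001", "srcip": "10.0.0.5", "dstip": "10.0.0.9", "http_host": "example.test", "http_uri": "/other.pdf", "filename": "/other.pdf", "magic": "PDF document", "state": "CLOSED", "md5": "0cc175b9c0f1b6a831c399e269772661", "stored": false, "size": 2048}
"""

# Constructed md5list.txt: one lowercase hex MD5 per line, the layout the
# filemd5 keyword is documented to read.
SAMPLE_MD5LIST = """\
9e107d9d372bb6826bd81d3542a419d6
e4d909c290d0fb1ca068ffaddf22cbd0
"""


def md5_hex(data):
    """MD5 hex digest of a byte string, i.e. the hash of a complete file."""
    return hashlib.md5(data).hexdigest()


def load_md5list(text):
    """Parse md5list.txt content into a set of lowercase digests.

    Blank lines are skipped; anything that is not 32 hex characters is
    rejected so a stray filename or note does not silently become an entry
    that can never match.
    """
    hashes = set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line:
            continue
        if len(line) != 32 or any(c not in "0123456789abcdef" for c in line):
            raise ValueError("not an MD5 hex digest: %r" % raw)
        hashes.add(line)
    return hashes


def classify_file_events(log_text, md5list):
    """Map each files-json.log line to (uri, size, verdict).

    truncated: tracking stopped before the end of the file, so no complete
               hash exists and filemd5 cannot fire on it
    no-md5:    file closed but no md5 field (hash calculation disabled)
    match:     logged md5 is in the list
    no-match:  complete file, hash not in the list
    """
    results = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        uri = ev.get("http_uri") or ev.get("filename")
        size = ev.get("size") or 0
        md5 = (ev.get("md5") or "").lower()
        if ev.get("state") == "TRUNCATED":
            verdict = "truncated"
        elif not md5:
            verdict = "no-md5"
        elif md5 in md5list:
            verdict = "match"
        else:
            verdict = "no-match"
        results.append((uri, size, verdict))
    return results


def summarize(results):
    """Count verdicts and find the size boundary between complete and
    truncated files. If everything above some size is truncated and
    everything below it is complete, that boundary points at a depth or
    body limit (or at segments being dropped) rather than at the rule."""
    counts = {}
    largest_complete = 0
    smallest_truncated = None
    for _uri, size, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
        if verdict == "truncated":
            if smallest_truncated is None or size < smallest_truncated:
                smallest_truncated = size
        elif size > largest_complete:
            largest_complete = size
    return {"counts": counts, "largest_complete": largest_complete,
            "smallest_truncated": smallest_truncated}


if __name__ == "__main__":
    md5list = load_md5list(SAMPLE_MD5LIST)
    results = classify_file_events(SAMPLE_FILES_LOG, md5list)
    for uri, size, verdict in results:
        print("%-12s %8d %s" % (uri, size, verdict))
    print(summarize(results))
    # Hashing only a prefix of a file never reproduces the full-file digest,
    # which is why a truncated transfer cannot satisfy filemd5.
    whole = b"%PDF-1.4\n" + b"x" * 4000
    print(md5_hex(whole) == md5_hex(whole[:1024]))
```

Run it against a real files-json.log by feeding the file contents to classify_file_events; a summary where largest_complete sits just under a round number such as 1 MB is the quickest way to tell a configured limit apart from the checksum problem Peter asks about, since dropped segments truncate files at arbitrary sizes.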