[Oisf-users] file truncated

Miso Mijatovic mmijatovic at sorint.it
Mon Apr 20 15:44:23 UTC 2015

Sorry i forgot to say i have already tried and haven't seen any alert. 
I check for the alerts on kibana. 

Da: "Peter Manev" <petermanev at gmail.com> 
A: "Miso Mijatovic" <mmijatovic at sorint.it> 
Cc: oisf-users at lists.openinfosecfoundation.org 
Inviato: Lunedì, 20 aprile 2015 17:34:52 
Oggetto: Re: [Oisf-users] file truncated 

On 20 apr 2015, at 17:12, Miso Mijatovic < mmijatovic at sorint.it > wrote: 


i need to set up a black md5 list using Suricata2.1beta3 on Selks. I wrote a rule to try: 

alert http any any -> any any (msg:"CHECK file MD5"; filemd5:md5list.txt; gid:10000; sid:1200002; rev:1;) 

In md5list.txt i have only the md5 of the file i am trying to check. 
I followed the instructions on this page https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction and set up the suricata.yaml: 
stream.checksum_validation yes 

Can you try with 
stream.checksum_validation no 


stream.reassembly.depth 0 
libhtp.default-config.request-body-limit 0 
libhtp.default-config.response-body-limit 0 (the server part is commented) 

I used the rule to match some pdf (for example the one at this page https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5 ) and i noticed that the signature matches only on small files (some kb). With bigger files the sig doesn't match and if i search for those files in the files-json.log i see that are always truncated (even if i can read the file with no problems). I even tried to increase the timeouts in the flow-timeouts section of the sutricata.yaml without success. 

Does anybody have this problem or know how to solve it? 


Miso Mijatovic 



Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org 
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/ 
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users 
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150420/0700e76c/attachment-0002.html>

More information about the Oisf-users mailing list