[Oisf-users] file truncated

Cooper F. Nelson cnelson at ucsd.edu
Mon Apr 20 16:49:12 UTC 2015



This is usually because you did not disable all the NIC offloading features:

> http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

-Coop

On 4/20/2015 8:44 AM, Miso Mijatovic wrote:
> Sorry, I forgot to say I have already tried that and haven't seen any alert.
> I check for the alerts in Kibana.
> 
> 
> ------------------------------------------------------------------------
> *From: *"Peter Manev" <petermanev at gmail.com>
> *To: *"Miso Mijatovic" <mmijatovic at sorint.it>
> *Cc: *oisf-users at lists.openinfosecfoundation.org
> *Sent: *Monday, 20 April 2015 17:34:52
> *Subject: *Re: [Oisf-users] file truncated
> 
> 
> 
> On 20 apr 2015, at 17:12, Miso Mijatovic <mmijatovic at sorint.it
> <mailto:mmijatovic at sorint.it>> wrote:
> 
>     Hi,
> 
>     I need to set up an MD5 blacklist using Suricata 2.1beta3 on SELKS. I
>     wrote a rule to try:
> 
>     alert http any any -> any any (msg:"CHECK file MD5";
>     filemd5:md5list.txt; gid:10000; sid:1200002; rev:1;)
> 
>     In md5list.txt I have only the md5 of the file I am trying to check.
>     I followed the instructions on this page
>     https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
>     and set up the suricata.yaml:
>     /stream.checksum_validation/ yes
> 
> 
> Can you try with
> /stream.checksum_validation/ no
> ?
> Thanks
> 
> 
>     /stream.reassembly.depth/ 0
>     /libhtp.default-config.request-body-limit /0
>     /libhtp.default-config.response-body-limit/ 0 (the server part is
>     commented)
> 
>     I used the rule to match some PDFs (for example the one at this page
>     https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5) and
>     I noticed that the signature matches only on small files (some KB).
>     With bigger files the sig doesn't match, and if I search for those
>     files in the files-json.log I see that they are always truncated (even
>     though I can read the file with no problems). I even tried to increase
>     the timeouts in the flow-timeouts section of the suricata.yaml without
>     success.
> 
>     Does anybody have this problem or know how to solve it?
> 
>     Thanks,
> 
>     Miso Mijatovic
> 
>     _______________________________________________
>     Suricata IDS Users mailing list:
>     oisf-users at openinfosecfoundation.org
>     <mailto:oisf-users at openinfosecfoundation.org>
>     Site: http://suricata-ids.org | Support:
>     http://suricata-ids.org/support/
>     List:
>     https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>     Suricata User Conference November 4 & 5 in Barcelona:
>     http://oisfevents.net
> 
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
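As an added example (not part of this thread), a small POSIX shell helper that reads the output of `ethtool -k <iface>` and prints the `ethtool -K` commands needed to switch off the offload features Coop refers to; the interface name eth1 and the sample `ethtool -k` output are constructed.

```shell
# Added example: list capture-relevant NIC offload features still enabled and
# print the commands to turn them off. GRO/LRO/TSO/GSO merge or split frames
# before the sniffer sees them, which is how files end up "truncated" in the log.

# Map an `ethtool -k` long feature name to its `ethtool -K` short flag.
offload_flag() {
    case "$1" in
        rx-checksumming)              echo rx ;;
        tx-checksumming)              echo tx ;;
        scatter-gather)               echo sg ;;
        tcp-segmentation-offload)     echo tso ;;
        udp-fragmentation-offload)    echo ufo ;;
        generic-segmentation-offload) echo gso ;;
        generic-receive-offload)      echo gro ;;
        large-receive-offload)        echo lro ;;
    esac
}

# Read `ethtool -k` output on stdin; print the flag of every mapped feature
# that is "on". "[fixed]" features cannot be changed, so they are skipped.
offloads_still_on() {
    while IFS= read -r line; do
        case "$line" in *'[fixed]'*) continue ;; esac
        name=${line%%:*}
        state=${line#*: }
        state=${state%% *}
        [ "$state" = "on" ] || continue
        offload_flag "$name"
    done
}

# Print one `ethtool -K` command per feature still on, for interface $1.
disable_commands() {
    for f in $(offloads_still_on); do
        echo "ethtool -K $1 $f off"
    done
}

# Constructed sample of `ethtool -k eth1` output (not captured from a real box).
SAMPLE='Features for eth1:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on'
```

Run it against a live box with `ethtool -k eth1 | disable_commands eth1` and review the output before executing it; the sample run `printf '%s\n' "$SAMPLE" | disable_commands eth1` prints six commands (rx, tx, sg, tso, gso, gro).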
