[Oisf-users] file truncated
Cooper F. Nelson
cnelson at ucsd.edu
Mon Apr 20 16:49:12 UTC 2015
This is usually because you did not disable all the NIC offloading features:
> http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
-Coop
On 4/20/2015 8:44 AM, Miso Mijatovic wrote:
> Sorry, I forgot to say I have already tried and haven't seen any alert.
> I check for the alerts on Kibana.
>
>
> ------------------------------------------------------------------------
> *From: *"Peter Manev" <petermanev at gmail.com>
> *To: *"Miso Mijatovic" <mmijatovic at sorint.it>
> *Cc: *oisf-users at lists.openinfosecfoundation.org
> *Sent: *Monday, 20 April 2015 17:34:52
> *Subject: *Re: [Oisf-users] file truncated
>
>
>
> On 20 apr 2015, at 17:12, Miso Mijatovic <mmijatovic at sorint.it
> <mailto:mmijatovic at sorint.it>> wrote:
>
> Hi,
>
> I need to set up an MD5 blacklist using Suricata 2.1beta3 on SELKS. I
> wrote a rule to try:
>
> alert http any any -> any any (msg:"CHECK file MD5";
> filemd5:md5list.txt; gid:10000; sid:1200002; rev:1;)
>
> In md5list.txt I have only the MD5 of the file I am trying to check.
> I followed the instructions on this page
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
> and set up the suricata.yaml:
> /stream.checksum_validation/ yes
>
>
> Can you try with
> /stream.checksum_validation/ no
> ?
> Thanks
>
>
> /stream.reassembly.depth/ 0
> /libhtp.default-config.request-body-limit /0
> /libhtp.default-config.response-body-limit/ 0 (the server part is
> commented)
>
> I used the rule to match some PDFs (for example the one at this page
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5) and
> I noticed that the signature matches only on small files (some KB).
> With bigger files the sig doesn't match, and if I search for those
> files in the files-json.log I see that they are always truncated (even if
> I can read the file with no problems). I even tried to increase the
> timeouts in the flow-timeouts section of the suricata.yaml without
> success.
>
> Does anybody have this problem or know how to solve it?
>
> Thanks,
>
> Miso Mijatovic
>
> _______________________________________________
> Suricata IDS Users mailing list:
> oisf-users at openinfosecfoundation.org
> <mailto:oisf-users at openinfosecfoundation.org>
> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
>
>
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
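The cause Coop points to is NIC offloading: GRO/LRO/TSO/GSO hand the capture engine reassembled segments larger than anything on the wire, and file extraction then sees truncated data. As an added example that is not part of this thread, the script below reads `ethtool -k` output, flags the offload features still enabled, and prints the `ethtool -K` command that turns them off; the feature list and the sample output are assumed and constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the thread): audit the offload features that
# `ethtool -k <iface>` reports and build the `ethtool -K` fix.
# Features a capture interface normally wants off, as
# "long name printed by ethtool -k:short keyword taken by ethtool -K"
# (assumed list; extend it for your driver).
OFFLOADS="rx-checksumming:rx tx-checksumming:tx scatter-gather:sg
tcp-segmentation-offload:tso generic-segmentation-offload:gso
generic-receive-offload:gro large-receive-offload:lro"

# Constructed sample of `ethtool -k` output for a NIC left at its
# defaults (sample text, not taken from a real host).
SAMPLE_ETHTOOL_K='Features for eth1:
rx-checksumming: on
tx-checksumming: on
        tx-checksum-ipv4: off [fixed]
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Strip leading and trailing whitespace.
trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }
# Read `ethtool -k` text on stdin; print the -K keyword of every listed
# feature that is still "on". "on [fixed]" is printed too: the driver
# cannot change it, so that NIC needs a different driver or card.
offloads_still_on() {
    while IFS= read -r line; do
        name=$(trim "${line%%:*}")
        value=$(trim "${line#*:}")
        for pair in $OFFLOADS; do
            [ "${pair%%:*}" = "$name" ] || continue
            case "$value" in
                on*) printf '%s\n' "${pair#*:}" ;;
            esac
        done
    done
}
# Print the single ethtool -K command that turns the flagged features
# off; print nothing when the interface is already clean.
fix_command() {
    flags=$(offloads_still_on | sed 's/$/ off/' | tr '\n' ' ')
    [ -n "$flags" ] && printf 'ethtool -K %s %s\n' "$1" "$(trim "$flags")"
    return 0
}

# Live use (needs ethtool, usually root): ethtool -k eth1 | fix_command eth1
printf '%s\n' "$SAMPLE_ETHTOOL_K" | fix_command eth1
```

Features reported as `on [fixed]` are flagged as well, since `ethtool -K` cannot turn them off and the sensor will keep seeing oversized segments until the card or driver is changed.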