[Oisf-users] file truncated

Peter Manev petermanev at gmail.com
Mon Apr 20 17:15:10 UTC 2015


On Mon, Apr 20, 2015 at 6:49 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>
> This is usually because you did not disable all the NIC offloading features:
>
>> http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

NIC offloading is already included in the wiki link that Miso
mentioned he followed -
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
(plus all offloading should be disabled by default in SELKS - only
for eth0 though)

So I assumed this is not the issue, Miso?
Are there a lot of drops/gaps in the stats.log?
What is your setup - is it entirely virtual (including the mirror technique)?


>
> - -Coop
>
> On 4/20/2015 8:44 AM, Miso Mijatovic wrote:
>> Sorry, I forgot to say I have already tried and haven't seen any alert.
>> I check for the alerts on Kibana.
>>
>>
>> ------------------------------------------------------------------------
>> *From: *"Peter Manev" <petermanev at gmail.com>
>> *To: *"Miso Mijatovic" <mmijatovic at sorint.it>
>> *Cc: *oisf-users at lists.openinfosecfoundation.org
>> *Sent: *Monday, 20 April 2015 17:34:52
>> *Subject: *Re: [Oisf-users] file truncated
>>
>>
>>
>> On 20 apr 2015, at 17:12, Miso Mijatovic <mmijatovic at sorint.it
>> <mailto:mmijatovic at sorint.it>> wrote:
>>
>>     Hi,
>>
>>     I need to set up an MD5 blacklist using Suricata 2.1beta3 on SELKS. I
>>     wrote a rule to try:
>>
>>     alert http any any -> any any (msg:"CHECK file MD5";
>>     filemd5:md5list.txt; gid:10000; sid:1200002; rev:1;)
>>
>>     In md5list.txt i have only the md5 of the file i am trying to check.
>>     I followed the instructions on this page
>>     https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
>>     and set up the suricata.yaml:
>>     stream.checksum_validation yes
>>
>>
>> Can you try with
>> stream.checksum_validation no
>> ?
>> Thanks
>>
>>
>>     stream.reassembly.depth 0
>>     libhtp.default-config.request-body-limit 0
>>     libhtp.default-config.response-body-limit 0 (the server part is
>>     commented)
>>
>>     I used the rule to match some PDFs (for example the one on this page
>>     https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5) and
>>     I noticed that the signature matches only on small files (some KB).
>>     With bigger files the sig doesn't match, and if I search for those
>>     files in the files-json.log I see that they are always truncated (even if
>>     I can read the file with no problems). I even tried to increase the
>>     timeouts in the flow-timeouts section of the suricata.yaml without
>>     success.
>>
>>     Does anybody have this problem or know how to solve it?
>>
>>     Thanks,
>>
>>     Miso Mijatovic
>>
>>     _______________________________________________
>>     Suricata IDS Users mailing list:
>>     oisf-users at openinfosecfoundation.org
>>     <mailto:oisf-users at openinfosecfoundation.org>
>>     Site: http://suricata-ids.org | Support:
>>     http://suricata-ids.org/support/
>>     List:
>>     https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>     Suricata User Conference November 4 & 5 in Barcelona:
>>     http://oisfevents.net
>>
>>
>>
>>
>>
>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042



-- 
Regards,
Peter Manev
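
A small diagnostic for the two questions the thread raises: are the extracted files ending up in the TRUNCATED state in files-json.log (in which case any md5 logged for them is a hash of a partial body and filemd5 cannot match), and does stats.log show kernel drops or TCP reassembly gaps that would explain it. This is an added example, not code from the thread, from SELKS or from the Suricata project. The log samples are constructed; the files-json.log field names, the CLOSED/TRUNCATED state values, the stats.log counter names (capture.kernel_packets, capture.kernel_drops, tcp.reassembly_gap) and the 0.1% drop threshold are assumptions based on Suricata 2.x output.

```python
import json
import re
from collections import Counter

# Constructed sample in the shape of Suricata 2.x files-json.log: one JSON object
# per extracted file. Field names and the CLOSED/TRUNCATED state values are
# assumptions about that format; adjust if your build logs them differently.
SAMPLE_FILES_LOG = """
{"timestamp": "04/20/2015-17:10:01.123456", "srcip": "192.0.2.10", "dstip": "10.0.0.5", "sp": 80, "dp": 51234, "http_host": "example.test", "http_uri": "/small.pdf", "filename": "/small.pdf", "magic": "PDF document", "state": "CLOSED", "md5": "f2a6af4f7e1a8bdfed2c4f3b9d5e0c11", "stored": false, "size": 4096}
{"timestamp": "04/20/2015-17:10:02.456789", "srcip": "192.0.2.10", "dstip": "10.0.0.5", "sp": 80, "dp": 51235, "http_host": "example.test", "http_uri": "/big.pdf", "filename": "/big.pdf", "magic": "PDF document", "state": "TRUNCATED", "md5": "0123456789abcdef0123456789abcdef", "stored": false, "size": 1048576}
{"timestamp": "04/20/2015-17:10:03.789012", "srcip": "192.0.2.10", "dstip": "10.0.0.5", "sp": 80, "dp": 51236, "http_host": "example.test", "http_uri": "/other.pdf", "filename": "/other.pdf", "magic": "PDF document", "state": "TRUNCATED", "stored": false, "size": 3145728}
"""

# Constructed sample in the shape of a Suricata 2.x stats.log dump: one
# "Counter | TM Name | Value" row per counter per thread. Counter names are
# assumptions; two capture threads are shown so the per-thread summing is visible.
SAMPLE_STATS_LOG = """
-------------------------------------------------------------------
Date: 4/20/2015 -- 17:15:10 (uptime: 0d, 00h 05m 12s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 1532930
capture.kernel_drops      | AFPacketeth01             | 20411
capture.kernel_packets    | AFPacketeth02             | 1498122
capture.kernel_drops      | AFPacketeth02             | 18007
tcp.reassembly_gap        | Detect                    | 137
tcp.segment_memcap_drop   | Detect                    | 0
tcp.ssn_memcap_drop       | Detect                    | 0
"""

STATS_ROW = re.compile(r"^\s*([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_files_log(text):
    """Parse files-json.log text into a list of dicts, skipping blank or
    half-written lines (the tail of a live log is often cut mid-object)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except ValueError:
            continue
    return records


def truncated_files(records):
    """Entries whose state is TRUNCATED: Suricata never saw the whole body, so
    an md5 logged for them covers only the bytes it did see and filemd5 cannot
    match the real file's hash."""
    return [r for r in records if r.get("state") == "TRUNCATED"]


def parse_stats_log(text):
    """Sum each counter across threads in the *last* dump of stats.log only.
    The file is appended every stats interval with cumulative counters, so
    summing the whole file would count every earlier dump again."""
    lines = text.splitlines()
    start = 0
    for i, line in enumerate(lines):
        if line.startswith("Counter") and "TM Name" in line:
            start = i + 1  # remember the most recent header
    totals = Counter()
    for line in lines[start:]:
        m = STATS_ROW.match(line)
        if m:
            totals[m.group(1)] += int(m.group(3))
    return totals


def diagnose(files_text, stats_text, drop_threshold_pct=0.1):
    """Answer both questions at once and return the figures with a list of
    findings. The drop threshold is an assumed working value, not a Suricata one."""
    records = parse_files_log(files_text)
    truncated = truncated_files(records)
    stats = parse_stats_log(stats_text)
    packets = stats.get("capture.kernel_packets", 0)
    drops = stats.get("capture.kernel_drops", 0)
    gaps = stats.get("tcp.reassembly_gap", 0)
    drop_pct = (100.0 * drops / packets) if packets else 0.0

    findings = []
    if truncated:
        biggest = max(r.get("size", 0) for r in truncated)
        findings.append("%d of %d files truncated; largest truncated file %d bytes"
                        % (len(truncated), len(records), biggest))
    if drop_pct > drop_threshold_pct:
        findings.append("kernel drops %.2f%% of packets: fix the capture path (NIC "
                        "offloading, VM mirror, ring size) before tuning extraction" % drop_pct)
    if gaps:
        findings.append("%d TCP reassembly gaps: lost segments stop stream tracking "
                        "and truncate files" % gaps)
    if truncated and drop_pct <= drop_threshold_pct and not gaps:
        findings.append("no packet loss seen: check stream.reassembly.depth and the "
                        "libhtp request-body-limit/response-body-limit values")
    return {
        "files_total": len(records),
        "files_truncated": len(truncated),
        "kernel_packets": packets,
        "kernel_drops": drops,
        "drop_pct": round(drop_pct, 3),
        "reassembly_gaps": gaps,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_FILES_LOG, SAMPLE_STATS_LOG).items():
        print("%-16s %s" % (key, value))
```

To run it against a sensor, pass the contents of files-json.log and stats.log (on SELKS the default log directory is /var/log/suricata) to diagnose(). It reads only the most recent stats dump, because the counters are cumulative and stats.log keeps every dump; if the drop percentage and the gap counter are both zero but files are still truncated, the capture is not the problem and the reassembly depth and body limits in suricata.yaml are the next thing to check, which is the order the thread takes.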


