[Oisf-users] file truncated
Peter Manev
petermanev at gmail.com
Mon Apr 20 17:15:10 UTC 2015
On Mon, Apr 20, 2015 at 6:49 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> This is usually because you did not disable all the NIC offloading features:
>
>> http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
NIC offloading is already included in the wiki link that Miso
mentioned he followed -
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
(plus all offloading should be disabled by default in SELKS - only
for eth0 though),
so I assumed this is not the issue, Miso?
Are there a lot of drops/gaps in the stats.log?
What is your setup - is it entirely virtual (including the mirror technique)?
>
> - -Coop
>
> On 4/20/2015 8:44 AM, Miso Mijatovic wrote:
>> Sorry i forgot to say i have already tried and haven't seen any alert.
>> I check for the alerts on kibana.
>>
>>
>> ------------------------------------------------------------------------
>> *From: *"Peter Manev" <petermanev at gmail.com>
>> *To: *"Miso Mijatovic" <mmijatovic at sorint.it>
>> *Cc: *oisf-users at lists.openinfosecfoundation.org
>> *Sent: *Monday, 20 April 2015 17:34:52
>> *Subject: *Re: [Oisf-users] file truncated
>>
>>
>>
>> On 20 apr 2015, at 17:12, Miso Mijatovic <mmijatovic at sorint.it
>> <mailto:mmijatovic at sorint.it>> wrote:
>>
>> Hi,
>>
>> I need to set up a black MD5 list using Suricata 2.1beta3 on SELKS. I
>> wrote a rule to try:
>>
>> alert http any any -> any any (msg:"CHECK file MD5";
>> filemd5:md5list.txt; gid:10000; sid:1200002; rev:1;)
>>
>> In md5list.txt I have only the MD5 of the file I am trying to check.
>> I followed the instructions on this page
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
>> and set up the suricata.yaml:
>> /stream.checksum_validation/ yes
>>
>>
>> Can you try with
>> /stream.checksum_validation/ no
>> ?
>> Thanks
>>
>>
>> /stream.reassembly.depth/ 0
>> /libhtp.default-config.request-body-limit /0
>> /libhtp.default-config.response-body-limit/ 0 (the server part is
>> commented)
>>
>> I used the rule to match some PDFs (for example the one at this page
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5) and
>> I noticed that the signature matches only on small files (some KB).
>> With bigger files the sig doesn't match, and if I search for those
>> files in the files-json.log I see that they are always truncated (even if
>> I can read the file with no problems). I even tried to increase the
>> timeouts in the flow-timeouts section of the suricata.yaml without
>> success.
>>
>> Does anybody have this problem or know how to solve it?
>>
>> Thanks,
>>
>> Miso Mijatovic
>>
>> _______________________________________________
>> Suricata IDS Users mailing list:
>> oisf-users at openinfosecfoundation.org
>> <mailto:oisf-users at openinfosecfoundation.org>
>> Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona:
>> http://oisfevents.net
>>
>>
>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
--
Regards,
Peter Manev
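As an added example (not from this thread or the Suricata project), a small Python triage script for the symptom discussed above: it reads files-json.log lines together with an md5list.txt-style blocklist and separates genuine blocklist hits from files Suricata logged as TRUNCATED, which a filemd5 rule can never match because the digest only ever covers the bytes that were captured. The field names (state, md5, filename, size) and all sample records are assumptions constructed for the example.

```python
import json

# Constructed sample blocklist in filemd5 format: one hex MD5 per line.
SAMPLE_MD5LIST = """# constructed blocklist
9b6f2c1d8e7a4f3b2c1d0e9f8a7b6c5d
1a2b3c4d5e6f70819a2b3c4d5e6f7081
"""

# Constructed files-json.log lines; the field names are an assumption.
SAMPLE_LOG = "\n".join([
    '{"timestamp":"2015-04-20T17:12:00+0200","filename":"/small.pdf",'
    '"state":"CLOSED","md5":"9b6f2c1d8e7a4f3b2c1d0e9f8a7b6c5d","size":2048}',
    '{"timestamp":"2015-04-20T17:12:05+0200","filename":"/big.pdf",'
    '"state":"TRUNCATED","md5":"1a2b3c4d5e6f70819a2b3c4d5e6f7081","size":1048576}',
    '{"timestamp":"2015-04-20T17:12:09+0200","filename":"/other.pdf",'
    '"state":"CLOSED","md5":"ffffffffffffffffffffffffffffffff","size":4096}',
])

def load_md5_list(text):
    """Parse an md5list.txt body: one hex digest per line; blanks and # comments are skipped."""
    return {l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def triage(log_text, blocklist):
    """Split file records into blocklist hits and truncated files.

    Only a file logged with state CLOSED was seen in full, so only its md5
    is comparable with the blocklist. A TRUNCATED record means the capture
    (reassembly depth, body limits, offloading, drops) cut the file short,
    so filemd5 cannot match it whatever its md5 field says.
    """
    hits, truncated = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("state") == "TRUNCATED":
            truncated.append(rec)
        elif rec.get("state") == "CLOSED" and (rec.get("md5") or "").lower() in blocklist:
            hits.append(rec)
    return hits, truncated

if __name__ == "__main__":
    hits, truncated = triage(SAMPLE_LOG, load_md5_list(SAMPLE_MD5LIST))
    for r in hits:
        print("blocklist hit:", r["filename"], r["md5"])
    for r in truncated:
        print("truncated (%d bytes seen), filemd5 cannot match:" % r["size"], r["filename"])
```

If the truncated list is not empty, the blocklist rule is not the problem; start with stats.log drops and the capture settings named in the thread.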