[Oisf-users] file truncated

Miso Mijatovic mmijatovic at sorint.it
Wed Apr 22 11:02:17 UTC 2015


i increased the stream memcap and the reassembly memcap first to 512mb and 1024mb and then to 1024mb and 2048mb. I also turned off md5 calculation in file-store and file-log and last i put a cap on stream.reassembly.depth, i tried 1mb 10mb 20mb.
The news is that i sometimes get alerts matching files md5, but only for small files (30/40 kb). However it seems i get these alerts regardless of the values of depth and md5 calculation.

Miso Mijatovic

----- Messaggio originale -----
Da: "Peter Manev" <petermanev at gmail.com>
A: "Miso Mijatovic" <mmijatovic at sorint.it>
Cc: "Cooper F. Nelson" <cnelson at ucsd.edu>, oisf-users at lists.openinfosecfoundation.org
Inviato: Mercoledì, 22 aprile 2015 9:18:06
Oggetto: Re: [Oisf-users] file truncated

On Tue, Apr 21, 2015 at 6:05 PM, Miso Mijatovic <mmijatovic at sorint.it> wrote:
> Hi,
>> Have you done any tuning of the suricata.yaml?
> yes, in addition to
> stream.checksum_validation no
> stream.reassembly.depth 0
> libhtp.default-config.request-body-limit 0
> libhtp.default-config.response-body-limit 0
> i commented the part about eth0 in the afpacket section because it is not a traffic interface;
> i enabled the file-store (with force md5,force magic and waldo) and file-log (with force md5 and force magic);

For starters i think those are low -
> i increased the stream memcap from default 32mb to 128mb;

I think you can try setting this to 512mb

> i decreased the reassembly memcap from default 128mb to 64mb.

and this to 1024mb

>> What type of traffic and how much of it are you inspecting on what HW ?
> I am inspecting 80/90 Mb of clients normal internet traffic, my hw have 12 Gb RAM on 8 processors.

you should also try the other suggestions on this thread (putting a
cap on stream.reassembly.depth and limiting the stream gaps and memcap

> Regards,
> Miso Mijatovic

Peter Manev

More information about the Oisf-users mailing list