[Oisf-users] file truncated

[Miso Mijatovic]

Hi,

i increased the stream memcap and the reassembly memcap first to 512mb and 1024mb and then to 1024mb and 2048mb. I also turned off md5 calculation in file-store and file-log and last i put a cap on stream.reassembly.depth, i tried 1mb 10mb 20mb.
The news is that i sometimes get alerts matching files md5, but only for small files (30/40 kb). However it seems i get these alerts regardless of the values of depth and md5 calculation.

Regards,
Miso Mijatovic

----- Messaggio originale -----
Da: "Peter Manev" <petermanev at gmail.com>
A: "Miso Mijatovic" <mmijatovic at sorint.it>
Cc: "Cooper F. Nelson" <cnelson at ucsd.edu>, oisf-users at lists.openinfosecfoundation.org
Inviato: Mercoledì, 22 aprile 2015 9:18:06
Oggetto: Re: [Oisf-users] file truncated

On Tue, Apr 21, 2015 at 6:05 PM, Miso Mijatovic <mmijatovic at sorint.it> wrote:
> Hi,
>
>> Have you done any tuning of the suricata.yaml?
>
> yes, in addition to
>
> stream.checksum_validation no
> stream.reassembly.depth 0
> libhtp.default-config.request-body-limit 0
> libhtp.default-config.response-body-limit 0
>
> i commented the part about eth0 in the afpacket section because it is not a traffic interface;
> i enabled the file-store (with force md5,force magic and waldo) and file-log (with force md5 and force magic);

For starters i think those are low -
> i increased the stream memcap from default 32mb to 128mb;

I think you can try setting this to 512mb

> i decreased the reassembly memcap from default 128mb to 64mb.

and this to 1024mb

>
>> What type of traffic and how much of it are you inspecting on what HW ?
>
> I am inspecting 80/90 Mb of clients normal internet traffic, my hw have 12 Gb RAM on 8 processors.

you should also try the other suggestions on this thread (putting a
cap on stream.reassembly.depth and limiting the stream gaps and memcap
drops)

>
> Regards,
> Miso Mijatovic



-- 
Regards,
Peter Manev