[Oisf-users] [OT: Pedantic] file truncated

Miso Mijatovic mmijatovic at sorint.it
Mon Apr 27 16:16:05 UTC 2015


i wrote you some updates.
I sent my yaml in private to Peter Manev who responded me with a new one, the main changes where:
enabled max pending packets set to 16384
on NIC: 4 threads instead of auto, enabled mmap and ring-size
generally increased memcaps and decreased timeouts.
His cofig allowed file extraction of files of max 5mb.

I did other tests: i disabled IPV6 on eth1 with ethtool, then i ran 3 scripts i found under /opt/selks/Scripts/Tuning:
disable-interface-offloading_stamus.sh        idps-interface-tuneup_stamus  kernel-tuneup_stamus.sh
can someone give me some deepening on these scripts?

Now i often see md5 alerts some files (i tried 40k, 140k, 500k, 1m), not always, let's say 90% of my tests. Never for bigger files.
I still have reassembly gap but i don't have any invalid checksum now.

I modified the config to allow file extraction for bigger files but without success.

Peter feel free to correct me if i forgot something.


----- Messaggio originale -----
Da: "James Moe" <jimoe at sohnen-moe.com>
A: oisf-users at lists.openinfosecfoundation.org
Inviato: Venerdì, 24 aprile 2015 8:09:45
Oggetto: Re: [Oisf-users] [OT: Pedantic] file truncated

Hash: SHA1

On 04/23/2015 11:37 AM, Cooper F. Nelson wrote:
> Suricata doesn't use decimal metric prefixes, it uses binary 
> prefixes:
>>> http://en.wikipedia.org/wiki/Binary_prefix
  Which supports my assertion regarding the case sensitivity of prefixes

> It's also made clear in the yaml documentation that you can give
> it an integer in bytes.  The kb,mb,gb tag is defined within the
> scope of the suricata engine, which is fine.
  Quite so.
  It is semantically dubious in a larger context, but within the
confines of suricata's YAML documentation and usage, it is acceptable.

- -- 
James Moe
moe dot james at sohnen-moe dot com
Version: GnuPG v2

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net

More information about the Oisf-users mailing list