[Oisf-users] [OT: Pedantic] file truncated

Peter Manev petermanev at gmail.com
Mon Apr 27 22:01:19 UTC 2015


On Mon, Apr 27, 2015 at 6:16 PM, Miso Mijatovic <mmijatovic at sorint.it> wrote:
> Hi,
>
> I wrote you some updates.
> I sent my yaml in private to Peter Manev, who responded to me with a new one. The main changes were:
> enabled max pending packets set to 16384
> on NIC: 4 threads instead of auto, enabled mmap and ring-size
> generally increased memcaps and decreased timeouts.
> His config allowed file extraction of files of max 5mb.
>
> I did other tests: I disabled IPv6 on eth1 with ethtool, then I ran 3 scripts I found under /opt/selks/Scripts/Tuning:
> disable-interface-offloading_stamus.sh        idps-interface-tuneup_stamus  kernel-tuneup_stamus.sh
> Can someone give me some more details on these scripts?
>
> Now I often see md5 alerts for some files (I tried 40k, 140k, 500k, 1m), not always, let's say 90% of my tests. Never for bigger files.
> I still have reassembly gaps but I don't have any invalid checksums now.
>
> I modified the config to allow file extraction for bigger files but without success.
>
> Peter, feel free to correct me if I forgot something.

I am looking into it - but from the shared pcap I see lots of previous
segment "unseen", duplicates, incorrect checksums and retransmissions -
which could explain your tcp gaps in the stats.log and not being able
to extract the file. (btw - Wireshark does not "see" the file either
in the privately shared pcap).

>
> Miso
>
> ----- Original Message -----
> From: "James Moe" <jimoe at sohnen-moe.com>
> To: oisf-users at lists.openinfosecfoundation.org
> Sent: Friday, 24 April 2015 8:09:45
> Subject: Re: [Oisf-users] [OT: Pedantic] file truncated
>
> On 04/23/2015 11:37 AM, Cooper F. Nelson wrote:
>> Suricata doesn't use decimal metric prefixes, it uses binary
>> prefixes:
>>
>> http://en.wikipedia.org/wiki/Binary_prefix
>>
>   Which supports my assertion regarding the case sensitivity of prefixes.
>
>> It's also made clear in the yaml documentation that you can give
>> it an integer in bytes.  The kb,mb,gb tag is defined within the
>> scope of the suricata engine, which is fine.
>>
>   Quite so.
>   It is semantically dubious in a larger context, but within the
> confines of suricata's YAML documentation and usage, it is acceptable.
>
> --
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net



-- 
Regards,
Peter Manev
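As an added example (not from this thread or from the Suricata project), a small Python script that sums the counters Peter points at from the newest dump in stats.log and lists which of them can explain a truncated or missing extracted file; the stats.log excerpt is constructed, and the counter names and table layout are assumed to be those of Suricata 2.x.

```python
import re
from typing import Dict, List

# Constructed stats.log excerpt in the Suricata 2.x table layout, one row per
# counter per capture thread (AFPacketeth11, AFPacketeth12). Values are made up.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 4/27/2015 -- 21:50:12 (uptime: 0d, 00h 05m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth11             | 120000
capture.kernel_drops      | AFPacketeth11             | 300
tcp.reassembly_gap        | AFPacketeth11             | 42
tcp.invalid_checksum      | AFPacketeth11             | 0
tcp.stream_depth_reached  | AFPacketeth11             | 3
capture.kernel_packets    | AFPacketeth12             | 118000
capture.kernel_drops      | AFPacketeth12             | 0
tcp.reassembly_gap        | AFPacketeth12             | 7
tcp.invalid_checksum      | AFPacketeth12             | 0
tcp.stream_depth_reached  | AFPacketeth12             | 1
"""
# counter | thread name | integer value; header and dashed lines do not match.
ROW = re.compile(r"^([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)$")

def parse_last_dump(text: str) -> Dict[str, int]:
    """Sum every counter across capture threads, using only the newest dump."""
    # stats.log appends a fresh table each interval; keep the part after the last Date: line.
    newest = text.rsplit("Date:", 1)[-1]
    totals: Dict[str, int] = {}
    for line in newest.splitlines():
        m = ROW.match(line.strip())
        if m:
            totals[m.group(1)] = totals.get(m.group(1), 0) + int(m.group(3))
    return totals

# Counters whose non-zero value explains a file that never extracts whole.
CAUSES = {
    "tcp.reassembly_gap": "segments never arrived, so the stream and any file in it has holes",
    "tcp.invalid_checksum": "bad TCP checksums, usually NIC offloading on the capture box",
    "tcp.stream_depth_reached": "stream.reassembly.depth was hit, inspection stops mid-file",
    "capture.kernel_drops": "packets dropped by the kernel before Suricata saw them",
}

def extraction_findings(totals: Dict[str, int]) -> List[str]:
    """Return one line per non-zero cause counter, in CAUSES order."""
    out = []
    for counter, why in CAUSES.items():
        n = totals.get(counter, 0)
        if n:
            out.append(f"{counter}={n}: {why}")
    return out
```

Run it against a real stats.log (`parse_last_dump(open("/var/log/suricata/stats.log").read())`) after a failed extraction; a non-zero tcp.stream_depth_reached is the counter to look at first when only large files are affected.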