[Oisf-users] Fwd: File Extraction issues

Cooper F. Nelson cnelson at ucsd.edu
Wed Aug 2 17:50:18 UTC 2017


Hi Jeremy,

I've been reviewing my file extraction logs and it definitely appears
that there is an issue where some http servers result in truncated
files consistently.  I'm hazarding a guess it may be due to some HTTP
1.1 feature (like chunked encoding) not being fully supported on libhtp.

However, I tried getting a similar file (the one you referenced was
404'ed) and didn't see anything unusual:

> GET /2015/icelandic/dictionary.pdf HTTP/1.1.
> Host: css4.pub.
> User-Agent: curl/7.54.1.
> Accept: */*.
>
> HTTP/1.1 200 OK.
> Date: Wed, 02 Aug 2017 17:46:15 GMT.
> Server: Apache.
> Last-Modified: Wed, 15 Apr 2015 22:30:49 GMT.
> ETag: "542b36-513cae6241840".
> Accept-Ranges: bytes.
> Content-Length: 5516086.
> Content-Type: application/pdf.

As an aside, you might try upgrading to the most recent suricata release
(4.0) and seeing if that fixes the issue.

-Coop

On 7/24/2017 11:25 AM, Jeremy A. Grove wrote:
> I am using AF-packet with the below options.
>
>   - interface: eth0
>     threads: auto
>     cluster-id: 99
>     cluster-type: cluster_flow
>     defrag: yes
>     checksum-checks: kernel
>   - interface: eth1
>     threads: auto
>     cluster-id: 98
>     cluster-type: cluster_flow
>     defrag: yes
>   - interface: eth2
>     threads: auto
>     cluster-id: 97
>     cluster-type: cluster_flow
>     defrag: yes
>   - interface: eth3
>     threads: auto
>     cluster-id: 96
>     cluster-type: cluster_flow
>     defrag: yes
>
> Jeremy Grove, SSCP
> Senior Information Security Analyst
> Quadrant Information Security
> o: (904)296-9100 x100
> t: (800) 538-9357 x100
> e: soc at quadrantsec.com
>
> Learn more about our managed SIEM people + product
> <https://a.quadrantsec.com/3D%22https://quadrantsec.com/SaganMSSP%22>


-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
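One way to test the "some servers truncate consistently" hypothesis from the logs rather than by eyeballing them: group Suricata EVE fileinfo events by HTTP hostname and look for hosts where every extracted file ended TRUNCATED or short of the declared Content-Length. This is an added example, not code from the thread or from the Suricata project; the sample eve.json lines are constructed, and the EVE field names (`fileinfo.state`, `fileinfo.size`, `http.hostname`, `http.length`) are assumed to match the 4.0 schema, so check them against your own eve.json.

```python
"""Triage Suricata eve.json fileinfo events for per-server truncation."""
import json
from collections import defaultdict

# Constructed sample eve.json lines (not from the thread). Field names follow the
# EVE fileinfo/http schema as assumed for Suricata 4.0; adjust if yours differ.
SAMPLE_EVE = """\
{"event_type":"fileinfo","http":{"hostname":"css4.pub","length":5516086},"fileinfo":{"filename":"/2015/icelandic/dictionary.pdf","state":"CLOSED","size":5516086,"stored":true}}
{"event_type":"fileinfo","http":{"hostname":"chunky.example","length":0},"fileinfo":{"filename":"/a.pdf","state":"TRUNCATED","size":131072,"stored":true}}
{"event_type":"fileinfo","http":{"hostname":"chunky.example","length":0},"fileinfo":{"filename":"/b.pdf","state":"TRUNCATED","size":65536,"stored":true}}
{"event_type":"fileinfo","http":{"hostname":"short.example","length":204800},"fileinfo":{"filename":"/c.exe","state":"CLOSED","size":102400,"stored":true}}
{"event_type":"http","http":{"hostname":"ignored.example"}}
"""


def parse_fileinfo(text):
    """Return (hostname, state, extracted_size, declared_length) per fileinfo event."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "fileinfo":
            continue  # skip http/alert/flow events
        http, fi = ev.get("http", {}), ev["fileinfo"]
        records.append((http.get("hostname", "?"), fi.get("state"),
                        fi.get("size", 0), http.get("length")))
    return records


def summarize_by_host(records):
    """Per host: files seen, TRUNCATED by state, short of Content-Length, and either."""
    stats = defaultdict(lambda: {"files": 0, "truncated": 0, "short": 0, "bad": 0})
    for host, state, size, declared in records:
        s = stats[host]
        s["files"] += 1
        truncated = state != "CLOSED"
        # A 0/None length means no Content-Length (e.g. chunked); nothing to compare.
        short = bool(declared) and size < declared
        s["truncated"] += truncated
        s["short"] += short
        s["bad"] += truncated or short
    return dict(stats)


def consistent_offenders(stats, min_files=2):
    """Hosts where every extracted file was bad: points at a server/parser issue."""
    return sorted(h for h, s in stats.items()
                  if s["files"] >= min_files and s["bad"] == s["files"])
```

Feed real data with `parse_fileinfo(open("eve.json").read())`; hosts that only ever produce bad files are the ones worth capturing a pcap from to see whether the response is chunked.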
