[Oisf-users] Truncated files

Piquenot, Gaetan gaetan.piquenot at airbus.com
Tue Oct 9 11:06:45 UTC 2018


Yes, here is the link: https://we.tl/t-g2aOPU46JS
It contains the conf, logs, file samples and a pcap anonymized with scapy (the DNS responses are invalid, though, but the HTTP requests should be OK). I'm on 4.0.5 with filestore version 1.

Regards.

--
Gaëtan Piquenot



This document, technology or software
does not contain French national dual-use or military controlled data nor US
national dual-use or military controlled data.



-----Original Message-----
From: Peter Manev [mailto:petermanev at gmail.com] 
Sent: Tuesday, October 09, 2018 11:20 AM
To: Piquenot, Gaetan
Cc: Open Information Security Foundation
Subject: Re: [Oisf-users] Truncated files

On Tue, Oct 9, 2018 at 10:54 AM Piquenot, Gaetan
<gaetan.piquenot at airbus.com> wrote:
>
> Hello,
>
>
>
> I use Suricata to extract files from http/s, and sometimes some files are truncated, even with stream depth and http body unlimited. Aside, I use Moloch to capture all traffic, and it sees all files and can extract them. Are there any parameters I can tweak to avoid this issue?
>

Hi,

Can you share an example pcap reproducing the case?
Which Suricata version do you use? Which filestore version?

Thank you
>
>
> Regards.
>
>
>
> --
>
> Gaëtan Piquenot
>
> Information Systems Security Engineer
>
> Airbus CyberSecurity
>
>
>
> T +33 (0)1 61 38 50 57
>
> E gaetan.piquenot at airbus.com
>
>
>
> Airbus CyberSecurity
>
> 1 Boulevard Jean Moulin, CS 40001
>
> 78996 Elancourt Cedex
>
> France
>
>
>
> The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised.
> If you are not the intended recipient, please notify Airbus immediately and delete this e-mail.
> Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately.
> All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.



-- 
Regards,
Peter Manev

