[Oisf-users] Truncated files

Peter Manev petermanev at gmail.com
Wed Oct 10 07:57:18 UTC 2018 

On Tue, Oct 9, 2018 at 1:07 PM Piquenot, Gaetan
<gaetan.piquenot at airbus.com> wrote:
>
>
> Yes here the link: https://we.tl/t-g2aOPU46JS
> It contains conf, logs, file samples and pcap anonymized with scapy (DNS response are invalid though but HTTP request should be ok), I'm in 4.0.5 with filestore version 1
>

Thank you for the information.
Looking at it through Wireshark as well though - it is many files as
compared to one big one (if that is what you are after i suspect).
There are some info notes too - "[Packet size limited during capture:
HTTP truncated]".
Is that the pcap extracted from Moloch or the pcap captured on the
sniffing interface where Suricata runs?
Couple of other things you may need to confirm/look at : if you have
all NIC offloading disabled and the default packet size in
suricata.yaml

Thanks

> Regards.
>
> --
> Gaëtan Piquenot
>
>
>
> This document, technology or software
> does not contain French national dual-use or military controlled data nor US
> national dual-use or military controlled data.
>
>
>
> -----Original Message-----
> From: Peter Manev [mailto:petermanev at gmail.com]
> Sent: Tuesday, October 09, 2018 11:20 AM
> To: Piquenot, Gaetan
> Cc: Open Information Security Foundation
> Subject: Re: [Oisf-users] Truncated files
>
> On Tue, Oct 9, 2018 at 10:54 AM Piquenot, Gaetan
> <gaetan.piquenot at airbus.com> wrote:
> >
> > Hello,
> >
> >
> >
> > I use Suricata to extract files from http/s and sometimes some files are truncated, even with stream depth and http body unlimited. Aside I use Moloch to capture all traffic and it see all files and can extract them. Are there any parameters I can tweak to avoid this issue ?
> >
>
> Hi,
>
> Can you share an example pcap reproducing the case?
> Which suricata version do you use? Which filestore version?
>
> Thank you
> >
> >
> > Cordialement.
> >
> >
> >
> > --
> >
> > Gaëtan Piquenot
> >
> > Ingénieur SSI
> >
> > Airbus CyberSecurity
> >
> >
> >
> > T +33 (0)1 61 38 50 57
> >
> > E gaetan.piquenot at airbus.com
> >
> >
> >
> > Airbus CyberSecurity
> >
> > 1 Boulevard Jean Moulin, CS 40001
> >
> > 78996 Elancourt Cedex
> >
> > France
> >
> >
> >
> > This document, technology or software does not contain French national dual-use or military controlled data nor US national dual-use or military controlled data.
> >
> >
> >
> > The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised.
> > If you are not the intended recipient, please notify Airbus immediately and delete this e-mail.
> > Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately.
> > All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
>
>
>
> --
> Regards,
> Peter Manev
> The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised.
> If you are not the intended recipient, please notify Airbus immediately and delete this e-mail.
> Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately.
> All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.



-- 
Regards,
Peter Manev

More information about the Oisf-users mailing list