[Oisf-users] Truncated files

Peter Manev petermanev at gmail.com
Thu Oct 11 08:39:53 UTC 2018 

On Wed, Oct 10, 2018 at 11:11 AM Piquenot, Gaetan
<gaetan.piquenot at airbus.com> wrote:
>
> Hello,
>
> I looked again and It appears my modification are more damaging the PCAP than I thought. Can I send it to you directly ?
>

Yes sure!

> The one which is called session_mal140_7zip is from Moloch, the other one is from Suricata.
>
> Both Suricata and Moloch are ESX VM and I can't use ethool to disable offloading, I will try to find a way. But I'm surprised moloch can see the file where suricata see truncated file because they both had the same network conf.

If you can extract the pcap that Moloch has  - it would be best for
review/feedback. Are Moloch and Suricata listening on the same
machine/interface?

>
> The default-packet-size is commented, so I assume is using the default value 1514 ?
>

Unless the MTU is adjusted. You should have some info when starting in
verbose mode - "-vvv".

Thank you

> Cordialement.
>
> --
> Gaëtan Piquenot
>
>
>
> This document, technology or software
> does not contain French national dual-use or military controlled data nor US
> national dual-use or military controlled data.
>
>
>
> -----Original Message-----
> From: Peter Manev [mailto:petermanev at gmail.com]
> Sent: Wednesday, October 10, 2018 9:57 AM
> To: Piquenot, Gaetan
> Cc: Open Information Security Foundation
> Subject: Re: [Oisf-users] Truncated files
>
> On Tue, Oct 9, 2018 at 1:07 PM Piquenot, Gaetan
> <gaetan.piquenot at airbus.com> wrote:
> >
> >
> > Yes here the link: https://we.tl/t-g2aOPU46JS
> > It contains conf, logs, file samples and pcap anonymized with scapy (DNS response are invalid though but HTTP request should be ok), I'm in 4.0.5 with filestore version 1
> >
>
> Thank you for the information.
> Looking at it through Wireshark as well though - it is many files as
> compared to one big one (if that is what you are after i suspect).
> There are some info notes too - "[Packet size limited during capture:
> HTTP truncated]".
> Is that the pcap extracted from Moloch or the pcap captured on the
> sniffing interface where Suricata runs?
> Couple of other things you may need to confirm/look at : if you have
> all NIC offloading disabled and the default packet size in
> suricata.yaml
>
> Thanks
>
> > Regards.
> >
> > --
> > Gaëtan Piquenot
> >
> >
> >
> > This document, technology or software
> > does not contain French national dual-use or military controlled data nor US
> > national dual-use or military controlled data.
> >
> >
> >
> > -----Original Message-----
> > From: Peter Manev [mailto:petermanev at gmail.com]
> > Sent: Tuesday, October 09, 2018 11:20 AM
> > To: Piquenot, Gaetan
> > Cc: Open Information Security Foundation
> > Subject: Re: [Oisf-users] Truncated files
> >
> > On Tue, Oct 9, 2018 at 10:54 AM Piquenot, Gaetan
> > <gaetan.piquenot at airbus.com> wrote:
> > >
> > > Hello,
> > >
> > >
> > >
> > > I use Suricata to extract files from http/s and sometimes some files are truncated, even with stream depth and http body unlimited. Aside I use Moloch to capture all traffic and it see all files and can extract them. Are there any parameters I can tweak to avoid this issue ?
> > >
> >
> > Hi,
> >
> > Can you share an example pcap reproducing the case?
> > Which suricata version do you use? Which filestore version?
> >
> > Thank you
> > >
> > >
> > > Cordialement.
> > >
> > >
> > >
> > > --
> > >
> > > Gaëtan Piquenot
> > >
> > > Ingénieur SSI
> > >
> > > Airbus CyberSecurity
> > >
> > >
> > >
> > > T +33 (0)1 61 38 50 57
> > >
> > > E gaetan.piquenot at airbus.com
> > >
> > >
> > >
> > > Airbus CyberSecurity
> > >
> > > 1 Boulevard Jean Moulin, CS 40001
> > >
> > > 78996 Elancourt Cedex
> > >
> > > France
> > >
> > >
> > >
> > > This document, technology or software does not contain French national dual-use or military controlled data nor US national dual-use or military controlled data.
> > >
> > >
> > >
> > > The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised.
> > > If you are not the intended recipient, please notify Airbus immediately and delete this e-mail.
> > > Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately.
> > > All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.
> > > _______________________________________________
> > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > >
> > > Conference: https://suricon.net
> > > Trainings: https://suricata-ids.org/training/
> >
> >
> >
> > --
> > Regards,
> > Peter Manev
> > The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised.
> > If you are not the intended recipient, please notify Airbus immediately and delete this e-mail.
> > Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately.
> > All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.
>
>
>
> --
> Regards,
> Peter Manev
> The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised.
> If you are not the intended recipient, please notify Airbus immediately and delete this e-mail.
> Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately.
> All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.



-- 
Regards,
Peter Manev

More information about the Oisf-users mailing list