[Oisf-users] Truncated files

Peter Manev petermanev at gmail.com
Thu Oct 11 09:34:47 UTC 2018


On Thu, Oct 11, 2018 at 11:26 AM Piquenot, Gaetan
<gaetan.piquenot at airbus.com> wrote:
>
> > Are Moloch and Suricata listening on the same machine/interface?
> They are different ESX VM but listening on the same physical interface
>

Still things can be different.
Is the NIC setup and config (ethtool -k ethxxx) exactly the same for
both VMs?

> > Unless the MTU is adjusted. You should have some info when starting in verbose mode - "-vvv".
> I join the output of the suricata command.
>

Thank you
I will check it out and feedback.

> Regards.
>
> --
> Gaëtan Piquenot
>
>
>
>
> This document, technology or software
> does not contain French national dual-use or military controlled data nor US
> national dual-use or military controlled data.
>
>
>
> -----Original Message-----
> From: Peter Manev [mailto:petermanev at gmail.com]
> Sent: Thursday, October 11, 2018 10:40 AM
> To: Piquenot, Gaetan
> Cc: Open Information Security Foundation
> Subject: Re: [Oisf-users] Truncated files
>
> On Wed, Oct 10, 2018 at 11:11 AM Piquenot, Gaetan
> <gaetan.piquenot at airbus.com> wrote:
> >
> > Hello,
> >
> > I looked again and it appears my modifications are damaging the PCAP more than I thought. Can I send it to you directly?
> >
>
> Yes sure!
>
> > The one which is called session_mal140_7zip is from Moloch, the other one is from Suricata.
> >
> > Both Suricata and Moloch are ESX VMs and I can't use ethtool to disable offloading, I will try to find a way. But I'm surprised Moloch can see the file where Suricata sees a truncated file because they both have the same network conf.
>
> If you can extract the pcap that Moloch has - it would be best for
> review/feedback. Are Moloch and Suricata listening on the same
> machine/interface?
>
> >
> > The default-packet-size is commented, so I assume it is using the default value 1514?
> >
>
> Unless the MTU is adjusted. You should have some info when starting in
> verbose mode - "-vvv".
>
> Thank you
>
> > Regards.
> >
> > --
> > Gaëtan Piquenot
> >
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: Peter Manev [mailto:petermanev at gmail.com]
> > Sent: Wednesday, October 10, 2018 9:57 AM
> > To: Piquenot, Gaetan
> > Cc: Open Information Security Foundation
> > Subject: Re: [Oisf-users] Truncated files
> >
> > On Tue, Oct 9, 2018 at 1:07 PM Piquenot, Gaetan
> > <gaetan.piquenot at airbus.com> wrote:
> > >
> > >
> > > Yes, here is the link: https://we.tl/t-g2aOPU46JS
> > > It contains conf, logs, file samples and pcap anonymized with scapy (DNS responses are invalid though, but HTTP requests should be ok). I'm on 4.0.5 with filestore version 1.
> > >
> >
> > Thank you for the information.
> > Looking at it through Wireshark as well though - it is many files as
> > compared to one big one (if that is what you are after, I suspect).
> > There are some info notes too - "[Packet size limited during capture:
> > HTTP truncated]".
> > Is that the pcap extracted from Moloch or the pcap captured on the
> > sniffing interface where Suricata runs?
> > Couple of other things you may need to confirm/look at: if you have
> > all NIC offloading disabled and the default packet size in
> > suricata.yaml
> >
> > Thanks
> >
> > > Regards.
> > >
> > > --
> > > Gaëtan Piquenot
> > >
> > >
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Peter Manev [mailto:petermanev at gmail.com]
> > > Sent: Tuesday, October 09, 2018 11:20 AM
> > > To: Piquenot, Gaetan
> > > Cc: Open Information Security Foundation
> > > Subject: Re: [Oisf-users] Truncated files
> > >
> > > On Tue, Oct 9, 2018 at 10:54 AM Piquenot, Gaetan
> > > <gaetan.piquenot at airbus.com> wrote:
> > > >
> > > > Hello,
> > > >
> > > >
> > > >
> > > > I use Suricata to extract files from http/s and sometimes some files are truncated, even with stream depth and http body unlimited. Alongside it I use Moloch to capture all traffic, and it sees all files and can extract them. Are there any parameters I can tweak to avoid this issue?
> > > >
> > >
> > > Hi,
> > >
> > > Can you share an example pcap reproducing the case?
> > > Which suricata version do you use? Which filestore version?
> > >
> > > Thank you
> > > >
> > > >
> > > > Regards.
> > > >
> > > >
> > > >
> > > > --
> > > >
> > > > Gaëtan Piquenot
> > > >
> > > > Information Systems Security Engineer
> > > >
> > > > Airbus CyberSecurity
> > > >
> > > >
> > > >
> > > > T +33 (0)1 61 38 50 57
> > > >
> > > > E gaetan.piquenot at airbus.com
> > > >
> > > >
> > > >
> > > > Airbus CyberSecurity
> > > >
> > > > 1 Boulevard Jean Moulin, CS 40001
> > > >
> > > > 78996 Elancourt Cedex
> > > >
> > > > France
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised.
> > > > If you are not the intended recipient, please notify Airbus immediately and delete this e-mail.
> > > > Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately.
> > > > All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.
> > > > _______________________________________________
> > > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > >
> > > > Conference: https://suricon.net
> > > > Trainings: https://suricata-ids.org/training/
> > >
> > >
> > >
> > > --
> > > Regards,
> > > Peter Manev
> >
> >
> >
> > --
> > Regards,
> > Peter Manev
>
>
>
> --
> Regards,
> Peter Manev



-- 
Regards,
Peter Manev
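Peter's two checks above (is the `ethtool -k` output identical on both VMs, and is all NIC offloading disabled) can be scripted. The following is an added example, not code from the thread or from the Suricata project. It parses constructed `ethtool -k` output embedded inline (the interface name `eth1` and the feature states are placeholders) and flags the receive and segmentation offloads that hand the capture engine frames larger than the wire MTU, which a `default-packet-size` of 1514 in suricata.yaml would then truncate.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Suricata project.
# Parses the output of `ethtool -k <iface>` (read on stdin) and reports the
# receive/segmentation offloads that matter for a sniffing interface. With
# GRO/LRO/TSO/GSO enabled the driver hands the capture engine frames larger
# than the wire MTU; a default-packet-size of 1514 in suricata.yaml then
# truncates them, which shows up as truncated extracted files.

# Features whose "on" state is worth flagging on a sensor interface.
OFFLOADS="generic-receive-offload large-receive-offload tcp-segmentation-offload generic-segmentation-offload"

# Print "<feature> <state>" for each offload of interest found on stdin.
# Indented sub-features (e.g. "tx-checksum-ipv4: off [fixed]") are ignored
# because their names are not in OFFLOADS.
report_offloads() {
    while IFS= read -r line; do
        case "$line" in
            *:*) ;;
            *) continue ;;   # blank or unrelated lines
        esac
        name=$(printf '%s' "${line%%:*}" | tr -d '[:space:]')
        state=$(printf '%s' "${line#*:}" | awk '{print $1}')   # drops "[fixed]"
        for want in $OFFLOADS; do
            if [ "$name" = "$want" ]; then
                printf '%s %s\n' "$name" "$state"
            fi
        done
    done
    return 0
}

# Return 0 when every offload of interest is off; otherwise list the enabled
# ones on stderr and return 1.
offloads_disabled() {
    enabled=$(report_offloads | awk '$2 == "on" {print $1}')
    if [ -n "$enabled" ]; then
        printf 'enabled offloads: %s\n' "$(printf '%s' "$enabled" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Compare two `ethtool -k` dumps (passed as strings) so a mismatch between two
# sensors is obvious. Prints "match" or both feature lists.
compare_offloads() {
    a=$(printf '%s\n' "$1" | report_offloads)
    b=$(printf '%s\n' "$2" | report_offloads)
    if [ "$a" = "$b" ]; then
        echo match
    else
        printf 'host A: %s\n' "$(printf '%s' "$a" | tr '\n' ',')"
        printf 'host B: %s\n' "$(printf '%s' "$b" | tr '\n' ',')"
    fi
}

# Constructed `ethtool -k` output for two sensors (not real captures; eth1 is a
# placeholder). Sensor A still has GRO on, sensor B has everything off.
SENSOR_A='Features for eth1:
rx-checksumming: on
tx-checksumming: on
        tx-checksum-ipv4: off [fixed]
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]'

SENSOR_B='Features for eth1:
rx-checksumming: on
tx-checksumming: on
        tx-checksum-ipv4: off [fixed]
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]'

# Stand-alone run: check each sensor, then compare them.
check_sensor() {   # $1 label, $2 dump
    if printf '%s\n' "$2" | offloads_disabled; then
        echo "sensor $1: offloads of interest are off"
    else
        echo "sensor $1: disable with e.g. 'ethtool -K eth1 gro off', then re-check"
    fi
}
check_sensor A "$SENSOR_A"
check_sensor B "$SENSOR_B"
compare_offloads "$SENSOR_A" "$SENSOR_B"
```

On a real sensor the functions read stdin, so `ethtool -k eth1 | offloads_disabled` works directly; run it on both VMs and feed the two dumps to `compare_offloads` to spot a configuration drift between the Moloch and Suricata hosts.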

