[Oisf-users] Truncated files

Peter Manev petermanev at gmail.com
Mon Oct 15 06:30:58 UTC 2018


On Fri, Oct 12, 2018 at 10:41 AM Piquenot, Gaetan
<gaetan.piquenot at airbus.com> wrote:
>
> > Still things can be different.
> > Is the NIC set up and config (ethtool -k ethxxx ) exactly the same for
> > both VMs ?
> We use vmxnet3 for our interface. Both outputs are the same: everything is off except highdma and rx-vlan-filter.
>
>

From what I can see, even Wireshark does not report an HTTP file present
(this is the way I checked: File->Export Objects->HTTP...) and reports
"unseen segments". Suricata reports a reassembly gap as well as 2 alerts
(archive over http, but the files are truncated in flight).

Can you extract the actual file captured by Moloch (MAL140_7ZIP) and
compare the sha256 of the extracted/downloaded file and the one that
is served by the http server - would they match?

Thank you

-- 
Regards,
Peter Manev

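One way to carry out the hash comparison suggested above, as an added example that is not part of the thread: it assumes `sha256sum` and `head -c` are available, and the demo data at the bottom is constructed, standing in for the real archive and the object Moloch carved from the capture.

```shell
#!/bin/sh
# Compare a file carved from the capture (e.g. the object Moloch extracted)
# with the copy served by the HTTP server. Prints size and sha256 of both,
# then one verdict: MATCH, TRUNCATED_PREFIX (the carved copy is byte-identical
# to the start of the served file, i.e. it was cut short in flight) or
# DIFFERENT (content diverges, so reassembly or the capture itself is suspect).
compare_capture() {
    served="$1"; captured="$2"
    served_sum=$(sha256sum "$served" | cut -d' ' -f1)
    captured_sum=$(sha256sum "$captured" | cut -d' ' -f1)
    served_len=$(wc -c < "$served" | tr -d ' ')
    captured_len=$(wc -c < "$captured" | tr -d ' ')
    printf 'served:   %8s bytes  sha256=%s\n' "$served_len" "$served_sum"
    printf 'captured: %8s bytes  sha256=%s\n' "$captured_len" "$captured_sum"
    if [ "$served_sum" = "$captured_sum" ]; then
        echo MATCH; return 0
    fi
    # A truncated transfer leaves a strict prefix of the original: compare the
    # first captured_len bytes of the served file against the carved copy.
    if [ "$captured_len" -lt "$served_len" ] &&
       head -c "$captured_len" "$served" | cmp -s - "$captured"; then
        echo TRUNCATED_PREFIX; return 1
    fi
    echo DIFFERENT; return 2
}

# Constructed demo data (not a real capture): a full "archive" and a copy
# cut off part-way through, as a truncated download would leave it.
demo_dir=$(mktemp -d)
seq 1 500 > "$demo_dir/served.bin"
head -c 1000 "$demo_dir/served.bin" > "$demo_dir/captured.bin"
compare_capture "$demo_dir/served.bin" "$demo_dir/captured.bin" || true
rm -rf "$demo_dir"
```

A MATCH verdict means the file left the server and reached the sensor intact, so any truncation is happening inside the sensor's reassembly rather than on the wire.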
