[Oisf-users] Truncated files

Piquenot, Gaetan gaetan.piquenot at airbus.com
Wed Oct 24 08:53:20 UTC 2018


> From what I can see - even Wireshark does not report an HTTP file present
> (This is the way I checked: File->Export Objects->HTTP..) and reports
> "unseen segments". Suricata reports a reassembly gap as well as 2 alerts
> (archive over http but the files are truncated in flight).
>
> Can you extract the actual file captured by Moloch (MAL140_7ZIP) and
> compare the sha256 of the extracted/downloaded file and the one that
> is served by the http server - would they match?

Sorry for the late response, I will relaunch the test. I suspect I am having an issue with SSL Broker.

Thanks for your time


Regards.

--
Gaëtan Piquenot







-----Original Message-----
From: Peter Manev [mailto:petermanev at gmail.com] 
Sent: Monday, October 15, 2018 8:31 AM
To: Piquenot, Gaetan
Cc: Open Information Security Foundation
Subject: Re: [Oisf-users] Truncated files

On Fri, Oct 12, 2018 at 10:41 AM Piquenot, Gaetan
<gaetan.piquenot at airbus.com> wrote:
>
> > Still things can be different.
> > Is the NIC set up and config (ethtool -k ethxxx ) exactly the same for
> > both VMs ?
> We use vmxnet3 for our interface. Both outputs are the same: everything is off except highdma and rx-vlan-filter.
>
>

From what I can see - even Wireshark does not report an HTTP file present
(This is the way I checked: File->Export Objects->HTTP..) and reports
"unseen segments". Suricata reports a reassembly gap as well as 2 alerts
(archive over http but the files are truncated in flight).

Can you extract the actual file captured by Moloch (MAL140_7ZIP) and
compare the sha256 of the extracted/downloaded file and the one that
is served by the http server - would they match?

Thank you

-- 
Regards,
Peter Manev
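Added example, not part of the original thread: the sha256 comparison suggested above, extended to say whether a mismatching extracted file is a clean prefix of the served file (truncated in flight) or departs from it mid-stream (as a reassembly gap would cause). compare_extracted and the sample bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def common_prefix_len(path_a, path_b):
    """Number of leading bytes the two files share."""
    offset = 0
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while True:
            ca, cb = a.read(CHUNK), b.read(CHUNK)
            n = min(len(ca), len(cb))
            if ca[:n] != cb[:n]:
                return offset + next(k for k in range(n) if ca[k] != cb[k])
            offset += n
            if n < CHUNK:          # one side (or both) reached EOF
                return offset

def compare_extracted(served_path, extracted_path):
    """Hypothetical helper: classify the extracted file against the served one."""
    served, got = sha256_file(served_path), sha256_file(extracted_path)
    s_size, e_size = os.path.getsize(served_path), os.path.getsize(extracted_path)
    info = {"served_sha256": served, "extracted_sha256": got,
            "served_size": s_size, "extracted_size": e_size}
    if served == got:
        return dict(info, verdict="match", offset=None)
    prefix = common_prefix_len(served_path, extracted_path)
    # A pure truncation is a shorter file whose every byte matches the original.
    verdict = "truncated" if prefix == e_size < s_size else "diverged"
    return dict(info, verdict=verdict, offset=prefix)

def demo():
    # Constructed data: a "served" file, a cut-off copy, and a copy with a zeroed gap.
    served = bytes(range(256)) * 1000
    cases = {"full": served, "cut": served[:100000],
             "gap": served[:100000] + b"\x00" * 1000 + served[101000:]}
    with tempfile.TemporaryDirectory() as d:
        for name, data in cases.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return {n: compare_extracted(os.path.join(d, "full"), os.path.join(d, n))
                for n in cases}

if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r["verdict"], r["offset"], r["extracted_sha256"][:16])
```

The offset reported for a "diverged" result is the byte position in the file body where the extracted copy first departs from the served one.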

