Bug #1016 (closed)
Suricata Only Captures And Stores The First ~4900 bytes of a file.
Description
Hi there,
Whenever Suricata tries to extract a file from live network traffic it only extracts roughly the first 4900 bytes, leaving me with corrupt files.
Here are the details of my setup:
I have the Suricata 2.0beta1 release
This is Suricata version 2.0beta1 RELEASE
I have changed my libhtp config:
libhtp:
  default-config:
    personality: IDS
    request-body-limit: 0
    response-body-limit: 0
    request-body-minimal-inspect-size: 32kb
    request-body-inspect-window: 8kb
    response-body-minimal-inspect-size: 32kb
    response-body-inspect-window: 8kb
And the stream config:
stream:
  memcap: 128mb
  checksum-validation: no
  inline: auto
  reassembly:
    memcap: 64mb
    depth: 32mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
Here is my file capture config:
  - file-store:
      enabled: yes
      log-dir: files
      force-magic: no
      force-md5: no
  - file-log:
      enabled: yes
      filename: files-json.log
      append: yes
      force-magic: no
      force-md5: no
I'm running a single rule as per the wiki:
alert http any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:3; rev:1;)
The alert fires correctly when I download a pdf. But the file I get as "file.1" is only ~4900 bytes long every time; all the meta information is correct and the pdf downloads correctly to my workstation. I have tried this with flow:established,to_client, with the same result. I have also tried it with image files and get the same result and the same file sizes.
I have followed all the tutorials. What do I have to do to fix this, or is this an issue that has been fixed in later releases?
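An added diagnostic, not part of this bug report or of Suricata itself, that walks a file-store directory and flags extractions whose on-disk size disagrees with the recorded SIZE or whose STATE is not CLOSED, which is how the truncation described above shows up. It assumes the file.N.meta companion layout of Suricata's file-store ("KEY: value" lines including STATE and SIZE); that layout and the demo data are assumptions, not taken from the report.

```python
import os
import re
import tempfile

# Meta layout assumed here (modelled on Suricata's file.N.meta companions, an
# assumption, not from the report): "KEY: value" lines incl. STATE and SIZE.
META_LINE = re.compile(r"^([A-Z ]+?):\s*(.*)$")

def parse_meta(text):
    """Parse a file.N.meta body into a dict keyed by the upper-case field name."""
    fields = {}
    for line in text.splitlines():
        m = META_LINE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def check_store(log_dir):
    """Return (name, state, logged_size, disk_size, verdict) for every file.N."""
    results = []
    for name in sorted(os.listdir(log_dir)):
        if not re.fullmatch(r"file\.\d+", name):
            continue
        path = os.path.join(log_dir, name)
        disk_size = os.path.getsize(path)
        meta_path = path + ".meta"
        if not os.path.exists(meta_path):
            results.append((name, None, None, disk_size, "no-meta"))
            continue
        with open(meta_path) as fh:
            meta = parse_meta(fh.read())
        state = meta.get("STATE")
        logged = int(meta["SIZE"]) if meta.get("SIZE", "").isdigit() else None
        if state != "CLOSED":
            verdict = "not-closed"  # TRUNCATED/ERROR: extraction did not finish
        elif logged is not None and logged != disk_size:
            verdict = "size-mismatch"  # the ~4900-byte symptom from the report
        else:
            verdict = "ok"
        results.append((name, state, logged, disk_size, verdict))
    return results

def demo():
    """Constructed sample (not real capture data): 4900 bytes on disk, meta says 120000."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "file.1"), "wb") as fh:
        fh.write(b"%PDF-1.4" + b"\0" * (4900 - 8))
    with open(os.path.join(d, "file.1.meta"), "w") as fh:
        fh.write("MAGIC: PDF document\nSTATE: CLOSED\nSIZE: 120000\n")
    return check_store(d)
```

Point check_store at your file-store log-dir; any "size-mismatch" or "not-closed" row is an extraction you should not trust for analysis.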