Support #1532
closedFile Extraction but truncate into several file.x and file.x.meta
Description
when I use suricata2.1beta4 to file_extraction, I used my chrome to download a PDF document, the document is 981.1kb . But the result is the pdf document truncated into several file.x (1 to 20),and these total size of the files are 1.1mb, I could not understand why. I'm poor in English, but hope you can understand what I mean.
Files
Updated by Victor Julien about 9 years ago
- Priority changed from Immediate to Normal
Are you able to reproduce this behaviour with a pcap recording on the PDF transfer?
Updated by hao chen about 9 years ago
- File files.rules files.rules added
- File suricata.yaml suricata.yaml added
I have lose some data by using Suricata 2.0.9 file extraction with a pcap recording on the PDF transfer, some of my wanted file ware truncated into several file.x and file.x.meta, these truncated files is not full.
suricata pcap url : http://pan.baidu.com/s/1i3AkDA9
Updated by hao chen about 9 years ago
this is my eve.json file url:http://pan.baidu.com/s/1dDDGPOl
Updated by Peter Manev about 9 years ago
Apologies for double posting - but i answered to the wrong ticket before.
That could explain why is it truncated.
Can you try to reproduce that with a much smaller pcap (than 1.5GB)?
Updated by hao chen about 9 years ago
before that , can you tell me my files.rules and suricata.yaml is right?
Updated by hao chen about 9 years ago
- File test2.pcap test2.pcap added
In this pcap I use chrome download four pdf, these are they size:633.1kb, 71.0kb, 793.3kb, 4.6mb, and the pdf's url are http://www.xeltek.com/software/sp5000/sp5000manual.pdf, http://www.freescale.com/files/analog/doc/data_sheet/MC145018.pdf, http://cfm.citizen.co.jp/english/product/pdf/CMJ206T.pdf, http://www.infineon.com/dgdl/TDK5110_DS_V1.1.pdf?folderId=db3a30431689f4420116a096e1db033e&fileId=db3a3043191a246301192e318df72b6f
Updated by Peter Manev about 9 years ago
Can you please try to narrow it down to one pcap/one pdf (with an md5 sum) case.
From what I am seeing there is none of the size of the pdfs that you are quoting in that pcap (I tried even looking with different file carving tools tools). There is some size but not the one that is supported to be - from what you mentioned before.
Updated by hao chen about 9 years ago
- File test3.pcap test3.pcap added
- File eve.json eve.json added
- File files-json.log files-json.log added
- File file.1.meta file.1.meta added
- File file.2.meta file.2.meta added
- File file.1 file.1 added
- File file.2 file.2 added
First, I'm sorry to make some troubles for you to explain my question and thank you very much for your patience. This time I produce a pcap with single pdf using the suricata.yaml and files.rules above. And the eve.json generated when I used suricata to read pcap. The result files is two.The pdf url is : http://www.freescale.com/files/analog/doc/data_sheet/MC145018.pdf, I used firefox to download it.
Updated by Peter Manev almost 9 years ago
I think this is very similar to - https://redmine.openinfosecfoundation.org/issues/1609
Updated by Andreas Herz about 8 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien almost 6 years ago
- Status changed from New to Closed
- Assignee deleted (
OISF Dev) - Target version deleted (
TBD)