Project

General

Profile

Actions
Copy link

Bug #1573

closed

File extraction with a pcap recording on the PDF transfer, the target file is truncated into several file.x and file.x.meta, these truncated files is not enough, maybe lose some data. Suricata 2.0.9.

Added by wu qu over 8 years ago. Updated over 8 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata version: 2.0.9
OS: Ubuntu 15.04
pcap url: download by the http://pan.baidu.com/s/1mgrNMRI;
suricata.yaml: download by the attachment;
files rules: download by the attachment;

when I use suricata 2.0.9 to extract file from the traffic, the target file is truncated into several file.x and file.x.meta. So, I test suricata by using the pcap file, the result is the same. Please help me, thank you for your help.

Files

Download all files
suricata.yaml (49 KB) suricata.yaml suricata yaml wu qu, 10/07/2015 08:55 AM
files.rules (3.15 KB) files.rules files rules wu qu, 10/07/2015 08:57 AM
Actions
Copy link
 #1

Updated by wu qu over 8 years ago

eve.log: download by the http://pan.baidu.com/s/1c0mE4PM
when I check the eve.log, the http session of the pdf file is truncated into several sessions, for example:

{"timestamp":"2015-09-02T10:47:18.443313","event_type":"http","src_ip":"5.5.9.110","src_port":56731,"dest_ip":"75.119.221.109","dest_port":80,"proto":"TCP","http":{"hostname":"2014.hackitoergosum.org","url":"\/slides\/day3_suricata_netfilter_prc_eric_leblond.pdf","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/43.0.2357.132 Safari\/537.36","http_content_type":"application\/pdf","http_method":"GET","protocol":"HTTP\/1.1","status":"200","length":66880}} {"timestamp":"2015-09-02T10:47:18.443313","event_type":"fileinfo","src_ip":"75.119.221.109","src_port":80,"dest_ip":"5.5.9.110","dest_port":56731,"proto":"TCP","http":{"url":"\/slides\/day3_suricata_netfilter_prc_eric_leblond.pdf","hostname":"2014.hackitoergosum.org","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/43.0.2357.132 Safari\/537.36"},"fileinfo":{"filename":"\/slides\/day3_suricata_netfilter_prc_eric_leblond.pdf","magic":"PDF document, version 1.5","state":"TRUNCATED","stored":false,"size":66880}}

Thank you for your help!

Actions
Copy link
 #2

Updated by Victor Julien over 8 years ago

  • Status changed from New to Rejected
  • Assignee deleted (Victor Julien)
  • Target version deleted (2.0.9)

Duplicate of #1532.

Actions
Copy link
 #3

Updated by Peter Manev over 8 years ago

That could explain why is it truncated.
Can you try to reproduce that with a much smaller pcap (than 1.5GB)?

Actions
Copy link
 #4

Updated by Victor Julien over 8 years ago

Peter this ticket is closed. Respond to #1532 instead.

Actions
Copy link

Also available in: Atom PDF