Bug #1719

closed

fileinfo output wrong in eve in http

Added by Giuseppe Longo almost 9 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Similar to https://redmine.openinfosecfoundation.org/issues/1554, but this affects http in some conditions.

If you set a stream.reassembly.depth value greater than request/response-body-limit, you will get wrong output, for example:

{
  "timestamp": "2016-02-23T15:17:13.951592+0100",
  "flow_id": 43137152,
  "pcap_cnt": 7410,
  "event_type": "fileinfo",
  "src_ip": "213.186.33.24",
  "src_port": 80,
  "dest_ip": "192.168.1.61",
  "dest_port": 32864,
  "proto": "TCP",
  "http": {
    "hostname": "www.glongo.it",
    "url": "\/fipr_c.pdf",
    "http_user_agent": "Wget\/1.16 (linux-gnu)",
    "http_content_type": "application\/pdf",
    "http_method": "GET",
    "protocol": "HTTP\/1.1",
    "status": 200,
    "length": 6732473
  },
  "app_proto": "http",
  "fileinfo": {
    "filename": "\/fipr_c.pdf",
    "state": "CLOSED",
    "stored": false,
    "size": 1049292,
    "tx_id": 0
  }
}

"state":"CLOSED","stored":false should be "state":"TRUNCATED","stored":true.

It seems to me that it happens because in FileCloseFilePtr the ff->state is set to FILE_STATE_CLOSED (util-file.c:653)
instead of FILE_STATE_TRUNCATED, and in output-filedata.c the FILE_STORED flag is not set in ff->flags.

The attached file can be used to reproduce the issue with the following settings:
stream.reassembly.depth=10mb
request-body-limit=1mb
response-body-limit=1mb


Files

log.pcap.1456237015 (6.92 MB) log.pcap.1456237015 Giuseppe Longo, 02/23/2016 08:41 AM
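The inconsistency the report describes (a body larger than the configured body limit, yet a fileinfo record claiming "state":"CLOSED" and "stored":false) can be caught after the fact by checking eve.json fileinfo events against the configured limit. The following script is an added example written for this page; it is not Suricata code and not the reporter's. It assumes request/response-body-limit=1mb as in the report's settings, that file-store output is enabled for every file (so a tracked file, truncated or not, is expected to carry "stored":true), and it uses constructed eve.json lines, the first of which reproduces the record quoted above (abridged) and the second of which is the same event with the state the report says is correct.

```python
import json

# Settings from the report: request/response-body-limit=1mb.
BODY_LIMIT = 1 * 1024 * 1024
# Assumption for this example: file-store writes every tracked file, so
# "stored" is expected to be true for each fileinfo event. Set to None to
# skip the "stored" check when file storing depends on rule matches.
FORCE_FILESTORE = True

# Constructed sample eve.json content (one JSON object per line, as Suricata
# writes it). Line 1 mirrors the report's record; line 2 is the corrected
# version; line 3 is a small body fully within the limit; line 4 is an
# unrelated event type that the checker must skip.
SAMPLE_EVE = "\n".join([
    json.dumps({"timestamp": "2016-02-23T15:17:13.951592+0100", "flow_id": 43137152,
                "event_type": "fileinfo", "app_proto": "http",
                "http": {"hostname": "www.glongo.it", "url": "/fipr_c.pdf",
                         "http_content_type": "application/pdf", "status": 200,
                         "length": 6732473},
                "fileinfo": {"filename": "/fipr_c.pdf", "state": "CLOSED",
                             "stored": False, "size": 1049292, "tx_id": 0}}),
    json.dumps({"timestamp": "2016-02-23T15:17:13.951592+0100", "flow_id": 43137152,
                "event_type": "fileinfo", "app_proto": "http",
                "http": {"hostname": "www.glongo.it", "url": "/fipr_c.pdf",
                         "http_content_type": "application/pdf", "status": 200,
                         "length": 6732473},
                "fileinfo": {"filename": "/fipr_c.pdf", "state": "TRUNCATED",
                             "stored": True, "size": 1049292, "tx_id": 0}}),
    json.dumps({"timestamp": "2016-02-23T15:18:01.000000+0100", "flow_id": 43137999,
                "event_type": "fileinfo", "app_proto": "http",
                "http": {"hostname": "www.glongo.it", "url": "/small.txt",
                         "http_content_type": "text/plain", "status": 200,
                         "length": 4096},
                "fileinfo": {"filename": "/small.txt", "state": "CLOSED",
                             "stored": True, "size": 4096, "tx_id": 0}}),
    json.dumps({"timestamp": "2016-02-23T15:18:02.000000+0100", "flow_id": 43138000,
                "event_type": "alert", "app_proto": "http",
                "alert": {"signature_id": 1, "signature": "constructed test alert"}}),
])


def expected_fileinfo(http_length, size, body_limit, force_filestore):
    """Return the (state, stored) a fileinfo event should carry.

    A body longer than the inspection limit, or a tracked size smaller than
    the declared length, can only have been cut short, so the file must be
    TRUNCATED rather than CLOSED. With forced file storing the partial file
    is still written, so stored is expected to be True; None means "don't
    check stored".
    """
    truncated = http_length > body_limit or size < http_length
    state = "TRUNCATED" if truncated else "CLOSED"
    stored = True if force_filestore else None
    return state, stored


def check_fileinfo_events(eve_text, body_limit=BODY_LIMIT,
                          force_filestore=FORCE_FILESTORE):
    """Scan eve.json lines and list HTTP fileinfo events whose state/stored
    fields disagree with what the declared body length implies."""
    findings = []
    for lineno, raw in enumerate(eve_text.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            findings.append({"line": lineno, "problems": ["unparseable JSON"]})
            continue
        if ev.get("event_type") != "fileinfo" or ev.get("app_proto") != "http":
            continue
        http, fi = ev.get("http", {}), ev.get("fileinfo", {})
        length, size = http.get("length"), fi.get("size")
        if length is None or size is None:
            continue  # nothing to compare against
        exp_state, exp_stored = expected_fileinfo(length, size, body_limit,
                                                  force_filestore)
        problems = []
        if fi.get("state") != exp_state:
            problems.append("state=%r, expected %r" % (fi.get("state"), exp_state))
        if exp_stored is not None and fi.get("stored") != exp_stored:
            problems.append("stored=%r, expected %r" % (fi.get("stored"), exp_stored))
        if problems:
            findings.append({"line": lineno, "flow_id": ev.get("flow_id"),
                             "url": http.get("url"), "problems": problems})
    return findings


if __name__ == "__main__":
    for f in check_fileinfo_events(SAMPLE_EVE):
        print(f)
```

Run against a real eve.json by passing the file contents to check_fileinfo_events() with the body limit from your suricata.yaml; every reported line is a fileinfo record where the file size and declared length say the body was cut, but the state or stored flag says otherwise.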
