Bug #2005

closed

Incoherent sizes between request, capture and http length

Added by Eric Leblond about 7 years ago. Updated about 7 years ago.

Status: Closed
Priority: Normal

Description

The file size information in the fileinfo section does not match the HTTP length and the size of the stored file.

For instance in the following event:
```
{
  "timestamp": "2017-01-17T12:45:54.979958-0800",
  "flow_id": 588945285071930,
  "in_iface": "wlan0",
  "event_type": "fileinfo",
  "src_ip": "82.165.177.154",
  "src_port": 80,
  "dest_ip": "10.10.17.19",
  "dest_port": 49086,
  "proto": "TCP",
  "http": {
    "hostname": "testmyids.com",
    "url": "/CVE/AR/CVE-2010-2883.pdf",
    "http_user_agent": "Wget/1.18 (linux-gnu)",
    "http_content_type": "application/pdf",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "status": 200,
    "length": 46518
  },
  "app_proto": "http",
  "fileinfo": {
    "filename": "/CVE/AR/CVE-2010-2883.pdf",
    "state": "CLOSED",
    "md5": "e3c907b79797ecd7454bf76cc5b79196",
    "sha256": "6e8070cd974d275351a557148df0d486792541f4c3b9aec12fa065699cebebe7",
    "stored": false,
    "size": 1170,
    "tx_id": 0
  }
}
```

The file size is around 46518, not close to 1170. In this event, the hash values are correct.
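A check for this inconsistency across an EVE log, as an added example (not part of the original report and not Suricata's own code). It assumes that `http.length` and `fileinfo.size` should agree for a `CLOSED` file from an uncompressed, non-range response; the function name and the sample events are constructed here, with the first sample mirroring the event above.

```python
import json

# Constructed sample lines: the first mirrors the reported event's fields,
# the rest are made-up contrast cases (consistent, truncated, garbage, non-file).
SAMPLE_EVE = "\n".join([
    json.dumps({"event_type": "fileinfo", "flow_id": 588945285071930,
                "http": {"url": "/CVE/AR/CVE-2010-2883.pdf", "length": 46518},
                "fileinfo": {"filename": "/CVE/AR/CVE-2010-2883.pdf",
                             "state": "CLOSED", "size": 1170, "tx_id": 0}}),
    json.dumps({"event_type": "fileinfo", "flow_id": 1,
                "http": {"url": "/ok.bin", "length": 2048},
                "fileinfo": {"filename": "/ok.bin", "state": "CLOSED",
                             "size": 2048, "tx_id": 0}}),
    json.dumps({"event_type": "fileinfo", "flow_id": 2,
                "http": {"url": "/cut.bin", "length": 4096},
                "fileinfo": {"filename": "/cut.bin", "state": "TRUNCATED",
                             "size": 100, "tx_id": 0}}),
    "not json",
    json.dumps({"event_type": "http", "flow_id": 3, "http": {"length": 10}}),
])


def find_size_mismatches(lines, tolerance=0):
    """Return fileinfo events whose fileinfo.size disagrees with http.length."""
    findings = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip partial or corrupted log lines
        if not isinstance(ev, dict) or ev.get("event_type") != "fileinfo":
            continue
        info = ev.get("fileinfo", {})
        http_len = ev.get("http", {}).get("length")
        size = info.get("size")
        # Assumption: only fully tracked (CLOSED) files are expected to match.
        if info.get("state") != "CLOSED" or http_len is None or size is None:
            continue
        if abs(http_len - size) > tolerance:
            findings.append({"flow_id": ev.get("flow_id"), "tx_id": info.get("tx_id"),
                             "filename": info.get("filename"),
                             "http_length": http_len, "fileinfo_size": size,
                             "delta": http_len - size})
    return findings


if __name__ == "__main__":
    for finding in find_size_mismatches(SAMPLE_EVE.splitlines()):
        print(json.dumps(finding))
```

To run it against a real log, pass an open `eve.json` file handle as `lines`.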
