Project

General

Profile

Actions

Support #2453

closed

Big flows are splitted

Added by Anonymous almost 7 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Affected Versions:
Label:

Description

Hi,

I wrote a rule to match on a specific file that I send with a tcp socket using a python script.
This rule call a lua script that write the flow data in a file.
The file size is like 500ko.

What I expected is that the rule trigger only one time on the whole tcp sessions, but it didn't.
The rule triggered many times, and each file created by the lua script is only a part of the real file.
Another strange thing is that the files does not have the same size.

Do anyone have an idea of why it is doing that ?
Thank you !

The data send is "Hello"*100000.

This is the rule :

alert ip any any -> any any (msg:"TEST"; content:"Hello"; sid:290666; luajit:test.lua;)

The lua script :


function init (args)
    local needs = {}
    needs["stream"] = tostring(true)
    return needs
end

local DIR_TEST = "/var/log/suricata/test/" 

function match (args)
    local ID = tostring(math.random(10^10, 10^(11) - 1))
    local name = SCFlowTimeString()..ID
    local data = args["stream"]

    local file = io.open(DIR_TEST..name, "w")
    file:write(data)
    file:close()

    return 1
end

return 0

Actions #1

Updated by Andreas Herz almost 7 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #2

Updated by Victor Julien almost 7 years ago

This seems to work as expected. Stream data is inspected in chunks, and you won't get the whole data unless it's very small.

Actions #3

Updated by Anonymous almost 7 years ago

I should have written more informations :/

This is the related part of my yaml:

stream:
  memcap: 2gb
  checksum-validation: yes
  prealloc-sessions: 2k
  inline: auto
  reassembly:
    memcap: 1gb
    depth: 0
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes

And the "sub-file" size are something like 16ko, 25ko, 8ko, etc

I understand the inspection by chunks but I don't understand the connection between the config sizes and the sizes I'm getting...

Actions #4

Updated by Andreas Herz over 5 years ago

  • Status changed from New to Feedback

Sorry for the late reply.

1. Is there a reason why depth is set to 0?
2. Could you try to create a pcap for that so we can try to reproduce that?

Actions #5

Updated by Andreas Herz over 5 years ago

  • Target version changed from TBD to Support
Actions #6

Updated by Andreas Herz about 5 years ago

  • Status changed from Feedback to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs

Actions

Also available in: Atom PDF