Support #2453
closedBig flows are splitted
Description
Hi,
I wrote a rule to match on a specific file that I send with a tcp socket using a python script.
This rule call a lua script that write the flow data in a file.
The file size is like 500ko.
What I expected is that the rule trigger only one time on the whole tcp sessions, but it didn't.
The rule triggered many times, and each file created by the lua script is only a part of the real file.
Another strange thing is that the files does not have the same size.
Do anyone have an idea of why it is doing that ?
Thank you !
The data send is "Hello"*100000.
This is the rule :
alert ip any any -> any any (msg:"TEST"; content:"Hello"; sid:290666; luajit:test.lua;)
The lua script :
function init (args)
local needs = {}
needs["stream"] = tostring(true)
return needs
end
local DIR_TEST = "/var/log/suricata/test/"
function match (args)
local ID = tostring(math.random(10^10, 10^(11) - 1))
local name = SCFlowTimeString()..ID
local data = args["stream"]
local file = io.open(DIR_TEST..name, "w")
file:write(data)
file:close()
return 1
end
return 0
Updated by Andreas Herz almost 7 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien almost 7 years ago
This seems to work as expected. Stream data is inspected in chunks, and you won't get the whole data unless it's very small.
Updated by Anonymous almost 7 years ago
I should have written more informations :/
This is the related part of my yaml:
stream:
memcap: 2gb
checksum-validation: yes
prealloc-sessions: 2k
inline: auto
reassembly:
memcap: 1gb
depth: 0
toserver-chunk-size: 2560
toclient-chunk-size: 2560
randomize-chunk-size: yes
And the "sub-file" size are something like 16ko, 25ko, 8ko, etc
I understand the inspection by chunks but I don't understand the connection between the config sizes and the sizes I'm getting...
Updated by Andreas Herz over 5 years ago
- Status changed from New to Feedback
Sorry for the late reply.
1. Is there a reason why depth is set to 0?
2. Could you try to create a pcap for that so we can try to reproduce that?
Updated by Andreas Herz over 5 years ago
- Target version changed from TBD to Support
Updated by Andreas Herz about 5 years ago
- Status changed from Feedback to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs