https://redmine.openinfosecfoundation.org/ | Open Information Security Foundation | updated 2018-03-05T15:55:15Z
Suricata - Support #2453: Big flows are splitted | https://redmine.openinfosecfoundation.org/issues/2453?journal_id=9539 | 2018-03-05T15:55:15Z | Andreas Herz, oisf@herzandreas.de
<ul><li><strong>Assignee</strong> set to <i>OISF Dev</i></li><li><strong>Target version</strong> set to <i>TBD</i></li></ul>
Suricata - Support #2453: Big flows are splitted | https://redmine.openinfosecfoundation.org/issues/2453?journal_id=9540 | 2018-03-07T08:34:21Z | Victor Julien, victor@inliniac.net
<p>This seems to work as expected. Stream data is inspected in chunks, and you won't get the whole data unless it's very small.</p>
Suricata - Support #2453: Big flows are splitted | https://redmine.openinfosecfoundation.org/issues/2453?journal_id=9541 | 2018-03-07T10:47:27Z | Anonymous
<p>I should have written more information :/</p>
<p>This is the related part of my yaml:</p>
<pre><code class="yaml syntaxhl" data-language="yaml">stream:
  memcap: 2gb
  checksum-validation: yes
  prealloc-sessions: 2k
  inline: auto
  reassembly:
    memcap: 1gb
    depth: 0
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
</code></pre>
<p>And the "sub-file" sizes are something like 16 KB, 25 KB, 8 KB, etc.</p>
<p>I understand the inspection by chunks, but I don't understand the connection between the config sizes and the sizes I'm getting...</p>
Suricata - Support #2453: Big flows are splitted | https://redmine.openinfosecfoundation.org/issues/2453?journal_id=12856 | 2019-07-09T18:46:13Z | Andreas Herz, oisf@herzandreas.de
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li></ul><p>Sorry for the late reply.</p>
<p>1. Is there a reason why depth is set to 0?<br />2. Could you try to create a pcap for that so we can try to reproduce that?</p>
Suricata - Support #2453: Big flows are splitted | https://redmine.openinfosecfoundation.org/issues/2453?journal_id=12857 | 2019-07-09T18:46:18Z | Andreas Herz, oisf@herzandreas.de
<ul><li><strong>Target version</strong> changed from <i>TBD</i> to <i>Support</i></li></ul>
Suricata - Support #2453: Big flows are splitted | https://redmine.openinfosecfoundation.org/issues/2453?journal_id=13711 | 2019-09-23T21:33:16Z | Andreas Herz, oisf@herzandreas.de
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Closed</i></li></ul><p>Hi, we're closing this issue since there have been no further responses. If you think this bug is still relevant, try to test it again with the most recent version of Suricata and reopen the issue. If you want to improve the bug report please take a look at <a class="external" href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs</a></p>