Project

General

Profile

Actions

Bug #2506

closed

filestore v1: with stream-depth not null, files are never truncated

Added by pascal delalande over 6 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using suricata 4.1 beta2 (top of git - May 30 2018), and http session with this yaml:
- file-store:
enabled: yes # set to yes to enable
log-dir: files # directory to store the files
force-magic: no # force logging magic on all stored files
force-hash: [md5]
force-filestore: yes # force storing of all files
stream-depth: 1
whatever size of attached files within HTTP session, stored files are never truncated despite stream-depth is set at a fixed small value.
Example: stream-depth set to 1, we still have meta file like:

more file.8.meta
TIME: 05/30/2018-21:58:02.767116
SRC IP: 192.168.0.26
DST IP: 212.95.74.42
PROTO: 6
SRC PORT: 54303
DST PORT: 80
APP PROTO: http
HTTP URI: /async/articles/flashs
HTTP HOST: www.lefigaro.fr
HTTP REFERER: http://www.lefigaro.fr/
HTTP USER AGENT: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
FILENAME: /async/articles/flashs
MAGIC: <unknown>
STATE: CLOSED
SIZE: 55545

{"timestamp":"2018-05-30T21:58:02.848356+0200","flow_id":1136624478607845,"in_iface":"wlan0","event_type":"fileinfo","src_ip":"212.95.74.42","src_port":80,"dest_ip":"192.168.0.26","dest_port":54303,"proto":"TCP","http":{"hostname":"www.lefigaro.fr","url":"/async/articles/flashs","http_user_agent":"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0","http_content_type":"application/json","http_refer":"http://www.lefigaro.fr/","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":14626},"app_proto":"http","fileinfo":{"filename":"/async/articles/flashs","gaps":false,"state":"CLOSED","stored":true,"file_id":8,"size":55545,"tx_id":0}}

I do think this is not the expected behavior.


Related issues 3 (0 open3 closed)

Related to Suricata - Bug #2264: file-store.stream-depth not working as expected when configured to a specfic valueClosedGiuseppe LongoActions
Related to Suricata - Bug #2495: Stream depth and filestore interactionClosedActions
Related to Suricata - Support #2369: option force-filestore generate truncated fileClosedActions
Actions #1

Updated by pascal delalande over 6 years ago

I would expect for this session, "state":"TRUNCATED".

Actions #2

Updated by Jason Ish over 6 years ago

This is really meant for increasing the depth, or disabling it (unlimited). If set to a non-zero value, it will only have affect if greater than your stream.reassembly.depth, as a certain amount of depth is required for other things to function properly.

Did you have a requirement where you only wish a portion of a file to be logged, even if more of it is in memory?

Actions #3

Updated by pascal delalande over 6 years ago

pascal delalande wrote:

Using suricata 4.1 beta2 (top of git - May 30 2018), and http session with this yaml:
- file-store:
enabled: yes # set to yes to enable
log-dir: files # directory to store the files
force-magic: no # force logging magic on all stored files
force-hash: [md5]
force-filestore: yes # force storing of all files
stream-depth: 1
whatever size of attached files within HTTP session, stored files are never truncated despite stream-depth is set at a fixed small value.
Example: stream-depth set to 1, we still have meta file like:

more file.8.meta
TIME: 05/30/2018-21:58:02.767116
SRC IP: 192.168.0.26
DST IP: 212.95.74.42
PROTO: 6
SRC PORT: 54303
DST PORT: 80
APP PROTO: http
HTTP URI: /async/articles/flashs
HTTP HOST: www.lefigaro.fr
HTTP REFERER: http://www.lefigaro.fr/
HTTP USER AGENT: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
FILENAME: /async/articles/flashs
MAGIC: <unknown>
STATE: CLOSED
SIZE: 55545

{"timestamp":"2018-05-30T21:58:02.848356+0200",....."fileinfo":{"filename":"/async/articles/flashs","gaps":false,"state":"CLOSED","stored":true,"file_id":8,"size":55545,"tx_id":0}}

I do think this is not the expected behavior.

Actions #4

Updated by pascal delalande over 6 years ago

pascal delalande wrote:

Using suricata 4.1 beta2 (top of git - May 30 2018), and http session with this yaml:
- file-store:
enabled: yes # set to yes to enable
log-dir: files # directory to store the files
force-magic: no # force logging magic on all stored files
force-hash: [md5]
force-filestore: yes # force storing of all files
stream-depth: 1
whatever size of attached files within HTTP session, stored files are never truncated despite stream-depth is set at a fixed small value.
Example: stream-depth set to 1, we still have meta file like:

more file.8.meta
TIME: 05/30/2018-21:58:02.767116
SRC IP: 192.168.0.26
DST IP: 212.95.74.42
PROTO: 6
SRC PORT: 54303
DST PORT: 80
APP PROTO: http
HTTP URI: /async/articles/flashs
HTTP HOST: www.lefigaro.fr
HTTP REFERER: http://www.lefigaro.fr/
HTTP USER AGENT: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
FILENAME: /async/articles/flashs
MAGIC: <unknown>
STATE: CLOSED
SIZE: 55545

{"timestamp":"2018-05-30T21:58:02.848356+0200","flow_id":1136624478607845,"in_iface":"wlan0","event_type":"fileinfo",../articles/flashs","gaps":false,"state":"CLOSED","stored":true,"file_id":8,"size":55545,"tx_id":0}}

I do think this is not the expected behavior.

Actions #5

Updated by pascal delalande over 6 years ago

pascal delalande wrote:

Using suricata 4.1 beta2 (top of git - May 30 2018), and http session with this yaml:
- file-store:
enabled: yes # set to yes to enable
log-dir: files # directory to store the files
force-magic: no # force logging magic on all stored files
force-hash: [md5]
force-filestore: yes # force storing of all files
stream-depth: 1
whatever size of attached files within HTTP session, stored files are never truncated despite stream-depth is set at a fixed small value.
Example: stream-depth set to 1, we still have meta file like:

more file.8.meta
TIME: 05/30/2018-21:58:02.767116
SRC IP: 192.168.0.26
DST IP: 212.95.74.42
PROTO: 6
SRC PORT: 54303
DST PORT: 80
APP PROTO: http
HTTP URI: /async/articles/flashs
HTTP HOST: www.lefigaro.fr
HTTP REFERER: http://www.lefigaro.fr/
HTTP USER AGENT: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
FILENAME: /async/articles/flashs
MAGIC: <unknown>
STATE: CLOSED
SIZE: 55545

I do think this is not the expected behavior.

Actions #6

Updated by Jason Ish over 6 years ago

Sorry, I don't think any new comment came through.

Actions #7

Updated by Victor Julien over 6 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 4.1rc2
Actions #8

Updated by Victor Julien over 6 years ago

  • Related to Bug #2264: file-store.stream-depth not working as expected when configured to a specfic value added
Actions #9

Updated by Victor Julien about 6 years ago

  • Target version changed from 4.1rc2 to 70
Actions #10

Updated by Victor Julien over 5 years ago

  • Assignee changed from Victor Julien to OISF Dev
Actions #11

Updated by Victor Julien over 5 years ago

  • Assignee changed from OISF Dev to Jeff Lucovsky
  • Target version changed from 70 to 5.0rc1
Actions #12

Updated by Victor Julien over 5 years ago

  • Related to Bug #2495: Stream depth and filestore interaction added
Actions #13

Updated by Victor Julien over 5 years ago

  • Related to Support #2369: option force-filestore generate truncated file added
Actions #14

Updated by Jason Ish about 5 years ago

I'm not sure if this is really an issue, per my original comment.

If the reassembly buffer is larger than the filestore stream depth, we have more data that we can log, so we do it. The filestore stream-depth doesn't reduce the other stream stream-depth values from stream and libhtp. Perhaps when the filestore stream-depth is less than the data available, it acts as a file size limit for logging? The name doesn't quite make sense then.

However, when this value is greater than the stream.reassembly.depth, then it does override, in which case the name does make sense.

All-in-all, the multiple places to set stream-depth are a little confusing.

Actions #15

Updated by Victor Julien about 5 years ago

Agreed. I think its a good idea to consider the various 'stream depth' settings as overrides to the master stream.reassembly.depth setting for specific protocols or operations like file storing.

I think we need to consider whether it makes sense to make this a 'increase only' override (e.g. main depth is 1MiB, file store override is 10MiB) or that we want to allow decrease as well (e.g. main depth unlimited but modbus only 10MiB). It's definitely created with the 'increase only' usecases in mind.

It's clear we need a bit of value validation as well. A setting of 1 from the example is nonsensical. A minimum value of at least a few kilobyes seems to make sense.

I think if we agree on the 'increase only' we should also validate that the overrides are in fact higher than the main setting and ignore them with a warning if they are not.

Actions #16

Updated by Victor Julien about 5 years ago

  • Target version changed from 5.0rc1 to 70
Actions #17

Updated by Jason Ish about 5 years ago

My recommendation, at least for filestore is that it is a grow only option. I don't think a filestore configuration should negatively impact stream reassembly for http inspection.

So a notice log if the file store stream depth is set less than primary stream depth.

I still wonder though if this should then be applied as a max file size? Even if the stream depth is 1mb, but the file-store.stream-depth is 500k for example, should the file extraction just stop at 500k?

Actions #18

Updated by Victor Julien about 5 years ago

Jason Ish wrote:

I still wonder though if this should then be applied as a max file size? Even if the stream depth is 1mb, but the file-store.stream-depth is 500k for example, should the file extraction just stop at 500k?

No, there is no 1 to 1 relation between stream depth and file size. HTTP bodies may have chunking, multipart, compression etc all affecting the size of the files that are transferred. It should simply remain a setting that affects the stream engines depth logic.

Actions #19

Updated by Jeff Lucovsky about 5 years ago

I think we need to consider whether it makes sense to make this a 'increase only' override (e.g. main depth is 1MiB, file store override is 10MiB) or that we want to allow decrease as well (e.g. main depth unlimited but modbus only 10MiB). It's definitely created with the 'increase only' usecases in mind.

The default value for the stream reassembly depth originates in

suricata.yaml.in
. Where is the corresponding default value for the file store override located?

Actions #20

Updated by Jason Ish about 5 years ago

Jeff Lucovsky wrote:

I think we need to consider whether it makes sense to make this a 'increase only' override (e.g. main depth is 1MiB, file store override is 10MiB) or that we want to allow decrease as well (e.g. main depth unlimited but modbus only 10MiB). It's definitely created with the 'increase only' usecases in mind.

The default value for the stream reassembly depth originates in [...]. Where is the corresponding default value for the file store override located?

There isn't one. This value only kicks in if present, and acts as an override.

Might be nice to get this cleaned up for 5.0.0 as it looks like trivial code changes, and some documentation clarification.

Actions #21

Updated by Victor Julien over 4 years ago

  • Target version changed from 70 to 6.0.0beta1

Lets start by creating a SV test to trigger this behaviour.

Actions #22

Updated by Jeff Lucovsky over 4 years ago

  • Status changed from Assigned to In Review
Actions #23

Updated by Jeff Lucovsky over 4 years ago

  • Status changed from In Review to Closed
Actions

Also available in: Atom PDF