Please include the following information with your help request:
- Suricata version : 6
- Operating system and/or Linux distribution : Ubuntu 20 LTS
- How you installed Suricata (from source, packages, something else) : source
Hey guys, I had to do something like this with the Suricata engine: we need to fix a file size that I need to support for further analysis by file extraction. How can this be achieved? I researched it today and, according to my knowledge, fixing the stream-depth and reassembly to somewhere around 100mb, for example, will ensure we never get a file of more than 100mb stored in the file store?
When I kept the stream-depth and reassembly.depth as 0, the files which were saved still had truncated true, I don't know why, but this time the size matched the full size of the files.
Suricata 6 is EOL, please upgrade first to Suricata 7
Thanks for the reply @Andreas_Herz. Does upgrading to version 7 fix this kind of issue? I mean, was there a patch for these issues in file extraction?
There have been many changes between 6 and 7 so even without a direct fix behavior has changed.
We can’t provide support for Suricata 6 issues anymore, thus you would have to run your tests with Suricata 7 first.
Hey, sorry for the previous message, I was wrong: the Suricata version was 7.0.8, not 6.
What I want to achieve is to have a max file size to extract from the Suricata engine, let's say 300mb. To my understanding, fixing stream-depth to 300mb is the solution, right? It will not process the 300mb TCP stream and will ignore the other part, so I will never get a file size of more than 300mb? And the other thing is, even after running pcaps and live traffic, sometimes small files get the state truncated even if the size is less than stream-depth. Is that expected behavior?
@Andreas_Herz? Any help please.
What is your setting for file-store.stream-depth?
stream.depth and file-store.stream-depth are related – a lower value of stream.depth will prevent a higher value for file-store.stream-depth from having effect (and, Suricata will issue a warning).
E.g.,
stream.depth = 100mb
file-store.stream-depth = 200mb
Here, file-store has no effect since stream.depth limits how much is collected.
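As an added example (not the poster's code and not Suricata's own), the following Python script checks the relationship described above: it reads the two depth settings from a constructed suricata.yaml fragment and reports when the file-store value can have no effect because it exceeds the reassembly depth. It assumes the keys live at stream.reassembly.depth and file-store.stream-depth (the names suricata.yaml uses), that the kb/mb/gb suffixes are powers of 1024, and that a value of 0 means unlimited; the minimal YAML reader only handles nested key: value mappings, which is all these keys need.

```python
import re

# Constructed suricata.yaml fragment reproducing the mismatched example above.
MISMATCH_YAML = """
stream:
  reassembly:
    depth: 100mb   # how much of each TCP stream is reassembled

file-store:
  enabled: yes
  stream-depth: 200mb   # cannot exceed the reassembly depth in practice
"""

# Constructed fragment where both depths agree (as in the last post of the thread).
OK_YAML = """
stream:
  reassembly:
    depth: 500mb

file-store:
  enabled: yes
  stream-depth: 500mb
"""

# Assumption: size suffixes are case-insensitive powers of 1024; a bare integer is bytes.
_UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_size(value):
    """Convert '100mb', '512KB', 0 ... to a byte count."""
    if isinstance(value, int):
        return value
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]*)\s*", str(value))
    if not m or m.group(2).lower() not in _UNITS:
        raise ValueError("unrecognised size: %r" % (value,))
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def parse_yaml_subset(text):
    """Minimal reader for indented 'key: value' mappings (no lists, anchors,
    '---' markers or multi-line scalars); enough for the depth keys, not a YAML parser."""
    root = {}
    stack = [(-1, root)]          # (indent, mapping) for the current nesting path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, val = line.strip().partition(":")
        val = val.strip()
        while indent <= stack[-1][0]:          # climb back out to the right parent
            stack.pop()
        parent = stack[-1][1]
        if val == "":                          # a key with no value opens a sub-mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = val
    return root


def effective_file_store_depth(cfg):
    """Return (effective depth in bytes, warning or None).

    Reassembly stops at stream.reassembly.depth, so file extraction can never
    collect more than that, whatever file-store.stream-depth says. Assumption:
    0 in either setting means unlimited."""
    stream_depth = parse_size(cfg["stream"]["reassembly"]["depth"])
    fs_depth = parse_size(cfg["file-store"]["stream-depth"])
    if stream_depth == 0:                      # reassembly unlimited: file-store value rules
        return fs_depth, None
    if fs_depth == 0 or fs_depth > stream_depth:
        return stream_depth, (
            "file-store.stream-depth (%d bytes) exceeds stream.reassembly.depth "
            "(%d bytes); extraction is capped at the lower value" % (fs_depth, stream_depth)
        )
    return fs_depth, None


def check_yaml(text):
    """Parse a fragment and evaluate the two depth settings."""
    return effective_file_store_depth(parse_yaml_subset(text))


if __name__ == "__main__":
    for name, text in (("mismatch", MISMATCH_YAML), ("ok", OK_YAML)):
        depth, warning = check_yaml(text)
        print("%s: effective depth %d bytes, warning: %s" % (name, depth, warning))
```

Running it prints the capped depth for the mismatched fragment together with a warning, and the agreed 500mb depth with no warning for the second one; pointing check_yaml at your own stream and file-store sections shows which of the two settings actually bounds extraction.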
@Andreas_Herz there is no value in stream.depth, and the only values set up are file-store.stream-depth and stream.reassembly.depth, both kept at 500MB, but still pcap files containing zip files of 10MB, 1MB, 100MB are having stored true but sometimes truncated:true?