File store with different sizes

I am trying to store files using file-store version 2. Small files are stored well with the CLOSED state. Files above 60mb are sometimes CLOSED and sometimes TRUNCATED.

outputs.12 = file-store
outputs.12.file-store = (null)
outputs.12.file-store.version = 2
outputs.12.file-store.enabled = yes
outputs.12.file-store.dir = files
outputs.12.file-store.write-fileinfo = yes
outputs.12.file-store.stream-depth = 0
outputs.12.file-store.force-hash = (null)
outputs.12.file-store.force-hash.0 = sha1
outputs.12.file-store.force-hash.1 = md5
outputs.12.file-store.xff = (null)
outputs.12.file-store.xff.enabled = no
outputs.12.file-store.xff.mode = extra-data
outputs.12.file-store.xff.deployment = reverse
outputs.12.file-store.xff.header = X-Forwarded-For
outputs.13 = file-store
outputs.13.file-store = (null)
outputs.13.file-store.version = 1
outputs.13.file-store.enabled = no

The file info shows:

{"timestamp":"2021-01-07T21:59:17.426523+0100","flow_id":664688973356500,"in_iface":"ens160","event_type":"fileinfo","src_ip":"192.114.251.198","src_port":80,"dest_ip":"192.168.90.200","dest_port":52048,"proto":"TCP","http":{"hostname":"strading.de","url":"/jv.exe","http_user_agent":"Wget/1.19.4 (linux-gnu)","http_content_type":"application/octet-stream","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":9431729},"app_proto":"http","fileinfo":{"filename":"/jv.exe","sid":[22],"magic":"PE32+ executable (GUI) x86-64, for MS Windows","gaps":false,"state":"TRUNCATED","sha256":"00ea9a8f22f65bf4f73bcb5b46a08c48dc1512b5c8525e4bdb12058f0513ce04","stored":true,"file_id":1,"size":9431729,"tx_id":0}}

and for the same file:

{"timestamp":"2021-01-07T21:59:46.140093+0100","flow_id":874878231899437,"in_iface":"ens160","event_type":"fileinfo","src_ip":"192.114.251.198","src_port":80,"dest_ip":"192.168.90.200","dest_port":52052,"proto":"TCP","http":{"hostname":"strading.de","url":"/jv.exe","http_user_agent":"Wget/1.19.4 (linux-gnu)","http_content_type":"application/octet-stream","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":83364488},"app_proto":"http","fileinfo":{"filename":"/jv.exe","sid":[22],"magic":"PE32+ executable (GUI) x86-64, for MS Windows","gaps":false,"state":"CLOSED","md5":"1469e9c49db6764e194915412cbadca7","sha1":"fb704922c7c26fbcc6a34183059830cff1b18623","sha256":"6210a4cdfc5c67d34027224dfadf48798bf3508e5db6ef268bb93f0fb7d697d5","stored":true,"file_id":3,"size":83364488,"tx_id":0}}

Any idea why this happens? (I tested with Suricata v6.0.1 and v5.0.5.)

Thanks
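An added check that is not part of the thread: it scans eve.json `fileinfo` events like the two quoted above and flags extractions that should not be trusted (state other than CLOSED, stored size differing from the HTTP-declared length, or forced hashes missing). The sample lines are trimmed copies of the post's own events plus one unrelated event; the `REQUIRED_HASHES` tuple mirrors the `force-hash` list in the poster's config and is an assumption for other setups.

```python
import json

# Constructed sample input: the two fileinfo events from the post (trimmed) and one non-fileinfo event.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-01-07T21:59:17.426523+0100","event_type":"fileinfo","http":{"url":"/jv.exe","length":9431729},"fileinfo":{"filename":"/jv.exe","state":"TRUNCATED","sha256":"00ea9a8f22f65bf4f73bcb5b46a08c48dc1512b5c8525e4bdb12058f0513ce04","stored":true,"size":9431729}}',
    '{"timestamp":"2021-01-07T21:59:46.140093+0100","event_type":"fileinfo","http":{"url":"/jv.exe","length":83364488},"fileinfo":{"filename":"/jv.exe","state":"CLOSED","md5":"1469e9c49db6764e194915412cbadca7","sha1":"fb704922c7c26fbcc6a34183059830cff1b18623","sha256":"6210a4cdfc5c67d34027224dfadf48798bf3508e5db6ef268bb93f0fb7d697d5","stored":true,"size":83364488}}',
    '{"timestamp":"2021-01-07T21:59:50.000000+0100","event_type":"alert","alert":{"signature_id":1}}',
]

# Hashes the poster's file-store config forces (force-hash: sha1, md5); adjust for your own config.
REQUIRED_HASHES = ("md5", "sha1")


def audit_fileinfo(lines, required_hashes=REQUIRED_HASHES):
    """Return one finding per fileinfo event whose extracted file should not be relied on.

    Note that in the post's TRUNCATED event fileinfo.size equals http.length, so the
    size comparison alone would not catch it; the state field is the authoritative signal.
    """
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed or partially written lines
        if ev.get("event_type") != "fileinfo":
            continue
        fi = ev.get("fileinfo", {})
        reasons = []
        if fi.get("state") != "CLOSED":
            reasons.append(f"state={fi.get('state')}")
        declared = ev.get("http", {}).get("length")
        if declared is not None and fi.get("size") != declared:
            reasons.append(f"size {fi.get('size')} != http.length {declared}")
        missing = [h for h in required_hashes if h not in fi]
        if missing:
            reasons.append("missing forced hashes: " + ",".join(missing))
        if reasons:
            findings.append({"timestamp": ev.get("timestamp"), "filename": fi.get("filename"),
                             "sha256": fi.get("sha256"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_fileinfo(SAMPLE_EVE_LINES):
        print(finding)
```

Run it over a real log with `audit_fileinfo(open("/var/log/suricata/eve.json"))` to list every extraction whose stored file or hashes are incomplete.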

Hi,

I have the same issue with release 6.0.1. The downloaded file is truncated and the file size under /var/log/suricata/files/xx is different from the real file size.

My Suricata VM is installed on ESXi with 16 GB RAM and 6 CPUs.

Any idea please?
Thanks in advance for your support!

  • The filestore config under suricata.yaml

    outputs:
      - eve-log:
          enabled: yes
          filetype: regular
          filename: eve.json
          types:
            - files:
                force-magic: no
                force-hash: [md5,sha256]

      - file-store:
          version: 2
          enabled: yes
          dir: files
          write-fileinfo: yes
          #force-filestore: yes
          stream-depth: 0
          #max-open-files: 1000
          force-hash: [sha256, md5]

    stream:
      memcap: 10gb
      checksum-validation: no
      inline: no
      midstream: false
      prealloc-sessions: 375000
      reassembly:
        memcap: 10gb
        depth: 0
        toserver-chunk-size: 2560
        toclient-chunk-size: 2560
        randomize-chunk-size: yes
        #randomize-chunk-range: 10
        raw: yes
        #segment-prealloc: 2048
        #check-overlap-different-data: true

  • The rule indexed in suricata.rules

    alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)

Could somebody from the Suricata Team give me support please!

You might need to increase the tcp reassembly memory limits in suricata.yaml.
I’m not affiliated with OISF.

Hi @syoc

My reassembly.memcap is 4gb and reassembly.depth is 0. Is this what you meant? The file (70 MB in size) is still truncated.

Is your stream memcap that high as well?
Can you post your stats.log?

I’m not really that familiar with file extraction so not sure I can help either way.