On Fri, Jun 28, 2019 at 5:35 PM Scap <scar...@gmail.com> wrote:
>
> Hello,
>
> I just installed the latest version of the SELKS OVF (8 vCPU, 12 GB RAM, vmxnet3, VMware ESXi) with Suricata 5.0.0-beta1 (I also tested with the stable version 4).
>
SELKS comes with a higher version than the 5.0.0-beta - so I suppose you
have done your own install of Suri, right? (it's no problem - just checking)
> I activated the extraction.
>
> I have some rules to trigger on .exe files or html, css, etc. But I only get TRUNCATED for all .exe. Only small files like an HTML web page are extracted.
>
> Any idea?
Depending on the file size you should adjust the following settings -
https://suricata.readthedocs.io/en/latest/file-extraction/file-extraction.html?store#settings
Thank you
>
> Kind regards
>
> Scap
>
> --
> IRC: Let's talk about SELKS on Freenode IRC on the #SELKS channel
> Wiki: https://github.com/StamusNetworks/SELKS/wiki
> GitHub: https://github.com/StamusNetworks/SELKS
> Blog: https://www.stamus-networks.com/theblog/
> Twitter: @StamusN
> g+: Stamus Networks
> ---
> You received this message because you are subscribed to the Google Groups "SELKS" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to se...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/selks/CAMhe82KyzckDEyjSjM%2BWvgDJCjLJDRSrehiGQbD9cMMNJC-UwA%40mail.gmail.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/selks/d88a374a-9590-4c4b-a7af-a164e727e9cf%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Regards,
Peter Manev
Hi,
I still have truncated files. I can extract files like 24 KB or 512 KB, but I cannot with 4 MB or 8 MB.
This is my configuration:
And an example:
On Tue, Jul 16, 2019 at 2:19 PM Scap <scar...@gmail.com> wrote:
> Hi,
> I still have truncated files. I can extract files like 24 KB or 512 KB, but I cannot with 4 MB or 8 MB.

You probably need to adjust - https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L1347 as well.
Also check the filestore settings that are set to the appropriate number - https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L471
I think those can be adjusted in the selks5-addin.yaml, save and exit, then restart Suri.
Thank you

> This is my configuration:
> And an example:
--
Regards,
Peter Manev
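An added illustrative suricata.yaml fragment (not taken from this thread or from SELKS) that puts the settings both of Peter's replies point at side by side: the stream reassembly depth, the libhtp request/response body limits, and the file-store stream-depth override. Key names are Suricata's own; the "before" values are the commonly shipped defaults, and the "after" values, the filestore path and the 16mb window are assumptions for a lab box, so size them to your own traffic.

```yaml
# Added example: the settings that decide whether a multi-MB download is
# stored whole or logged with fileinfo state TRUNCATED. Not part of the
# thread or of the SELKS project; values marked "assumed" are not from
# the thread.

# --- Before (commented out): small bodies and a 1 MB reassembly window.
# A 4 MB or 8 MB .exe hits these limits before the transfer completes,
# so file-store writes a partial file even though extraction is enabled.
#
# stream:
#   reassembly:
#     depth: 1mb                  # reassembly stops after 1 MB per direction
# app-layer:
#   protocols:
#     http:
#       libhtp:
#         default-config:
#           request-body-limit: 100kb
#           response-body-limit: 100kb
# file-store:
#   version: 2
#   enabled: yes
#   #stream-depth: 0              # still commented, so the 1mb depth applies

# --- After: let file extraction run past the global limits.
stream:
  reassembly:
    depth: 16mb                   # per-direction window (assumed value)

app-layer:
  protocols:
    http:
      libhtp:
        default-config:
          request-body-limit: 0   # 0 = unlimited; uploads live in requests
          response-body-limit: 0  # 0 = unlimited; downloads live in responses

file-store:
  version: 2
  enabled: yes
  dir: /var/lib/suricata/filestore  # assumed path; SELKS may use another
  stream-depth: 0                   # 0 = no depth limit for sessions carrying files
  force-filestore: no               # still rely on filestore rules to pick files
```

Validate the merged configuration with `suricata -T -c /etc/suricata/suricata.yaml` before restarting, then check the `fileinfo` records in eve.json: a completed extraction reports `state` as `CLOSED`, while a file cut short by any of the limits above still reports `TRUNCATED`. As the end of the thread shows, a host that is starved of CPU can also drop packets mid-transfer, which produces the same symptom with a correct configuration.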
Thank you for this quick answer.
I don't have the depth option in the SELKS yaml, but I have modified it in suricata.yaml, so I uncommented the # depth line. And I am already at 0 for the second option. But it is not working.
--
Regards,
Peter Manev
With this, I manage to extract less than 5 MB (not all the time), but for 8.5 MB it's really not working.
Any idea?
--
Regards,
Peter Manev
I was in a resource pool, so I guess the CPU limitation for burst didn't help.
I am out of the pool and it's working better :)
Sorry. Resource pool on VMware :)