doc: update file-store stream depth description

pull/5164/head
Jeff Lucovsky 6 years ago committed by Victor Julien
parent 2f32d7f831
commit ec07f58705

@ -532,7 +532,8 @@ The following shows the configuration options for version 2 of the
#force-filestore: yes
# Override the global stream-depth for sessions in which we want
# to perform file extraction. Set to 0 for unlimited.
# to perform file extraction. Set to 0 for unlimited; otherwise,
# must be greater than the global stream-depth value to be used.
#stream-depth: 0
# Uncomment the following variable to define how many files can
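Review bot: The added comment line "must be greater than the global stream-depth value to be used" does not name the setting it is compared against, and it does not say what happens when a smaller non-zero value is configured. Suggest naming the key explicitly (the documentation hunks in this commit refer to ``stream.reassembly.depth``) and stating the outcome, for example that the value is ignored and the global depth applies, if that is the behaviour. Someone who sets a small value here to cap extraction size would otherwise have no indication that it is not in effect.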

@ -6,7 +6,7 @@ File Extraction
Architecture
~~~~~~~~~~~~
The file extraction code works on top of the some protocols parsers. The application layer parsers runs on top of the stream reassembly engine and the UDP flow tracking.
The file extraction code works on top of selected protocol parsers (see supported protocols below). The application layer parsers run on top of the stream reassembly engine and the UDP flow tracking.
In case of HTTP, the parser takes care of dechunking and unzipping the request and/or response data if necessary.
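Review bot: "(see supported protocols below)" on the added line refers to its target by position only, and the hunk does not show the section it points to. Suggest linking the section by name with an explicit reference so the pointer survives later reordering of the page.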
@ -27,7 +27,7 @@ Settings
*stream.checksum_validation* controls whether or not the stream engine rejects packets with invalid checksums. A good idea normally, but the network interface performs checksum offloading a lot of packets may seem to be broken. This setting is enabled by default, and can be disabled by setting to "no". Note that the checksum handling can be controlled per interface, see "checksum_checks" in example configuration.
*file-store.stream-depth* controls how far into a stream reassembly is done. Beyond this value no reassembly will be done. This means that after this value the HTTP session will no longer be tracked. By default a settings of 1 Megabyte is used. 0 sets it to unlimited. If set to no, it is disabled and stream.reassembly.depth is considered.
*file-store.stream-depth* controls how far into a stream reassembly is done. Beyond this value no reassembly will be done. This means that after this value the HTTP session will no longer be tracked. By default a setting of 1 Megabyte is used. 0 sets it to unlimited. If set to no, it is disabled and ``stream.reassembly.depth`` is considered. Non-zero values must be greater than ``stream.stream-depth`` to be used.
*libhtp.default-config.request-body-limit* / *libhtp.server-config.<config>.request-body-limit* controls how much of the HTTP request body is tracked for inspection by the http_client_body keyword, but also used to limit file inspection. A value of 0 means unlimited.
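Review bot: The sentence added at the end of the *file-store.stream-depth* paragraph compares against ``stream.stream-depth``, while the sentence immediately before it names the fallback as ``stream.reassembly.depth``. If both refer to the same global limit, use one key name in both places. If they are different settings, say so, because a reader sizing file extraction needs to know which value their non-zero depth must exceed.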
@ -49,7 +49,7 @@ This must be enabled in the ``eve`` output::
- outputs:
- eve-log:
types:
types:
- files:
force-magic: no
force-hash: [md5,sha256]
@ -60,7 +60,7 @@ with the `eve` output.
The other output module, ``file-store`` stores the actual files to
disk.
The ``file-store`` uses its own log directory (default: `filestore` in
The ``file-store`` module uses its own log directory (default: `filestore` in
the default logging directory) and logs files using the SHA256 of the
contents as the filename. Each file is then placed in a directory
named `00` to `ff` where the directory shares the first 2 characters
@ -72,7 +72,8 @@ The size of a file that can be stored depends on ``file-store.stream-depth``,
if this value is reached a file can be truncated and might not be stored completely.
If not enabled, ``stream.reassembly.depth`` will be considered.
Setting ``file-store.stream-depth`` to 0 permits to store any files.
Setting ``file-store.stream-depth`` to 0 permits store of the entire file;
here, 0 means "unlimited."
``file-store.stream-depth`` will always override ``stream.reassembly.depth``
when filestore keyword is used.
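Review bot: The unchanged lines at the end of this hunk still say ``file-store.stream-depth`` "will always override ``stream.reassembly.depth`` when filestore keyword is used", which conflicts with the rule added elsewhere in this commit that a non-zero value must be greater than the global depth to be used. Suggest qualifying "always" here or repeating the constraint in this section. Separately, "permits store of the entire file" on the added line reads more naturally as "permits storing the entire file".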
