Hello all:
With the 2.4 release is it still best practice so specify file extraction size limit as follows…
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname, $extract_limit=]);
I ask because I seem to be getting files extracted greater than my imposed limit on occasion and was wondering if something had changed?
Thanks,
Jason
I seem to have having a similar issue with the way I was limiting the size of my extracted files too. Under 2.3.2, popping the following redef in my local.bro worked perfectly: redef FileExtract::default_limit = 25000000;
Under 2.4, I have larger files being extracted like Jason.
Thanks
Damon
Oh, interesting. I don’t think we have a test case which covers that. I suspect that it’s the file reassembly that was added into 2.4. I filed a ticket to make sure we track this.
https://bro-tracker.atlassian.net/browse/BIT-1451
.Seth