From: Giuseppe Longo Date: Mon, 28 Jan 2019 20:39:07 +0000 (+0100) Subject: doc: update file-extraction section X-Git-Tag: suricata-5.0.0-rc1~44 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=972be0a560a610f20e967b74cd488900ef86de73;p=thirdparty%2Fsuricata.git doc: update file-extraction section --- diff --git a/doc/userguide/file-extraction/file-extraction.rst b/doc/userguide/file-extraction/file-extraction.rst index 1c2e564e99..05fb481180 100644 --- a/doc/userguide/file-extraction/file-extraction.rst +++ b/doc/userguide/file-extraction/file-extraction.rst @@ -66,6 +66,19 @@ of the filename. For example, if the SHA256 hex string of an extracted file starts with "f9bc6d..." the file we be placed in the directory `filestore/f9`. + +The size of a file that can be stored depends on ``file-store.stream-depth``, +if this value is reached a file can be truncated and might not be stored completely. +If not enabled, ``stream.reassembly.depth`` will be considered. + +Setting ``file-store.stream-depth`` to 0 permits to store any files. + +``file-store.stream-depth`` will always override ``stream.reassembly.depth`` +when filestore keyword is used. + +A protocol parser, like modbus, could permit to set a different +store-depth value and use it rather than ``file-store.stream-depth``. + Using the SHA256 for file names allows for automatic de-duplication of extracted files. However, the timestamp of a pre-existing file will be updated if the same files is extracted again, similar to the `touch`
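Review bot: the new paragraphs are hard to follow and should be tightened before merge. "If not enabled, ``stream.reassembly.depth`` will be considered." does not say what "not enabled" refers to; spell it out, e.g. "If ``file-store.stream-depth`` is not set, ``stream.reassembly.depth`` is used instead.", and state that 0 means unlimited rather than "permits to store any files". The first sentence runs two clauses together; split it: "The size of a file that can be stored depends on ``file-store.stream-depth``. If this depth is reached, the file is truncated and will not be stored completely." Since the text says the setting "will always override ``stream.reassembly.depth`` when filestore keyword is used", it should read "when the ``filestore`` keyword is used" so the keyword is recognisable as a rule keyword. The last paragraph ("A protocol parser, like modbus, could permit to set a different store-depth value") is vague: say which parsers (Modbus is the one named here) expose their own ``stream-depth`` option, that it takes precedence over ``file-store.stream-depth`` for that protocol, and where in ``suricata.yaml`` it is set. Finally, it would help operators to add one sentence on how a truncated file is reported, so they can tell a complete extraction from a cut-off one.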