[Snort-sigs] Can Snort detect a download file from internet?

Joel Esler (jesler) jesler at cisco.com
Mon May 21 21:04:49 EDT 2018


Snort can extract files from the network in real time and write them out to disk. Please see the email that Al sent earlier about the README.file.

Sent from my iPad

On May 21, 2018, at 9:01 PM, Antonio Leding <tech at leding.net> wrote:

One point of clarification - I have Snort firing off an alert about the file being downloaded and then the packet capture + Wireshark for the follow-on file extraction and analysis.



On May 21, 2018, at 5:50 PM, Antonio Leding <tech at leding.net> wrote:

Not sure if this helps or is relevant but I have always done this using full packet capture + Wireshark.  If there is a way to do this directly in Snort, I would be curious to hear…


On May 21, 2018, at 5:48 PM, Hào Tài via Snort-sigs <snort-sigs at lists.snort.org> wrote:

Can everyone help me confirm this point: "Can Snort detect a file from the internet"?
If yes, how do we configure Snort to get the file content?


On Sun, May 20, 2018 at 3:23 PM, Hào Tài <haotai1803 at gmail.com> wrote:
Hello everyone,

I am a newbie to Snort. I am trying to write a Snort rule to catch a JPG file downloaded from the internet. Here is my rule:

>> alert tcp any any <> $HOME_NET any (msg:"JPEG"; content:"|FF D8 FF E0|"; sid:1000001;)

But it does not work. Am I missing something, or do I need to configure something in Snort?
Can anybody help me find the problem? Thank you.

Regards,
Tai Ly
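As an added example (not a rule from the thread or from the Snort ruleset), the original rule rewritten in Snort 2.9 syntax so that it alerts on a JPEG served over HTTP. It assumes the usual `$EXTERNAL_NET`, `$HTTP_PORTS` and `$HOME_NET` variables are defined in snort.conf and that the http_inspect preprocessor is enabled; `file_data` moves the match to the decoded HTTP response body, so `depth:4` anchors the magic bytes to the start of the file instead of anywhere in a packet, and every option, `sid` included, must end with `;` or the rule fails to parse. Exif-tagged JPEGs (camera output) begin `FF D8 FF E1` rather than `FF D8 FF E0`, so a second rule with a constructed local SID covers them.

```snort
# Added example, not part of the thread. Assumes $EXTERNAL_NET, $HTTP_PORTS and
# $HOME_NET are set in snort.conf and http_inspect is enabled.
# JFIF JPEG: the decoded response body starts with FF D8 FF E0.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"JPEG (JFIF) file downloaded over HTTP"; flow:to_client,established; file_data; content:"|FF D8 FF E0|"; depth:4; classtype:misc-activity; sid:1000001; rev:1;)
# Exif JPEG: same magic but the APP1 marker FF E1 follows the SOI marker.
# sid 1000002 is a constructed local SID (local rules use sid >= 1000000).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"JPEG (Exif) file downloaded over HTTP"; flow:to_client,established; file_data; content:"|FF D8 FF E1|"; depth:4; classtype:misc-activity; sid:1000002; rev:1;)
```

Check that the rules parse with `snort -T -c snort.conf` before deploying; these rules only alert, and writing the matched file to disk is configured separately as described in README.file.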

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org <http://Snort.org> to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats <https://snort.org/downloads/#rule-downloads>!
