[Snort-sigs] Can Snort detect a download file from internet?

Tai Ly haotai1803 at gmail.com
Tue May 22 20:39:02 EDT 2018


When I use a normal rule like:
>
> alert tcp any any -> any any (msg:"JPEG"; content:"|FF D8 FF E0|";
> sid:1000001;)

there is also no alert.
It means Snort does not catch the data file when it is downloaded from the internet.
So I think I configured something wrong somewhere.
Do you guys have experience with this case?
Thank you.

On Tue, May 22, 2018 at 7:16 PM, Tai Ly <haotai1803 at gmail.com> wrote:

> Thank you for your help.
>
> I read this file and did some steps as below:
>
> - Add some lines at the end of snort.conf:
>
>> # File Inspect Configuration
>>
>> preprocessor file_inspect: type_id, signature, \
>>   capture_queue_size 5000, \
>>   capture_disk /home/file_capture/tmp/
>>
>> # File magic reference
>> include file_magic.conf
>
> - and I try with 2 rules:
>
>> 1. alert (msg: "JPEG file"; gid:146; sid:70;)
>> 2. alert tcp any any -> any any (msg: "JPEG file"; file_type:JPEG;
>> sid:1000001;)
>
> - I use this command to run snort:
>
>> sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i
>> wlan0
>
> But when I download a JPEG file from the internet, there is no alert.
> Am I missing something?
>
>> On Tue, May 22, 2018 at 9:51 AM, Al Lewis (allewi) <allewi at cisco.com>
>> wrote:
>>
>>> Yes. See the README.file in the docs directory.
>>>
>>> *Albert Lewis*
>>>
>>> ENGINEER.SOFTWARE ENGINEERING
>>>
>>> Cisco Systems Inc.
>>>
>>> Email: allewi at cisco.com
>>>
>>> *From: *Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of
>>> Hào Tài via Snort-sigs <snort-sigs at lists.snort.org>
>>> *Reply-To: *Hào Tài <haotai1803 at gmail.com>
>>> *Date: *Monday, May 21, 2018 at 8:50 PM
>>> *To: *"snort-sigs at lists.snort.org" <snort-sigs at lists.snort.org>
>>> *Subject: *Re: [Snort-sigs] Can Snort detect a download file from
>>> internet?
>>>
>>> Can anyone help me confirm this point: "Can Snort detect a
>>> file from the internet?"
>>>
>>> If yes, how do we configure Snort to get the content of the file?
>>>
>>> On Sun, May 20, 2018 at 3:23 PM, Hào Tài <haotai1803 at gmail.com> wrote:
>>>
>>> Hello everyone,
>>>
>>> I am a newbie with Snort. I am trying to write a Snort rule to catch a
>>> JPG file downloaded from the internet. Here is my rule:
>>>
>>> alert tcp any any <> $HOME_NET any (msg:"JPEG"; content:"|FF D8 FF
>>> E0|"; sid:1000001;)
>>>
>>> But it does not work. Am I missing something, or do I need to configure
>>> something for Snort?
>>>
>>> Can anybody help me find out the problem? Thank you.
>>>
>>> Regards,
>>>
>>> Tai Ly
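As an added illustration (not code from this thread, from Snort, or from file_magic.conf), here is a small Python model of why the content rule on |FF D8 FF E0| can stay silent on a real download while a type-based check would fire: the four-byte content match only covers the JFIF form of the JPEG header (EXIF files start FF D8 FF E1), and a gzip-encoded HTTP response hides the magic bytes from both checks until the body is decoded. The HTTP responses and JPEG bodies are constructed samples, and the APPn-marker test in is_jpeg is an assumed JPEG type check, not the definition Snort ships.

```python
import gzip

# Constructed sample JPEG bodies (marker structure only, not real images).
JFIF_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 16 + b"\xff\xd9"
EXIF_JPEG = b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00MM\x00*" + b"\x00" * 16 + b"\xff\xd9"

def http_response(body: bytes, gzipped: bool = False) -> bytes:
    """Build a minimal HTTP/1.1 response; with gzipped=True the body is
    compressed and a Content-Encoding header added, as many servers do."""
    extra = b""
    if gzipped:
        body = gzip.compress(body)
        extra = b"Content-Encoding: gzip\r\n"
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n" + extra
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body

def split_response(payload: bytes) -> tuple:
    """Split an HTTP response into (header, body) at the blank line."""
    sep = payload.find(b"\r\n\r\n")
    return (payload, b"") if sep == -1 else (payload[:sep], payload[sep + 4:])

def content_rule_matches(payload: bytes) -> bool:
    """Emulate content:"|FF D8 FF E0|": a raw substring search for exactly
    these four bytes anywhere in the TCP payload, header bytes included."""
    return b"\xff\xd8\xff\xe0" in payload

def is_jpeg(body: bytes) -> bool:
    """Assumed type test at file offset 0: SOI marker FF D8 followed by any
    APPn marker FF E0..FF EF, so both JFIF and EXIF variants count."""
    return len(body) >= 4 and body[:3] == b"\xff\xd8\xff" and 0xE0 <= body[3] <= 0xEF

def classify(payload: bytes) -> dict:
    """Report which checks flag a response: the raw content match, the type
    test on the bytes as sent, and the type test after undoing gzip."""
    head, body = split_response(payload)
    decoded = body
    if b"content-encoding: gzip" in head.lower():
        decoded = gzip.decompress(body)
    return {"content_rule": content_rule_matches(payload),
            "type_on_wire": is_jpeg(body),
            "type_decoded": is_jpeg(decoded)}

if __name__ == "__main__":
    for name, resp in (("JFIF", http_response(JFIF_JPEG)),
                       ("EXIF", http_response(EXIF_JPEG)),
                       ("JFIF gzip", http_response(JFIF_JPEG, gzipped=True))):
        print(name, classify(resp))
```

Snort's http_inspect can decompress server responses when its inspect_gzip option is enabled, and an HTTPS download is invisible to either approach unless TLS is terminated in front of the sensor.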