[Snort-sigs] Can Snort detect a download file from internet?

Al Lewis (allewi) allewi at cisco.com
Wed May 23 00:17:53 EDT 2018


Hello,

See the attached conf and pcap as an example. It is an HTTP download of a PNG file (the NetBeans icon).

The two alerts you should get are below:

[alewis@localhost snort-2.9.11-test]$ ./bin/snort -c etc/TAI.conf -r etc/TAI.pcap -Acmg -k none -q

10/13-09:55:36.078000  [**] [1:1000001:0] PNG file downloaded [**] [Priority: 0] {TCP} 173.37.145.84:80 -> 192.168.0.1:27785
Stream reassembled packet
10/13-09:55:36.078000 00:11:22:33:44:55 -> 00:55:44:33:22:11 type:0x800 len:0x92E
173.37.145.84:80 -> 192.168.0.1:27785 TCP TTL:64 TOS:0x0 ID:26637 IpLen:20 DgmLen:2336
***A**** Seq: 0xC67  Ack: 0xB4A  Win: 0x16D0  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 6B 0D  HTTP/1.1 200 Ok.
0A 44 61 74 65 3A 20 57 65 64 2C 20 32 39 20 4A  .Date: Wed, 29 J
75 6C 20 32 30 30 39 20 31 33 3A 33 35 3A 32 36  ul 2009 13:35:26
20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70   GMT..Server: Ap



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


10/13-09:55:36.156000  [**] [1:1000001:0] PNG file downloaded [**] [Priority: 0] {TCP} 173.37.145.84:80 -> 192.168.0.1:27785
10/13-09:55:36.156000 00:11:22:33:44:55 -> 00:55:44:33:22:11 type:0x800 len:0x36
173.37.145.84:80 -> 192.168.0.1:27785 TCP TTL:64 TOS:0x0 ID:9066 IpLen:20 DgmLen:40
***A***F Seq: 0x155F  Ack: 0xB4A  Win: 0x16D0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Hope this helps.


Thanks.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi at cisco.com
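An added example, not code from this thread or from the Snort code base, modelling two things the alerts above show: the first alert fires on a "Stream reassembled packet" because a magic-byte content match is only reliable once the TCP segments have been joined back together, and a rule keyed on four magic bytes catches only the file variants that actually start with them. The HTTP response, the segment split, the magic table and every function name below are constructed for illustration; a real stream5/http_inspect pipeline does more than this small model.

```python
# Added example: not code from the Snort-sigs thread or from the Snort project.
# It models (1) why a magic-byte content match only fires reliably on the
# reassembled stream, because a TCP segment boundary can fall inside the
# signature, and (2) which magic bytes common formats actually begin with.
# All HTTP data and the magic table below are constructed inline.
from typing import Dict, List, Optional

# Constructed magic table. Note the JPEG split: the 4-byte rule from the thread
# (FF D8 FF E0) matches JFIF files only; EXIF JPEGs start FF D8 FF E1, so a rule
# that must catch every JPEG should key on the 3-byte SOI marker FF D8 FF.
MAGIC: Dict[str, bytes] = {
    "PNG": b"\x89PNG\r\n\x1a\n",
    "JPEG/JFIF": b"\xff\xd8\xff\xe0",
    "JPEG/EXIF": b"\xff\xd8\xff\xe1",
    "GIF": b"GIF8",
    "PDF": b"%PDF-",
}


def http_body(response: bytes) -> bytes:
    """Return the HTTP response body, i.e. what a file_data buffer points at."""
    sep = response.find(b"\r\n\r\n")
    return response[sep + 4:] if sep != -1 else b""


def identify(body: bytes) -> Optional[str]:
    """Classify a file by its leading bytes (longest magic checked first).

    This is an offset:0 / depth:N style match, not a search anywhere in the body.
    """
    for name, magic in sorted(MAGIC.items(), key=lambda kv: -len(kv[1])):
        if body.startswith(magic):
            return name
    return None


def per_segment_hits(segments: List[bytes], pattern: bytes) -> List[int]:
    """Indexes of the TCP segments that contain the whole pattern on their own."""
    return [i for i, seg in enumerate(segments) if pattern in seg]


def reassembled_hit(segments: List[bytes], pattern: bytes) -> bool:
    """The same match after the segments are joined back into one stream."""
    return pattern in b"".join(segments)


def build_response(body: bytes, mime: str) -> bytes:
    """Constructed HTTP/1.1 200 response carrying `body`."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: " + mime.encode() + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def split_inside_body(response: bytes, cut_after: int) -> List[bytes]:
    """Split the response into two segments, `cut_after` bytes into the body."""
    start = len(response) - len(http_body(response))
    cut = start + cut_after
    return [response[:cut], response[cut:]]


def demo() -> dict:
    """Scenario: a PNG download whose 8-byte signature straddles two segments."""
    # Constructed PNG-like body: signature, then an IHDR chunk header and padding.
    png_body = MAGIC["PNG"] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 24
    response = build_response(png_body, "image/png")
    segments = split_inside_body(response, 3)  # boundary after \x89 P N
    return {
        "type": identify(http_body(response)),
        "per_segment": per_segment_hits(segments, MAGIC["PNG"]),
        "reassembled": reassembled_hit(segments, MAGIC["PNG"]),
    }


if __name__ == "__main__":
    print(demo())
```

demo() returns {'type': 'PNG', 'per_segment': [], 'reassembled': True}: neither segment carries the whole signature, only the rejoined stream does, which is what the "Stream reassembled packet" line in the first alert is telling you. Two practical checks follow from the thread: the invocation above passes -k none, which turns off checksum verification; on a capture taken from a host with checksum offload the TCP checksums are often wrong and Snort does not inspect such packets by default, so a live capture on an interface like wlan0 can produce no alert for traffic that a pcap replay with -k none does match. And a content match on file magic only works when the bytes are on the wire in the clear; a download over TLS shows no magic bytes to Snort at all.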

From: Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of Tai Ly via Snort-sigs <snort-sigs at lists.snort.org>
Reply-To: Tai Ly <haotai1803 at gmail.com>
Date: Tuesday, May 22, 2018 at 8:41 PM
To: "snort-sigs at lists.snort.org" <snort-sigs at lists.snort.org>
Subject: Re: [Snort-sigs] Can Snort detect a download file from internet?

When I use a normal rule like:
alert tcp any any -> any any (msg:"JPEG"; content:"|FF D8 FF E0|"; sid:1000001;)
there is also no alert.
It means Snort does not catch the data file when downloading from the internet.
So I think I configured something wrong somewhere.
Do you guys have experience with this case?
Thank you.

On Tue, May 22, 2018 at 7:16 PM, Tai Ly <haotai1803 at gmail.com> wrote:
Thank you for your help.

I read this file and did the steps below:

- Added some lines at the end of snort.conf:
# File Inspect Configuration
preprocessor file_inspect: type_id, signature, \
  capture_queue_size 5000, \
  capture_disk /home/file_capture/tmp/

# File magic reference
include file_magic.conf

- and I tried with 2 rules:
1. alert (msg: "JPEG file"; gid:146; sid:70;)
2. alert tcp any any -> any any (msg: "JPEG file"; file_type:JPEG; sid:1000001;)

- I use this command to run Snort:
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i wlan0

But when I download a JPEG file from the internet, there is no alert.
Am I missing something?


On Tue, May 22, 2018 at 6:45 PM, Tai Ly <haotai1803 at gmail.com> wrote:

On Tue, May 22, 2018 at 9:51 AM, Al Lewis (allewi) <allewi at cisco.com> wrote:
Yes. See the README.file in the docs directory.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi at cisco.com

From: Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of Hào Tài via Snort-sigs <snort-sigs at lists.snort.org>
Reply-To: Hào Tài <haotai1803 at gmail.com>
Date: Monday, May 21, 2018 at 8:50 PM
To: "snort-sigs at lists.snort.org" <snort-sigs at lists.snort.org>
Subject: Re: [Snort-sigs] Can Snort detect a download file from internet?

Can everyone help me confirm this point: "Can Snort detect a file from the internet"?
If yes, how do we configure Snort to get the content of the file?


On Sun, May 20, 2018 at 3:23 PM, Hào Tài <haotai1803 at gmail.com> wrote:
Hello everyone,

I am a newbie with Snort. I am trying to write a Snort rule to catch a JPG file downloaded from the internet. Here is my rule:

>> alert tcp any any <> $HOME_NET any (msg:"JPEG"; content:"|FF D8 FF E0|"; sid:1000001;)

But it does not work. Am I missing something, or do I need to configure something for Snort?
Can anybody help me find the problem? Thank you.

Regards,
Tai Ly




Attachments:
- TAI.conf (application/octet-stream, 3562 bytes): <https://lists.snort.org/pipermail/snort-sigs/attachments/20180523/fcb434e7/attachment-0002.obj>
- TAI.pcap (application/octet-stream, 3783 bytes): <https://lists.snort.org/pipermail/snort-sigs/attachments/20180523/fcb434e7/attachment-0003.obj>

