[Snort-sigs] Re: Can Snort detect a download file from internet?

James sjamek at gmail.com
Fri May 25 02:03:54 EDT 2018


Please unsubscribe.



On Thu, 24 May 2018 at 21:46 Zer0d0y via Snort-sigs <
snort-sigs at lists.snort.org> wrote:

> Hi Tai Ly, this works for me!
>
> 1. Add --enable-file-inspect to your ./configure:
> ./configure --enable-file-inspect  --enable-sourcefire
>
> 2.vi /etc/snort/snort.conf
> preprocessor file_inspect: type_id, signature, capture_disk /tmp/snort/,
> capture_queue_size 5000, greylist block.txt
>
> 3.snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf
>
> 4. /etc/snort/rules/local.rules
> alert tcp any any -> any any (msg:"PDF"; content:"|25 50 44 46|";
> offset:0; sid:10000002;)
> alert tcp any any -> any any (msg:"JPEG"; content:"|FF D8 FF E0|";
> sid:1000001;)
>
> ------------------
>
> Regards,
> Zer0d0y
>
>
> The NSM(Bro|Snort|Suricata) WeChat Group of China
>
>
>
>
> ------------------ Original message ------------------
> *From:* "Tai Ly via Snort-sigs"<snort-sigs at lists.snort.org>;
> *Sent:* Wednesday, May 23, 2018, 8:39 AM
> *To:* "snort-sigs"<snort-sigs at lists.snort.org>;
> *Subject:* Re: [Snort-sigs] Can Snort detect a download file from internet?
>
> When I use a normal rule like:
>>
>> alert tcp any any -> any any (msg:"JPEG"; content:"|FF D8 FF E0|";
>> sid:1000001;)
>
> there is also no alert.
> It means Snort does not catch the data file when downloading from the internet.
> So I think I configured something wrong somewhere.
> Do you guys have experience with this case?
> Thank you.
>
> On Tue, May 22, 2018 at 7:16 PM, Tai Ly <haotai1803 at gmail.com> wrote:
>
>> Thank you for your help.
>>
>> I read this file and do some step as below:
>>
>> - Add some line in the end of snort.conf
>>
>>> # File Inspect Configuration
>>>
>>> preprocessor file_inspect: type_id, signature, \
>>>   capture_queue_size 5000, \
>>>   capture_disk /home/file_capture/tmp/
>>>
>>>
>>>
>>
>>> # File magic reference
>>> include file_magic.conf
>>
>>
>> - and I try with 2 rules:
>>
>>> 1. alert (msg: "JPEG file"; gid:146; sid:70;)
>>> 2. alert tcp any any -> any any (msg: "JPEG file"; file_type:JPEG;
>>> sid:1000001;)
>>
>>
>> - I use this command to run snort:
>>
>>> sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i
>>> wlan0
>>
>>
>> But when I download a JPEG file from the internet, there is no alert.
>> Am I missing something?
>>
>>
>> On Tue, May 22, 2018 at 6:45 PM, Tai Ly <haotai1803 at gmail.com> wrote:
>>
>>> On Tue, May 22, 2018 at 9:51 AM, Al Lewis (allewi) <allewi at cisco.com>
>>> wrote:
>>>
>>>> Yes. See the README.file in the docs directory.
>>>>
>>>> *Albert Lewis*
>>>> ENGINEER.SOFTWARE ENGINEERING
>>>> Cisco Systems Inc.
>>>> Email: allewi at cisco.com
>>>>
>>>> *From: *Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of
>>>> Hào Tài via Snort-sigs <snort-sigs at lists.snort.org>
>>>> *Reply-To: *Hào Tài <haotai1803 at gmail.com>
>>>> *Date: *Monday, May 21, 2018 at 8:50 PM
>>>> *To: *"snort-sigs at lists.snort.org" <snort-sigs at lists.snort.org>
>>>> *Subject: *Re: [Snort-sigs] Can Snort detect a download file from
>>>> internet?
>>>>
>>>> Can everyone help me to confirm this point: "Can Snort detect a
>>>> file from the internet"?
>>>>
>>>> If yes, how do we configure Snort to get the file content?
>>>>
>>>> On Sun, May 20, 2018 at 3:23 PM, Hào Tài <haotai1803 at gmail.com> wrote:
>>>>
>>>> Hello everyone,
>>>>
>>>> I am a newbie with Snort. I am trying to write a Snort rule to catch a
>>>> JPG file downloaded from the internet. Here is my rule:
>>>>
>>>> alert tcp any any <> $HOME_NET any (msg:"JPEG"; content:"|FF D8 FF
>>>> E0|"; sid:1000001;)
>>>>
>>>> But it does not work. Am I missing something, or do I need to configure
>>>> something for Snort?
>>>>
>>>> Can everybody help me to find out the problem? Thank you.
>>>>
>>>> Regards,
>>>> Tai Ly
>>>>
>>>
>>>
>>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
>
> Visit Snort.org to subscribe to the official Snort ruleset, and make sure
> to stay up to date to catch the most emerging threats:
> https://snort.org/downloads/#rule-downloads
>
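The magic-byte checks that the rules posted in this thread rely on, as an added example in Python that is not part of the thread, of Snort, or of Zer0d0y's setup: it parses Snort's content:"|..|" hex notation, locates the HTTP response body (the buffer Snort's file_data option selects) and tests the signatures against constructed HTTP responses, contrasting an unanchored content match with one anchored at the start of the body. The PDF and JPEG/JFIF patterns are the ones posted above; the JPEG/Exif signature (FF D8 FF E1), the sample responses and all helper names are assumptions added here.

```python
"""Added example (not from the thread or from Snort): emulate the
magic-byte matching the posted Snort rules perform, over constructed
HTTP responses, to show where a bare content match and a match anchored
at the start of the HTTP body (Snort's file_data buffer) differ."""

# Signatures in Snort content:"|..|" hex notation. PDF and JPEG/JFIF are the
# patterns posted in the thread; JPEG/Exif is an assumed addition, because
# camera-produced JPEGs start with an APP1 (Exif) segment, not APP0 (JFIF).
SIGNATURES = {
    "PDF": "|25 50 44 46|",          # "%PDF"
    "JPEG/JFIF": "|FF D8 FF E0|",    # SOI + APP0
    "JPEG/Exif": "|FF D8 FF E1|",    # SOI + APP1
}


def parse_snort_content(pattern):
    """Convert a Snort content string, with |..| hex sections, to raw bytes."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 1:                      # inside |...|: hex bytes
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:                               # outside: literal text
            out += chunk.encode("latin-1")
    return bytes(out)


def http_body(payload):
    """Return the HTTP response body, i.e. what Snort's file_data cursor
    points at. If no header terminator is present, treat the whole payload
    as body (what a rule without file_data effectively inspects)."""
    sep = payload.find(b"\r\n\r\n")
    return payload if sep < 0 else payload[sep + 4:]


def match_anywhere(payload, sig):
    """content:"..."; with no depth constraint: the bytes may sit anywhere
    in the packet payload, HTTP headers or page text included."""
    return sig in payload


def match_at_body_start(payload, sig):
    """file_data; content:"..."; depth:<len(sig)>; : match only at byte 0
    of the HTTP body, which is where a downloaded file's magic lives."""
    return http_body(payload).startswith(sig)


def classify(payload):
    """Names of the signatures found at the start of the HTTP body."""
    return [name for name, pat in SIGNATURES.items()
            if match_at_body_start(payload, parse_snort_content(pat))]


def http_response(content_type, body):
    """Build a minimal constructed HTTP/1.1 response carrying `body`."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type +
            b"\r\nContent-Length: " + str(len(body)).encode("ascii") +
            b"\r\n\r\n" + body)


# Constructed sample downloads (truncated files; only the magic matters here).
JFIF_RESPONSE = http_response(
    b"image/jpeg",
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 16 + b"\xff\xd9")
EXIF_RESPONSE = http_response(
    b"image/jpeg",
    b"\xff\xd8\xff\xe1\x00\x18Exif\x00\x00MM\x00*" + b"\x00" * 16 + b"\xff\xd9")
PDF_RESPONSE = http_response(
    b"application/pdf",
    b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n")
# An HTML page that merely mentions "%PDF" in its text: no file is downloaded.
HTML_RESPONSE = http_response(
    b"text/html", b"<html><body>Report (starts with %PDF-1.7)</body></html>")


if __name__ == "__main__":
    jfif = parse_snort_content(SIGNATURES["JPEG/JFIF"])
    for label, resp in [("JFIF", JFIF_RESPONSE), ("Exif", EXIF_RESPONSE),
                        ("PDF", PDF_RESPONSE), ("HTML", HTML_RESPONSE)]:
        print(label, "->", classify(resp),
              "| posted JPEG pattern anywhere:", match_anywhere(resp, jfif))
```

Two things the run makes visible: the posted JPEG pattern only matches JFIF-style files and never sees an Exif JPEG, and an unanchored content match fires on any payload that happens to contain the bytes, including an HTML page that just mentions "%PDF", which is why a file-type rule wants file_data and a depth equal to the signature length. None of this applies to encrypted transfers: a file fetched over HTTPS never exposes its magic bytes to Snort at all.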