One point of clarification - I have Snort firing off an alert about the file being downloaded and then the packet capture + Wireshark for the follow-on file extraction and analysis.



On May 21, 2018, at 5:50 PM, Antonio Leding <tech@leding.net> wrote:

Not sure if this helps or is relevant but I have always done this using full packet capture + Wireshark.  If there is a way to do this directly in Snort, I would be curious to hear…


On May 21, 2018, at 5:48 PM, Hào Tài via Snort-sigs <snort-sigs@lists.snort.org> wrote:

Can everyone help me to confirm this point: " Can the Snort detect a file from the internet" ?
If yes , how do we config the Snort the get the content file?


On Sun, May 20, 2018 at 3:23 PM, Hào Tài <haotai1803@gmail.com> wrote:
Hello everyone,

I am a newbie about Snort. I try to write the snort rule to catch a download JPG file from internet. Here is my rule:

>> alert tcp any any <> $HOME_NET any (msg:"JPEG"; content:"|FF D8 FF E0|"; sid:1000001)

But it does not work. Do I missing somethings or do I need to config somethings for Snort?
Can everybody help me to find out the problem? Thank you.

Regards,
Tai Ly

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!