[Snort-users] file carving

Long, Kerry S kslong at ...312...
Fri Feb 21 09:52:48 EST 2014

I got snort to carve files to a directory.  They are listed by their hash name.  This is not very useful without the file log which tells me what the file really is and what network session it is associated with.  Unfortunately I can't figure out how to get the log to print.  I have enabled it I think in snort.conf with these lines

dynamicoutput file /opt/snort/snort_dynamicpreprocessor/libsf_file_preproc.so

output filelog:/metadata/attachments/file

But I get nothing.  I am using the sample filemagic.conf file provided.


I may still have to create alert rules for every entry in the magic file.  The instructions seem to indicate I need to do this for some reason.  I have not because it looks like I would have to do it for file inspect and file signature aspects of the preprocessor.  That would be painful 2*100+ rules



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140221/043f3f53/attachment.html>

More information about the Snort-users mailing list