[Snort-users] file carving

Hui cao huica at ...589...
Fri Feb 21 11:11:00 EST 2014


Hi Kerry,

When file signature or file capture is enabled, it only logs files that 
are in the blacklist/greylist, to minimize the performance impact of logging 
all files. You can put the SHA into the blacklist/greylist to get it 
blocked/logged.

If you only enable file type, you can log file type alerts. File type 
alerts (for each file type rule) are similar to Snort preprocessor 
rules. You have to enable them by creating alert rules. Ideally, you 
want to have some files with types like PDF, EXE etc., not picture files 
(BMP, JPEG etc.). We just use this way to enable/disable file type 
alerts/logs.

Best,
Hui.
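As an added illustration of the two points above (file type comes from magic bytes at fixed offsets, and signature logging keys on the SHA of the carved file), here is a small defender-side inventory script for a directory of carved files named by their hash, as in the original question. This is example code written for this thread, not Snort code and not from either poster; the magic table is a constructed stand-in for filemagic.conf (same idea, content bytes at an offset, but only a handful of well-known signatures), and the one-hash-per-line output is an assumed format for a hash list, so check it against the README.file for your Snort version before feeding it to the preprocessor.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed magic table: (type name, content bytes, offset). These are the
# standard public signatures; Snort's filemagic.conf expresses the same idea
# (content + offset per type), but this table is an assumption, not that file.
MAGIC = [
    ("PDF", b"%PDF-", 0),
    ("EXE", b"MZ", 0),
    ("ZIP", b"PK\x03\x04", 0),
    ("JPEG", b"\xff\xd8\xff", 0),
    ("BMP", b"BM", 0),
]

# Types worth hash-listing, following the advice to focus on documents and
# executables rather than picture formats. Assumed selection.
INTERESTING = {"PDF", "EXE", "ZIP"}


def identify_type(data: bytes) -> str:
    """Return the first magic entry whose bytes appear at its offset."""
    for name, content, offset in MAGIC:
        if data[offset:offset + len(content)] == content:
            return name
    return "UNKNOWN"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inventory(carve_dir: Path) -> list[dict]:
    """One record per carved file: its SHA256, whether the filename really is
    that hash (integrity check), the detected type and the size."""
    rows = []
    for path in sorted(carve_dir.iterdir()):
        if not path.is_file():
            continue
        data = path.read_bytes()
        digest = sha256_hex(data)
        rows.append({
            "file": path.name,
            "sha256": digest,
            "name_matches_hash": path.name.lower() == digest,
            "type": identify_type(data),
            "size": len(data),
        })
    return rows


def select_hashes(rows: list[dict], types=INTERESTING) -> list[str]:
    """SHA256 values of files whose detected type is in `types`; each line is
    a candidate entry for a blacklist/greylist (assumed one hash per line)."""
    return sorted({r["sha256"] for r in rows if r["type"] in types})


def write_constructed_samples(directory: Path) -> Path:
    """Create a fake carve directory: files named by their SHA256 plus one
    mis-named file to exercise the integrity check. All contents constructed."""
    samples = [
        b"%PDF-1.4\n% constructed sample, not a real document\n",
        b"MZ" + b"\x90" * 62 + b"constructed stub, not a real executable",
        b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # JPEG-like header
        b"BM" + b"\x00" * 12,                  # BMP-like header
    ]
    for data in samples:
        (directory / sha256_hex(data)).write_bytes(data)
    # A file whose name no longer matches its content (e.g. renamed by hand).
    (directory / "not-a-hash.bin").write_bytes(b"%PDF-1.7\nrenamed sample\n")
    return directory


def run_demo() -> tuple[list[dict], list[str]]:
    """Build the constructed carve directory, inventory it and pick hashes."""
    with tempfile.TemporaryDirectory() as tmp:
        carve_dir = write_constructed_samples(Path(tmp))
        rows = inventory(carve_dir)
        return rows, select_hashes(rows)


if __name__ == "__main__":
    rows, hashes = run_demo()
    for r in rows:
        flag = "" if r["name_matches_hash"] else "  <-- name != sha256"
        print(f'{r["type"]:8} {r["size"]:6} {r["file"]}{flag}')
    print("hash list candidates:")
    print("\n".join(hashes))
```

Point it at the real carve directory by replacing `run_demo` with `inventory(Path("/your/carve/dir"))`; the `name_matches_hash` column catches files that were renamed or truncated after carving, which matters before any hash from that directory is promoted into a blocklist.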

On 02/21/2014 09:52 AM, Long, Kerry S wrote:
>
> I got snort to carve files to a directory. They are listed by their 
> hash name.  This is not very useful without the file log which tells 
> me what the file really is and what network session it is associated 
> with.  Unfortunately I can't figure out how to get the log to print.  
> I have enabled it I think in snort.conf with these lines
>
> dynamicoutput file 
> /opt/snort/snort_dynamicpreprocessor/libsf_file_preproc.so
>
> output filelog:/metadata/attachments/file
>
> But I get nothing.  I am using the sample filemagic.conf file provided.
>
> P.S.
>
> I may still have to create alert rules for every entry in the magic 
> file.  The instructions seem to indicate I need to do this for some 
> reason.  I have not because it looks like I would have to do it for 
> file inspect and file signature aspects of the preprocessor.  That 
> would be painful: 2*100+ rules.
>
> Thanks,
>
> Kerry
>
>
>
