[Snort-users] preprocessor file_inspect does not capture file

Lương Minh Tuấn not.soledad at ...11827...
Wed Dec 2 03:09:35 EST 2015


Hi YM,
     file_capture_min and file_capture_max are set to their default values, 0 
and 1GB. The path in capture_disk exists with full permissions (I set it to 
777 for testing). README.file says that with the config block I 
posted, Snort can capture any file, but in my case it does not work.
      I tried using a signature from file_magic.conf to write a normal rule; 
Snort detects it OK, and with the tag keyword I can even capture all files in 
tcpdump.



On 12/2/2015 2:16 PM, Y M wrote:
> I haven't played enough with the file_inspect preprocessor but what is 
> the size of the file in relation to things like "file_capture_min", 
> "file_capture_max"?
>
> Also, does the path in "capture_disk" exist?
>
> Finally, as far as I understand, only those files that have their 
> hashes in the black or grey lists will be captured. Please anyone, 
> correct me if I am wrong.
>
> YM
>
> Sent from Mobile
>
> _____________________________
> From: Lương Minh Tuấn <not.soledad at ...11827... 
> <mailto:not.soledad at ...11827...>>
> Sent: Wednesday, December 2, 2015 9:46 AM
> Subject: [Snort-users] preprocessor file_inspect does not capture file
> To: <snort-users at lists.sourceforge.net 
> <mailto:snort-users at lists.sourceforge.net>>
>
>
> Hi everybody,
> I have a problem when using file_inspect to capture files sent over
> FTP. Please help me resolve it. Here's my Snort info:
> - Server OS:
> $cat /etc/redhat-release
> CentOS Linux release 7.1.1503 (Core)
> - Snort version: 2.9.7.6, build options: --enable-file-inspect
> --enable-open-appid --enable-sourcefire
> - configuration file:
> exactly from snortrules-snapshot-2976.tar.gz, with the file_inspect
> config added as discussed in README.file:
> include file_magic.conf
> preprocessor file_inspect: signature, \
> capture_queue_size 5000, \
> capture_disk /home/file_capture/tmp/
>
> Snort does not detect or process any file, here's my exit stat:
> File Preprocessor Statistics
> Total file type callbacks: 0
> Total file signature callbacks: 0
> Total files would saved to disk: 0
> Total files saved to disk: 0
> Total file data saved to disk: 0 bytes
> Total files duplicated: 0
> Total files reserving failed: 0
> Total file capture min: 0
> Total file capture max: 0
> Total file capture memcap: 0
> Total files reading failed: 0
> Total file agent memcap failures: 0
> Total files sent: 0
> Total file data sent: 0
> Total file transfer failures: 0
> ===============================================================================
> Files processed: none
>
> I tried building Snort v2.9.7.0, 2.9.6.2 and the latest 2.9.8.0 but no
> luck. Please help me!
>
> Thanks and best regards!
> -- 
> Lương Minh Tuấn
> Email: not.soledad at ...11827... <mailto:not.soledad at ...11827...>
> Skype: minhtuan208
>
>

Thanks and best regards!
-- 
Lương Minh Tuấn
Network Operations & Service Support Station, VDCIT-VDC
Phone: 0915130933
Email: lmtuan at ...17386..., luongminhtuan208 at ...11827...
Skype: minhtuan208
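An added example, not code from the thread or from the Snort project: a small parser for the "File Preprocessor Statistics" block Snort prints at exit, with a triage step that turns the counters into the first thing to check. The sample input is the block from the original post, constructed here with its e-mail quote prefix still attached so quoted output parses too. The meaning assigned to each counter (callbacks as "file events reached file_inspect", "capture min/max" as files rejected by the size thresholds, "would saved" versus "saved" as a disk-write problem) is an assumption based on the counter names, and the "no-file-events" hint that FTP file data is fed by the ftp_telnet preprocessor is my reading of README.file, not something the thread confirms.

```python
import re

# Constructed sample: the statistics block exactly as it appears in the
# thread, including the "> " quote prefix from the reply.
SAMPLE_STATS = """\
> File Preprocessor Statistics
> Total file type callbacks: 0
> Total file signature callbacks: 0
> Total files would saved to disk: 0
> Total files saved to disk: 0
> Total file data saved to disk: 0 bytes
> Total files duplicated: 0
> Total files reserving failed: 0
> Total file capture min: 0
> Total file capture max: 0
> Total file capture memcap: 0
> Total files reading failed: 0
> Total file agent memcap failures: 0
> Total files sent: 0
> Total file data sent: 0
> Total file transfer failures: 0
"""

# "Total <name>: <number>" with an optional unit ("bytes") after the number.
COUNTER_RE = re.compile(r"^(Total [A-Za-z ]+?):\s*(\d+)")

# Assumed interpretation of each label (not from the thread).
HINTS = {
    "no-file-events":    "file_inspect never received a file event; check that "
                         "the protocol preprocessor feeding it (ftp_telnet for "
                         "FTP) is enabled and handling the data channel before "
                         "tuning capture_disk or the size limits",
    "size-threshold":    "files were rejected by file_capture_min/max",
    "memcap":            "capture memory exhausted; raise capture_memory/"
                         "capture_queue_size or check memcap",
    "disk-write":        "files were queued for disk but never written; check "
                         "capture_disk path, ownership and permissions",
    "captured":          "files were written to capture_disk",
    "seen-not-captured": "files reached file_inspect but no capture was "
                         "requested; check the rule or list verdict that "
                         "should trigger capture",
}


def parse_file_stats(text):
    """Return {counter name: int} from a 'File Preprocessor Statistics' block.

    Leading e-mail quote markers ('> ', possibly nested) are stripped so the
    block can be pasted straight from a mailing-list reply.
    """
    counters = {}
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def diagnose(counters):
    """Map the counters to a triage label (the first condition that matches)."""
    g = lambda k: counters.get(k, 0)
    seen = g("Total file type callbacks") + g("Total file signature callbacks")
    if seen == 0:
        return "no-file-events"
    if g("Total file capture min") or g("Total file capture max"):
        return "size-threshold"
    if g("Total file capture memcap") or g("Total files reserving failed"):
        return "memcap"
    if g("Total files would saved to disk") and not g("Total files saved to disk"):
        return "disk-write"
    if g("Total files saved to disk"):
        return "captured"
    return "seen-not-captured"


def report(text):
    """Parse a stats block and return (label, hint) for it."""
    label = diagnose(parse_file_stats(text))
    return label, HINTS[label]


if __name__ == "__main__":
    label, hint = report(SAMPLE_STATS)
    print(f"{label}: {hint}")
```

For the block posted in this thread the result is "no-file-events": every callback counter is zero, so the size limits and the capture_disk path (the two things asked about in the reply) are not yet in play; nothing reached the preprocessor at all.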
