[Snort-users] preprocessor file_inspect does not capture file

Lương Minh Tuấn not.soledad at ...11827...
Wed Dec 2 05:05:47 EST 2015


     I tried many times, adding and removing every option (type_id, 
signature) to test whether the preprocessor can detect anything, but no 
luck: nothing in the snort exit stats.
     The nearest test result, with type_id and signature on:
     - configuration I tried:
     exactly like the document:

preprocessor file_inspect: type_id, signature, \
                capture_disk /home/file_capture/tmp/, \
                capture_queue_size 5000

     - snort says that file_inspect may be good:
File config:
    file type: ENABLED
    file signature: ENABLED
    file capture: ENABLED
    file capture directory: /home/file_capture/tmp/
    file capture disk size: 300 (Default) megabytes
    file sent to host: DISABLED (Default), port number: 0

    File service: file type enabled.
    File service: file signature enabled.
    File service: file capture enabled.
    File capture thread started tid=0x7f5add080700 (pid=20478)

     - After uploading and downloading a pdf, a pcap, and a zip file, the exit 
stats are:
   File Preprocessor Statistics
  Total file type callbacks:            0
  Total file signature callbacks:       0
  Total files would saved to disk:      0
  Total files saved to disk:            0
  Total file data saved to disk:        0         bytes
  Total files duplicated:               0
  Total files reserving failed:         0
  Total file capture min:               0
  Total file capture max:               0
  Total file capture memcap:            0
  Total files reading failed:           0
  Total file agent memcap failures:     0
  Total files sent:                     0
  Total file data sent:                 0
  Total file transfer failures:         0
===============================================================================
Files processed: none
===============================================================================

Thanks
On 12/2/2015 4:26 PM, Y M wrote:
> Do you have file type and file signature enabled? For instance, I 
> don't see the type_id in the preprocessor configurations you posted.
>
> Documentation says that capturing depends on type and signature being 
> enabled, i.e. unknown file types will not be captured.
>
> YM
>
> Sent from Mobile
>
> _____________________________
> From: Lương Minh Tuấn <not.soledad at ...11827... 
> <mailto:not.soledad at ...11827...>>
> Sent: Wednesday, December 2, 2015 11:09 AM
> Subject: Re: [Snort-users] preprocessor file_inspect does not capture file
> To: Y M <snort at ...15979... <mailto:snort at ...15979...>>
> Cc: <snort-users at lists.sourceforge.net 
> <mailto:snort-users at lists.sourceforge.net>>
>
>
> Hi YM,
>     file_capture_min and file_capture_max are set to the default values, 0 
> and 1GB. The path in capture_disk exists with full permissions (I set it to 
> 777 for testing). README.file says that with the block of config which I 
> posted, snort can capture any file, but in my case it does not work.
>      I tried using a signature from file_magic.conf to write a normal 
> rule; snort detects it OK, and with the keyword tag I can even capture all 
> files in tcpdump.
>
>
>
> On 12/2/2015 2:16 PM, Y M wrote:
>
>     I haven't played enough with the file_inspect preprocessor but
>     what is the size of the file in relation to things like
>     "file_capture_min", "file_capture_max"?
>
>     Also, does the path in "capture_disk" exist?
>
>     Finally, as far as I understand, only those files that have their
>     hashes in the black or grey lists will be captured. Please anyone,
>     correct me if I am wrong.
>
>     YM
>
>     Sent from Mobile
>
>     _____________________________
>     From: Lương Minh Tuấn < not.soledad at ...11827...
>     <mailto:not.soledad at ...11827...>>
>     Sent: Wednesday, December 2, 2015 9:46 AM
>     Subject: [Snort-users] preprocessor file_inspect does not capture
>     file
>     To: < snort-users at lists.sourceforge.net
>     <mailto:snort-users at lists.sourceforge.net>>
>
>
>     Hi everybody,
>     I have a problem using file_inspect to capture files sent over
>     FTP. Please help me resolve it. Here's my Snort info:
>     - Server OS:
>     $cat /etc/redhat-release
>     CentOS Linux release 7.1.1503 (Core)
>     - Snort version: 2.9.7.6, build options: --enable-file-inspect
>     --enable-open-appid --enable-sourcefire
>     - configuration file:
>     exactly from snortrules-snapshot-2976.tar.gz, with the file_inspect
>     config added as discussed in README.file:
>     include file_magic.conf
>     preprocessor file_inspect: signature, \
>     capture_queue_size 5000, \
>     capture_disk /home/file_capture/tmp/
>
>     Snort does not detect or process any file; here are my exit stats:
>     File Preprocessor Statistics
>     Total file type callbacks: 0
>     Total file signature callbacks: 0
>     Total files would saved to disk: 0
>     Total files saved to disk: 0
>     Total file data saved to disk: 0 bytes
>     Total files duplicated: 0
>     Total files reserving failed: 0
>     Total file capture min: 0
>     Total file capture max: 0
>     Total file capture memcap: 0
>     Total files reading failed: 0
>     Total file agent memcap failures: 0
>     Total files sent: 0
>     Total file data sent: 0
>     Total file transfer failures: 0
>     ===============================================================================
>
>     Files processed: none
>
>     I tried building snort v2.9.7.0, 2.9.6.2 and the latest 2.9.8.0 but no
>     luck. Please help me!
>
>     Thanks and best regards!
>     -- 
>     Lương Minh Tuấn
>     Email: not.soledad at ...11827... <mailto:not.soledad at ...11827...>
>     Skype: minhtuan208
>
>

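The two pieces of evidence exchanged in this thread are the `preprocessor file_inspect:` line from snort.conf and the "File Preprocessor Statistics" block printed at exit. The script below, an added example that is not code from the thread or from the Snort project, parses both and applies the checks the replies above argue about: whether `file_magic.conf` is included, whether `capture_disk` is combined with both `type_id` and `signature` (YM's reading of README.file, that unknown file types are never captured), and whether the type/signature callback counters ever moved. The sample configuration and statistics text are constructed from what was posted above; the `diagnose` logic and its wording are this example's own, not an official Snort diagnostic.

```python
import re

# Exit statistics in the layout Snort prints for the file_inspect
# preprocessor. Constructed from the counters quoted in the thread.
SAMPLE_STATS = """\
   File Preprocessor Statistics
  Total file type callbacks:            0
  Total file signature callbacks:       0
  Total files would saved to disk:      0
  Total files saved to disk:            0
  Total file data saved to disk:        0         bytes
  Total files duplicated:               0
  Total files reserving failed:         0
  Total file capture min:               0
  Total file capture max:               0
  Total file capture memcap:            0
  Total files reading failed:           0
  Total file agent memcap failures:     0
  Total files sent:                     0
  Total file data sent:                 0
  Total file transfer failures:         0
===============================================================================
Files processed: none
"""

# snort.conf fragment with backslash continuations, as in the first post
# (constructed; note the missing type_id).
SAMPLE_CONF = """\
include file_magic.conf
preprocessor file_inspect: signature, \\
    capture_queue_size 5000, \\
    capture_disk /home/file_capture/tmp/
"""

# The same fragment with type_id added, as in the later test in the thread.
FIXED_CONF = SAMPLE_CONF.replace("file_inspect: signature", "file_inspect: type_id, signature")

STAT_RE = re.compile(r"^\s*Total (?P<name>[^:]+):\s+(?P<value>\d+)", re.M)


def parse_file_stats(text):
    """Return {counter name: int} for every 'Total ...:' line in the block."""
    return {m.group("name").strip(): int(m.group("value"))
            for m in STAT_RE.finditer(text)}


def parse_file_inspect_conf(text):
    """Join continuation lines, then return (included files, {option: value}).

    Options given without an argument (type_id, signature) map to True.
    """
    joined = text.replace("\\\n", " ")
    includes = re.findall(r"^\s*include\s+(\S+)", joined, re.M)
    opts = {}
    m = re.search(r"^\s*preprocessor\s+file_inspect:\s*(.*)$", joined, re.M)
    if m:
        for item in m.group(1).split(","):
            parts = item.split()
            if parts:
                opts[parts[0]] = parts[1] if len(parts) > 1 else True
    return includes, opts


def diagnose(conf_text, stats_text):
    """Return a list of findings that explain an empty capture directory.

    The dependency rule (capture needs type_id and signature) is YM's summary
    of README.file in the thread; the counter names come from the exit stats.
    """
    includes, opts = parse_file_inspect_conf(conf_text)
    stats = parse_file_stats(stats_text)
    findings = []
    if "file_magic.conf" not in [p.rsplit("/", 1)[-1] for p in includes]:
        findings.append("file_magic.conf is not included: no file type rules to match")
    if "capture_disk" in opts and not ("type_id" in opts and "signature" in opts):
        findings.append("capture_disk set without both type_id and signature: "
                        "unknown file types are not captured")
    if stats.get("file type callbacks", 0) == 0:
        findings.append("file type callbacks is 0: type identification never fired, "
                        "so capture was never attempted")
    elif stats.get("files saved to disk", 0) == 0:
        # Type identification ran but nothing landed on disk: report which
        # capture limit counter absorbed the files.
        for key in ("file capture min", "file capture max",
                    "file capture memcap", "files reserving failed"):
            if stats.get(key, 0):
                findings.append(f"{key} hit {stats[key]} times: check the "
                                "file_capture_min/max and memcap settings")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("with type_id", FIXED_CONF)):
        print(f"--- {label} ---")
        for finding in diagnose(conf, SAMPLE_STATS):
            print(" *", finding)
```

Run against the posted configuration the script reports both the missing `type_id` and the zero type-callback counter; with `type_id` added only the counter finding remains, which matches the thread's second test where the configuration looked right yet `Files processed: none` was still printed, so the next thing to look at is whether the FTP data channel is reaching the preprocessor at all rather than the capture options.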