[Snort-users] preprocessor file_inspect does not capture file

Y M snort at ...15979...
Wed Dec 2 06:06:50 EST 2015


Awesome.

Just to clarify, I'm not in the snort team, just another person on the list, though; all credit goes to them.

YM

Sent from Mobile




On Wed, Dec 2, 2015 at 3:03 AM -0800, "Lương Minh Tuấn" <not.soledad at ...11827...<mailto:not.soledad at ...11827...>> wrote:


    Thank snort team a thousand thousand tons, option '-k none' makes snort work like a charm


On 12/2/2015 5:10 PM, Y M wrote:
Hmm..just for testing purposes, calculate the sha256 hashes of the files, and add the hashes to the black list, and then re-run Snort.

Another thing to try is to use "-k none" when running Snort to read the pcap.

YM

Sent from Mobile

_____________________________
From: Lương Minh Tuấn <not.soledad at ...11827...<mailto:not.soledad at ...11827...>>
Sent: Wednesday, December 2, 2015 1:05 PM
Subject: Re: [Snort-users] preprocessor file_inspect does not capture file
To: Y M <snort at ...15979...<mailto:snort at ...15979...>>
Cc: <snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>>



    I tried many times, adding and removing every option: type_id, signature, to test if the preprocessor can detect something, but no luck, nothing in the snort exit stats.
    The nearest test result, with type_id and signature on:
    - configuration I tried:
    exactly like the document:

    preprocessor file_inspect: type_id, signature, \
                capture_disk /home/file_capture/tmp/, \
                capture_queue_size 5000

    - snort says that file_inspect may be good:
    File config:
    file type: ENABLED
    file signature: ENABLED
    file capture: ENABLED
    file capture directory: /home/file_capture/tmp/
    file capture disk size: 300 (Default) megabytes
    file sent to host: DISABLED (Default), port number: 0

    File service: file type enabled.
    File service: file signature enabled.
    File service: file capture enabled.
    File capture thread started tid=0x7f5add080700 (pid=20478)

    - After uploading and downloading a pdf, a pcap, and a zip file, the exit stats are:
     File Preprocessor Statistics
  Total file type callbacks:            0
  Total file signature callbacks:       0
  Total files would saved to disk:      0
  Total files saved to disk:            0
  Total file data saved to disk:        0         bytes
  Total files duplicated:               0
  Total files reserving failed:         0
  Total file capture min:               0
  Total file capture max:               0
  Total file capture memcap:            0
  Total files reading failed:           0
  Total file agent memcap failures:     0
  Total files sent:                     0
  Total file data sent:                 0
  Total file transfer failures:         0
===============================================================================
Files processed: none
===============================================================================

Thanks
On 12/2/2015 4:26 PM, Y M wrote:
Do you have file type and file signature enabled? For instance, I don't see the type_id in the preprocessor configurations you posted.

Documentation says that capturing depends on type and signature being enabled, i.e. unknown file types will not be captured.

YM

Sent from Mobile

_____________________________
From: Lương Minh Tuấn < not.soledad at ...11827...<mailto:not.soledad at ...11827...>>
Sent: Wednesday, December 2, 2015 11:09 AM
Subject: Re: [Snort-users] preprocessor file_inspect does not capture file
To: Y M < snort at ...15979...<mailto:snort at ...15979...>>
Cc: < snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>>


Hi YM,
    file_capture_min and file_capture_max are set to the default values, 0 and 1GB. The path in capture_disk exists with full permissions (I set it to 777 for testing). README.file says that with the block of config which I posted, snort can capture any file, but in my case, it does not work.
     I tried using a signature from file_magic.conf to write a normal rule; snort detects it ok, and with the keyword tag, I can even capture all files in tcpdump.



On 12/2/2015 2:16 PM, Y M wrote:
I haven't played enough with the file_inspect preprocessor but what is the size of the file in relation to things like "file_capture_min", "file_capture_max"?

Also, does the path in "capture_disk" exist?

Finally, as far as I understand, only those files that have their hashes in the black or grey lists will be captured. Please anyone, correct me if I am wrong.

YM

Sent from Mobile

_____________________________
From: Lương Minh Tuấn < not.soledad at ...11827...<mailto:not.soledad at ...11827...>>
Sent: Wednesday, December 2, 2015 9:46 AM
Subject: [Snort-users] preprocessor file_inspect does not capture file
To: < snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>>


Hi everybody,
I had a problem when using file_inspect to capture files sent over
FTP. Please help me resolve it. Here's my Snort info:
- Server OS:
$cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
- Snort version: 2.9.7.6, build options: --enable-file-inspect
--enable-open-appid --enable-sourcefire
- configuration file:
exactly from snortrules-snapshot-2976.tar.gz, with the file_inspect
config added as discussed in README.file:
include file_magic.conf
preprocessor file_inspect: signature, \
capture_queue_size 5000, \
capture_disk /home/file_capture/tmp/

Snort does not detect or process any file; here are my exit stats:
File Preprocessor Statistics
Total file type callbacks: 0
Total file signature callbacks: 0
Total files would saved to disk: 0
Total files saved to disk: 0
Total file data saved to disk: 0 bytes
Total files duplicated: 0
Total files reserving failed: 0
Total file capture min: 0
Total file capture max: 0
Total file capture memcap: 0
Total files reading failed: 0
Total file agent memcap failures: 0
Total files sent: 0
Total file data sent: 0
Total file transfer failures: 0
===============================================================================
Files processed: none

I tried building snort v2.9.7.0, 2.9.6.2 and the latest 2.9.8.0 but no
luck. Please help me!

Thanks and best regards!
--
Lương Minh Tuấn
Email: not.soledad at ...11827...<mailto:not.soledad at ...11827...>
Skype: minhtuan208
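The fix that closed this thread, '-k none', tells Snort to stop verifying IP/TCP/UDP/ICMP checksums. That matters here because a pcap captured on a host whose NIC does checksum offload often contains packets whose checksums were never filled in (or are wrong), and Snort's default checksum mode discards such packets before any preprocessor, file_inspect included, ever sees the FTP transfer. The script below is an added example, not part of the thread and not Snort's code: it builds a constructed IPv4/TCP packet carrying a made-up FTP command, once with correct checksums and once with the zero checksums an offloading driver leaves behind, verifies both the way an IDS would, and then applies Snort's -k modes (all, noip, notcp, none) to decide whether the packet would be inspected. Addresses, ports and payload are constructed sample values. The practical check it suggests: before loosening checksum verification, confirm the pcap really has broken checksums; keep '-k none' for offline replay of such captures rather than for an inline sensor, where inspecting packets the endpoint would itself discard changes what the IDS sees versus what the host processes.

```python
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src: str, dst: str, total_len: int, checksum=None) -> bytes:
    """20-byte IPv4 header for a TCP payload. checksum=None computes the
    real value; checksum=0 mimics a header the NIC never filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      64, 6, 0, _ip(src), _ip(dst))
    if checksum is None:
        checksum = internet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", checksum) + hdr[12:]


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum covers a pseudo-header (src, dst, 0, proto, len) + segment."""
    pseudo = _ip(src) + _ip(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + segment)


def tcp_segment(src: str, dst: str, sport: int, dport: int,
                payload: bytes, checksum=None) -> bytes:
    """Minimal 20-byte TCP header (PSH,ACK) followed by payload."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18,
                      65535, 0, 0) + payload
    if checksum is None:
        checksum = tcp_checksum(src, dst, seg)
    return seg[:16] + struct.pack("!H", checksum) + seg[18:]


def verify_packet(raw: bytes) -> dict:
    """Verify the IPv4 header checksum and the TCP checksum of a raw packet.
    A correct checksum makes the one's-complement sum over the covered
    bytes come out as zero."""
    ihl = (raw[0] & 0x0F) * 4
    hdr, seg = raw[:ihl], raw[ihl:]
    src = ".".join(str(b) for b in hdr[12:16])
    dst = ".".join(str(b) for b in hdr[16:20])
    return {
        "ip_ok": internet_checksum(hdr) == 0,
        "tcp_ok": hdr[9] == 6 and tcp_checksum(src, dst, seg) == 0,
    }


def snort_would_inspect(result: dict, mode: str = "all") -> bool:
    """Apply Snort's -k checksum mode to a verification result.
    'all' (default) requires both checksums; 'noip'/'notcp' skip one;
    'none' skips verification entirely, which is what fixed the thread."""
    need_ip = mode not in ("none", "noip")
    need_tcp = mode not in ("none", "notcp")
    return (result["ip_ok"] or not need_ip) and (result["tcp_ok"] or not need_tcp)


def build_sample(offloaded: bool) -> bytes:
    """Constructed packet: an FTP RETR command on a fresh connection.
    offloaded=True leaves both checksum fields zero, as a capture taken on
    the sending host with checksum offload typically does."""
    payload = b"RETR report.pdf\r\n"           # constructed, not real traffic
    src, dst = "192.0.2.10", "192.0.2.20"        # documentation-range addresses
    seg = tcp_segment(src, dst, 40000, 21, payload,
                      checksum=0 if offloaded else None)
    hdr = ipv4_header(src, dst, 20 + len(seg),
                      checksum=0 if offloaded else None)
    return hdr + seg


if __name__ == "__main__":
    for label, pkt in (("good", build_sample(False)), ("offloaded", build_sample(True))):
        res = verify_packet(pkt)
        modes = {m: snort_would_inspect(res, m) for m in ("all", "noip", "notcp", "none")}
        print(label, res, modes)
```

Running it shows the offloaded packet failing both checks and being inspected only under '-k none', while the correctly checksummed packet passes under every mode; that is the difference between the all-zero "File Preprocessor Statistics" in the thread and a working capture.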

