[Snort-users] preprocessor file_inspect does not capture file

Lương Minh Tuấn not.soledad at ...11827...
Wed Dec 2 07:27:51 EST 2015


Your email made me confused :D
Thanks a billion tons, YM!

On 12/2/2015 6:06 PM, Y M wrote:
> Awesome.
>
> Just to clarify, I'm not in the Snort team, just another person on the 
> list, though; all credit goes to them.
>
> YM
>
> Sent from Mobile
>
>
>
>
> On Wed, Dec 2, 2015 at 3:03 AM -0800, "Lương Minh Tuấn" 
> <not.soledad at ...11827... <mailto:not.soledad at ...11827...>> wrote:
>
>
>     Thanks to the Snort team a thousand thousand tons; the option '-k none' makes 
> Snort work like a charm
>
>
> On 12/2/2015 5:10 PM, Y M wrote:
>> Hmm..just for testing purposes, calculate the sha256 hashes of the 
>> files, and add the hashes to the black list, and then re-run Snort.
>>
>> Another thing to try is to use "-k none" when running Snort to read 
>> the pcap.
>>
>> YM
>>
>> Sent from Mobile
>>
>> _____________________________
>> From: Lương Minh Tuấn <not.soledad at ...11827... 
>> <mailto:not.soledad at ...11827...>>
>> Sent: Wednesday, December 2, 2015 1:05 PM
>> Subject: Re: [Snort-users] preprocessor file_inspect does not capture 
>> file
>> To: Y M <snort at ...15979... <mailto:snort at ...15979...>>
>> Cc: <snort-users at lists.sourceforge.net 
>> <mailto:snort-users at lists.sourceforge.net>>
>>
>>
>>
>>     I tried many times, adding and removing every option (type_id, signature) 
>> to test whether the preprocessor could detect something, but no luck: nothing in 
>> the Snort exit stats.
>>     The nearest test result was with type_id and signature on:
>>     - configuration I tried:
>>     exactly like the documentation:
>>
>>     preprocessor file_inspect: type_id, signature, \
>>                     capture_disk /home/file_capture/tmp/, \
>>                     capture_queue_size 5000
>>
>>     - Snort says that file_inspect may be good:
>>     File config:
>>         file type: ENABLED
>>         file signature: ENABLED
>>         file capture: ENABLED
>>         file capture directory: /home/file_capture/tmp/
>>         file capture disk size: 300 (Default) megabytes
>>         file sent to host: DISABLED (Default), port number: 0
>>
>>         File service: file type enabled.
>>         File service: file signature enabled.
>>         File service: file capture enabled.
>>         File capture thread started tid=0x7f5add080700 (pid=20478)
>>
>>     - After uploading and downloading a PDF, a pcap, and a zip file, 
>> the exit stats are:
>>        File Preprocessor Statistics
>>       Total file type callbacks:            0
>>       Total file signature callbacks:       0
>>       Total files would saved to disk:      0
>>       Total files saved to disk:            0
>>       Total file data saved to disk:        0 bytes
>>       Total files duplicated:               0
>>       Total files reserving failed:         0
>>       Total file capture min:               0
>>       Total file capture max:               0
>>       Total file capture memcap:            0
>>       Total files reading failed:           0
>>       Total file agent memcap failures:     0
>>       Total files sent:                     0
>>       Total file data sent:                 0
>>       Total file transfer failures:         0
>>     ===============================================================================
>>     Files processed: none
>>     ===============================================================================
>>
>>
>> Thanks
>> On 12/2/2015 4:26 PM, Y M wrote:
>>
>>     Do you have file type and file signature enabled? For instance, I
>>     don't see the type_id in the preprocessor configuration you posted.
>>
>>     The documentation says that capturing depends on type and signature
>>     being enabled, i.e. unknown file types will not be captured.
>>
>>     YM
>>
>>     Sent from Mobile
>>
>>     _____________________________
>>     From: Lương Minh Tuấn < not.soledad at ...11827...
>>     <mailto:not.soledad at ...11827...>>
>>     Sent: Wednesday, December 2, 2015 11:09 AM
>>     Subject: Re: [Snort-users] preprocessor file_inspect does not
>>     capture file
>>     To: Y M < snort at ...15979... <mailto:snort at ...15979...>>
>>     Cc: < snort-users at lists.sourceforge.net
>>     <mailto:snort-users at lists.sourceforge.net>>
>>
>>
>>     Hi YM,
>>         file_capture_min and file_capture_max are set to the default
>>     values, 0 and 1GB. The path in capture_disk exists with full
>>     permissions (I set it to 777 for testing). README.file says that with
>>     the block of config which I posted, Snort can capture any file, but
>>     in my case, it does not work.
>>          I tried using a signature in file_magic.conf to write a normal
>>     rule; Snort detects it OK, and with the keyword tag, I can even capture
>>     all files in tcpdump.
>>
>>
>>
>>     On 12/2/2015 2:16 PM, Y M wrote:
>>
>>         I haven't played enough with the file_inspect preprocessor
>>         but what is the size of the file in relation to things like
>>         "file_capture_min", "file_capture_max"?
>>
>>         Also, does the path in "capture_disk" exist?
>>
>>         Finally, as far as I understand, only those files that have
>>         their hashes in the black or grey lists will be captured.
>>         Please anyone, correct me if I am wrong.
>>
>>         YM
>>
>>         Sent from Mobile
>>
>>         _____________________________
>>         From: Lương Minh Tuấn < not.soledad at ...11827...
>>         <mailto:not.soledad at ...11827...>>
>>         Sent: Wednesday, December 2, 2015 9:46 AM
>>         Subject: [Snort-users] preprocessor file_inspect does not
>>         capture file
>>         To: < snort-users at lists.sourceforge.net
>>         <mailto:snort-users at lists.sourceforge.net>>
>>
>>
>>         Hi everybody,
>>         I had a problem when using file_inspect to capture files sent over
>>         FTP. Please help me resolve it. Here's my Snort info:
>>         - Server OS:
>>         $ cat /etc/redhat-release
>>         CentOS Linux release 7.1.1503 (Core)
>>         - Snort version: 2.9.7.6, build options: --enable-file-inspect
>>         --enable-open-appid --enable-sourcefire
>>         - configuration file:
>>         exactly from snortrules-snapshot-2976.tar.gz, with the file_inspect
>>         config added as discussed in README.file:
>>         include file_magic.conf
>>         preprocessor file_inspect: signature, \
>>         capture_queue_size 5000, \
>>         capture_disk /home/file_capture/tmp/
>>
>>         Snort does not detect or process any file; here are my exit stats:
>>         File Preprocessor Statistics
>>         Total file type callbacks: 0
>>         Total file signature callbacks: 0
>>         Total files would saved to disk: 0
>>         Total files saved to disk: 0
>>         Total file data saved to disk: 0 bytes
>>         Total files duplicated: 0
>>         Total files reserving failed: 0
>>         Total file capture min: 0
>>         Total file capture max: 0
>>         Total file capture memcap: 0
>>         Total files reading failed: 0
>>         Total file agent memcap failures: 0
>>         Total files sent: 0
>>         Total file data sent: 0
>>         Total file transfer failures: 0
>>         ===============================================================================
>>
>>         Files processed: none
>>
>>         I tried to build Snort v2.9.7.0, 2.9.6.2 and the latest 2.9.8.0
>>         but no luck. Please help me!
>>
>>         Thanks and best regards!
>>         -- 
>>         Lương Minh Tuấn
>>         Email: not.soledad at ...11827... <mailto:not.soledad at ...11827...>
>>         Skype: minhtuan208
>>
>>

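The fix in this thread was '-k none', which turns off Snort's checksum verification: with the default '-k all', packets whose IPv4 or TCP checksums fail are not inspected, so a pcap captured on a host with transmit checksum offload can pass through file_inspect with zero callbacks. The Python script below is added here and is not part of the thread or of Snort; it audits a classic (non-pcapng) Ethernet/IPv4 pcap for such frames so you can tell in advance whether packets are being silently skipped. The frames and the sample pcap it builds are constructed for the demonstration.

```python
import struct

def fold16(data: bytes) -> int:
    """One's-complement sum of 16-bit words; a block with a valid checksum folds to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def verify_frame(frame: bytes):
    """Return (ipv4_header_ok, tcp_ok) for an Ethernet/IPv4 frame; tcp_ok is None for non-TCP."""
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    ip_ok = fold16(ip[:ihl]) == 0xFFFF
    if ip[9] != 6:
        return ip_ok, None
    seg = ip[ihl:total_len]                                   # drop Ethernet padding
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))  # TCP pseudo-header
    return ip_ok, fold16(pseudo + seg) == 0xFFFF

def build_frame(payload: bytes, corrupt_tcp: bool = False) -> bytes:
    """Constructed 10.0.0.1:40000 -> 10.0.0.2:21 frame, optionally with a damaged TCP checksum."""
    src, dst = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"
    tcp = struct.pack("!HHIIBBHHH", 40000, 21, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    csum = (~fold16(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)) & 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", csum ^ (0x1234 if corrupt_tcp else 0)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", (~fold16(ip)) & 0xFFFF) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def audit_pcap(pcap: bytes) -> dict:
    """Count frames that Snort's default checksum verification (-k all) would discard."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    results, off = [], 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        results.append(verify_frame(pcap[off + 16:off + 16 + incl]))
        off += 16 + incl
    return {"total": len(results),
            "bad_ip": sum(not ip_ok for ip_ok, _ in results),
            "bad_tcp": sum(tcp_ok is False for _, tcp_ok in results)}

# Constructed sample: one clean FTP command segment and one with a bad TCP checksum.
SAMPLE_PCAP = build_pcap([build_frame(b"RETR a.pdf\r\n"), build_frame(b"RETR b.zip\r\n", True)])
```

If audit_pcap reports non-zero bad_ip or bad_tcp for a capture you feed to Snort, those frames never reach file_inspect under '-k all', which matches the all-zero statistics seen in this thread.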