[Snort-users] preprocessor file_inspect: file capture from FTP traffic differs from original

Lương Minh Tuấn not.soledad at ...11827...
Thu Dec 10 23:04:30 EST 2015


Hi everybody,
     I have a problem with file_inspect preprocessor, when snort 
captures file from FTP traffic, the file written to disk differs from 
the original file, the file data, SHA256 is not true. The problem 
happended with almost file transfer via FTP, but HTTP still works well. 
I'm using snort version 2.9.7.6 and tried with 2.9.8.0 but no luck.
     Here's my snort server information:
     - OS: Centos 7 64bit, installed snort and vsftpd, tried with both 
real server and virtual vmware guest.
     - file service and file_inspect configuration:
         config file:\
         file_type_depth 42949672, \
         file_signature_depth 42949672, \
         file_capture_max 42949672, \
         file_capture_memcap 200

         preprocessor file_inspect:\
               type_id, \
               signature, \
               capture_queue_size 5000, \
               capture_disk /home/file_capture/tmp/ 1024

    Is there anything need to configure to make snort work better? 
almost file captured from FTP is not true, so it cannot match block 
list, also cannot be used to further analyzing.
Please help, thank you!

Minh Tuan Luong

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus





More information about the Snort-users mailing list