[Snort-users] preprocessor file_inspect: file capture from FTP traffic differs from original
Lương Minh Tuấn
not.soledad at ...11827...
Thu Dec 10 23:04:30 EST 2015
I have a problem with the file_inspect preprocessor: when snort
captures a file from FTP traffic, the file written to disk differs from
the original file; the file data and SHA256 are not correct. The problem
happened with almost every file transfer via FTP, but HTTP still works well.
I'm using snort version 126.96.36.199 and tried with 188.8.131.52 but no luck.
Here's my snort server information:
- OS: CentOS 7 64-bit, installed snort and vsftpd, tried with both
a real server and a virtual VMware guest.
- file service and file_inspect configuration:
file_type_depth 42949672, \
file_signature_depth 42949672, \
file_capture_max 42949672, \
capture_queue_size 5000, \
capture_disk /home/file_capture/tmp/ 1024
Is there anything I need to configure to make snort work better?
Almost every file captured from FTP is not correct, so it cannot match the
block list and also cannot be used for further analysis.
Please help, thank you!
Minh Tuan Luong
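
An added example, not part of the original post: one way to characterise the mismatch reported above is to compare a captured file with the original byte for byte and report whether the capture is truncated, has one run of bytes missing or inserted, or differs in content. The function names and sample bytes are constructed for illustration; only the 42949672 limit comes from the posted configuration.

```python
import hashlib

FILE_CAPTURE_MAX = 42949672  # file_capture_max from the configuration in the post


def first_diff(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte, or -1 if the shorter input is a prefix."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1


def classify_capture(original: bytes, captured: bytes, cap: int = FILE_CAPTURE_MAX) -> dict:
    """Describe how a captured file differs from the original that was transferred."""
    report = {
        "sha256_original": hashlib.sha256(original).hexdigest(),
        "sha256_captured": hashlib.sha256(captured).hexdigest(),
        "size_delta": len(captured) - len(original),
        "offset": None,
    }
    if original == captured:
        report["verdict"] = "match"
        return report
    off = first_diff(original, captured)
    delta = report["size_delta"]
    if off == -1:
        # One file is a clean prefix of the other.
        report["offset"] = min(len(original), len(captured))
        if delta > 0:
            report["verdict"] = "trailing_data"
        else:
            report["verdict"] = "truncated_at_cap" if len(captured) == cap else "truncated"
    else:
        report["offset"] = off
        if delta < 0 and original[off - delta:] == captured[off:]:
            report["verdict"] = "missing_bytes"    # one contiguous run was dropped
        elif delta > 0 and captured[off + delta:] == original[off:]:
            report["verdict"] = "inserted_bytes"   # one contiguous run was added
        else:
            report["verdict"] = "content_differs"
    return report


if __name__ == "__main__":
    # Constructed sample: a 10240-byte "file" with a 1460-byte run missing at offset 3000.
    original = bytes(range(256)) * 40
    captured = original[:3000] + original[4460:]
    print(classify_capture(original, captured))
```

Read the original and the file from the capture directory as bytes and pass both in; the offset and size delta show where the two first diverge and by how much.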