[Snort-users] preprocessor file_inspect: file capture from FTP traffic differs from original

Hui cao huica at ...589...
Fri Dec 11 09:21:12 EST 2015


Do you have the following configured?

preprocessor normalize_tcp: ips

Best,
Hui.

On 12/10/2015 11:04 PM, Lương Minh Tuấn wrote:
> Hi everybody,
>       I have a problem with the file_inspect preprocessor: when Snort
> captures a file from FTP traffic, the file written to disk differs from
> the original file; the file data and SHA256 are not correct. The problem
> happens with almost every file transferred via FTP, but HTTP still works well.
> I'm using Snort version 2.9.7.6 and also tried 2.9.8.0, but no luck.
>       Here's my Snort server information:
>       - OS: CentOS 7 64-bit, with Snort and vsftpd installed, tried on both
> a real server and a VMware virtual guest.
>       - file service and file_inspect configuration:
>           config file:\
>           file_type_depth 42949672, \
>           file_signature_depth 42949672, \
>           file_capture_max 42949672, \
>           file_capture_memcap 200
>
>           preprocessor file_inspect:\
>                 type_id, \
>                 signature, \
>                 capture_queue_size 5000, \
>                 capture_disk /home/file_capture/tmp/ 1024
>
>      Is there anything I need to configure to make Snort work better?
> Almost every file captured from FTP is incorrect, so it cannot match the block
> list and also cannot be used for further analysis.
> Please help, thank you!
>
> Minh Tuan Luong
>
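The reply above points at TCP normalization rather than at file_inspect itself. The following is an added illustration, not code from this thread or from the Snort project, of why a reassembly setting can change what a file-capture preprocessor writes to disk: when a retransmitted segment overlaps an earlier one with different bytes, the reassembled stream (and therefore its SHA256) depends on which copy the reassembler keeps. The segments are constructed, and the two overlap policies ("first" and "last") plus the normalizer that rewrites retransmitted bytes to match what was first seen are an assumed model standing in for Snort's stream reassembly policies and the behaviour of `normalize_tcp` in ips mode, not an implementation of them.

```python
import hashlib

# Constructed TCP segments as (relative sequence number, payload), in arrival
# order. The second segment at seq 6 is a retransmission whose bytes differ
# from the first copy; that is the ambiguous case a reassembler must resolve.
SEGMENTS = [
    (0, b"HELLO "),
    (6, b"SNORT"),
    (6, b"WORLD"),
    (11, b"\n"),
]


def reassemble(segments, policy="first"):
    """Rebuild the contiguous byte stream starting at seq 0.

    policy 'first': the byte seen first for an offset wins (assumed here to
    model a 'first' reassembly policy); policy 'last': a later segment
    overwrites earlier data at the same offset.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown overlap policy: %r" % policy)
    stream = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    out = bytearray()
    off = 0
    while off in stream:          # stop at the first gap
        out.append(stream[off])
        off += 1
    return bytes(out)


def normalize_retransmissions(segments):
    """Rewrite overlapping bytes of later segments to match earlier ones.

    Assumed model of what an inline normalizer does to retransmitted data so
    that every downstream consumer sees one consistent stream regardless of
    its own overlap policy.
    """
    seen = {}
    normalized = []
    for seq, data in segments:
        fixed = bytearray()
        for i, byte in enumerate(data):
            off = seq + i
            seen.setdefault(off, byte)   # first copy of an offset is canonical
            fixed.append(seen[off])
        normalized.append((seq, bytes(fixed)))
    return normalized


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def capture_matches(original, segments, policy):
    """True when the stream reassembled under `policy` hashes to the original."""
    return sha256_hex(reassemble(segments, policy)) == sha256_hex(original)


if __name__ == "__main__":
    original = b"HELLO SNORT\n"   # what the server actually sent (constructed)
    for pol in ("first", "last"):
        print(pol, reassemble(SEGMENTS, pol), capture_matches(original, SEGMENTS, pol))
    fixed = normalize_retransmissions(SEGMENTS)
    for pol in ("first", "last"):
        print("normalized", pol, capture_matches(original, fixed, pol))
```

With the raw segments, only the "first" policy reproduces the sender's bytes; after normalization both policies agree, which is the property a file-capture component needs before comparing a captured file's hash against a block list. The practical check is the same as in the script: hash the captured file and the original and compare, once with and once without the normalizer enabled.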
