[Snort-users] preprocessor file_inspect: file capture from FTP traffic differs from original

Lương Minh Tuấn not.soledad at ...11827...
Fri Dec 11 21:16:07 EST 2015


Thanks for the reply, Hui, but I run Snort in IDS mode, so normalize_tcp may 
not work. Anyway, I used the default configuration, so the normalize 
preprocessor is:
     preprocessor normalize_ip4
     preprocessor normalize_tcp: ips ecn stream
     preprocessor normalize_icmp4
     preprocessor normalize_ip6
     preprocessor normalize_icmp6

Thanks,
Minh Tuan Luong
On 12/11/2015 9:21 PM, Hui cao wrote:
> Do you have the following configured?
>
> preprocessor normalize_tcp: ips
>
> *Best,
> Hui.*
>
> On 12/10/2015 11:04 PM, Lương Minh Tuấn wrote:
>> Hi everybody,
>>       I have a problem with the file_inspect preprocessor: when Snort
>> captures a file from FTP traffic, the file written to disk differs from
>> the original file (the file data and SHA256 are not correct). The problem
>> happened with almost every file transferred via FTP, but HTTP still works well.
>> I'm using Snort version 2.9.7.6 and tried 2.9.8.0, but no luck.
>>       Here's my Snort server information:
>>       - OS: CentOS 7 64-bit, with Snort and vsftpd installed; tried with both
>> a real server and a VMware virtual guest.
>>       - file service and file_inspect configuration:
>>           configfile:\
>>           file_type_depth 42949672, \
>>           file_signature_depth 42949672, \
>>           file_capture_max 42949672, \
>>           file_capture_memcap 200
>>
>>           preprocessor file_inspect:\
>>                 type_id, \
>>                 signature, \
>>                 capture_queue_size 5000, \
>>                 capture_disk /home/file_capture/tmp/ 1024
>>
>>      Is there anything that needs to be configured to make Snort work better?
>> Almost every file captured from FTP is not correct, so it cannot match the block
>> list and cannot be used for further analysis.
>> Please help, thank you!
>>
>> Minh Tuan Luong
>>
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
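A check a defender can run over the capture_disk directory to spot the kind of mismatch this thread describes, added here as an example (not code from the thread or from the Snort project). It assumes that Snort names each captured file with the SHA256 it computed for the file, and it builds its own constructed capture directory with one intact and one damaged file so it runs offline:

```python
import hashlib
import os
import tempfile

# Constructed sample data (not from the thread): two files as they were served by the
# FTP server, plus a block list that holds the hash of the first one.
ORIGINAL_A = b"MZ\x90\x00 constructed sample A: this one is on the block list\n"
ORIGINAL_B = b"%PDF-1.4 constructed sample B: benign\n"
BLOCK_LIST = {hashlib.sha256(ORIGINAL_A).hexdigest()}


def sha256_of_file(path, chunk=1 << 16):
    """Stream a file through SHA256 so large captures do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_capture_dir(capture_dir, block_list):
    """Hash every file in capture_dir and report, per file:
       sha256       - hash of the bytes actually on disk
       name_matches - whether that hash equals the file name (assumption: Snort
                      names each captured file with the SHA256 it computed)
       blocked      - whether the on-disk hash is on the block list
    A file with name_matches == False is a capture whose content differs from
    what Snort hashed, i.e. the symptom reported in the thread."""
    report = {}
    for name in sorted(os.listdir(capture_dir)):
        path = os.path.join(capture_dir, name)
        if not os.path.isfile(path):
            continue
        digest = sha256_of_file(path)
        report[name] = {
            "sha256": digest,
            "name_matches": name.lower() == digest,
            "blocked": digest in block_list,
        }
    return report


def demo():
    """Build a throw-away capture directory with one intact and one damaged capture."""
    with tempfile.TemporaryDirectory() as d:
        # Intact capture: file name and content agree.
        name_a = hashlib.sha256(ORIGINAL_A).hexdigest()
        with open(os.path.join(d, name_a), "wb") as f:
            f.write(ORIGINAL_A)
        # Damaged capture: Snort saw ORIGINAL_B (so that hash became the name),
        # but the bytes that reached disk lost their first 8 bytes (constructed).
        name_b = hashlib.sha256(ORIGINAL_B).hexdigest()
        with open(os.path.join(d, name_b), "wb") as f:
            f.write(ORIGINAL_B[8:])
        report = check_capture_dir(d, BLOCK_LIST)
    return name_a, name_b, report


if __name__ == "__main__":
    a, b, report = demo()
    for name, r in report.items():
        status = "OK" if r["name_matches"] else "CONTENT MISMATCH"
        flag = " (block list hit)" if r["blocked"] else ""
        print(f"{name[:16]}... {status}{flag}")
```

Pointing check_capture_dir at the real capture_disk path (/home/file_capture/tmp/ in the configuration above) with a set of block-list hashes gives a quick count of captures whose content no longer matches the hash Snort assigned, which is a more useful signal than a single block-list miss when deciding whether the capture path, rather than the block list, is at fault.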

