[Snort-users] File extraction during http/ftp transaction

Hui cao huica at ...589...
Wed Mar 11 11:10:18 EDT 2015


Hi Rishabh,

You need to add --enable-open-appid to your ./configure.

./configure --enable-file-inspect --enable-open-appid

Best,
Hui.
On 03/11/2015 10:33 AM, Rishabh Shah wrote:
> Hi Joel,
>
> Thanks for your prompt reply. I did a ./configure 
> --enable-file-inspect and while executing make, I saw the following 
> error messages:
>
> /root/snort_src/snort-2.9.7.0/src/plugbase.c:216: undefined reference to `SetupAppId'
> detection-plugins/libspd.a(detection_options.o): In function `detection_hash_free_func':
> /root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:553: undefined reference to `optionAppIdFree'
> detection-plugins/libspd.a(detection_options.o): In function `detection_option_hash_func':
> /root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:252: undefined reference to `optionAppIdHash'
> detection-plugins/libspd.a(detection_options.o): In function `detection_option_key_compare_func':
> /root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:409: undefined reference to `optionAppIdCompare'
> collect2: error: ld returned 1 exit status
> make[3]: *** [snort] Error 1
> make[3]: Leaving directory `/root/snort_src/snort-2.9.7.0/src'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/root/snort_src/snort-2.9.7.0/src'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/root/snort_src/snort-2.9.7.0'
> make: *** [all] Error 2
>
> I am not sure why I am seeing those messages, as I see a reference to 
> the above errors:
>
> root at ...17114...:~/snort_src/snort-2.9.7.0/src# grep -r 
> "optionAppIdFree" .
> Binary file ./detection-plugins/detection_options.o matches
> Binary file ./detection-plugins/sp_appid.o matches
> ./detection-plugins/sp_appid.c:void optionAppIdFree(AppIdOptionData 
> *optData)
> ./detection-plugins/sp_appid.c:  optionAppIdFree(optData);
> Binary file ./detection-plugins/libspd.a matches
> ./detection-plugins/detection_options.c: 
>  optionAppIdFree(key->option_data);
> ./detection-plugins/sp_appid.h:void optionAppIdFree(AppIdOptionData 
> *optData);
>
>
> I appended the following line in snort.conf:
> preprocessor file_inspect: type_id, signature, capture_disk 
> /home/file_capture/tmp/, capture_queue_size 5000
>
> While executing snort process, I got a core file with the following 
> message:
>
> File config:
>     file type: ENABLED
>     file signature: ENABLED
>     file capture: ENABLED
>     file capture directory: /home/file_capture/tmp/
>     file capture disk size: 300 (Default) megabytes
>     file sent to host: DISABLED (Default), port number: 0
>
> Segmentation fault (core dumped)
>
> The traceback of the core file points to:
>
> root at ...17114...:~/snort_src# gdb snort -c core
> GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
> Copyright (C) 2014 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later 
> <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>.
> Find the GDB manual and other documentation resources online at:
> <http://www.gnu.org/software/gdb/documentation/>.
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from snort...done.
>
> warning: exec file is newer than core file.
> [New LWP 10904]
>
> warning: .dynamic section for 
> "/usr/local/lib/snort_dynamicengine/libsf_engine.so" is not at the 
> expected address (wrong library or version mismatch?)
>
> warning: .dynamic section for 
> "/usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so" is 
> not at the expected address (wrong library or version mismatch?)
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Core was generated by `/usr/local/bin/snort -c /etc/snort/snort.conf 
> -Q -i eth1:eth2 -l /var/log/snort'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  strlen () at ../sysdeps/x86_64/strlen.S:106
> 106     ../sysdeps/x86_64/strlen.S: No such file or directory.
> (gdb) bt
> #0  strlen () at ../sysdeps/x86_64/strlen.S:106
> #1  0x00007f6ab63050a6 in appIdStatsInit (appFileName=0x7f6ab6628170 
> <config+16> "appstats-unified.log", statsPeriod=10, 
> rolloverSize=20971520, rolloverPeriod=86400) at appIdStats.c:264
> #2  0x00007f6ab62fa2d0 in AppIdCommonInit (memcap=268435456) at 
> commonAppMatcher.c:297
> #3  0x00007f6ab6303798 in AppIdInit (sc=0x1eb9770, args=0x1f516e0 
> "app_stats_filename appstats-unified.log, app_stats_period 10, 
> app_detector_dir /usr/local/lib/openappid") at spp_appid.c:157
> #4  0x000000000042048e in InitVarTables (p=0x1eb9770) at parser.c:5728
> #5  0x000000000046c3d0 in CheckAppId (option_data=0x0, p=0x0) at 
> sp_appid.c:342
> #6  0x0000000000000000 in ?? ()
> (gdb) Quit
>
> I had installed openappid as well.
>
>
> On Wed, Mar 11, 2015 at 7:00 PM, Joel Esler (jesler) <jesler at ...589... 
> <mailto:jesler at ...589...>> wrote:
>
>
>>     On Mar 11, 2015, at 9:23 AM, Rishabh Shah <rishabh420 at ...11827...
>>     <mailto:rishabh420 at ...11827...>> wrote:
>>
>>     Hi Snort Team,
>>
>>     Is it possible to extract any file during http/ftp transactions?
>>     The HTTP preprocessor makes it possible to read the HTTP
>>     URI/content. Does snort have the intelligence to extract the file
>>     during any transfer?
>>
>
>     Beginning with 2.9.6.0, Snort has had the ability to extract files
>     from streams and write them to disk.
>
>     Check out the README: https://www.snort.org/faq/readme-file
>
>     --
>     *Joel Esler*
>     Open Source Manager
>     Threat Intelligence Team Lead
>     Talos Group
>
>
>
>
> -- 
> Regards,
> Rishabh Shah.
>
>
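As an added example (not code from the Snort project or from anyone in this thread): a small POSIX shell helper that takes the linker output from a failed `make`, pulls out the undefined symbols, and reports which ./configure flag to add. The symbol-to-flag table is an assumption drawn from Hui's answer above (SetupAppId and the optionAppId* helpers are only built with --enable-open-appid); the sample linker output is constructed from the error lines quoted in this thread.

```shell
#!/bin/sh
# Added example, not part of the Snort sources or this thread.
# Reads GNU ld "undefined reference to `sym'" lines from a failed
# `make 2>&1` and suggests the ./configure flag that provides them.

# Constructed sample: the linker errors quoted in the thread, one per line.
sample_ld_output() {
cat <<'EOF'
/root/snort_src/snort-2.9.7.0/src/plugbase.c:216: undefined reference to `SetupAppId'
detection-plugins/libspd.a(detection_options.o): In function `detection_hash_free_func':
/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:553: undefined reference to `optionAppIdFree'
detection-plugins/libspd.a(detection_options.o): In function `detection_option_hash_func':
/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:252: undefined reference to `optionAppIdHash'
detection-plugins/libspd.a(detection_options.o): In function `detection_option_key_compare_func':
/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:409: undefined reference to `optionAppIdCompare'
collect2: error: ld returned 1 exit status
EOF
}

# Print the unique undefined symbol names found on stdin, one per line.
undefined_symbols() {
    sed -n 's/.*undefined reference to `\([A-Za-z0-9_]*\)'"'"'.*/\1/p' | sort -u
}

# Map one symbol to the configure flag that compiles it in.
# Assumption (from the thread): the AppId entry points live behind
# --enable-open-appid in Snort 2.9.7.0. Extend the table as needed.
flag_for_symbol() {
    case "$1" in
        SetupAppId|optionAppId*) echo "--enable-open-appid" ;;
        *) return 1 ;;
    esac
}

# Read ld output on stdin, print the set of flags to add (sorted, unique);
# symbols the table does not know are reported on stderr.
suggest_configure_flags() {
    undefined_symbols | while read -r sym; do
        flag_for_symbol "$sym" || echo "no flag known for symbol: $sym" >&2
    done | sort -u
}

# Rebuild the ./configure invocation with the suggested flags appended.
configure_command() {
    base="$1"; shift
    printf '%s' "$base"
    for f in "$@"; do printf ' %s' "$f"; done
    printf '\n'
}

# Stand-alone use against a real build:
#   make 2>&1 | tee make.log
#   configure_command "./configure --enable-file-inspect" $(suggest_configure_flags < make.log)
# Demo on the constructed sample:
configure_command "./configure --enable-file-inspect" $(sample_ld_output | suggest_configure_flags)
```

The table deliberately covers only the symbols this thread shows; any symbol it does not recognise is flagged on stderr rather than guessed, so the output never claims a flag the evidence does not support.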
