[Snort-users] File preprocessor fails to capture files

Hui Cao (huica) huica at ...589...
Fri May 8 08:40:42 EDT 2015


What’s the full snort configuration?

If you build snort with debug, you should add:config paf_max: 16384
In addition, it would be better to add: preprocessor normalize_tcp: ips<https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=0CCQQFjAC&url=http%3A%2F%2Ft73100.security-ids-snort-general.securityupdate.info%2Fpreprocessor-normalize-tcp-ips-t73100.html&ei=B65MVdGDEJObyAT5g4GQBg&usg=AFQjCNEvwb_tSISxggsZbXdfA2SJs7Pm1A&sig2=0_WSEYBph2TfDNTtcatjhw>

Best,
Hui.
From: Pablo Cantos Polaino <pcantos at ...16842...<mailto:pcantos at ...16842...>>
Date: Friday, May 8, 2015 at 8:26 AM
To: "snort-users at lists.sourceforge.net<mailto:snort-users at ...5870....net>" <snort-users at lists.sourceforge.net<mailto:snort-users at ...2987...rge.net>>
Subject: [Snort-users] File preprocessor fails to capture files

Hello all,

I'm doing some tests over the file preprocessor and these are the conf options that I'm using related to file preprocessor:

include file_magic.conf
config file:\
    file_type_depth 4294967295, \
    file_signature_depth 4294967295, \
    file_capture_max 4294967295
preprocessor file_inspect:\
    capture_queue_size 50000, \
    signature, \
    capture_disk /var/log/snort/files/ 50000

This time what I'm trying to do is to capture every file detected by file preprocessor in the directory /var/log/snort/files.

For these tests, I've used the following files:

wget ftp://ftp.hp.com/pub/information_storage/software/video/video1.avi
wget ftp://ftp.hp.com/pub/information_storage/software/video/MakeUp.mov
wget ftp://ftp.hp.com/pub/information_storage/software/video/Fighter.mpg
wget http://releases.ubuntu.com/14.04/ubuntu-14.04.2-desktop-amd64.iso
wget http://scholar.princeton.edu/sites/default/files/oversize_pdf_test_0.pdf
wget https://10.0.70.110/client/VMware-viclient.exe --no-check-certificate
wget http://cpansearch.perl.org/src/MIKEM/Device-SNP-1.3/datadesigner/tux-sw.bmp

I addition, I've got a pcap traffic capture which includes all the 7 files above.

When I run Snort reading this pcap, I got the following:

Captured files:

# ls -lS
-rw------- 1 root root 24211979 May  8 11:14 8452B621DC334D1FD44470A80540CBEF2F6869AF851B9E8C684EF9402016F692
-rw------- 1 root root 13045613 May  8 11:14 5CF142947C2957EE648457A91B69FB82F088F31205030F9A77B2AD827228C6E9
-rw------- 1 root root  6352738 May  8 11:14 DB57C532919D9ABABAC127F29DBDC05ED832394880E46CAD81A5DDE713CCB4BE
-rw------- 1 root root  2936119 May  8 11:14 B4127F43A3F455523B81179CC11AA4F28FC27F4C041D20E28AA08A32D85CB757
-rw------- 1 root root   495316 May  8 11:14 A294AA3D01CD8902BF842D320E7F2C043AF9EAD95D0E7198C3B71A0DBC9D253C
-rw------- 1 root root   424526 May  8 11:14 8863DB1EC4B02D5BCC1FB4BD03D220F7458136342CDD47CE507A5B886C6BB56C
-rw------- 1 root root     2817 May  8 11:14 D03CDB1F2584A2C06E866931EC5F31F141D9D08F237E04708C7C19D94FFA62F5
-rw------- 1 root root     1958 May  8 11:14 369FDD6FB34BB5E1F0EC79D063FE0115AEF35AA20972BE8E4739417594F692AA
-rw------- 1 root root     1958 May  8 11:14 EF49069F43D349C83873A6784351F16ADC39B8358ACFAE3A30EA4DD684C29DCC
-rw------- 1 root root      446 May  8 11:14 8D490C71A27631CF6A476F68C409655CB63BF32C17846A3C3C125A79046DB2C1

Downloaded files:

# ls -l
-rw-r--r-- 1 root root    2187725 May  8 11:01 Fighter.mpg
-rw-r--r-- 1 root root   14955972 May  8 11:01 MakeUp.mov
-rw-r--r-- 1 root root  375187792 May  8 11:02 VMware-viclient.exe
-rw-r--r-- 1 root root  101688487 Jul 10  2014 oversize_pdf_test_0.pdf
-rw-r--r-- 1 root root        446 Mar 22  2013 tux-sw.bmp
-rw-r--r-- 1 root root 1044381696 Feb 18 20:12 ubuntu-14.04.2-desktop-amd64.iso
-rw-r--r-- 1 root root    6094376 May  8 11:01 video1.avi
# sha256sum *
55bdca20aa0ffd8fa3b12029d1e122696a936abc29dd4ec4a5bd878836a5d36f  Fighter.mpg
88a43830b006a4ade60874ffb10a0d5afd06245d0bc460da90015ed73df08d58  MakeUp.mov
57bc6123a563056e32fb317c20d1e3b96af723b2b2c9732033e3ab9ce8f8e625  VMware-viclient.exe
fa43e683e94372d81210a275cc37112bf2df9c971d377506aab8ae47e5fb0d34  oversize_pdf_test_0.pdf
8d490c71a27631cf6a476f68c409655cb63bf32c17846a3c3c125a79046db2c1  tux-sw.bmp
39eeb28bdb8af630850e75e54b9864ca07640a2bb10bd10055763236b99f9b1d  ubuntu-14.04.2-desktop-amd64.iso
bb13418aeb4535c0d1f5c491ad69dd87041a8a1ba7dacc6bc763337beaed7dca  video1.avi

As you can see, Snort just captures correctly the smallest file, that fits in a single packet. The others captured files do not coincide with the captured files (in number and size, and hence in sha256)

If I run Snort sniffing from my network interface and I download the 7 files by using the wget command, I got the following:

Captured files:

-rw------- 1 root root 446 May  8 11:30 8D490C71A27631CF6A476F68C409655CB63BF32C17846A3C3C125A79046DB2C1

This case, Snort just captures the smallest file, that fits in a single packet.

I've gone deep into the code and I've found out the problem could come from a strange behavior of the Frag3 preprocessor when dealing with packets that contain files.

I see two different issues here:

1.- When sniffing from an interface, Snort is only able to capture files which fit in one single packet.
2.- When reading from a network capture file, Snort is able to capture files in general, but it does it in a wrong way when the file take up more than one packet.

I'd like to know if you were aware of these strange behaviors.

Best Regards,

Pablo Cantos
redborder.org<http://redborder.org> / pcantos at ...16842...<mailto:pcantos at ...846....16842...>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150508/d76494d0/attachment.html>


More information about the Snort-users mailing list