[Snort-users] File preprocessor fails to capture files

Pablo Cantos Polaino pcantos at ...16842...
Fri May 8 08:58:42 EDT 2015


Thanks for your reply Hui,

I'm attaching the full configuration now. I've used a default conf, and
included the file preprocessor configuration that I mentioned before.

As you can see in the conf file, for normalize preprocessor, there was the
following line in the default conf, so I suppose I shouldn't change this:
preprocessor normalize_tcp: ips ecn stream

About debug, I haven't build snort in debug mode since I haven't be able to
go deeper into this. I will try this when I come back to the office, but in
any case, I'm interested on use Snort in a normal mode, not in debug mode.

I forgot to mention I'm using the last version: 2.9.7.2.

Best Regards,


Pablo Cantos
redborder.org / pcantos at ...16842...

2015-05-08 14:40 GMT+02:00 Hui Cao (huica) <huica at ...589...>:

>  What’s the full snort configuration?
>
>  If you build snort with debug, you should add:config paf_max: 16384
> In addition, it would be better to add: preprocessor normalize_tcp: ips
> <https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=0CCQQFjAC&url=http%3A%2F%2Ft73100.security-ids-snort-general.securityupdate.info%2Fpreprocessor-normalize-tcp-ips-t73100.html&ei=B65MVdGDEJObyAT5g4GQBg&usg=AFQjCNEvwb_tSISxggsZbXdfA2SJs7Pm1A&sig2=0_WSEYBph2TfDNTtcatjhw>
>
>  Best,
>  Hui.
>  From: Pablo Cantos Polaino <pcantos at ...16842...>
> Date: Friday, May 8, 2015 at 8:26 AM
> To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net
> >
> Subject: [Snort-users] File preprocessor fails to capture files
>
>   Hello all,
>
>  I'm doing some tests over the file preprocessor and these are the conf
> options that I'm using related to file preprocessor:
>
>   include file_magic.conf
>> config file:\
>>     file_type_depth 4294967295, \
>>     file_signature_depth 4294967295, \
>>     file_capture_max 4294967295
>> preprocessor file_inspect:\
>>     capture_queue_size 50000, \
>>     signature, \
>>     capture_disk /var/log/snort/files/ 50000
>
>
>  This time what I'm trying to do is to capture every file detected by
> file preprocessor in the directory /var/log/snort/files.
>
>  For these tests, I've used the following files:
>
>  wget ftp://ftp.hp.com/pub/information_storage/software/video/video1.avi
> wget ftp://ftp.hp.com/pub/information_storage/software/video/MakeUp.mov
> wget ftp://ftp.hp.com/pub/information_storage/software/video/Fighter.mpg
> wget http://releases.ubuntu.com/14.04/ubuntu-14.04.2-desktop-amd64.iso
> wget
> http://scholar.princeton.edu/sites/default/files/oversize_pdf_test_0.pdf
> wget https://10.0.70.110/client/VMware-viclient.exe --no-check-certificate
> wget
> http://cpansearch.perl.org/src/MIKEM/Device-SNP-1.3/datadesigner/tux-sw.bmp
>
>  I addition, I've got a pcap traffic capture which includes all the 7
> files above.
>
>  When I run Snort reading this pcap, I got the following:
>
>  Captured files:
>
>
>>  # ls -lS
>>
>  -rw------- 1 root root 24211979 May  8 11:14
>> 8452B621DC334D1FD44470A80540CBEF2F6869AF851B9E8C684EF9402016F692
>> -rw------- 1 root root 13045613 May  8 11:14
>> 5CF142947C2957EE648457A91B69FB82F088F31205030F9A77B2AD827228C6E9
>> -rw------- 1 root root  6352738 May  8 11:14
>> DB57C532919D9ABABAC127F29DBDC05ED832394880E46CAD81A5DDE713CCB4BE
>> -rw------- 1 root root  2936119 May  8 11:14
>> B4127F43A3F455523B81179CC11AA4F28FC27F4C041D20E28AA08A32D85CB757
>> -rw------- 1 root root   495316 May  8 11:14
>> A294AA3D01CD8902BF842D320E7F2C043AF9EAD95D0E7198C3B71A0DBC9D253C
>> -rw------- 1 root root   424526 May  8 11:14
>> 8863DB1EC4B02D5BCC1FB4BD03D220F7458136342CDD47CE507A5B886C6BB56C
>> -rw------- 1 root root     2817 May  8 11:14
>> D03CDB1F2584A2C06E866931EC5F31F141D9D08F237E04708C7C19D94FFA62F5
>> -rw------- 1 root root     1958 May  8 11:14
>> 369FDD6FB34BB5E1F0EC79D063FE0115AEF35AA20972BE8E4739417594F692AA
>> -rw------- 1 root root     1958 May  8 11:14
>> EF49069F43D349C83873A6784351F16ADC39B8358ACFAE3A30EA4DD684C29DCC
>>
>  -rw------- 1 root root      446 May  8 11:14
>> 8D490C71A27631CF6A476F68C409655CB63BF32C17846A3C3C125A79046DB2C1
>
>
>
>> Downloaded files:
>>
>
>>  # ls -l
>>
>  -rw-r--r-- 1 root root    2187725 May  8 11:01 Fighter.mpg
>>
>  -rw-r--r-- 1 root root   14955972 May  8 11:01 MakeUp.mov
>> -rw-r--r-- 1 root root  375187792 May  8 11:02 VMware-viclient.exe
>> -rw-r--r-- 1 root root  101688487 Jul 10  2014 oversize_pdf_test_0.pdf
>
>  -rw-r--r-- 1 root root        446 Mar 22  2013 tux-sw.bmp
>
>  -rw-r--r-- 1 root root 1044381696 Feb 18 20:12
>> ubuntu-14.04.2-desktop-amd64.iso
>> -rw-r--r-- 1 root root    6094376 May  8 11:01 video1.avi
>> # sha256sum *
>>
>  55bdca20aa0ffd8fa3b12029d1e122696a936abc29dd4ec4a5bd878836a5d36f
>>  Fighter.mpg
>>
>  88a43830b006a4ade60874ffb10a0d5afd06245d0bc460da90015ed73df08d58
>>  MakeUp.mov
>> 57bc6123a563056e32fb317c20d1e3b96af723b2b2c9732033e3ab9ce8f8e625
>>  VMware-viclient.exe
>> fa43e683e94372d81210a275cc37112bf2df9c971d377506aab8ae47e5fb0d34
>>  oversize_pdf_test_0.pdf
>> 8d490c71a27631cf6a476f68c409655cb63bf32c17846a3c3c125a79046db2c1
>>  tux-sw.bmp
>
>  39eeb28bdb8af630850e75e54b9864ca07640a2bb10bd10055763236b99f9b1d
>>  ubuntu-14.04.2-desktop-amd64.iso
>> bb13418aeb4535c0d1f5c491ad69dd87041a8a1ba7dacc6bc763337beaed7dca
>>  video1.avi
>
>
>  As you can see, Snort just captures correctly the smallest file, that
> fits in a single packet. The others captured files do not coincide with the
> captured files (in number and size, and hence in sha256)
>
>  If I run Snort sniffing from my network interface and I download the 7
> files by using the wget command, I got the following:
>
>  Captured files:
>>
>
>
>  -rw------- 1 root root 446 May  8 11:30
>> 8D490C71A27631CF6A476F68C409655CB63BF32C17846A3C3C125A79046DB2C1
>
>
>  This case, Snort just captures the smallest file, that fits in a single
> packet.
>
>  I've gone deep into the code and I've found out the problem could come
> from a strange behavior of the Frag3 preprocessor when dealing with packets
> that contain files.
>
>  I see two different issues here:
>
>  1.- When sniffing from an interface, Snort is only able to capture files
> which fit in one single packet.
> 2.- When reading from a network capture file, Snort is able to capture
> files in general, but it does it in a wrong way when the file take up more
> than one packet.
>
>  I'd like to know if you were aware of these strange behaviors.
>
>  Best Regards,
>
>    Pablo Cantos
>  redborder.org / pcantos at ...16842...
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150508/cbd3d40f/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 27225 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150508/cbd3d40f/attachment.obj>


More information about the Snort-users mailing list