[Snort-users] File preprocessor fails to capture files

Hui cao huica at ...589...
Fri May 8 09:26:01 EDT 2015


What's the exit stats?

Best,
Hui.

On 05/08/2015 08:58 AM, Pablo Cantos Polaino wrote:
> Thanks for your reply Hui,
>
> I'm attaching the full configuration now. I've used a default conf, 
> and included the file preprocessor configuration that I mentioned before.
>
> As you can see in the conf file, for normalize preprocessor, there was 
> the following line in the default conf, so I suppose I shouldn't 
> change this:
> preprocessor normalize_tcp: ips ecn stream
>
> About debug, I haven't built snort in debug mode since I haven't been 
> able to go deeper into this. I will try this when I come back to the 
> office, but in any case, I'm interested in using Snort in a normal mode, 
> not in debug mode.
>
> I forgot to mention I'm using the latest version: 2.9.7.2.
>
> Best Regards,
>
>
> Pablo Cantos
> redborder.org <http://redborder.org> / pcantos at ...16842... 
> <mailto:pcantos at ...16842...>
>
> 2015-05-08 14:40 GMT+02:00 Hui Cao (huica) <huica at ...589... 
> <mailto:huica at ...589...>>:
>
>     What’s the full snort configuration?
>
>     If you build snort with debug, you should add: config paf_max: 16384
>     In addition, it would be better to add: preprocessor
>     normalize_tcp: ips
>     <https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=0CCQQFjAC&url=http%3A%2F%2Ft73100.security-ids-snort-general.securityupdate.info%2Fpreprocessor-normalize-tcp-ips-t73100.html&ei=B65MVdGDEJObyAT5g4GQBg&usg=AFQjCNEvwb_tSISxggsZbXdfA2SJs7Pm1A&sig2=0_WSEYBph2TfDNTtcatjhw>
>
>     Best,
>     Hui.
>     From: Pablo Cantos Polaino <pcantos at ...16842...
>     <mailto:pcantos at ...16842...>>
>     Date: Friday, May 8, 2015 at 8:26 AM
>     To: "snort-users at lists.sourceforge.net
>     <mailto:snort-users at lists.sourceforge.net>"
>     <snort-users at lists.sourceforge.net
>     <mailto:snort-users at lists.sourceforge.net>>
>     Subject: [Snort-users] File preprocessor fails to capture files
>
>     Hello all,
>
>     I'm doing some tests over the file preprocessor and these are the
>     conf options that I'm using related to file preprocessor:
>
>         include file_magic.conf
>         config file:\
>             file_type_depth 4294967295, \
>             file_signature_depth 4294967295, \
>             file_capture_max 4294967295
>         preprocessor file_inspect:\
>             capture_queue_size 50000, \
>             signature, \
>             capture_disk /var/log/snort/files/ 50000
>
>
>     This time what I'm trying to do is to capture every file detected
>     by file preprocessor in the directory /var/log/snort/files.
>
>     For these tests, I've used the following files:
>
>     wget
>     ftp://ftp.hp.com/pub/information_storage/software/video/video1.avi
>     wget
>     ftp://ftp.hp.com/pub/information_storage/software/video/MakeUp.mov
>     wget
>     ftp://ftp.hp.com/pub/information_storage/software/video/Fighter.mpg
>     wget http://releases.ubuntu.com/14.04/ubuntu-14.04.2-desktop-amd64.iso
>     wget
>     http://scholar.princeton.edu/sites/default/files/oversize_pdf_test_0.pdf
>     wget https://10.0.70.110/client/VMware-viclient.exe
>     --no-check-certificate
>     wget
>     http://cpansearch.perl.org/src/MIKEM/Device-SNP-1.3/datadesigner/tux-sw.bmp
>
>     In addition, I've got a pcap traffic capture which includes all the
>     7 files above.
>
>     When I run Snort reading this pcap, I get the following:
>
>         Captured files:
>
>         # ls -lS
>         -rw------- 1 root root 24211979 May  8 11:14 8452B621DC334D1FD44470A80540CBEF2F6869AF851B9E8C684EF9402016F692
>         -rw------- 1 root root 13045613 May  8 11:14 5CF142947C2957EE648457A91B69FB82F088F31205030F9A77B2AD827228C6E9
>         -rw------- 1 root root  6352738 May  8 11:14 DB57C532919D9ABABAC127F29DBDC05ED832394880E46CAD81A5DDE713CCB4BE
>         -rw------- 1 root root  2936119 May  8 11:14 B4127F43A3F455523B81179CC11AA4F28FC27F4C041D20E28AA08A32D85CB757
>         -rw------- 1 root root   495316 May  8 11:14 A294AA3D01CD8902BF842D320E7F2C043AF9EAD95D0E7198C3B71A0DBC9D253C
>         -rw------- 1 root root   424526 May  8 11:14 8863DB1EC4B02D5BCC1FB4BD03D220F7458136342CDD47CE507A5B886C6BB56C
>         -rw------- 1 root root     2817 May  8 11:14 D03CDB1F2584A2C06E866931EC5F31F141D9D08F237E04708C7C19D94FFA62F5
>         -rw------- 1 root root     1958 May  8 11:14 369FDD6FB34BB5E1F0EC79D063FE0115AEF35AA20972BE8E4739417594F692AA
>         -rw------- 1 root root     1958 May  8 11:14 EF49069F43D349C83873A6784351F16ADC39B8358ACFAE3A30EA4DD684C29DCC
>         -rw------- 1 root root      446 May  8 11:14 8D490C71A27631CF6A476F68C409655CB63BF32C17846A3C3C125A79046DB2C1
>
>         Downloaded files:
>
>         # ls -l
>         -rw-r--r-- 1 root root    2187725 May  8 11:01 Fighter.mpg
>         -rw-r--r-- 1 root root   14955972 May  8 11:01 MakeUp.mov
>         -rw-r--r-- 1 root root  375187792 May  8 11:02 VMware-viclient.exe
>         -rw-r--r-- 1 root root  101688487 Jul 10  2014 oversize_pdf_test_0.pdf
>         -rw-r--r-- 1 root root        446 Mar 22  2013 tux-sw.bmp
>         -rw-r--r-- 1 root root 1044381696 Feb 18 20:12 ubuntu-14.04.2-desktop-amd64.iso
>         -rw-r--r-- 1 root root    6094376 May  8 11:01 video1.avi
>
>         # sha256sum *
>         55bdca20aa0ffd8fa3b12029d1e122696a936abc29dd4ec4a5bd878836a5d36f  Fighter.mpg
>         88a43830b006a4ade60874ffb10a0d5afd06245d0bc460da90015ed73df08d58  MakeUp.mov
>         57bc6123a563056e32fb317c20d1e3b96af723b2b2c9732033e3ab9ce8f8e625  VMware-viclient.exe
>         fa43e683e94372d81210a275cc37112bf2df9c971d377506aab8ae47e5fb0d34  oversize_pdf_test_0.pdf
>         8d490c71a27631cf6a476f68c409655cb63bf32c17846a3c3c125a79046db2c1  tux-sw.bmp
>         39eeb28bdb8af630850e75e54b9864ca07640a2bb10bd10055763236b99f9b1d  ubuntu-14.04.2-desktop-amd64.iso
>         bb13418aeb4535c0d1f5c491ad69dd87041a8a1ba7dacc6bc763337beaed7dca  video1.avi
>
>
>     As you can see, Snort just captures correctly the smallest file,
>     which fits in a single packet. The other captured files do not
>     coincide with the captured files (in number and size, and hence in
>     sha256).
>
>     If I run Snort sniffing from my network interface and I download
>     the 7 files by using the wget command, I get the following:
>
>         Captured files:
>
>         -rw------- 1 root root 446 May  8 11:30
>         8D490C71A27631CF6A476F68C409655CB63BF32C17846A3C3C125A79046DB2C1
>
>
>     In this case, Snort just captures the smallest file, which fits in a
>     single packet.
>
>     I've gone deep into the code and I've found out the problem could
>     come from a strange behavior of the Frag3 preprocessor when
>     dealing with packets that contain files.
>
>     I see two different issues here:
>
>     1.- When sniffing from an interface, Snort is only able to capture
>     files which fit in one single packet.
>     2.- When reading from a network capture file, Snort is able to
>     capture files in general, but it does it in a wrong way when the
>     file takes up more than one packet.
>
>     I'd like to know if you were aware of these strange behaviors.
>
>     Best Regards,
>
>     Pablo Cantos
>     redborder.org <http://redborder.org> / pcantos at ...16842...
>     <mailto:pcantos at ...16842...>
>
>
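The comparison the report does by hand (listing the capture_disk directory, then sha256sum on the downloads) as an added script; it is not part of this thread or of Snort. It assumes, as the listing above shows, that file_inspect names each captured file by the uppercase SHA256 of the bytes it wrote, and it runs on constructed sample data rather than the reporter's files.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_capture(captured_dir: Path, downloads: dict) -> dict:
    """Cross-check a capture_disk directory against the bytes actually downloaded.

    Assumption: each captured file is named by the uppercase SHA256 of its content,
    so the name is a checksum. Buckets: complete, truncated (capture is a strict
    prefix of a download), corrupt (name != SHA256 of content), missing, unexplained.
    """
    captures = {p.name.lower(): p.read_bytes() for p in captured_dir.iterdir() if p.is_file()}
    report = {"complete": [], "truncated": [], "missing": []}
    report["corrupt"] = sorted(h for h, c in captures.items() if sha256_hex(c) != h)
    explained = set(report["corrupt"])
    for name, data in downloads.items():
        digest = sha256_hex(data)
        if digest in captures:
            report["complete"].append(name)
            explained.add(digest)
            continue
        prefixes = [h for h, c in captures.items() if 0 < len(c) < len(data) and data.startswith(c)]
        if prefixes:
            # Report the longest partial capture: the byte count hints where reassembly stopped.
            report["truncated"].append((name, max(len(captures[h]) for h in prefixes)))
            explained.update(prefixes)
        else:
            report["missing"].append(name)
    report["unexplained"] = sorted(h for h in captures if h not in explained)
    return report

def demo() -> dict:
    """Constructed sample data: one complete, one truncated, one corrupt, one missing."""
    downloads = {
        "tux-sw.bmp": b"BM" + bytes(444),                  # fits in a single packet
        "video1.avi": b"RIFF" + bytes(range(256)) * 40,    # spans many packets
        "MakeUp.mov": b"\x00\x00\x00\x14ftypqt  " + bytes(3000),
    }
    with tempfile.TemporaryDirectory() as d:
        cap = Path(d)
        (cap / sha256_hex(downloads["tux-sw.bmp"]).upper()).write_bytes(downloads["tux-sw.bmp"])
        partial = downloads["video1.avi"][:1460]           # first TCP segment only
        (cap / sha256_hex(partial).upper()).write_bytes(partial)
        (cap / ("0" * 64)).write_bytes(b"garbage")        # name does not match content
        return verify_capture(cap, downloads)
```

Pointing `verify_capture` at a real /var/log/snort/files/ directory and a dict of the downloaded files' bytes separates "never captured" from "captured only up to the first segment", which is the distinction the two reported symptoms turn on.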
