[Snort-users] File preprocessor fails to capture files

Hui Cao (huica) huica at ...589...
Fri May 8 15:49:07 EDT 2015


Hi Pablo,

When listening from interfaces, you have lots of discards. Because file processing relies on data that are reassembled correctly, it won’t be called for those sessions that miss file data.

In the case of PCAP, no sure why file type is not identified. It is interesting to see 47M file data for only 3326 packets. That is 24K per packet. I guess in this case, it will always hit PAF_MAX for each packet which might set each packet as single PDU(file). Can you try this setting?

config paf_max: 60000

Best,
Hui.

From: Pablo Cantos Polaino <pcantos at ...16842...<mailto:pcantos at ...16842...>>
Date: Friday, May 8, 2015 at 3:29 PM
To: Hui Cao <huica at ...589...<mailto:huica at ...589...>>
Cc: "snort-users at lists.sourceforge.net<mailto:snort-users at ...5870....net>" <snort-users at lists.sourceforge.net<mailto:snort-users at ...2987...rge.net>>
Subject: Re: [Snort-users] File preprocessor fails to capture files

   IP4 Disc:       122145 ( 49.331%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:       122145 ( 49.331%)

         TCP Segments Used: 6919
              TCP Discards: 48
                  TCP Gaps: 6459
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150508/6fe17d25/attachment.html>


More information about the Snort-users mailing list