[Snort-users] File extract troubleshot

valentin.giraud at ...17480... valentin.giraud at ...17480...
Wed Apr 6 06:41:30 EDT 2016


Hi snort team!

I have some trouble capturing files:
I downloaded some RTF, PDF and EXE files in order to capture them with 
Snort, but they are not captured. Yet the alert is "identified":

[**] [1:10000003:0] WEB-MISC rtf download attempt [**]
[Priority: 0]
04/06-12:25:36.788506 10.1.10.8:40630 -> 97.88.242.114:80
TCP TTL:43 TOS:0x0 ID:39946 IpLen:20 DgmLen:404 DF
***A**** Seq: 0x7BB49AB9  Ack: 0x713EA3EE  Win: 0x7580  TcpLen: 32

Here is the output when I close Snort:
****

File type stats:
          Type              Download   (Bytes)      Upload     (Bytes)
          RTF( 23)          2          1428622      0          0
             Total          2          1428622      0          0

File signature stats:
          Type              Download   Upload
             Total          0          0

File type verdicts:
         UNKNOWN:           2
             LOG:           0
            STOP:           0
           BLOCK:           0
          REJECT:           0
         PENDING:           0
    STOP CAPTURE:           0
           Total:           2

File signature verdicts:
         UNKNOWN:           1
             LOG:           0
            STOP:           0
           BLOCK:           0
          REJECT:           0
         PENDING:           0
    STOP CAPTURE:           0
           Total:           1

Total files processed:             65
Total files data processed:        1510357   bytes
Total files buffered:              2
Total files released:              0
Total files freed:                 2
Total files captured:              0
Total files within one packet:     0
Total buffers allocated:           17
Total buffers freed:               17
Total buffers released:            0
Maximum file buffers used:         16
Total buffers free errors:         0
Total buffers release errors:      0
Total memcap failures:             0
Total memcap failures at reserve:  0
Total reserve failures:            0
Total file capture size min:       0
Total file capture size max:       0
Total capture max before reserve:  1
Total file signature max:          0
Maximum buffers can allocate:      3198
Number of buffers in use:          0
Number of buffers in free list:    3198
Number of buffers in release list: 0

****

I am running Snort 2.9.8.2. I have uploaded my snort.conf file and the local 
rules that I've added.

Any idea why this is not captured?

Sincerely,
Valentin.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: local.rules
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20160406/386a03bd/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: snort.conf
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20160406/386a03bd/attachment-0001.ksh>