[Snort-users] File extract troubleshot

Hui Cao (huica) huica at ...589...
Wed Apr 6 09:45:36 EDT 2016


Based on the config, you can only capture files up to 1M in size. You might
have hit that limit on one of those files, based on the snort output (Total
capture max before reserve: 1). You can try to increase that to 10M.

Best,
Hui.

On 4/6/16, 6:41 AM, "valentin.giraud at ...17480..."
<valentin.giraud at ...17480...> wrote:

>Hi snort team!
>
>I have some trouble capturing files:
>I downloaded some rtf, pdf and exe files in order to capture them with
>snort. But they're not captured. Yet the alert is "identified":
>
>[**] [1:10000003:0] WEB-MISC rtf download attempt [**]
>[Priority: 0]
>04/06-12:25:36.788506 10.1.10.8:40630 -> 97.88.242.114:80
>TCP TTL:43 TOS:0x0 ID:39946 IpLen:20 DgmLen:404 DF
>***A**** Seq: 0x7BB49AB9  Ack: 0x713EA3EE  Win: 0x7580  TcpLen: 32
>
>Here is the output when I close snort:
>****
>
>File type stats:
>          Type              Download   (Bytes)      Upload     (Bytes)
>          RTF( 23)          2          1428622      0          0
>             Total          2          1428622      0          0
>
>File signature stats:
>          Type              Download   Upload
>             Total          0          0
>
>File type verdicts:
>         UNKNOWN:           2
>             LOG:           0
>            STOP:           0
>           BLOCK:           0
>          REJECT:           0
>         PENDING:           0
>    STOP CAPTURE:           0
>           Total:           2
>
>File signature verdicts:
>         UNKNOWN:           1
>             LOG:           0
>            STOP:           0
>           BLOCK:           0
>          REJECT:           0
>         PENDING:           0
>    STOP CAPTURE:           0
>           Total:           1
>
>Total files processed:             65
>Total files data processed:        1510357   bytes
>Total files buffered:              2
>Total files released:              0
>Total files freed:                 2
>Total files captured:              0
>Total files within one packet:     0
>Total buffers allocated:           17
>Total buffers freed:               17
>Total buffers released:            0
>Maximum file buffers used:         16
>Total buffers free errors:         0
>Total buffers release errors:      0
>Total memcap failures:             0
>Total memcap failures at reserve:  0
>Total reserve failures:            0
>Total file capture size min:       0
>Total file capture size max:       0
>Total capture max before reserve:  1
>Total file signature max:          0
>Maximum buffers can allocate:      3198
>Number of buffers in use:          0
>Number of buffers in free list:    3198
>Number of buffers in release list: 0
>
>****
>
>I am running snort 2.9.8.2. I uploaded my snort.conf file and the local
>rules that I've added.
>
>Any idea why this is not captured?
>
>Sincerely,
>Valentin.
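The reasoning in the reply above, as an added example that is not part of the thread: a small script that parses the shutdown statistics Snort prints (the excerpt below is constructed from the values quoted in the post) and reports why files were inspected but never captured. It assumes Snort 2.9's `config file:` option is named `file_capture_max` with a 1 MB default; the suggested limit it computes is only a lower bound derived from the per-type byte totals, so a rounder value such as the 10M recommended above is a fine choice too.

```python
import math
import re

# Constructed excerpt of the shutdown statistics quoted in the post (Snort 2.9 format)
SNORT_STATS = """\
File type stats:
          Type              Download   (Bytes)      Upload     (Bytes)
          RTF( 23)          2          1428622      0          0
             Total          2          1428622      0          0
Total files processed:             65
Total files data processed:        1510357   bytes
Total files captured:              0
Total memcap failures:             0
Total capture max before reserve:  1
"""

MB = 1048576
FILE_CAPTURE_MAX_DEFAULT = 1 * MB  # assumed Snort 2.9 default for file_capture_max

def parse_counters(text):
    """Map each column-0 'Name: value' counter line to an int."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^([A-Z][^:\n]+):[ \t]+(\d+)", text, re.M)}

def parse_type_stats(text):
    """Map each file type in 'File type stats' to (downloads, download_bytes)."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in re.finditer(r"^\s+([A-Za-z0-9_]+)\(\s*\d+\)\s+(\d+)\s+(\d+)", text, re.M)}

def diagnose(text, file_capture_max=FILE_CAPTURE_MAX_DEFAULT):
    """Explain why files were inspected but not captured, and suggest a new file_capture_max."""
    c = parse_counters(text)
    findings = []
    if c.get("Total files captured", 0) == 0 and c.get("Total files processed", 0) > 0:
        if c.get("Total capture max before reserve", 0):
            findings.append(f"{c['Total capture max before reserve']} file(s) larger than "
                            f"file_capture_max={file_capture_max}; capture was skipped")
        if c.get("Total memcap failures", 0):
            findings.append("file_capture_memcap exhausted; raise it")
    # Any single file is at most the total bytes seen for its type, so a limit of that
    # size (rounded up to whole MB) is guaranteed to hold the largest one.
    largest_possible = max((b for _, b in parse_type_stats(text).values()), default=0)
    suggested = max(file_capture_max, math.ceil(largest_possible / MB) * MB)
    return {"findings": findings, "suggested_file_capture_max": suggested}

if __name__ == "__main__":
    result = diagnose(SNORT_STATS)
    for line in result["findings"]:
        print(line)
    print("config file: file_capture_max", result["suggested_file_capture_max"])
```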