[Snort-users] using snort to track file movement?

Jason Haar Jason_Haar at ...15306...
Mon Feb 15 18:20:42 EST 2016

Hi there

I'm wondering if I could (mis)use snort to track the movement of files
around the internal network (assuming WAN monitor ports in place), i.e.
log "src.ip -> cifs://dst.ip/share/dir/file" kind of thing. Filename and
checksum would make sense - keeping content would make no sense. This
could be a poor man's DLP solution, or good for forensically detecting
worms (i.e. once you have the worm checksum, you can check the logs to see
if it's been on the network). Also I can't get the greylist/blacklist
option to work - I assume that I'm using the wrong checksum. I tested it
using eicar.com
(131F95C51CC819465FA1797F6CCACF9D494AAAFF46FA3EAC73AE63FFBDFD8267) -
never triggered?

I'm playing around with snort-2.9.8's "file" options, but they don't
seem to do what I want. I've managed to make it record files to disk,
but the "filelog" option doesn't work at all ("captured-filenames" never
contains anything, even though the capture_disk directory grows with
files). What I want is the opposite. But what's equally important is the
context in which the file is detected: simple src/dst ip is not good
enough. A server - whether it be FTP/CIFS/HTTP - could have literally
millions of files on it - so you really need to know where on that
server it was detected - not just that it exists. I don't think snort
keeps track of that kind of detail?

I'm hoping I'm wrong? :-)


include /etc/snort/file_magic.conf
preprocessor normalize_tcp: ips ecn stream
preprocessor file_inspect: type_id, signature, capture_disk /var/log/snort/files/ 300, capture_queue_size 5000, greylist
dynamicoutput file
output filelog:captured-filenames



Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
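The checksum-plus-location index described in the post, as an added example that is not part of the original mail or of Snort: it records only (time, source, destination path) per SHA256, never content, answers "where has this checksum been seen", and shows why a hash taken over slightly different bytes (a trailing newline) will not match a greylist entry. All events, addresses and file bytes are constructed sample data.

```python
import hashlib
from collections import defaultdict

# Constructed sample events: (timestamp, src ip, destination URL, bytes moved).
# The file bytes are embedded so the example runs offline; a real feed would
# come from a capture tool and the bytes would be hashed, not stored.
EVENTS = [
    ("2016-02-15T18:01:02", "10.0.0.5", "cifs://10.0.1.20/share/dir/report.docx",
     b"quarterly numbers\n"),
    ("2016-02-15T18:03:14", "10.0.0.7", "cifs://10.0.1.20/share/tools/update.exe",
     b"MZ\x90\x00constructed-worm-body"),
    ("2016-02-15T18:09:45", "10.0.0.9", "ftp://10.0.1.30/pub/update.exe",
     b"MZ\x90\x00constructed-worm-body"),
    # Same document as the first event but without the trailing newline:
    # a different SHA256, so a greylist built from one copy misses the other.
    ("2016-02-15T18:11:00", "10.0.0.5", "http://10.0.1.40/upload/report.docx",
     b"quarterly numbers"),
]


def sha256_hex(data: bytes) -> str:
    """Lower-case hex SHA256 over the exact bytes seen on the wire."""
    return hashlib.sha256(data).hexdigest()


class FileTracker:
    """Index of where each checksum was observed; content is never retained."""

    def __init__(self):
        self.seen = defaultdict(list)   # digest -> [(ts, src_ip, location), ...]

    def record(self, ts: str, src_ip: str, location: str, data: bytes) -> str:
        digest = sha256_hex(data)
        self.seen[digest].append((ts, src_ip, location))
        return digest

    def where_seen(self, digest: str):
        # Normalise case so a digest pasted in upper case (as in the post) still matches.
        return list(self.seen.get(digest.strip().lower(), []))

    def log_lines(self):
        """'src.ip -> location sha256' lines, the format the post asks for."""
        return [f"{ts} {src} -> {loc} {d}"
                for d, hits in self.seen.items() for ts, src, loc in hits]


def build_tracker(events=EVENTS) -> FileTracker:
    tracker = FileTracker()
    for ts, src, loc, data in events:
        tracker.record(src_ip=src, ts=ts, location=loc, data=data)
    return tracker
```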

