[Snort-users] file_inspect holds blocked files into its memory until snort stops

Berkay Koyutürk berkay.koyuturk at labrisnetworks.com
Thu Sep 7 01:56:27 EDT 2017


Hi everybody,

As the title says, I have a problem with the file_inspect preprocessor. I
am running Snort in inline mode with the file configuration below:

#file config

  config file: \
    file_type_depth 0, \
    file_signature_depth 0, \
    file_capture_memcap 1000, \
    file_capture_max 4294967295, \
    file_block_timeout 1, \
    file_capture_min 0

#file_inspect preprocessor

  preprocessor file_inspect: \
     signature, \
     capture_disk /root/captured_files 1024, \
     capture_queue_size 5000, \
     blacklist sha_blacklist, \
     greylist sha_greylist

#file_inspect.rules

alert ( msg: "File signature"; sid: 1; gid: 147; rev: 1; metadata: rule-type preproc; )

With these configurations I can successfully block a file download if
its SHA256 sum is in the sha_blacklist file. My problem is that, while
Snort is running, it keeps holding these files in its memory, and after
a while, for example 33 files of 10 MB each, it stops blocking files and
cannot even see them anymore. My Snort exit stats are below:

======================================
   Total file type callbacks:            0
   Total file signature callbacks:       33
   Total files would saved to disk:      33
   Total files saved to disk:            0
   Total file data saved to disk:        0         bytes
   Total files duplicated:               33
   Total files reserving failed:         0
   Total file capture min:               0
   Total file capture max:               0
   Total file capture memcap:            0
   Total files reading failed:           0
   Total file agent memcap failures:     0
   Total files sent:                     0
   Total file data sent:                 0
   Total file transfer failures:         0
========================================
File type stats:
          Type              Download   (Bytes)      Upload (Bytes)
             Total          0          0            0 0

File signature stats:
          Type              Download   Upload
Undecided file type, continue...(  0)          33 0
             Total          33         0

File type verdicts:
         UNKNOWN:           0
             LOG:           0
            STOP:           0
           BLOCK:           0
          REJECT:           0
         PENDING:           0
    STOP CAPTURE:           0
           Total:           0

File signature verdicts:
         UNKNOWN:           0
             LOG:           0
            STOP:           0
           BLOCK:           33
          REJECT:           0
         PENDING:           0
    STOP CAPTURE:           0
           Total:           33

Total files processed:             33
Total files data processed:        346030080 bytes
Total files buffered:              33
Total files released:              33
Total files freed:                 0
Total files captured:              33
Total files within one packet:     0
Total buffers allocated:           10560
Total buffers freed:               0
Total buffers released:            10560
Maximum file buffers used:         379
Total buffers free errors:         0
Total buffers release errors:      0
Total memcap failures:             0
Total memcap failures at reserve:  0
Total reserve failures:            0
Total file capture size min:       0
Total file capture size max:       0
Total capture max before reserve:  0
Total file signature max:          0
Maximum buffers can allocate:      31976
Number of buffers in use:          0
Number of buffers in free list:    21416
Number of buffers in release list: 10560
====================================

For the stats above I downloaded 52 files; the first 36 were blocked, but
after that Snort didn't even see them. I am using Snort version 2.9.8.2
with DAQ in inline mode. Am I forgetting some sort of configuration, or
is it a bug? Thanks for the help
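A small consistency check over the exit stats posted above, added here as an example; it is not part of the original message or of the Snort project. It parses the "label: number" lines of the stats block, derives the per-buffer size from the posted totals (346030080 bytes over 10560 buffers), and reports the counters that say memory was still held when Snort exited. The field names are the ones in the posted output; the derived per-buffer size, the pool check and the flags are this example's own arithmetic, not Snort's accounting.

```python
"""Consistency checks over a Snort 2.9.x file_inspect / file-capture exit-stats block."""
import re

# Sample input: the exit stats from the message above, trimmed to the counters
# the checks use, with the original labels and values kept verbatim.
POSTED_STATS = """\
   Total files would saved to disk:      33
   Total files saved to disk:            0
   Total file data saved to disk:        0         bytes
   Total files duplicated:               33
   Total file capture memcap:            0
Total files processed:             33
Total files data processed:        346030080 bytes
Total files buffered:              33
Total files released:              33
Total files freed:                 0
Total files captured:              33
Total buffers allocated:           10560
Total buffers freed:               0
Total buffers released:            10560
Maximum file buffers used:         379
Maximum buffers can allocate:      31976
Number of buffers in use:          0
Number of buffers in free list:    21416
Number of buffers in release list: 10560
"""

# One "Label:   <integer>" line; trailing units such as "bytes" are ignored.
_LINE = re.compile(r"^\s*(?P<label>[A-Za-z][^:]*?):\s+(?P<value>\d+)\b")


def parse_stats(text):
    """Map each 'Label: number' line to an int, keyed by the lower-cased label."""
    stats = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            stats[m.group("label").strip().lower()] = int(m.group("value"))
    return stats


def capture_summary(stats):
    """Derive what the counters imply about memory still held by file capture."""
    buffers_alloc = stats["total buffers allocated"]
    buffers_freed = stats["total buffers freed"]
    data_bytes = stats["total files data processed"]
    # Bytes per capture buffer, derived from the posted numbers rather than assumed.
    bytes_per_buffer = data_bytes // buffers_alloc if buffers_alloc else 0
    outstanding = buffers_alloc - buffers_freed
    pool_total = (stats["number of buffers in use"]
                  + stats["number of buffers in free list"]
                  + stats["number of buffers in release list"])
    return {
        "files_held": stats["total files buffered"] - stats["total files freed"],
        "buffers_outstanding": outstanding,
        "bytes_per_buffer": bytes_per_buffer,
        "bytes_held": outstanding * bytes_per_buffer,
        "files_not_written": (stats["total files would saved to disk"]
                              - stats["total files saved to disk"]),
        # True when in-use + free list + release list accounts for the whole pool.
        "pool_accounted": pool_total == stats["maximum buffers can allocate"],
    }


def findings(stats):
    """Human-readable flags; each one is a plain arithmetic fact about the counters."""
    s = capture_summary(stats)
    out = []
    if s["files_held"]:
        out.append(f"{s['files_held']} file(s) buffered but never freed")
    if s["buffers_outstanding"]:
        out.append(f"{s['buffers_outstanding']} buffer(s) ({s['bytes_held']} bytes) "
                   f"allocated but never freed; "
                   f"{stats['number of buffers in release list']} sit on the release list")
    if s["files_not_written"]:
        out.append(f"{s['files_not_written']} file(s) marked for capture_disk were not "
                   f"written ({stats['total files duplicated']} counted as duplicated)")
    if not s["pool_accounted"]:
        out.append("in-use + free list + release list does not equal the pool maximum")
    return out


if __name__ == "__main__":
    for f in findings(parse_stats(POSTED_STATS)):
        print("-", f)
```

On the posted numbers it reports 33 files and 10560 buffers (32768 bytes each, 346030080 bytes, i.e. 330 MiB) still on the release list at exit, and 33 capture_disk writes that did not happen, all counted as duplicated. The pool check passes (0 + 21416 + 10560 = 31976), so the counters are internally consistent; what they show is that nothing allocated for these files was returned before exit.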
