[Snort-users] file_inspect holds blocked files into its memory until snort stops

Berkay Koyutürk berkay.koyuturk at labrisnetworks.com
Mon Sep 11 08:35:32 EDT 2017


I updated my snort to 2.9.9.0 today and my problem evolved into a new one. 
Now snort sees all of the files that I downloaded but frees most of them. 
Here are my exit stats on snort:

File Preprocessor Statistics
   Total file type callbacks:            0
   Total file signature callbacks:       2
   Total files would saved to disk:      2
   Total files saved to disk:            0
   Total file data saved to disk:        0         bytes
   Total files duplicated:               2
   Total files reserving failed:         0
   Total file capture min:               0
   Total file capture max:               0
   Total file capture memcap:            0
   Total files reading failed:           0
   Total file agent memcap failures:     0
   Total files sent:                     0
   Total file data sent:                 0
   Total file transfer failures:         0
========================================
File type stats:
          Type              Download   (Bytes)      Upload (Bytes)
             Total          0          0            0          0

File signature stats:
          Type              Download   Upload
Undecided file type, continue...(  0)          2          0
             Total          2          0


File type verdicts:
         UNKNOWN:           0
             LOG:           0
            STOP:           0
           BLOCK:           0
          REJECT:           0
         PENDING:           0
    STOP CAPTURE:           0
           Total:           0

File signature verdicts:
         UNKNOWN:           0
             LOG:           0
            STOP:           0
           BLOCK:           2
          REJECT:           0
         PENDING:           0
    STOP CAPTURE:           0
           Total:           2


Total files processed:             11
Total files data processed:        7128      bytes
Total files buffered:              11
Total files released:              2
Total files freed:                 9
Total files captured:              2
Total files within one packet:     2
Total buffers allocated:           11
Total buffers freed:               9
Total buffers released:            2
Maximum file buffers used:         1
Total buffers free errors:         0
Total buffers release errors:      0
Total memcap failures:             0
Total memcap failures at reserve:  0
Total reserve failures:            0
Total file capture size min:       0
Total file capture size max:       0
Total capture max before reserve:  0
Total file signature max:          0
Maximum buffers can allocate:      2
Number of buffers in use:          0
Number of buffers in free list:    1
Number of buffers in release list: 1
=================================

As seen in the stats above, I downloaded the same file (648 bytes) eleven times, but 
snort only blocked 2 of them with its signature. I don't understand why 
this inconsistency occurs. Any help would be appreciated.


On 07-09-2017 14:23, Joel Esler (jesler) wrote:
> The first question I would ask is: why are you not using the most 
> up-to-date version of Snort? If this issue was fixed in a later version, 
> that may clear it up right away.
>
> --
> Joel Esler | Talos: Manager | jesler at cisco.com
>
>> On Sep 7, 2017, at 1:56 AM, Berkay Koyutürk 
>> <berkay.koyuturk at labrisnetworks.com> wrote:
>>
>> Hi everybody,
>>
>> As the title says above, I have a problem with the file_inspect preprocessor. 
>> I am running snort in inline mode with the file configuration below:
>>
>> #file config
>>
>> config file: \
>>   file_type_depth 0, \
>>   file_signature_depth 0, \
>>   file_capture_memcap 1000, \
>>   file_capture_max 4294967295, \
>>   file_block_timeout 1, \
>>   file_capture_min 0
>>
>> #file_inspect preprocessor
>>
>> preprocessor file_inspect: \
>>    signature, \
>>    capture_disk /root/captured_files 1024, \
>>    capture_queue_size 5000, \
>>    blacklist sha_blacklist, \
>>    greylist sha_greylist
>>
>> #file_inspect.rules
>>
>> alert ( msg: "File signature "; sid: 1; gid: 147; rev: 1; metadata: 
>> rule-type preproc; )
>>
>> With these configurations I can successfully block a file download 
>> if its sha256 sum is in the sha_blacklist file. My problem is, while 
>> snort is running it keeps holding these files in its memory, and after a 
>> while, for example 33 files of 10MB each, it stops blocking files and 
>> can't even see them anymore. My snort exit stats are below:
>>
>> ======================================
>>  Total file type callbacks:            0
>>  Total file signature callbacks:       33
>>  Total files would saved to disk:      33
>>  Total files saved to disk:            0
>>  Total file data saved to disk:        0         bytes
>>  Total files duplicated:               33
>>  Total files reserving failed:         0
>>  Total file capture min:               0
>>  Total file capture max:               0
>>  Total file capture memcap:            0
>>  Total files reading failed:           0
>>  Total file agent memcap failures:     0
>>  Total files sent:                     0
>>  Total file data sent:                 0
>>  Total file transfer failures:         0
>> ========================================
>> File type stats:
>>         Type              Download   (Bytes)      Upload (Bytes)
>>            Total          0          0            0 0
>>
>> File signature stats:
>>         Type              Download   Upload
>> Undecided file type, continue...(  0)          33 0
>>            Total          33         0
>>
>> File type verdicts:
>>        UNKNOWN:           0
>>            LOG:           0
>>           STOP:           0
>>          BLOCK:           0
>>         REJECT:           0
>>        PENDING:           0
>>   STOP CAPTURE:           0
>>          Total:           0
>>
>> File signature verdicts:
>>        UNKNOWN:           0
>>            LOG:           0
>>           STOP:           0
>>          BLOCK:           33
>>         REJECT:           0
>>        PENDING:           0
>>   STOP CAPTURE:           0
>>          Total:           33
>>
>> Total files processed:             33
>> Total files data processed:        346030080 bytes
>> Total files buffered:              33
>> Total files released:              33
>> Total files freed:                 0
>> Total files captured:              33
>> Total files within one packet:     0
>> Total buffers allocated:           10560
>> Total buffers freed:               0
>> Total buffers released:            10560
>> Maximum file buffers used:         379
>> Total buffers free errors:         0
>> Total buffers release errors:      0
>> Total memcap failures:             0
>> Total memcap failures at reserve:  0
>> Total reserve failures:            0
>> Total file capture size min:       0
>> Total file capture size max:       0
>> Total capture max before reserve:  0
>> Total file signature max:          0
>> Maximum buffers can allocate:      31976
>> Number of buffers in use:          0
>> Number of buffers in free list:    21416
>> Number of buffers in release list: 10560
>> ====================================
>>
>> With the stats above, I downloaded 52 files and the first 36 were blocked, 
>> but after that snort didn't even see them. I am using snort version 
>> 2.9.8.2 with daq inline mode. Am I forgetting some sort of 
>> configuration or is it a bug? Thanks for the help
>>
>>
>

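The exit stats quoted in this thread are plain "name: number" lines, so they can be checked automatically at shutdown. The following parser and consistency check is an added example for this thread, not code from Snort or from the poster; SAMPLE_STATS is constructed from the 2.9.8.2 counters quoted above and trimmed to the lines the checks use.

```python
"""Parse the exit statistics printed by Snort 2.9.x's file preprocessor and
flag file buffers still held when Snort stops. Added example for this thread,
not Snort's or the poster's code; SAMPLE_STATS is constructed from the thread."""
import re

SAMPLE_STATS = """\
File signature verdicts:
           BLOCK:           33

Total files captured:              33
Total buffers allocated:           10560
Total buffers freed:               0
Total buffers released:            10560
Maximum buffers can allocate:      31976
Number of buffers in release list: 10560
"""
COUNTER_RE = re.compile(r"^\s*(?P<name>[A-Za-z][^:]*?):\s+(?P<value>\d+)")
SECTION_RE = re.compile(r"^\s*(?P<name>[A-Za-z][^:]*?):\s*$")


def parse_stats(text):
    """Map each counter to an int; rows under a verdict header are keyed
    'section/name' so the type and signature BLOCK rows stay distinct."""
    stats, section = {}, None
    for line in text.splitlines():
        if not line.strip():
            section = None            # a blank line ends a verdict section
        elif m := SECTION_RE.match(line):
            section = m.group("name").strip()
        elif m := COUNTER_RE.match(line):
            name = m.group("name").strip()
            stats[f"{section}/{name}" if section else name] = int(m.group("value"))
    return stats


def check_held_buffers(stats):
    """Return findings (strings) about file buffers Snort never gave back."""
    findings = []
    held = stats.get("Number of buffers in release list", 0)
    limit = stats.get("Maximum buffers can allocate", 0)
    allocated = stats.get("Total buffers allocated", 0)
    returned = stats.get("Total buffers freed", 0) + stats.get("Total buffers released", 0)
    blocked = stats.get("File signature verdicts/BLOCK", 0)
    captured = stats.get("Total files captured", 0)
    if held:
        findings.append(f"{held} of {limit} allocatable buffers still on the release list")
    if allocated != returned:
        findings.append(f"{allocated} buffers allocated but only {returned} freed or released")
    if blocked != captured:
        findings.append(f"{blocked} signature BLOCK verdicts but {captured} files captured")
    return findings
```

Run over the full 2.9.8.2 output it reports the 10560 buffers parked on the release list, which is the memory the original post describes Snort holding until it stops.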