<div dir="ltr">Hi Hui,<div><br></div><div>I missed creating the directory (assumed that snort would create one). It is working now. Thanks a ton, Hui. </div><div><br></div><div>One minor query regarding the new files:</div><div><div>-rw------- 1 root root  7091 Mar 11 22:48 9D29C44863C6A27D45F8621E6A636DF0746245C5F436DB9CA488252A7FF76579</div><div>-rw------- 1 root root 22016 Mar 11 22:49 67792ACE824606664CE51973800D6B952CA4733CAF6F03CCF5F636768EFB39B1</div></div><div><br></div><div>Can it not retain the name/extension of the file?</div><div><br></div><div>Thanks,</div><div>Rishabh.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 11, 2015 at 10:12 PM, Hui cao <span dir="ltr">&lt;<a href="mailto:huica@...589..." target="_blank">huica@...589...</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Sorry. Don't change the conf, but check whether you have "write"
    permission on the folder <b>/home/file_capture/tmp/</b><br>
      <br>
      Best,<br>
      Hui.<br>
    <div><div class="h5"><br>
    <div>On 03/11/2015 12:37 PM, Rishabh Shah
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">Hi Hui,
        <div><br>
        </div>
        <div>I removed signature and transferred two pcap files, but no
          luck:</div>
        <div><br>
        </div>
        <div>
          <div>File Preprocessor Statistics</div>
          <div>  Total file type callbacks:            2</div>
          <div>  Total file signature callbacks:       2</div>
          <div>  Total files would saved to disk:      2</div>
          <div>  Total files saved to disk:            0</div>
          <div>  Total file data saved to disk:        0         bytes</div>
          <div>  Total files duplicated:               0</div>
          <div>  Total files reserving failed:         0</div>
          <div>  Total file capture min:               0</div>
          <div>  Total file capture max:               0</div>
          <div>  Total file capture memcap:            0</div>
          <div>  Total files reading failed:           0</div>
          <div>  Total file agent memcap failures:     0</div>
          <div>  Total files sent:                     0</div>
          <div>  Total file data sent:                 0</div>
          <div>  Total file transfer failures:         0</div>
          <div>===============================================================================</div>
          <div>File type stats:</div>
          <div>         Type              Download   (Bytes)      Upload
                (Bytes)</div>
          <div>        PCAP(145)          2          3870         0    
                 0</div>
          <div>            Total          2          3870         0    
                 0</div>
          <div><br>
          </div>
          <div>File signature stats:</div>
          <div>         Type              Download   Upload</div>
          <div>        PCAP(145)          2          0</div>
          <div>            Total          2          0</div>
          <div><br>
          </div>
          <div>File type verdicts:</div>
          <div>        UNKNOWN:           2</div>
          <div>            LOG:           0</div>
          <div>           STOP:           0</div>
          <div>          BLOCK:           0</div>
          <div>         REJECT:           0</div>
          <div>        PENDING:           0</div>
          <div>   STOP CAPTURE:           0</div>
          <div>          Total:           2</div>
          <div><br>
          </div>
          <div>File signature verdicts:</div>
          <div>        UNKNOWN:           2</div>
          <div>            LOG:           0</div>
          <div>           STOP:           0</div>
          <div>          BLOCK:           0</div>
          <div>         REJECT:           0</div>
          <div>        PENDING:           0</div>
          <div>   STOP CAPTURE:           0</div>
          <div>          Total:           2</div>
          <div><br>
          </div>
          <div>Total files processed:             2</div>
          <div>Total files data processed:        3870      bytes</div>
          <div>Total files buffered:              2</div>
          <div>Total files released:              2</div>
          <div>Total files freed:                 0</div>
          <div>Total files captured:              2</div>
          <div>Total files within one packet:     2</div>
          <div>Total buffers allocated:           2</div>
          <div>Total buffers freed:               0</div>
          <div>Total buffers released:            2</div>
          <div>Maximum file buffers used:         1</div>
          <div>Total buffers free errors:         0</div>
          <div>Total buffers release errors:      0</div>
          <div>Total memcap failures:             0</div>
          <div>Total memcap failures at reserve:  0</div>
          <div>Total reserve failures:            0</div>
          <div>Total file capture size min:       0</div>
          <div>Total file capture size max:       0</div>
          <div>Total capture max before reserve:  0</div>
          <div>Total file signature max:          0</div>
          <div>Maximum buffers can allocate:      3196</div>
          <div>Number of buffers in use:          0</div>
          <div>Number of buffers in free list:    3194</div>
          <div>Number of buffers in release list: 2</div>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Wed, Mar 11, 2015 at 10:02 PM, Hui
          cao <span dir="ltr">&lt;<a href="mailto:huica@...589..." target="_blank">huica@...589...</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> Can you remove
              signature? If this is enabled, it only captures files that
              match a signature list.<br>
              <br>
              <div>
                <div><b>preprocessor file_inspect: type_id, capture_disk
                    /home/file_capture/tmp/, capture_queue_size 5000</b></div>
              </div>
              <div><br>
                Best,<br>
                Hui.<br>
              </div>
              <div>
                <div> <br>
                  <br>
                  <div>On 03/11/2015 12:24 PM, Rishabh Shah wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">Hi Hui,
                      <div><br>
                      </div>
                      <div>I included file_magic.conf in my snort
                        configuration file. After starting the snort
                        process, I transferred 3 files and this is the
                        output after stopping snort:</div>
                      <div><br>
                      </div>
                      <div>
                        <div>File Preprocessor Statistics</div>
                        <div>  Total file type callbacks:            1</div>
                        <div>  Total file signature callbacks:       1</div>
                        <div>  Total files would saved to disk:      1</div>
                        <div>  Total files saved to disk:            0</div>
                        <div>  Total file data saved to disk:        0  
                                bytes</div>
                        <div>  Total files duplicated:               0</div>
                        <div>  Total files reserving failed:         0</div>
                        <div>  Total file capture min:               0</div>
                        <div>  Total file capture max:               0</div>
                        <div>  Total file capture memcap:            0</div>
                        <div>  Total files reading failed:           0</div>
                        <div>  Total file agent memcap failures:     0</div>
                        <div>  Total files sent:                     0</div>
                        <div>  Total file data sent:                 0</div>
                        <div>  Total file transfer failures:         0</div>
                        <div>===============================================================================</div>
                        <div>File type stats:</div>
                        <div>         Type              Download  
                          (Bytes)      Upload     (Bytes)</div>
                        <div>        PCAP(145)          1          1935
                                  0          0</div>
                        <div>            Total          1          1935
                                  0          0</div>
                        <div><br>
                        </div>
                        <div>File signature stats:</div>
                        <div>         Type              Download  
                          Upload</div>
                        <div>        PCAP(145)          1          0</div>
                        <div>            Total          1          0</div>
                        <div><br>
                        </div>
                        <div>File type verdicts:</div>
                        <div>        UNKNOWN:           1</div>
                        <div>            LOG:           0</div>
                        <div>           STOP:           0</div>
                        <div>          BLOCK:           0</div>
                        <div>         REJECT:           0</div>
                        <div>        PENDING:           0</div>
                        <div>   STOP CAPTURE:           0</div>
                        <div>          Total:           1</div>
                        <div><br>
                        </div>
                        <div>File signature verdicts:</div>
                        <div>        UNKNOWN:           1</div>
                        <div>            LOG:           0</div>
                        <div>           STOP:           0</div>
                        <div>          BLOCK:           0</div>
                        <div>         REJECT:           0</div>
                        <div>        PENDING:           0</div>
                        <div>   STOP CAPTURE:           0</div>
                        <div>          Total:           1</div>
                        <div><br>
                        </div>
                        <div><b>Total files processed:             3</b></div>
                        <div>Total files data processed:        8124    
                           bytes</div>
                        <div>Total files buffered:              1</div>
                        <div>Total files released:              1</div>
                        <div>Total files freed:                 0</div>
                        <div>Total files captured:              1</div>
                        <div>Total files within one packet:     1</div>
                        <div>Total buffers allocated:           1</div>
                        <div>Total buffers freed:               0</div>
                        <div>Total buffers released:            1</div>
                        <div>Maximum file buffers used:         1</div>
                        <div>Total buffers free errors:         0</div>
                        <div>Total buffers release errors:      0</div>
                        <div>Total memcap failures:             0</div>
                        <div>Total memcap failures at reserve:  0</div>
                        <div>Total reserve failures:            0</div>
                        <div>Total file capture size min:       0</div>
                        <div>Total file capture size max:       0</div>
                        <div>Total capture max before reserve:  0</div>
                        <div>Total file signature max:          0</div>
                        <div>Maximum buffers can allocate:      3196</div>
                        <div>Number of buffers in use:          0</div>
                        <div>Number of buffers in free list:    3195</div>
                        <div>Number of buffers in release list: 1</div>
                        <div>===============================================================================</div>
                      </div>
                      <div><br>
                      </div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Wed, Mar 11, 2015 at
                        9:34 PM, Hui cao <span dir="ltr">&lt;<a href="mailto:huica@...589..." target="_blank">huica@...589...</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000"> In
                            README.file:<br>
                            <br>
                            Pre-packaged file magic rules:<br>
                            <br>
                            A set of file magic rules is packaged with
                            Snort. They can be located at<br>
                            "etc/file_magic.conf". To use this feature,
                            it is recommended that <br>
                            these pre-packaged rules are used; doing so
                            requires that you include<br>
                            the file in your Snort configuration as
                            such:<br>
                            <br>
                              include etc/filemagic.conf <br>
                            <div>
                              <div> <br>
                                <div>On 03/11/2015 12:01 PM, Hui cao
                                  wrote:<br>
                                </div>
                                <blockquote type="cite"> Have you added
                                  file magic into your configuration?
                                  What's the snort output?<br>
                                  <br>
                                  Best,<br>
                                  Hui.<br>
                                  <br>
                                  <div>On 03/11/2015 11:56 AM, Rishabh
                                    Shah wrote:<br>
                                  </div>
                                  <blockquote type="cite">
                                    <div dir="ltr">Thanks Hui. That
                                      worked for me!
                                      <div>Now I started snort after
                                        adding file_inspect
                                        preprocessor. </div>
                                      <div>
                                        <div><b>preprocessor
                                            file_inspect: type_id,
                                            signature, capture_disk
                                            /home/file_capture/tmp/,
                                            capture_queue_size 5000</b></div>
                                      </div>
                                      <div><br>
                                      </div>
                                      <div>(Got the following console
                                        logs to confirm that
                                        file_inspect has started)</div>
                                      <div><br>
                                      </div>
                                      <div>
                                        <div>File config:</div>
                                        <div>    file type: ENABLED</div>
                                        <div>    file signature: ENABLED</div>
                                        <div>    file capture: ENABLED</div>
                                        <div><b>    file capture
                                            directory:
                                            /home/file_capture/tmp/</b></div>
                                        <div>    file capture disk size:
                                          300 (Default) megabytes</div>
                                        <div>    file sent to host:
                                          DISABLED (Default), port
                                          number: 0</div>
                                        <div><br>
                                        </div>
                                        <div>File service: file type
                                          enabled.</div>
                                        <div>File service: file
                                          signature enabled.</div>
                                        <div>File service: file capture
                                          enabled.</div>
                                        <div>File capture thread started
                                          tid=0x7f0aaa783700 (pid=19354)</div>
                                        <div><br>
                                        </div>
                                      </div>
                                      <div><br>
                                      </div>
                                      <div>I initiated file transfer via
                                        HTTP/FTP as shown below:</div>
                                      <div><br>
                                      </div>
                                      <div>
                                        <div>rishab%ftp 192.168.2.200</div>
                                        <div>Connected to <a href="http://192.168.2.200:21" target="_blank">192.168.2.200:21</a>.</div>
                                        <div>220 (vsFTPd 2.0.5)</div>
                                        <div>Name
                                          (192.168.2.200:21:fwdevtest1):
                                          fwuser</div>
                                        <div>331 Please specify the
                                          password.</div>
                                        <div>Password:</div>
                                        <div>230 Login successful.</div>
                                        <div>Remote system type is UNIX.</div>
                                        <div>Using binary mode to
                                          transfer files.</div>
                                        <div><b>ftp> get new.pcap</b></div>
                                        <div><b>200 PORT command
                                            successful. Consider using
                                            PASV.</b></div>
                                        <div><b>150 Opening BINARY mode
                                            data connection for new.pcap
                                            (1555 bytes).</b></div>
                                        <div><b>226 File send OK.</b></div>
                                        <div><b>1555 bytes received in
                                            0.4 seconds (3887 bytes/s)</b></div>
                                        <div>ftp></div>
                                        <div>ftp> quit</div>
                                        <div>221 Goodbye.</div>
                                        <div><b>rishab%wget <a href="http://192.168.2.200/dns.pcap" target="_blank">192.168.2.200/dns.pcap</a></b></div>
                                        <div><b>--2015-03-11 21:23:16--
                                             <a href="http://192.168.2.200/dns.pcap" target="_blank">http://192.168.2.200/dns.pcap</a></b></div>
                                        <div><b>Connecting to
                                            192.168.2.200:80...
                                            connected.</b></div>
                                        <div><b>HTTP request sent,
                                            awaiting response... 200 OK</b></div>
                                        <div><b>Length: 1935 (1.9K)
                                            [text/plain]</b></div>
                                        <div><b>Saving to: ?dns.pcap?</b></div>
                                        <div><b><br>
                                          </b></div>
                                        <div><b>100%[======================================================================================================================================================================================>]



                                            1,935       9.39KB/s   in
                                            0.2s</b></div>
                                        <div><b><br>
                                          </b></div>
                                        <div><b>2015-03-11 21:23:19
                                            (9.39 KB/s) - ?dns.pcap?
                                            saved [1935/1935]</b></div>
                                      </div>
                                      <div><br>
                                      </div>
                                      <div><br>
                                      </div>
                                      <div>After killing the snort
                                        process, I do not see any file
                                        created in that location:</div>
                                      <div>
                                        <div><br>
                                        </div>
                                        <div>root@...17114...:/home#
                                          ls</div>
                                        <div>fwuser</div>
                                      </div>
                                      <div><br>
                                      </div>
                                      <div>Am I missing anything?</div>
                                      <div><br>
                                      </div>
                                    </div>
                                    <div class="gmail_extra"><br>
                                      <div class="gmail_quote">On Wed,
                                        Mar 11, 2015 at 9:09 PM, Hui cao
                                        <span dir="ltr">&lt;<a href="mailto:huica@...589..." target="_blank">huica@...589...</a>&gt;</span>
                                        wrote:<br>
                                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                          <div bgcolor="#FFFFFF" text="#000000"> Have you
                                            done make clean before you
                                            do a make?<br>
                                            <br>
                                            Best,<br>
                                            Hui.
                                            <div>
                                              <div><br>
                                                <br>
                                                <div>On 03/11/2015 11:38
                                                  AM, Rishabh Shah
                                                  wrote:<br>
                                                </div>
                                                <blockquote type="cite">
                                                  <div dir="ltr">Hi Hui,
                                                    <div><br>
                                                    </div>
                                                    <div>I am hitting
                                                      the same issue
                                                      while executing
                                                      make. These are
                                                      the commands that
                                                      I issued:</div>
                                                    <div>
                                                      <div><a href="mailto:root@...17114...:%7E/snort_src/snort-2.9.7.0#" target="_blank">root@...979...17114...:~/snort_src/snort-2.9.7.0#</a>
                                                        ./configure
                                                        --enable-file-inspect
                                                        --enable-open-appid

--enable-sourcefire</div>
                                                    </div>
                                                    <div><br>
                                                    </div>
                                                    <div>
                                                      <div><a href="mailto:root@...17114...:%7E/snort_src/snort-2.9.7.0#" target="_blank">root@...979...17114...:~/snort_src/snort-2.9.7.0#</a>
                                                        make</div>
                                                    </div>
                                                    <div>
                                                      <div><br>
                                                      </div>
                                                      <div><br>
                                                      </div>
                                                      <div>/root/snort_src/snort-2.9.7.0/src/plugbase.c:216:




                                                        undefined
                                                        reference to
                                                        `SetupAppId'</div>
                                                      <div>detection-plugins/libspd.a(detection_options.o):



                                                        In function
                                                        `detection_hash_free_func':</div>
                                                      <div>/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:553:




                                                        undefined
                                                        reference to
                                                        `optionAppIdFree'</div>
                                                      <div>detection-plugins/libspd.a(detection_options.o):



                                                        In function
                                                        `detection_option_hash_func':</div>
                                                      <div>/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:252:




                                                        undefined
                                                        reference to
                                                        `optionAppIdHash'</div>
                                                      <div>detection-plugins/libspd.a(detection_options.o):



                                                        In function
                                                        `detection_option_key_compare_func':</div>
                                                      <div>/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:409:




                                                        undefined
                                                        reference to
                                                        `optionAppIdCompare'</div>
                                                      <div>collect2:
                                                        error: ld
                                                        returned 1 exit
                                                        status</div>
                                                      <div>make[3]: ***
                                                        [snort] Error 1</div>
                                                      <div>make[3]:
                                                        Leaving
                                                        directory
`/root/snort_src/snort-2.9.7.0/src'</div>
                                                      <div>make[2]: ***
                                                        [all-recursive]
                                                        Error 1</div>
                                                      <div>make[2]:
                                                        Leaving
                                                        directory
`/root/snort_src/snort-2.9.7.0/src'</div>
                                                      <div>make[1]: ***
                                                        [all-recursive]
                                                        Error 1</div>
                                                      <div>make[1]:
                                                        Leaving
                                                        directory
`/root/snort_src/snort-2.9.7.0'</div>
                                                      <div>make: ***
                                                        [all] Error 2</div>
                                                    </div>
                                                    <div><br>
                                                    </div>
                                                  </div>
                                                  <div class="gmail_extra"><br>
                                                    <div class="gmail_quote">On
                                                      Wed, Mar 11, 2015
                                                      at 8:40 PM, Hui
                                                      cao <span dir="ltr">&lt;<a href="mailto:huica@...589..." target="_blank">huica@...589...</a>&gt;</span>
                                                      wrote:<br>
                                                      <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                        <div bgcolor="#FFFFFF" text="#000000">
                                                          Hi Rishabh,<br>
                                                          <br>
                                                          You need to
                                                          add
                                                          --enable-open-appid
                                                          to your
                                                          ./configure.<br>
                                                          <br>
                                                          ./configure
                                                          --enable-file-inspect
--enable-open-appid<br>
                                                          <br>
                                                          Best,<br>
                                                          Hui.
                                                          <div>
                                                          <div><br>
                                                          <div>On
                                                          03/11/2015
                                                          10:33 AM,
                                                          Rishabh Shah
                                                          wrote:<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <blockquote type="cite">
                                                          <div>
                                                          <div>
                                                          <div dir="ltr">Hi Joel,
                                                          <div><br>
                                                          </div>
                                                          <div>Thanks
                                                          for your
                                                          prompt reply.
                                                          I did a
                                                          ./configure
                                                          --enable-file-inspect
                                                          and while
                                                          executing
                                                          make, I saw
                                                          the following
                                                          error
                                                          messages:</div>
                                                          <div><br>
                                                          </div>
                                                          <div>
                                                          <div><b>/root/snort_src/snort-2.9.7.0/src/plugbase.c:216: undefined reference to `SetupAppId'</b></div>
                                                          <div><b>detection-plugins/libspd.a(detection_options.o): In function `detection_hash_free_func':</b></div>
                                                          <div><b>/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:553: undefined reference to `optionAppIdFree'</b></div>
                                                          <div><b>detection-plugins/libspd.a(detection_options.o): In function `detection_option_hash_func':</b></div>
                                                          <div><b>/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:252: undefined reference to `optionAppIdHash'</b></div>
                                                          <div><b>detection-plugins/libspd.a(detection_options.o): In function `detection_option_key_compare_func':</b></div>
                                                          <div><b>/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:409: undefined reference to `optionAppIdCompare'</b></div>
                                                          <div><b>collect2: error: ld returned 1 exit status</b></div>
                                                          <div>make[3]: *** [snort] Error 1</div>
                                                          <div>make[3]: Leaving directory `/root/snort_src/snort-2.9.7.0/src'</div>
                                                          <div>make[2]: *** [all-recursive] Error 1</div>
                                                          <div>make[2]: Leaving directory `/root/snort_src/snort-2.9.7.0/src'</div>
                                                          <div>make[1]: *** [all-recursive] Error 1</div>
                                                          <div>make[1]: Leaving directory `/root/snort_src/snort-2.9.7.0'</div>
                                                          <div>make: *** [all] Error 2</div>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>I am not
                                                          sure why I am
                                                          seeing those
                                                          messages, as I
                                                          see a
                                                          reference to
                                                          the above
                                                          errors:</div>
                                                          <div><br>
                                                          </div>
                                                          <div>
                                                          <div>root@...17114...:~/snort_src/snort-2.9.7.0/src# grep -r "optionAppIdFree" .</div>
                                                          <div>Binary file ./detection-plugins/detection_options.o matches</div>
                                                          <div>Binary file ./detection-plugins/sp_appid.o matches</div>
                                                          <div>./detection-plugins/sp_appid.c:void optionAppIdFree(AppIdOptionData *optData)</div>
                                                          <div>./detection-plugins/sp_appid.c: optionAppIdFree(optData);</div>
                                                          <div>Binary file ./detection-plugins/libspd.a matches</div>
                                                          <div>./detection-plugins/detection_options.c: optionAppIdFree(key->option_data);</div>
                                                          <div>./detection-plugins/sp_appid.h:void optionAppIdFree(AppIdOptionData *optData);</div>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>I
                                                          appended the
                                                          following line
                                                          in snort.conf:</div>
                                                          <div>
                                                          <div><b>preprocessor file_inspect: type_id, signature, capture_disk /home/file_capture/tmp/, capture_queue_size 5000</b></div>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>While
                                                          executing
                                                          snort process,
                                                          I got a core
                                                          file with the
                                                          following
                                                          message:</div>
                                                          <div><br>
                                                          </div>
                                                          <div>
                                                          <div>File
                                                          config:</div>
                                                          <div>    file
                                                          type: ENABLED</div>
                                                          <div>    file
                                                          signature:
                                                          ENABLED</div>
                                                          <div>    file
                                                          capture:
                                                          ENABLED</div>
                                                          <div>    file
                                                          capture
                                                          directory:
                                                          /home/file_capture/tmp/</div>
                                                          <div>    file
                                                          capture disk
                                                          size: 300
                                                          (Default)
                                                          megabytes</div>
                                                          <div>    file
                                                          sent to host:
                                                          DISABLED
                                                          (Default),
                                                          port number: 0</div>
                                                          <div><br>
                                                          </div>
                                                          <div><b>Segmentation fault (core dumped)</b></div>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>The
                                                          traceback of
                                                          the core file
                                                          points to:</div>
                                                          <div><br>
                                                          </div>
                                                          <div>
                                                          <div>root@...17115...4...:~/snort_src# gdb snort -c core</div>
                                                          <div>GNU gdb
                                                          (Ubuntu
                                                          7.7.1-0ubuntu5~14.04.2)
                                                          7.7.1</div>
                                                          <div>Copyright
                                                          (C) 2014 Free
                                                          Software
                                                          Foundation,
                                                          Inc.</div>
                                                          <div>License
                                                          GPLv3+: GNU
                                                          GPL version 3
                                                          or later <<a href="http://gnu.org/licenses/gpl.html" target="_blank">http://gnu.org/licenses/gpl.html</a>></div>
                                                          <div>This is
                                                          free software:
                                                          you are free
                                                          to change and
                                                          redistribute
                                                          it.</div>
                                                          <div>There is
                                                          NO WARRANTY,
                                                          to the extent
                                                          permitted by
                                                          law.  Type
                                                          "show copying"</div>
                                                          <div>and "show
                                                          warranty" for
                                                          details.</div>
                                                          <div>This GDB
                                                          was configured
                                                          as
                                                          "x86_64-linux-gnu".</div>
                                                          <div>Type
                                                          "show
                                                          configuration"
                                                          for
                                                          configuration
                                                          details.</div>
                                                          <div>For bug
                                                          reporting
                                                          instructions,
                                                          please see:</div>
                                                          <div><<a href="http://www.gnu.org/software/gdb/bugs/" target="_blank">http://www.gnu.org/software/gdb/bugs/</a>>.</div>
                                                          <div>Find the
                                                          GDB manual and
                                                          other
                                                          documentation
                                                          resources
                                                          online at:</div>
                                                          <div><<a href="http://www.gnu.org/software/gdb/documentation/" target="_blank">http://www.gnu.org/software/gdb/documentation/</a>>.</div>
                                                          <div>For help,
                                                          type "help".</div>
                                                          <div>Type
                                                          "apropos word"
                                                          to search for
                                                          commands
                                                          related to
                                                          "word"...</div>
                                                          <div>Reading
                                                          symbols from
                                                          snort...done.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>warning:
                                                          exec file is
                                                          newer than
                                                          core file.</div>
                                                          <div>[New LWP
                                                          10904]</div>
                                                          <div><br>
                                                          </div>
                                                          <div>warning:
                                                          .dynamic
                                                          section for
                                                          "/usr/local/lib/snort_dynamicengine/libsf_engine.so"
                                                          is not at the
                                                          expected
                                                          address (wrong
                                                          library or
                                                          version
                                                          mismatch?)</div>
                                                          <div><br>
                                                          </div>
                                                          <div>warning:
                                                          .dynamic
                                                          section for
                                                          "/usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so"
                                                          is not at the
                                                          expected
                                                          address (wrong
                                                          library or
                                                          version
                                                          mismatch?)</div>
                                                          <div>[Thread
                                                          debugging
                                                          using
                                                          libthread_db
                                                          enabled]</div>
                                                          <div>Using
                                                          host
                                                          libthread_db
                                                          library
                                                          "/lib/x86_64-linux-gnu/libthread_db.so.1".</div>
                                                          <div>Core was generated by `/usr/local/bin/snort -c /etc/snort/snort.conf -Q -i eth1:eth2 -l /var/log/snort'.</div>
                                                          <div>Program terminated with signal SIGSEGV, Segmentation fault.</div>
                                                          <div>#0  strlen () at ../sysdeps/x86_64/strlen.S:106</div>
                                                          <div>106     ../sysdeps/x86_64/strlen.S: No such file or directory.</div>
                                                          <div>(gdb) bt</div>
                                                          <div><b>#0  strlen () at ../sysdeps/x86_64/strlen.S:106</b></div>
                                                          <div><b>#1  0x00007f6ab63050a6 in appIdStatsInit (appFileName=0x7f6ab6628170 <config+16> "appstats-unified.log", statsPeriod=10, rolloverSize=20971520, rolloverPeriod=86400) at appIdStats.c:264</b></div>
                                                          <div><b>#2  0x00007f6ab62fa2d0 in AppIdCommonInit (memcap=268435456) at commonAppMatcher.c:297</b></div>
                                                          <div><b>#3  0x00007f6ab6303798 in AppIdInit (sc=0x1eb9770, args=0x1f516e0 "app_stats_filename appstats-unified.log, app_stats_period 10, app_detector_dir /usr/local/lib/openappid") at spp_appid.c:157</b></div>
                                                          <div><b>#4  0x000000000042048e in InitVarTables (p=0x1eb9770) at parser.c:5728</b></div>
                                                          <div><b>#5  0x000000000046c3d0 in CheckAppId (option_data=0x0, p=0x0) at sp_appid.c:342</b></div>
                                                          <div><b>#6  0x0000000000000000 in ?? ()</b></div>
                                                          <div><b>(gdb) Quit</b></div>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>I had
                                                          installed
                                                          openappid as
                                                          well. </div>
                                                          <div><br>
                                                          </div>
                                                          </div>
                                                          <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">On Wed, Mar 11, 2015 at 7:00 PM, Joel Esler (jesler) <span dir="ltr"><<a href="mailto:jesler@...589..." target="_blank">jesler@...589...</a>></span>
                                                          wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div style="word-wrap:break-word"><span>
                                                          <br>
                                                          <div>
                                                          <blockquote type="cite">
                                                          <div>On Mar 11, 2015, at 9:23 AM, Rishabh Shah <<a href="mailto:rishabh420@...11827..." target="_blank">rishabh420@...11827...</a>> wrote:</div>
                                                          <br>
                                                          <div>
                                                          <div dir="ltr">Hi Snort Team,
                                                          <div><br>
                                                          </div>
                                                          <div>Is it
                                                          possible to
                                                          extract any
                                                          file during
                                                          http/ftp
                                                          transactions?
                                                          The HTTP
                                                          preprocessor
                                                          makes it
                                                          possible to
                                                          read the HTTP
                                                          URI/content.
                                                          Does snort
                                                          have the
                                                          intelligence
                                                          to extract the
                                                          file during
                                                          any transfer? <br clear="all">
                                                          <div><br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          </span>
                                                          <div>Beginning with 2.9.6.0, Snort has had the ability to extract files from streams and write them to disk.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Check out the README: <a href="https://www.snort.org/faq/readme-file" target="_blank">https://www.snort.org/faq/readme-file</a></div>
                                                          <div><br>
                                                          </div>
                                                          <div><span>--</span><br>
                                                          <span><b>Joel Esler</b></span><br>
                                                          <span>Open Source Manager</span><br>
                                                          <span>Threat Intelligence Team Lead</span><br>
                                                          <span>Talos Group</span></div>
                                                          <br>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          <br clear="all">
                                                          <div><br>
                                                          </div>
                                                          -- <br>
                                                          <div>Regards,
                                                          <div>Rishabh Shah.</div>
                                                          </div>
                                                          </div>
                                                          <br>
                                                          <fieldset></fieldset>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          <br>
                                                          <fieldset></fieldset>
                                                          <br>
                                                          <pre>_______________________________________________
Snort-users mailing list
<a href="mailto:Snort-users@lists.sourceforge.net" target="_blank">Snort-users@lists.sourceforge.net</a>
Go to this URL to change user options or unsubscribe:
<a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users</a>
Snort-users list archive:
<a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" target="_blank">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a>

Please visit <a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!</pre>
                                                          </blockquote>
                                                          <br>
                                                        </div>
                                                        <br>
                                                      </blockquote>
                                                    </div>
                                                    <br>
                                                    <br clear="all">
                                                    <div><br>
                                                    </div>
                                                    -- <br>
                                                    <div>Regards,
                                                      <div>Rishabh Shah.</div>
                                                    </div>
                                                  </div>
                                                </blockquote>
                                                <br>
                                              </div>
                                            </div>
                                          </div>
                                        </blockquote>
                                      </div>
                                      <br>
                                      <br clear="all">
                                      <div><br>
                                      </div>
                                      -- <br>
                                      <div>Regards,
                                        <div>Rishabh Shah.</div>
                                      </div>
                                    </div>
                                  </blockquote>
                                  <br>
                                  <br>
                                </blockquote>
                                <br>
                              </div>
                            </div>
                          </div>
                          <br>
                        </blockquote>
                      </div>
                      <br>
                      <br clear="all">
                      <div><br>
                      </div>
                      -- <br>
                      <div>Regards,
                        <div>Rishabh Shah.</div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div>Regards,
          <div>Rishabh Shah.</div>
        </div>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Regards,<div>Rishabh Shah.</div></div>
</div>