<div dir="ltr">Exit stats when listening from interface:<div><br></div><div><div>===============================================================================</div><div>Run time for packet processing was 86.342415 seconds</div><div>Snort processed 247599 packets.</div><div>Snort ran for 0 days 0 hours 1 minutes 26 seconds</div><div>   Pkts/min:       247599</div><div>   Pkts/sec:         2879</div><div>===============================================================================</div><div>Memory usage summary:</div><div>  Total non-mmapped bytes (arena):       10100736</div><div>  Bytes in mapped regions (hblkhd):      122081280</div><div>  Total allocated space (uordblks):      8073952</div><div>  Total free space (fordblks):           2026784</div><div>  Topmost releasable block (keepcost):   108528</div><div>===============================================================================</div><div>Packet I/O Totals:</div><div>   Received:       247599</div><div>   Analyzed:       247599 (100.000%)</div><div>    Dropped:            0 (  0.000%)</div><div>   Filtered:            0 (  0.000%)</div><div>Outstanding:            0 (  0.000%)</div><div>   Injected:            0</div><div>===============================================================================</div><div>Breakdown by protocol (includes rebuilt packets):</div><div>        Eth:       247605 (100.000%)</div><div>       VLAN:            0 (  0.000%)</div><div>        IP4:       247503 ( 99.959%)</div><div>       Frag:            0 (  0.000%)</div><div>       ICMP:            0 (  0.000%)</div><div>        UDP:           24 (  0.010%)</div><div>        TCP:       125325 ( 50.615%)</div><div>        IP6:            0 (  0.000%)</div><div>    IP6 Ext:            0 (  0.000%)</div><div>   IP6 Opts:            0 (  0.000%)</div><div>      Frag6:            0 (  0.000%)</div><div>      ICMP6:            0 (  0.000%)</div><div>       UDP6:            0 (  0.000%)</div><div>       TCP6:            0 (  
0.000%)</div><div>     Teredo:            0 (  0.000%)</div><div>    ICMP-IP:            0 (  0.000%)</div><div>    IP4/IP4:            0 (  0.000%)</div><div>    IP4/IP6:            0 (  0.000%)</div><div>    IP6/IP4:            0 (  0.000%)</div><div>    IP6/IP6:            0 (  0.000%)</div><div>        GRE:            0 (  0.000%)</div><div>    GRE Eth:            0 (  0.000%)</div><div>   GRE VLAN:            0 (  0.000%)</div><div>    GRE IP4:            0 (  0.000%)</div><div>    GRE IP6:            0 (  0.000%)</div><div>GRE IP6 Ext:            0 (  0.000%)</div><div>   GRE PPTP:            0 (  0.000%)</div><div>    GRE ARP:            0 (  0.000%)</div><div>    GRE IPX:            0 (  0.000%)</div><div>   GRE Loop:            0 (  0.000%)</div><div>       MPLS:            0 (  0.000%)</div><div>        ARP:          102 (  0.041%)</div><div>        IPX:            0 (  0.000%)</div><div>   Eth Loop:            0 (  0.000%)</div><div>   Eth Disc:            0 (  0.000%)</div><div>   IP4 Disc:       122145 ( 49.331%)</div><div>   IP6 Disc:            0 (  0.000%)</div><div>   TCP Disc:            0 (  0.000%)</div><div>   UDP Disc:            0 (  0.000%)</div><div>  ICMP Disc:            0 (  0.000%)</div><div>All Discard:       122145 ( 49.331%)</div><div>      Other:            9 (  0.004%)</div><div>Bad Chk Sum:          379 (  0.153%)</div><div>    Bad TTL:            0 (  0.000%)</div><div>     S5 G 1:            2 (  0.001%)</div><div>     S5 G 2:            4 (  0.002%)</div><div>      Total:       247605</div><div>===============================================================================</div><div>Action Stats:</div><div>     Alerts:            0 (  0.000%)</div><div>     Logged:            0 (  0.000%)</div><div>     Passed:            0 (  0.000%)</div><div>Limits:</div><div>      Match:            0</div><div>      Queue:            0</div><div>        Log:            0</div><div>      Event:            0</div><div>      Alert:            
0</div><div>Verdicts:</div><div>      Allow:       215292 ( 86.952%)</div><div>      Block:            0 (  0.000%)</div><div>    Replace:            0 (  0.000%)</div><div>  Whitelist:        32307 ( 13.048%)</div><div>  Blacklist:            0 (  0.000%)</div><div>     Ignore:            0 (  0.000%)</div><div>===============================================================================</div><div>Frag3 statistics:</div><div>        Total Fragments: 0</div><div>      Frags Reassembled: 0</div><div>               Discards: 0</div><div>          Memory Faults: 0</div><div>               Timeouts: 0</div><div>               Overlaps: 0</div><div>              Anomalies: 0</div><div>                 Alerts: 0</div><div>                  Drops: 0</div><div>     FragTrackers Added: 0</div><div>    FragTrackers Dumped: 0</div><div>FragTrackers Auto Freed: 0</div><div>    Frag Nodes Inserted: 0</div><div>     Frag Nodes Deleted: 0</div><div>===============================================================================</div><div>===============================================================================</div><div>Stream statistics:</div><div>            Total sessions: 20</div><div>              TCP sessions: 14</div><div>              UDP sessions: 6</div><div>             ICMP sessions: 0</div><div>               IP sessions: 0</div><div>                TCP Prunes: 0</div><div>                UDP Prunes: 0</div><div>               ICMP Prunes: 0</div><div>                 IP Prunes: 0</div><div>TCP StreamTrackers Created: 14</div><div>TCP StreamTrackers Deleted: 14</div><div>              TCP Timeouts: 0</div><div>              TCP Overlaps: 0</div><div>       TCP Segments Queued: 6942</div><div>     TCP Segments Released: 6942</div><div>       TCP Rebuilt Packets: 6267</div><div>         TCP Segments Used: 6919</div><div>              TCP Discards: 48</div><div>                  TCP Gaps: 6459</div><div>      UDP Sessions Created: 6</div><div>      UDP Sessions 
Deleted: 6</div><div>              UDP Timeouts: 0</div><div>              UDP Discards: 0</div><div>                    Events: 17</div><div>           Internal Events: 0</div><div>           TCP Port Filter</div><div>                  Filtered: 0</div><div>                 Inspected: 0</div><div>                   Tracked: 124952</div><div>           UDP Port Filter</div><div>                  Filtered: 0</div><div>                 Inspected: 0</div><div>                   Tracked: 6</div><div>===============================================================================</div><div>HTTP Inspect - encodings (Note: stream-reassembled packets included):</div><div>    POST methods:                         0         </div><div>    GET methods:                          0         </div><div>    HTTP Request Headers extracted:       0         </div><div>    HTTP Request Cookies extracted:       0         </div><div>    Post parameters extracted:            0         </div><div>    HTTP response Headers extracted:      2         </div><div>    HTTP Response Cookies extracted:      0         </div><div>    Unicode:                              0         </div><div>    Double unicode:                       0         </div><div>    Non-ASCII representable:              0         </div><div>    Directory traversals:                 0         </div><div>    Extra slashes ("//"):                 0         </div><div>    Self-referencing paths ("./"):        0         </div><div>    HTTP Response Gzip packets extracted: 0         </div><div>    Gzip Compressed Data Processed:       n/a       </div><div>    Gzip Decompressed Data Processed:     n/a       </div><div>    Total packets processed:              13159     </div><div>===============================================================================</div><div>SMTP Preprocessor Statistics</div><div>  Total sessions                                    : 0</div><div>  Max concurrent sessions                           : 
0</div><div>===============================================================================</div><div>dcerpc2 Preprocessor Statistics</div><div>  Total sessions: 0</div><div>===============================================================================</div><div>SSL Preprocessor:</div><div>   SSL packets decoded: 14        </div><div>          Client Hello: 0         </div><div>          Server Hello: 2         </div><div>           Certificate: 2         </div><div>           Server Done: 3         </div><div>   Client Key Exchange: 0         </div><div>   Server Key Exchange: 0         </div><div>         Change Cipher: 3         </div><div>              Finished: 0         </div><div>    Client Application: 0         </div><div>    Server Application: 1         </div><div>                 Alert: 0         </div><div>  Unrecognized records: 9         </div><div>  Completed handshakes: 0         </div><div>        Bad handshakes: 0         </div><div>      Sessions ignored: 1         </div><div>    Detection disabled: 2         </div><div>===============================================================================</div><div>SIP Preprocessor Statistics</div><div>  Total sessions: 0</div><div>===============================================================================</div><div>File Preprocessor Statistics</div><div>  Total file type callbacks:            0          </div><div>  Total file signature callbacks:       1          </div><div>  Total files would saved to disk:      1          </div><div>  Total files saved to disk:            1          </div><div>  Total file data saved to disk:        446       bytes</div><div>  Total files duplicated:               0          </div><div>  Total files reserving failed:         0          </div><div>  Total file capture min:               0          </div><div>  Total file capture max:               0          </div><div>  Total file capture memcap:            0          </div><div>  Total files reading failed:   
        0          </div><div>  Total file agent memcap failures:     0          </div><div>  Total files sent:                     0          </div><div>  Total file data sent:                 0          </div><div>  Total file transfer failures:         0          </div><div>===============================================================================</div><div>File type stats:</div><div>         Type              Download   (Bytes)      Upload     (Bytes)</div><div>            Total          0          0            0          0          </div><div><br></div><div>File signature stats:</div><div>         Type              Download   Upload </div><div>Undecided file type, continue...(  0)          1          0          </div><div>            Total          1          0          </div><div><br></div><div>File type verdicts:</div><div>        UNKNOWN:           0          </div><div>            LOG:           0          </div><div>           STOP:           0          </div><div>          BLOCK:           0          </div><div>         REJECT:           0          </div><div>        PENDING:           0          </div><div>   STOP CAPTURE:           0          </div><div>          Total:           0          </div><div><br></div><div>File signature verdicts:</div><div>        UNKNOWN:           1          </div><div>            LOG:           0          </div><div>           STOP:           0          </div><div>          BLOCK:           0          </div><div>         REJECT:           0          </div><div>        PENDING:           0          </div><div>   STOP CAPTURE:           0          </div><div>          Total:           1          </div><div><br></div><div>Total files processed:             2          </div><div>Total files data processed:        2594891   bytes </div><div>Total files buffered:              2          </div><div>Total files released:              1          </div><div>Total files freed:                 1          </div><div>Total files 
captured:              1          </div><div>Total files within one packet:     1          </div><div>Total buffers allocated:           81         </div><div>Total buffers freed:               80         </div><div>Total buffers released:            1          </div><div>Maximum file buffers used:         80         </div><div>Total buffers free errors:         0          </div><div>Total buffers release errors:      0          </div><div>Total memcap failures:             0          </div><div>Total memcap failures at reserve:  0          </div><div>Total reserve failures:            0          </div><div>Total file capture size min:       0          </div><div>Total file capture size max:       0          </div><div>Total capture max before reserve:  0          </div><div>Total file signature max:          0          </div><div>Maximum buffers can allocate:      3196       </div><div>Number of buffers in use:          0          </div><div>Number of buffers in free list:    3195       </div><div>Number of buffers in release list: 1          </div><div>===============================================================================</div><div>Snort exiting</div></div><div><br></div><div>###################################################################################</div><div>###################################################################################</div><div><br></div><div>Exit stats when reading the PCAP file:</div><div><br></div><div><div>===============================================================================</div><div>Run time for packet processing was 3.962580 seconds</div><div>Snort processed 3326 packets.</div><div>Snort ran for 0 days 0 hours 0 minutes 3 seconds</div><div>   Pkts/sec:         1108</div><div>===============================================================================</div><div>Memory usage summary:</div><div>  Total non-mmapped bytes (arena):       10190848</div><div>  Bytes in mapped regions (hblkhd):      
122081280</div><div>  Total allocated space (uordblks):      8072912</div><div>  Total free space (fordblks):           2117936</div><div>  Topmost releasable block (keepcost):   132992</div><div>===============================================================================</div><div>Packet I/O Totals:</div><div>   Received:         3326</div><div>   Analyzed:         3326 (100.000%)</div><div>    Dropped:            0 (  0.000%)</div><div>   Filtered:            0 (  0.000%)</div><div>Outstanding:            0 (  0.000%)</div><div>   Injected:            0</div><div>===============================================================================</div><div>Breakdown by protocol (includes rebuilt packets):</div><div>        Eth:         3333 (100.000%)</div><div>       VLAN:            0 (  0.000%)</div><div>        IP4:         3333 (100.000%)</div><div>       Frag:            0 (  0.000%)</div><div>       ICMP:            0 (  0.000%)</div><div>        UDP:           40 (  1.200%)</div><div>        TCP:         3293 ( 98.800%)</div><div>        IP6:            0 (  0.000%)</div><div>    IP6 Ext:            0 (  0.000%)</div><div>   IP6 Opts:            0 (  0.000%)</div><div>      Frag6:            0 (  0.000%)</div><div>      ICMP6:            0 (  0.000%)</div><div>       UDP6:            0 (  0.000%)</div><div>       TCP6:            0 (  0.000%)</div><div>     Teredo:            0 (  0.000%)</div><div>    ICMP-IP:            0 (  0.000%)</div><div>    IP4/IP4:            0 (  0.000%)</div><div>    IP4/IP6:            0 (  0.000%)</div><div>    IP6/IP4:            0 (  0.000%)</div><div>    IP6/IP6:            0 (  0.000%)</div><div>        GRE:            0 (  0.000%)</div><div>    GRE Eth:            0 (  0.000%)</div><div>   GRE VLAN:            0 (  0.000%)</div><div>    GRE IP4:            0 (  0.000%)</div><div>    GRE IP6:            0 (  0.000%)</div><div>GRE IP6 Ext:            0 (  0.000%)</div><div>   GRE PPTP:            0 (  0.000%)</div><div>    
GRE ARP:            0 (  0.000%)</div><div>    GRE IPX:            0 (  0.000%)</div><div>   GRE Loop:            0 (  0.000%)</div><div>       MPLS:            0 (  0.000%)</div><div>        ARP:            0 (  0.000%)</div><div>        IPX:            0 (  0.000%)</div><div>   Eth Loop:            0 (  0.000%)</div><div>   Eth Disc:            0 (  0.000%)</div><div>   IP4 Disc:            0 (  0.000%)</div><div>   IP6 Disc:            0 (  0.000%)</div><div>   TCP Disc:            0 (  0.000%)</div><div>   UDP Disc:            0 (  0.000%)</div><div>  ICMP Disc:            0 (  0.000%)</div><div>All Discard:            0 (  0.000%)</div><div>      Other:            0 (  0.000%)</div><div>Bad Chk Sum:            0 (  0.000%)</div><div>    Bad TTL:            0 (  0.000%)</div><div>     S5 G 1:            3 (  0.090%)</div><div>     S5 G 2:            4 (  0.120%)</div><div>      Total:         3333</div><div>===============================================================================</div><div>Action Stats:</div><div>     Alerts:            0 (  0.000%)</div><div>     Logged:            0 (  0.000%)</div><div>     Passed:            0 (  0.000%)</div><div>Limits:</div><div>      Match:            0</div><div>      Queue:            0</div><div>        Log:            0</div><div>      Event:            0</div><div>      Alert:            0</div><div>Verdicts:</div><div>      Allow:         3326 (100.000%)</div><div>      Block:            0 (  0.000%)</div><div>    Replace:            0 (  0.000%)</div><div>  Whitelist:            0 (  0.000%)</div><div>  Blacklist:            0 (  0.000%)</div><div>     Ignore:            0 (  0.000%)</div><div>===============================================================================</div><div>Frag3 statistics:</div><div>        Total Fragments: 0</div><div>      Frags Reassembled: 0</div><div>               Discards: 0</div><div>          Memory Faults: 0</div><div>               Timeouts: 0</div><div>               
Overlaps: 0</div><div>              Anomalies: 0</div><div>                 Alerts: 0</div><div>                  Drops: 0</div><div>     FragTrackers Added: 0</div><div>    FragTrackers Dumped: 0</div><div>FragTrackers Auto Freed: 0</div><div>    Frag Nodes Inserted: 0</div><div>     Frag Nodes Deleted: 0</div><div>===============================================================================</div><div>===============================================================================</div><div>Stream statistics:</div><div>            Total sessions: 24</div><div>              TCP sessions: 14</div><div>              UDP sessions: 10</div><div>             ICMP sessions: 0</div><div>               IP sessions: 0</div><div>                TCP Prunes: 0</div><div>                UDP Prunes: 0</div><div>               ICMP Prunes: 0</div><div>                 IP Prunes: 0</div><div>TCP StreamTrackers Created: 14</div><div>TCP StreamTrackers Deleted: 14</div><div>              TCP Timeouts: 0</div><div>              TCP Overlaps: 0</div><div>       TCP Segments Queued: 1895</div><div>     TCP Segments Released: 1895</div><div>       TCP Rebuilt Packets: 1304</div><div>         TCP Segments Used: 1894</div><div>              TCP Discards: 0</div><div>                  TCP Gaps: 0</div><div>      UDP Sessions Created: 10</div><div>      UDP Sessions Deleted: 10</div><div>              UDP Timeouts: 0</div><div>              UDP Discards: 0</div><div>                    Events: 1</div><div>           Internal Events: 0</div><div>           TCP Port Filter</div><div>                  Filtered: 0</div><div>                 Inspected: 0</div><div>                   Tracked: 3286</div><div>           UDP Port Filter</div><div>                  Filtered: 0</div><div>                 Inspected: 0</div><div>                   Tracked: 10</div><div>===============================================================================</div><div>HTTP Inspect - encodings (Note: 
stream-reassembled packets included):</div><div>    POST methods:                         0         </div><div>    GET methods:                          10        </div><div>    HTTP Request Headers extracted:       10        </div><div>    HTTP Request Cookies extracted:       0         </div><div>    Post parameters extracted:            0         </div><div>    HTTP response Headers extracted:      10        </div><div>    HTTP Response Cookies extracted:      0         </div><div>    Unicode:                              0         </div><div>    Double unicode:                       0         </div><div>    Non-ASCII representable:              0         </div><div>    Directory traversals:                 0         </div><div>    Extra slashes ("//"):                 0         </div><div>    Self-referencing paths ("./"):        0         </div><div>    HTTP Response Gzip packets extracted: 0         </div><div>    Gzip Compressed Data Processed:       n/a       </div><div>    Gzip Decompressed Data Processed:     n/a       </div><div>    Total packets processed:              2944      </div><div>===============================================================================</div><div>SMTP Preprocessor Statistics</div><div>  Total sessions                                    : 0</div><div>  Max concurrent sessions                           : 0</div><div>===============================================================================</div><div>dcerpc2 Preprocessor Statistics</div><div>  Total sessions: 0</div><div>===============================================================================</div><div>===============================================================================</div><div>SIP Preprocessor Statistics</div><div>  Total sessions: 0</div><div>===============================================================================</div><div>File Preprocessor Statistics</div><div>  Total file type callbacks:            0          </div><div>  Total file 
signature callbacks:       10         </div><div>  Total files would saved to disk:      10         </div><div>  Total files saved to disk:            10         </div><div>  Total file data saved to disk:        47473897  bytes</div><div>  Total files duplicated:               0          </div><div>  Total files reserving failed:         0          </div><div>  Total file capture min:               0          </div><div>  Total file capture max:               0          </div><div>  Total file capture memcap:            0          </div><div>  Total files reading failed:           0          </div><div>  Total file agent memcap failures:     0          </div><div>  Total files sent:                     0          </div><div>  Total file data sent:                 0          </div><div>  Total file transfer failures:         0          </div><div>===============================================================================</div><div>File type stats:</div><div>         Type              Download   (Bytes)      Upload     (Bytes)</div><div>            Total          0          0            0          0          </div><div><br></div><div>File signature stats:</div><div>         Type              Download   Upload </div><div>Undecided file type, continue...(  0)          10         0          </div><div>            Total          10         0          </div><div><br></div><div>File type verdicts:</div><div>        UNKNOWN:           0          </div><div>            LOG:           0          </div><div>           STOP:           0          </div><div>          BLOCK:           0          </div><div>         REJECT:           0          </div><div>        PENDING:           0          </div><div>   STOP CAPTURE:           0          </div><div>          Total:           0          </div><div><br></div><div>File signature verdicts:</div><div>        UNKNOWN:           10         </div><div>            LOG:           0          </div><div>           STOP:           0    
      </div><div>          BLOCK:           0          </div><div>         REJECT:           0          </div><div>        PENDING:           0          </div><div>   STOP CAPTURE:           0          </div><div>          Total:           10         </div><div><br></div><div>Total files processed:             10         </div><div>Total files data processed:        47473024  bytes </div><div>Total files buffered:              10         </div><div>Total files released:              10         </div><div>Total files freed:                 0          </div><div>Total files captured:              10         </div><div>Total files within one packet:     4          </div><div>Total buffers allocated:           1455       </div><div>Total buffers freed:               0          </div><div>Total buffers released:            1455       </div><div>Maximum file buffers used:         787        </div><div>Total buffers free errors:         0          </div><div>Total buffers release errors:      0          </div><div>Total memcap failures:             0          </div><div>Total memcap failures at reserve:  0          </div><div>Total reserve failures:            0          </div><div>Total file capture size min:       0          </div><div>Total file capture size max:       0          </div><div>Total capture max before reserve:  0          </div><div>Total file signature max:          0          </div><div>Maximum buffers can allocate:      3196       </div><div>Number of buffers in use:          0          </div><div>Number of buffers in free list:    1741       </div><div>Number of buffers in release list: 1455       </div><div>===============================================================================</div><div>Snort exiting</div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><span style="font-size:12.8000001907349px">Pablo Cantos</span><br></div><div><a href="http://redborder.org" 
target="_blank">redborder.org</a> / <a href="mailto:pcantos@...16842..." target="_blank">pcantos@...16842...</a></div></div></div></div></div></div>
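<div>An added example, not code from this thread or from Snort itself: a small Python parser for the Snort 2.9 exit statistics quoted above, plus a check that pulls out the counters in which the interface run and the PCAP run differ (All Discard, Bad Chk Sum, TCP Gaps, TCP Discards, files saved versus signature callbacks). The excerpts are constructed from the figures above, and the 5% discard tolerance is an assumption.</div>

```python
"""Parse Snort 2.9.x exit statistics and flag counters that point at
incomplete stream reassembly, which keeps the file preprocessor from
capturing whole files. Added example; not code from the thread."""
from __future__ import annotations
import re

# Constructed excerpts of the two exit-stat dumps quoted in the thread
# (interface run vs. PCAP run); only the sections this check reads are kept.
INTERFACE_RUN = """\
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        TCP:       125325 ( 50.615%)
   IP4 Disc:       122145 ( 49.331%)
All Discard:       122145 ( 49.331%)
Bad Chk Sum:          379 (  0.153%)
      Total:       247605
===============================================================================
Stream statistics:
              TCP Discards: 48
                  TCP Gaps: 6459
===============================================================================
File Preprocessor Statistics
  Total file signature callbacks:       1
  Total files saved to disk:            1
===============================================================================
"""
PCAP_RUN = """\
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        TCP:         3293 ( 98.800%)
   IP4 Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
      Total:         3333
===============================================================================
Stream statistics:
              TCP Discards: 0
                  TCP Gaps: 0
===============================================================================
File Preprocessor Statistics
  Total file signature callbacks:       10
  Total files saved to disk:            10
===============================================================================
"""

SEPARATOR = re.compile(r"^=+$")
# "   TCP Gaps: 6459" or "        TCP:       125325 ( 50.615%)" -> name, count
COUNTER = re.compile(r"^(.+?):\s+(\d+)")


def parse_exit_stats(text: str) -> dict[str, dict[str, int]]:
    """Return {section title: {counter name: value}}; any non-counter line
    ("Stream statistics:", "Limits:", "TCP Port Filter") opens a section."""
    sections: dict[str, dict[str, int]] = {}
    current = "(preamble)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR.match(line):
            continue
        m = COUNTER.match(line)
        if m:
            sections.setdefault(current, {})[m.group(1).strip()] = int(m.group(2))
        else:
            current = line.rstrip(":")
            sections.setdefault(current, {})
    return sections


def section(stats: dict[str, dict[str, int]], prefix: str) -> dict[str, int]:
    """First section whose title starts with prefix (titles vary by version)."""
    return next((v for k, v in stats.items() if k.startswith(prefix)), {})


def capture_health(stats: dict[str, dict[str, int]],
                   max_discard_ratio: float = 0.05) -> list[str]:
    """Findings that explain fewer or partial file captures. The 5% discard
    tolerance is an assumed operational threshold, not a Snort default."""
    proto = section(stats, "Breakdown by protocol")
    stream = section(stats, "Stream statistics")
    files = section(stats, "File Preprocessor Statistics")
    findings = []
    total, discarded = proto.get("Total", 0), proto.get("All Discard", 0)
    if total and discarded / total > max_discard_ratio:
        findings.append(f"{discarded}/{total} packets ({discarded / total:.1%}) "
                        "counted under All Discard in the decoder breakdown")
    if proto.get("Bad Chk Sum", 0):
        # Not inspected while checksum verification is on; commonly seen when
        # sniffing on a host with checksum offload enabled.
        findings.append(f"{proto['Bad Chk Sum']} packets with bad checksums")
    if stream.get("TCP Gaps", 0):
        findings.append(f"{stream['TCP Gaps']} TCP gaps: segments missing, so "
                        "reassembled payloads handed to file_inspect are incomplete")
    if stream.get("TCP Discards", 0):
        findings.append(f"{stream['TCP Discards']} TCP segments discarded by stream5")
    expected = files.get("Total file signature callbacks", 0)
    saved = files.get("Total files saved to disk", 0)
    if saved < expected:
        findings.append(f"only {saved} of {expected} files with signatures were saved")
    return findings
```

Run against the two dumps, the interface run yields four findings and the PCAP run none, which matches the one file captured live versus ten from the file.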
<br><div class="gmail_quote">2015-05-08 15:26 GMT+02:00 Hui cao <span dir="ltr"><<a href="mailto:huica@...589..." target="_blank">huica@...589...</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    What's the exit stats?<br>
    <br>
    Best,<br>
    Hui.<div><div class="h5"><br>
    <br>
    <div>On 05/08/2015 08:58 AM, Pablo Cantos
      Polaino wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">Thanks for your reply, Hui,
        <div><br>
        </div>
        <div>I'm attaching the full configuration now. I've used a
          default conf, and included the file preprocessor configuration
          that I mentioned before.
          <div><br>
          </div>
          <div>As you can see in the conf file, for the normalize
            preprocessor, there was the following line in the default
            conf, so I suppose I shouldn't change this:</div>
          <div>preprocessor normalize_tcp: ips ecn stream<br>
          </div>
          <div><br>
          </div>
          <div>About debug, I haven't built snort in debug mode since I
            haven't been able to go deeper into this. I will try this when
            I come back to the office, but in any case, I'm interested
            in using Snort in normal mode, not in debug mode.</div>
          <div><br>
          </div>
        </div>
        <div>I forgot to mention I'm using the latest version: 2.9.7.2.</div>
        <div><br>
        </div>
        <div>Best Regards,</div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br clear="all">
        <div>
          <div>
            <div dir="ltr">
              <div>
                <div dir="ltr">
                  <div><span style="font-size:12.8000001907349px">Pablo
                      Cantos</span><br>
                  </div>
                  <div><a href="http://redborder.org" target="_blank">redborder.org</a>
                    / <a href="mailto:pcantos@...16842..." target="_blank">pcantos@...16842...</a></div>
                </div>
              </div>
            </div>
          </div>
        </div>
        <br>
        <div class="gmail_quote">2015-05-08 14:40 GMT+02:00 Hui Cao
          (huica) <span dir="ltr"><<a href="mailto:huica@...589..." target="_blank">huica@...589...</a>></span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div style="word-wrap:break-word">
              <div style="font-size:14px;font-family:Calibri,sans-serif;color:rgb(0,0,0)">
                What’s the full snort configuration?</div>
              <div style="font-size:14px;font-family:Calibri,sans-serif;color:rgb(0,0,0)">
                <br>
              </div>
              <div>If you build snort with debug, you should add: <span style="line-height:20.7900009155273px">config paf_max:
                  16384</span></div>
              <div>In addition, it would be better to add: <a href="https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=0CCQQFjAC&url=http%3A%2F%2Ft73100.security-ids-snort-general.securityupdate.info%2Fpreprocessor-normalize-tcp-ips-t73100.html&ei=B65MVdGDEJObyAT5g4GQBg&usg=AFQjCNEvwb_tSISxggsZbXdfA2SJs7Pm1A&sig2=0_WSEYBph2TfDNTtcatjhw" style="white-space:nowrap;background-color:rgb(255,255,255);text-decoration:none" target="_blank"><font color="#000000">preprocessor
                    normalize_tcp: ips</font></a></div>
              <div style="font-size:14px;font-family:Calibri,sans-serif;color:rgb(0,0,0)">
                <br>
              </div>
              <div style="font-size:14px;font-family:Calibri,sans-serif;color:rgb(0,0,0)">
                Best,</div>
              <div style="font-size:14px;font-family:Calibri,sans-serif;color:rgb(0,0,0)">
                Hui.</div>
              <span style="font-size:14px;font-family:Calibri,sans-serif;color:rgb(0,0,0)">
                <div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
                  <span style="font-weight:bold">From: </span>Pablo
                  Cantos Polaino <<a href="mailto:pcantos@...16842..." target="_blank">pcantos@...16842...</a>><br>
                  <span style="font-weight:bold">Date: </span>Friday,
                  May 8, 2015 at 8:26 AM<br>
                  <span style="font-weight:bold">To: </span>"<a href="mailto:snort-users@lists.sourceforge.net" target="_blank">snort-users@lists.sourceforge.net</a>"
                  <<a href="mailto:snort-users@lists.sourceforge.net" target="_blank">snort-users@lists.sourceforge.net</a>><br>
                  <span style="font-weight:bold">Subject: </span>[Snort-users]
                  File preprocessor fails to capture files<br>
                </div>
                <div>
                  <div>
                    <div><br>
                    </div>
                    <div>
                      <div>
                        <div dir="ltr">
                          <div>Hello all,</div>
                          <div><br>
                          </div>
                          <div>I'm doing some tests with the file
                            preprocessor and these are the conf options
                            that I'm using related to the file preprocessor:</div>
                          <div><br>
                          </div>
                          <div>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">include
                              file_magic.conf<br>
                              config file:\<br>
                                  file_type_depth 4294967295, \<br>
                                  file_signature_depth 4294967295, \<br>
                                  file_capture_max 4294967295<br>
                              preprocessor file_inspect:\<br>
                                  capture_queue_size 50000, \<br>
                                  signature, \<br>
                                  capture_disk /var/log/snort/files/
                              50000</blockquote>
                          </div>
                          <div><br>
                          </div>
                          <div>This time what I'm trying to do is to
                            capture every file detected by file
                            preprocessor in the directory
                            /var/log/snort/files.</div>
                          <div><br>
                          </div>
                          <div>For these tests, I've used the following
                            files:</div>
                          <div><br>
                          </div>
                          <div>
                            <div>wget <a href="ftp://ftp.hp.com/pub/information_storage/software/video/video1.avi" target="_blank">
ftp://ftp.hp.com/pub/information_storage/software/video/video1.avi</a></div>
                            <div>wget <a href="ftp://ftp.hp.com/pub/information_storage/software/video/MakeUp.mov" target="_blank">
ftp://ftp.hp.com/pub/information_storage/software/video/MakeUp.mov</a></div>
                            <div>wget <a href="ftp://ftp.hp.com/pub/information_storage/software/video/Fighter.mpg" target="_blank">
ftp://ftp.hp.com/pub/information_storage/software/video/Fighter.mpg</a></div>
                            <div>wget <a href="http://releases.ubuntu.com/14.04/ubuntu-14.04.2-desktop-amd64.iso" target="_blank">
http://releases.ubuntu.com/14.04/ubuntu-14.04.2-desktop-amd64.iso</a></div>
                            <div>wget <a href="http://scholar.princeton.edu/sites/default/files/oversize_pdf_test_0.pdf" target="_blank">
http://scholar.princeton.edu/sites/default/files/oversize_pdf_test_0.pdf</a></div>
                            <div>wget <a href="https://10.0.70.110/client/VMware-viclient.exe" target="_blank">https://10.0.70.110/client/VMware-viclient.exe</a>
                              --no-check-certificate</div>
                            <div>wget <a href="http://cpansearch.perl.org/src/MIKEM/Device-SNP-1.3/datadesigner/tux-sw.bmp" target="_blank">http://cpansearch.perl.org/src/MIKEM/Device-SNP-1.3/datadesigner/tux-sw.bmp</a></div>
                          </div>
                          <div><br>
                          </div>
                          <div>In addition, I've got a pcap traffic
                            capture which includes all 7 files
                            above.</div>
                          <div><br>
                          </div>
                          <div>When I run Snort reading this pcap, I get
                            the following:</div>
                          <div><br>
                          </div>
                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Captured
                            files:</blockquote>
                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
                          </blockquote>
                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">#
                            ls -lS<br>
                          </blockquote>
                          <div>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">-rw-------
                              1 root root 24211979 May  8 11:14
                              8452B621DC334D1FD44470A80540CBEF2F6869AF851B9E8C684EF9402016F692<br>
                              -rw------- 1 root root 13045613 May  8
                              11:14
                              5CF142947C2957EE648457A91B69FB82F088F31205030F9A77B2AD827228C6E9<br>
                              -rw------- 1 root root  6352738 May  8
                              11:14
                              DB57C532919D9ABABAC127F29DBDC05ED832394880E46CAD81A5DDE713CCB4BE<br>
                              -rw------- 1 root root  2936119 May  8
                              11:14
                              B4127F43A3F455523B81179CC11AA4F28FC27F4C041D20E28AA08A32D85CB757<br>
                              -rw------- 1 root root   495316 May  8
                              11:14
                              A294AA3D01CD8902BF842D320E7F2C043AF9EAD95D0E7198C3B71A0DBC9D253C<br>
                              -rw------- 1 root root   424526 May  8
                              11:14
                              8863DB1EC4B02D5BCC1FB4BD03D220F7458136342CDD47CE507A5B886C6BB56C<br>
                              -rw------- 1 root root     2817 May  8
                              11:14
                              D03CDB1F2584A2C06E866931EC5F31F141D9D08F237E04708C7C19D94FFA62F5<br>
                              -rw------- 1 root root     1958 May  8
                              11:14
                              369FDD6FB34BB5E1F0EC79D063FE0115AEF35AA20972BE8E4739417594F692AA<br>
                              -rw------- 1 root root     1958 May  8
                              11:14
                              EF49069F43D349C83873A6784351F16ADC39B8358ACFAE3A30EA4DD684C29DCC<br>
                            </blockquote>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">-rw-------
                              1 root root      446 May  8 11:14
                              8D490C71A27631CF6A476F68C409655CB63BF32C17846A3C3C125A79046DB2C1</blockquote>
                            <div> </div>
                          </div>
                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Downloaded
                            files:<br>
                          </blockquote>
                          <div>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
                            </blockquote>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">#
                              ls -l<br>
                            </blockquote>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">-rw-r--r--
                              1 root root    2187725 May  8 11:01
                              Fighter.mpg<br>
                            </blockquote>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">-rw-r--r--
                              1 root root   14955972 May  8 11:01
                              MakeUp.mov<br>
                              -rw-r--r-- 1 root root  375187792 May  8
                              11:02 VMware-viclient.exe<br>
                              -rw-r--r-- 1 root root  101688487 Jul 10
                               2014 oversize_pdf_test_0.pdf </blockquote>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">-rw-r--r--
                              1 root root        446 Mar 22  2013
                              tux-sw.bmp</blockquote>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">-rw-r--r--
                              1 root root 1044381696 Feb 18 20:12
                              ubuntu-14.04.2-desktop-amd64.iso<br>
                              -rw-r--r-- 1 root root    6094376 May  8
                              11:01 video1.avi<br>
                              # sha256sum *<br>
                            </blockquote>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">55bdca20aa0ffd8fa3b12029d1e122696a936abc29dd4ec4a5bd878836a5d36f
                               Fighter.mpg<br>
                            </blockquote>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">88a43830b006a4ade60874ffb10a0d5afd06245d0bc460da90015ed73df08d58
                               MakeUp.mov<br>
                              57bc6123a563056e32fb317c20d1e3b96af723b2b2c9732033e3ab9ce8f8e625
                               VMware-viclient.exe<br>
                              fa43e683e94372d81210a275cc37112bf2df9c971d377506aab8ae47e5fb0d34
                               oversize_pdf_test_0.pdf<br>
                              8d490c71a27631cf6a476f68c409655cb63bf32c17846a3c3c125a79046db2c1
                               tux-sw.bmp</blockquote>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">39eeb28bdb8af630850e75e54b9864ca07640a2bb10bd10055763236b99f9b1d
                               ubuntu-14.04.2-desktop-amd64.iso<br>
                              bb13418aeb4535c0d1f5c491ad69dd87041a8a1ba7dacc6bc763337beaed7dca
                               video1.avi</blockquote>
                            <div><br>
                            </div>
                            <div>As you can see, Snort just captures
                              the smallest file correctly, the one that fits in
                              a single packet. The other captured files
                              do not coincide with the captured files
                              (in number and size, and hence in sha256).</div>
                          </div>
                          <div><br>
                          </div>
                          <div>If I run Snort sniffing from my network
                            interface and download the 7 files
                            using the wget command, I get the following:<br>
                          </div>
                          <div><br>
                          </div>
                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Captured
                            files:<br>
                          </blockquote>
                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> </blockquote>
                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">-rw-------
                            1 root root 446 May  8 11:30
                            8D490C71A27631CF6A476F68C409655CB63BF32C17846A3C3C125A79046DB2C1</blockquote>
                          <div><br>
                          </div>
                          <div>In this case, Snort just captures the
                            smallest file, which fits in a single packet.</div>
                          <div><br>
                          </div>
                          <div>I've gone deep into the code and I've
                            found out the problem could come from a
                            strange behavior of the Frag3 preprocessor
                            when dealing with packets that contain
                            files.</div>
                          <div><br>
                          </div>
                          <div>I see two different issues here:</div>
                          <div><br>
                          </div>
                          <div>1.- When sniffing from an interface,
                            Snort is only able to capture files which
                            fit in one single packet.</div>
                          <div>2.- When reading from a network capture
                            file, Snort is able to capture files in
                            general, but it does it in a wrong way when
                            the file takes up more than one packet.</div>
                          <div><br>
                          </div>
                          <div>I'd like to know if you were aware of
                            these strange behaviors.</div>
                          <div><br>
                          </div>
                          <div>Best Regards,</div>
                          <br clear="all">
                          <div>
                            <div>
                              <div dir="ltr">
                                <div>
                                  <div dir="ltr">
                                    <div><span style="font-size:12.8000001907349px">Pablo
                                        Cantos</span><br>
                                    </div>
                                    <div><a href="http://redborder.org" target="_blank">redborder.org</a>
                                      / <a href="mailto:pcantos@...16842..." target="_blank">
                                        pcantos@...16842...</a></div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </span>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
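The reconciliation that the post does by hand (comparing `ls -lS` of the capture directory against `sha256sum` of the downloads) is worth scripting when testing `file_inspect` with `capture_disk`. The following is an added example, not code from the thread or from the Snort project. It relies on one property visible in the post: `file_inspect` names each file it writes after the uppercase SHA-256 of the bytes it captured, so a capture is correct only if re-hashing it reproduces its own name and that name equals a known-good hash of the transferred file. The directory layout, the `build_demo` sample data and every filename in it are constructed for the example.

```python
"""Reconcile Snort file_inspect captures against reference downloads.

Added example (not from the Snort-users thread). Assumed layout: every file
written by file_inspect sits in one directory, named by the uppercase SHA-256
of its content; the files that were actually transferred sit in another.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

CHUNK = 1 << 16


def sha256_bytes(data: bytes) -> str:
    """Uppercase hex SHA-256, the same form file_inspect uses for filenames."""
    return hashlib.sha256(data).hexdigest().upper()


def sha256_file(path: str) -> str:
    """Stream-hash a file so multi-GB captures do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest().upper()


@dataclass
class CaptureReport:
    matched: dict = field(default_factory=dict)   # reference name -> capture name
    missing: list = field(default_factory=list)   # reference files never captured
    inconsistent: list = field(default_factory=list)  # capture content != its name
    unmatched: list = field(default_factory=list)  # self-consistent but unknown


def reconcile(capture_dir: str, reference_dir: str) -> CaptureReport:
    """Classify every capture by hash; a capture is 'correct' only if its
    content hashes to its own name AND that hash belongs to a reference file."""
    refs = {name: sha256_file(os.path.join(reference_dir, name))
            for name in sorted(os.listdir(reference_dir))}
    ref_by_hash = {h: name for name, h in refs.items()}
    rep = CaptureReport()
    for cap in sorted(os.listdir(capture_dir)):
        actual = sha256_file(os.path.join(capture_dir, cap))
        if actual != cap.upper():
            # Name no longer describes the bytes on disk: the capture was
            # written out partially or overwritten after being named.
            rep.inconsistent.append(cap)
        elif actual in ref_by_hash:
            rep.matched[ref_by_hash[actual]] = cap
        else:
            # Internally consistent, but not any file we transferred: what a
            # truncated or mis-reassembled capture looks like from disk.
            rep.unmatched.append(cap)
    rep.missing = [name for name in refs if name not in rep.matched]
    return rep


def build_demo():
    """Constructed sample data (not from the thread): two 'downloads' and
    three 'captures' exercising each outcome. Returns (capture_dir, ref_dir)."""
    root = tempfile.mkdtemp(prefix="snort_file_demo_")
    ref_dir = os.path.join(root, "downloads")
    cap_dir = os.path.join(root, "captures")
    os.makedirs(ref_dir)
    os.makedirs(cap_dir)

    small = b"BM" + bytes(444)            # 446-byte stand-in for a one-packet file
    big = bytes(range(256)) * 4096        # 1 MiB stand-in for a multi-packet file
    for name, data in (("tux-sw.bmp", small), ("video1.avi", big)):
        with open(os.path.join(ref_dir, name), "wb") as f:
            f.write(data)

    def write_capture(name: str, data: bytes) -> None:
        with open(os.path.join(cap_dir, name), "wb") as f:
            f.write(data)

    # 1. Intact capture: named by the hash of exactly the bytes transferred.
    write_capture(sha256_bytes(small), small)
    # 2. Truncated but self-consistent: only two segments' worth of the big
    #    file, named by the hash of those bytes (looks fine until compared).
    first_two_segments = big[:2920]
    write_capture(sha256_bytes(first_two_segments), first_two_segments)
    # 3. Truncated and misnamed: name says "whole file", content is one segment.
    write_capture(sha256_bytes(big), big[:1460])
    return cap_dir, ref_dir


if __name__ == "__main__":
    cap_dir, ref_dir = build_demo()
    rep = reconcile(cap_dir, ref_dir)
    print("matched:     ", rep.matched)
    print("missing:     ", rep.missing)
    print("inconsistent:", rep.inconsistent)
    print("unmatched:   ", rep.unmatched)
```

Run against a real `capture_disk` directory and the directory the test files were fetched into; anything in `unmatched` or `inconsistent` is a capture whose bytes differ from what crossed the wire, which is the symptom the post describes for every file larger than one packet.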