Snort mailing list archives

Re: file carving


From: Hui cao <huica () cisco com>
Date: Fri, 21 Feb 2014 11:11:00 -0500

Hi Kerry,

When file signature or file capture is enabled, it only logs files that are in the blacklist/greylist, to minimize the performance impact of logging all files. You can put the SHA into the blacklist/greylist to get it blocked/logged.

If you only enable file type, you can log file type alerts. File type alerts (for each file type rule) are similar to Snort preprocessor rules. You have to enable them by creating alert rules. Ideally, you want to have some files with types like PDF, EXE etc., not picture files (BMP, JPEG etc.). We just use this way to enable/disable file type alerts/logs.

Best,
Hui.
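As an added example (not from either poster or from Snort itself): a small triage script for a carve directory like the one Kerry describes, where files are stored under their hash with no metadata. It recomputes SHA-256 to confirm the file name matches the content, identifies the type from magic bytes, and flags the document/executable types Hui suggests alerting on while leaving picture types alone. The magic table, the assumption that carved files are named by SHA-256 hex, and the sample files are all constructed for this example.

```python
import hashlib
import os
import tempfile

# Minimal magic-byte table, constructed for this example (offset, expected bytes).
MAGIC = {
    "PDF": (0, b"%PDF"),
    "EXE": (0, b"MZ"),
    "JPEG": (0, b"\xff\xd8\xff"),
    "BMP": (0, b"BM"),
}
# Types worth an alert per the thread's advice: documents and executables, not pictures.
INTERESTING = {"PDF", "EXE"}


def identify(data: bytes) -> str:
    """Return the first file type whose magic bytes match, or 'UNKNOWN'."""
    for name, (offset, magic) in MAGIC.items():
        if data[offset:offset + len(magic)] == magic:
            return name
    return "UNKNOWN"


def inventory(directory: str) -> list:
    """Describe every carved file: name, recomputed SHA-256, name/content match, type, flag."""
    rows = []
    for fname in sorted(os.listdir(directory)):
        with open(os.path.join(directory, fname), "rb") as fh:
            data = fh.read()
        digest = hashlib.sha256(data).hexdigest()
        ftype = identify(data)
        rows.append({
            "name": fname,
            "sha256": digest,
            # Assumption: the carver names each file with its SHA-256 hex digest.
            "name_matches_hash": fname.lower() == digest,
            "type": ftype,
            "interesting": ftype in INTERESTING,
        })
    return rows


def demo() -> list:
    """Build a constructed carve directory (three well-named files, one mismatched) and inventory it."""
    samples = [b"%PDF-1.4 constructed sample", b"MZ\x90\x00 constructed stub", b"\xff\xd8\xff\xe0 constructed jpeg"]
    with tempfile.TemporaryDirectory() as d:
        for data in samples:
            with open(os.path.join(d, hashlib.sha256(data).hexdigest()), "wb") as fh:
                fh.write(data)
        # A file whose name does not match its content, to exercise the integrity check.
        with open(os.path.join(d, "0" * 64), "wb") as fh:
            fh.write(b"BM constructed bmp")
        return inventory(d)
```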

On 02/21/2014 09:52 AM, Long, Kerry S wrote:

I got snort to carve files to a directory. They are listed by their hash name. This is not very useful without the file log, which tells me what the file really is and what network session it is associated with. Unfortunately I can't figure out how to get the log to print. I have enabled it, I think, in snort.conf with these lines:

dynamicoutput file /opt/snort/snort_dynamicpreprocessor/libsf_file_preproc.so

output filelog:/metadata/attachments/file

But I get nothing. I am using the sample filemagic.conf file provided.

P.S.

I may still have to create alert rules for every entry in the magic file. The instructions seem to indicate I need to do this for some reason. I have not, because it looks like I would have to do it for the file inspect and file signature aspects of the preprocessor. That would be painful: 2*100+ rules.

Thanks,

Kerry



------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
