Snort mailing list archives

Re: File extraction during http/ftp transaction


From: Rishabh Shah <rishabh420 () gmail com>
Date: Wed, 11 Mar 2015 20:03:07 +0530

Hi Joel,

Thanks for your prompt reply. I did a ./configure --enable-file-inspect and
while executing make, I saw the following error messages:

/root/snort_src/snort-2.9.7.0/src/plugbase.c:216: undefined reference to `SetupAppId'
detection-plugins/libspd.a(detection_options.o): In function `detection_hash_free_func':
/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:553: undefined reference to `optionAppIdFree'
detection-plugins/libspd.a(detection_options.o): In function `detection_option_hash_func':
/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:252: undefined reference to `optionAppIdHash'
detection-plugins/libspd.a(detection_options.o): In function `detection_option_key_compare_func':
/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:409: undefined reference to `optionAppIdCompare'
collect2: error: ld returned 1 exit status
make[3]: *** [snort] Error 1
make[3]: Leaving directory `/root/snort_src/snort-2.9.7.0/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/root/snort_src/snort-2.9.7.0/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/snort_src/snort-2.9.7.0'
make: *** [all] Error 2

I am not sure why I am seeing those messages, as I see a reference to the
above errors:

root@fwuser-virtual-machine:~/snort_src/snort-2.9.7.0/src# grep -r "optionAppIdFree" .
Binary file ./detection-plugins/detection_options.o matches
Binary file ./detection-plugins/sp_appid.o matches
./detection-plugins/sp_appid.c:void optionAppIdFree(AppIdOptionData *optData)
./detection-plugins/sp_appid.c:        optionAppIdFree(optData);
Binary file ./detection-plugins/libspd.a matches
./detection-plugins/detection_options.c: optionAppIdFree(key->option_data);
./detection-plugins/sp_appid.h:void optionAppIdFree(AppIdOptionData *optData);


I appended the following line to snort.conf:

preprocessor file_inspect: type_id, signature, capture_disk /home/file_capture/tmp/, capture_queue_size 5000

While executing the snort process, I got a core file with the following message:

File config:
    file type: ENABLED
    file signature: ENABLED
    file capture: ENABLED
    file capture directory: /home/file_capture/tmp/
    file capture disk size: 300 (Default) megabytes
    file sent to host: DISABLED (Default), port number: 0

Segmentation fault (core dumped)

The traceback of the core file points to:

root@fwuser-virtual-machine:~/snort_src# gdb snort -c core
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from snort...done.

warning: exec file is newer than core file.
[New LWP 10904]

warning: .dynamic section for
"/usr/local/lib/snort_dynamicengine/libsf_engine.so" is not at the expected
address (wrong library or version mismatch?)

warning: .dynamic section for
"/usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so" is
not at the expected address (wrong library or version mismatch?)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/local/bin/snort -c /etc/snort/snort.conf -Q -i eth1:eth2 -l /var/log/snort'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00007f6ab63050a6 in appIdStatsInit (appFileName=0x7f6ab6628170 <config+16> "appstats-unified.log", statsPeriod=10, rolloverSize=20971520, rolloverPeriod=86400) at appIdStats.c:264
#2  0x00007f6ab62fa2d0 in AppIdCommonInit (memcap=268435456) at commonAppMatcher.c:297
#3  0x00007f6ab6303798 in AppIdInit (sc=0x1eb9770, args=0x1f516e0 "app_stats_filename appstats-unified.log, app_stats_period 10, app_detector_dir /usr/local/lib/openappid") at spp_appid.c:157
#4  0x000000000042048e in InitVarTables (p=0x1eb9770) at parser.c:5728
#5  0x000000000046c3d0 in CheckAppId (option_data=0x0, p=0x0) at sp_appid.c:342
#6  0x0000000000000000 in ?? ()
(gdb) Quit

I had installed OpenAppID as well.


On Wed, Mar 11, 2015 at 7:00 PM, Joel Esler (jesler) <jesler () cisco com>
wrote:


 On Mar 11, 2015, at 9:23 AM, Rishabh Shah <rishabh420 () gmail com> wrote:

 Hi Snort Team,

 Is it possible to extract any file during http/ftp transactions? The
HTTP preprocessor makes it possible to read the HTTP URI/content. Does
snort have the intelligence to extract the file during any transfer?


 Beginning with 2.9.6.0, Snort has had the ability to extract files from
streams and write them to disk.

 Check out the README: https://www.snort.org/faq/readme-file

 --
*Joel Esler*
Open Source Manager
Threat Intelligence Team Lead
Talos Group




-- 
Regards,
Rishabh Shah.
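The thread's file_inspect configuration writes extracted files into a capture directory (/home/file_capture/tmp/ above). The following script is an added example, not code from the thread or from the Snort project: it audits such a directory by identifying each captured file from its leading bytes and recomputing its SHA-256. It assumes that the capture directory names each file by its SHA-256 hex digest, uses a small hand-written magic table in place of Snort's own file-type rules, and builds its sample "captured" files in a temporary directory so it runs offline.

```python
"""Added example: audit a Snort file_inspect capture directory.

Assumptions (not taken from the thread or the Snort source):
  * captured files are stored under their SHA-256 hex digest as the file name;
  * the MAGIC table below stands in for Snort's file-type rules.
"""
import hashlib
import os
import tempfile

# Constructed magic table: (signature bytes, offset, label).
MAGIC = [
    (b"MZ", 0, "PE executable"),
    (b"\x7fELF", 0, "ELF"),
    (b"%PDF-", 0, "PDF"),
    (b"PK\x03\x04", 0, "ZIP/OOXML"),
    (b"\x89PNG\r\n\x1a\n", 0, "PNG"),
]


def identify(data: bytes) -> str:
    """Return the label of the first magic signature that matches, else 'unknown'."""
    for sig, off, label in MAGIC:
        if data[off:off + len(sig)] == sig:
            return label
    return "unknown"


def sha256_hex(path: str) -> str:
    """Stream the file through SHA-256 so large captures do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_capture_dir(capture_dir: str) -> list:
    """One record per regular file: (name, type, sha256, name_matches_hash).

    name_matches_hash is False when the stored name disagrees with the content,
    which is what you would see if a file were altered after capture.
    """
    records = []
    for name in sorted(os.listdir(capture_dir)):
        path = os.path.join(capture_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            head = f.read(16)
        digest = sha256_hex(path)
        records.append((name, identify(head), digest, name.lower() == digest))
    return records


def make_sample_capture_dir() -> str:
    """Constructed sample: two files named by their SHA-256, plus one misnamed file."""
    d = tempfile.mkdtemp(prefix="snort_capture_")
    pe = b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"\0" * 200
    pdf = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n%%EOF\n"
    for blob in (pe, pdf):
        with open(os.path.join(d, hashlib.sha256(blob).hexdigest()), "wb") as f:
            f.write(blob)
    # File whose name does not match its content (simulated post-capture tampering).
    with open(os.path.join(d, "a" * 64), "wb") as f:
        f.write(b"\x7fELF\x02\x01\x01" + b"\0" * 9)
    return d


if __name__ == "__main__":
    sample_dir = make_sample_capture_dir()
    for name, ftype, digest, ok in audit_capture_dir(sample_dir):
        print(f"{name[:12]}...  {ftype:14s}  hash-ok={ok}")
```

Point it at a real capture directory by calling audit_capture_dir() with that path; any record whose last field is False is a file that no longer matches the name Snort gave it and should be treated as suspect.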