Snort mailing list archives
Re: preprocessor file_inspect does not capture file
From: Lương Minh Tuấn <not.soledad () gmail com>
Date: Wed, 2 Dec 2015 19:27:51 +0700
Your email confused me :D Thanks a billion tons, YM!

On 12/2/2015 6:06 PM, Y M wrote:

Awesome. Just to clarify, I'm not on the Snort team, just another person on the list, so all credit goes to them.

YM
Sent from Mobile

On Wed, Dec 2, 2015 at 3:03 AM -0800, "Lương Minh Tuấn" <not.soledad () gmail com> wrote:

Thank the Snort team a thousand thousand tons; the option '-k none' makes Snort work like a charm.

On 12/2/2015 5:10 PM, Y M wrote:

Hmm.. just for testing purposes, calculate the sha256 hashes of the files, add the hashes to the black list, and then re-run Snort.

Another thing to try is to use "-k none" when running Snort to read the pcap.

YM
Sent from Mobile

_____________________________
From: Lương Minh Tuấn <not.soledad () gmail com>
Sent: Wednesday, December 2, 2015 1:05 PM
Subject: Re: [Snort-users] preprocessor file_inspect does not capture file
To: Y M <snort () outlook com>
Cc: <snort-users () lists sourceforge net>

I tried many times, adding and removing every option (type_id, signature) to test whether the preprocessor can detect something, but no luck: nothing in the Snort exit stats.

The nearest test result, with type_id and signature on:

- configuration I tried, exactly like the document:

    preprocessor file_inspect: type_id, signature, \
        capture_disk /home/file_capture/tmp/, \
        capture_queue_size 5000

- Snort says that file_inspect may be good:

    File config:
        file type: ENABLED
        file signature: ENABLED
        file capture: ENABLED
        file capture directory: /home/file_capture/tmp/
        file capture disk size: 300 (Default) megabytes
        file sent to host: DISABLED (Default), port number: 0

    File service: file type enabled.
    File service: file signature enabled.
    File service: file capture enabled.
    File capture thread started tid=0x7f5add080700 (pid=20478)

- After uploading and downloading a pdf, a pcap, and a zip file, the exit stats are:

    File Preprocessor Statistics
        Total file type callbacks: 0
        Total file signature callbacks: 0
        Total files would saved to disk: 0
        Total files saved to disk: 0
        Total file data saved to disk: 0 bytes
        Total files duplicated: 0
        Total files reserving failed: 0
        Total file capture min: 0
        Total file capture max: 0
        Total file capture memcap: 0
        Total files reading failed: 0
        Total file agent memcap failures: 0
        Total files sent: 0
        Total file data sent: 0
        Total file transfer failures: 0
    ===============================================================================
    Files processed: none
    ===============================================================================

Thanks

On 12/2/2015 4:26 PM, Y M wrote:

Do you have file type and file signature enabled? For instance, I don't see type_id in the preprocessor configuration you posted. The documentation says that capturing depends on type and signature being enabled, i.e. unknown file types will not be captured.

YM
Sent from Mobile

_____________________________
From: Lương Minh Tuấn <not.soledad () gmail com>
Sent: Wednesday, December 2, 2015 11:09 AM
Subject: Re: [Snort-users] preprocessor file_inspect does not capture file
To: Y M <snort () outlook com>
Cc: <snort-users () lists sourceforge net>

Hi YM,

file_capture_min and file_capture_max are set to the default values, 0 and 1GB. The path in capture_disk exists with full permissions (I set it to 777 for testing). README.file says that with the block of config I posted, Snort can capture any file, but in my case it does not work.

I tried using a signature from file_magic.conf to write a normal rule; Snort detects it OK, and with the tag keyword I can even capture all the files in tcpdump.

On 12/2/2015 2:16 PM, Y M wrote:

I haven't played enough with the file_inspect preprocessor, but what is the size of the file in relation to things like "file_capture_min" and "file_capture_max"? Also, does the path in "capture_disk" exist? Finally, as far as I understand, only those files that have their hashes in the black or grey lists will be captured. Please, anyone, correct me if I am wrong.

YM
Sent from Mobile

_____________________________
From: Lương Minh Tuấn <not.soledad () gmail com>
Sent: Wednesday, December 2, 2015 9:46 AM
Subject: [Snort-users] preprocessor file_inspect does not capture file
To: <snort-users () lists sourceforge net>

Hi everybody,

I have a problem using file_inspect to capture files sent over FTP. Please help me resolve it. Here's my Snort info:

- Server OS:

    $ cat /etc/redhat-release
    CentOS Linux release 7.1.1503 (Core)

- Snort version: 2.9.7.6, build options: --enable-file-inspect --enable-open-appid --enable-sourcefire

- configuration file: exactly the one from snortrules-snapshot-2976.tar.gz, with the file_inspect config added as discussed in README.file:

    include file_magic.conf
    preprocessor file_inspect: signature, \
        capture_queue_size 5000, \
        capture_disk /home/file_capture/tmp/

Snort does not detect or process any file; here are my exit stats:

    File Preprocessor Statistics
        Total file type callbacks: 0
        Total file signature callbacks: 0
        Total files would saved to disk: 0
        Total files saved to disk: 0
        Total file data saved to disk: 0 bytes
        Total files duplicated: 0
        Total files reserving failed: 0
        Total file capture min: 0
        Total file capture max: 0
        Total file capture memcap: 0
        Total files reading failed: 0
        Total file agent memcap failures: 0
        Total files sent: 0
        Total file data sent: 0
        Total file transfer failures: 0
    ===============================================================================
    Files processed: none

I tried building Snort v2.9.7.0, 2.9.6.2 and the latest 2.9.8.0, but no luck. Please help me! Thanks and best regards!

--
Lương Minh Tuấn
Email: not.soledad () gmail com
Skype: minhtuan208

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
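The thread resolves when Snort is started with "-k none", i.e. with checksum verification switched off. Snort 2.x's "-k <mode>" (all, noip, notcp, noudp, noicmp, none) controls which checksums the decoder verifies, and a packet that fails a verified checksum never reaches preprocessors such as file_inspect, which is consistent with the all-zero statistics above. The usual reason a capture fails that check is checksum offload on the capturing host: libpcap sees outbound frames before the NIC fills in the TCP checksum, so the pcap carries wrong values. The following Python script is an added example, not code from the thread or from the Snort project. It builds a constructed FTP control-channel frame (addresses, ports and payload are made up), verifies its IPv4 and TCP checksums the way the decoder would, produces an "offloaded" copy with a wrong TCP checksum, and models the effect of the -k modes with a deliberately simplified `snort_would_inspect` function (an assumption about Snort's behaviour, not its actual code). Run it before reaching for -k none: if your own pcap verifies clean, the checksum mode is not your problem.

```python
"""Check IPv4 and TCP checksums of an Ethernet II frame, the way Snort's
default '-k all' mode does before a packet reaches preprocessors.
Added example; not code from the Snort project or the mailing-list thread."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071), folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum; evaluates to 0 when data already holds a valid checksum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = IPPROTO_TCP) -> bytes:
    # version 4, IHL 5, DF set, TTL 64; header checksum computed over the header itself
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """Pseudo-header that the TCP checksum covers in addition to the segment."""
    return src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len)


def build_tcp_segment(src: str, dst: str, sport: int, dport: int, seq: int,
                      ack: int, flags: int, payload: bytes) -> bytes:
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = tcp_pseudo_header(socket.inet_aton(src), socket.inet_aton(dst), len(hdr) + len(payload))
    ck = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", ck) + hdr[18:] + payload


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    seg = build_tcp_segment(src, dst, sport, dport, 1000, 2000, 0x18, payload)  # PSH|ACK
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + build_ipv4_header(src, dst, len(seg)) + seg


def corrupt_tcp_checksum(frame: bytes) -> bytes:
    """Mimic a frame captured on a host with TCP checksum offload: the stored
    TCP checksum is wrong. XOR with a constant guarantees a mismatch (zeroing
    could, in the rare case the true checksum is zero, leave it valid)."""
    ihl = (frame[14] & 0x0F) * 4
    off = 14 + ihl + 16
    ck = struct.unpack("!H", frame[off:off + 2])[0]
    return frame[:off] + struct.pack("!H", ck ^ 0x5555) + frame[off + 2:]


def verify_frame(frame: bytes) -> dict:
    """Return {'ip_ok': bool, 'tcp_ok': bool | None} for an Ethernet II / IPv4 frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    result = {"ip_ok": checksum(ip[:ihl]) == 0, "tcp_ok": None}
    if ip[9] == IPPROTO_TCP:
        tcp = ip[ihl:total_len]
        result["tcp_ok"] = checksum(tcp_pseudo_header(ip[12:16], ip[16:20], len(tcp)) + tcp) == 0
    return result


def snort_would_inspect(frame: bytes, k_mode: str = "all") -> bool:
    """Simplified model (an assumption, not Snort code) of '-k <mode>': a packet
    failing a checksum that the mode still verifies is never seen by preprocessors."""
    r = verify_frame(frame)
    check_ip = k_mode in ("all", "notcp", "noudp", "noicmp")
    check_tcp = k_mode in ("all", "noip", "noudp", "noicmp")
    if check_ip and not r["ip_ok"]:
        return False
    if check_tcp and r["tcp_ok"] is False:
        return False
    return True


# Constructed sample: an FTP control-channel command, not a real capture.
GOOD_FRAME = build_frame("192.0.2.10", "192.0.2.20", 54321, 21, b"RETR report.pdf\r\n")
BAD_FRAME = corrupt_tcp_checksum(GOOD_FRAME)

if __name__ == "__main__":
    for name, f in (("good", GOOD_FRAME), ("offloaded", BAD_FRAME)):
        print(name, verify_frame(f), "-k all:", snort_would_inspect(f),
              "-k none:", snort_would_inspect(f, "none"))
```

For a real capture, feed each frame's bytes to `verify_frame` (any pcap reader will do; the frame layout assumed here is Ethernet II without VLAN tags). If only the TCP checksums fail, `-k notcp` is the narrower fix; `-k none` also stops verifying IP, UDP and ICMP checksums, which is fine for reading a pcap offline but worth a second thought on a production sensor, since it lets deliberately malformed packets through to inspection.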
Current thread:
- preprocessor file_inspect does not capture file Lương Minh Tuấn (Dec 01)
- Re: preprocessor file_inspect does not capture file Y M (Dec 01)
- Re: preprocessor file_inspect does not capture file Lương Minh Tuấn (Dec 02)
- Re: preprocessor file_inspect does not capture file Y M (Dec 02)
- Re: preprocessor file_inspect does not capture file Lương Minh Tuấn (Dec 02)
- Re: preprocessor file_inspect does not capture file Y M (Dec 02)
- Re: preprocessor file_inspect does not capture file Lương Minh Tuấn (Dec 02)
- Re: preprocessor file_inspect does not capture file Y M (Dec 02)
- Re: preprocessor file_inspect does not capture file Lương Minh Tuấn (Dec 02)
- preprocessor file_inspect: file capture from FTP traffic differs from original Lương Minh Tuấn (Dec 10)
- Re: preprocessor file_inspect: file capture from FTP traffic differs from original Hui cao (Dec 11)
- Re: preprocessor file_inspect: file capture from FTP traffic differs from original Lương Minh Tuấn (Dec 11)
- Re: preprocessor file_inspect does not capture file Lương Minh Tuấn (Dec 02)
- Re: preprocessor file_inspect does not capture file Y M (Dec 01)