Snort mailing list archives
Re: Config Trouble
From: "Gaurav Nagare (gnagare)" <gnagare () cisco com>
Date: Thu, 31 Mar 2016 13:08:26 +0000
Hi Valentin,

I don't see 'config file:' in your configuration. Can you try adding that config? Syntax is as shown below -

    config file:\
        < file_type_depth depth >,\
        < file_signature_depth depth >, \
        < file_block_timeout timeout >, \
        < file_capture_memcap memcap >, \
        < file_capture_max max >, \
        < file_capture_min min >, \
        < file_capture_block_size size >

Also, what are the contents of your file_magic.conf?

You had also mentioned that it does not work for every kind of file type. You mean the file type is not identified at all or it's identified incorrectly? Please let us know.

Thanks
Gaurav

On 30/03/16, 9:00 PM, "valentin.giraud () armaturetech com" <valentin.giraud () armaturetech com> wrote:
Hi snort Team,

I am trying to configure file extract, but I am having a "weird" issue.

I downloaded 3 examples ".zip" files with firefox:

    peace_essay.ZIP
    peace_problem.ZIP
    peace.zip

and the file extract gave GIF extension file:

***
4029FE24DC2B05D8BFB80A9027A3578C62F23380A8C1CBB8F8CE20488B64EAE0: GIF image data, version 89a, 5 x 5
8337212354871836E6763A41E615916C89BAC5B3F1F0ADF60BA43C7C806E1015: GIF image data, version 89a, 1 x 1
E16105A1ED76519D369DA7E2FF2D554FE2BE88D604D1850AA11A0D9E470E7864: GIF image data, version 89a, 20 x 19
***

When I run snort it says:

********
File config:
    file type: ENABLED
    file signature: DISABLED (Default)
    file capture: ENABLED
    file capture directory: /var/log/snort/filestore/
    file capture disk size: 300 (Default) megabytes
    file sent to host: DISABLED (Default), port number: 0
File service: file type enabled.
File service: file capture enabled.
File service: file signature enabled.
...
...
afpacket DAQ configured to passive.
Acquiring network traffic from "eth0".
Reload thread starting...
Reload thread started, thread 0x98f32b40 (12799)
File capture thread started tid=0x98731b40 (pid=12798)

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.0 GRE (Build 229)
...
*********

Actually, it does not work with every kind of extension (pdf do not work for example...)

Have you any idea where I could be wrong? I join my snort.conf file.

Regards,
Valentin.

PS: Sorry for my English in advance, I am not native.
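A small check for the directive discussed in this thread, as an added example that is not part of the original messages or of Snort itself: it joins backslash-continued lines of a snort.conf, looks for `config file:`, and validates option names against the seven listed in the reply. The function names, sample fragments and numeric values are constructed for illustration.

```python
import re

# Option names exactly as listed in the reply above.
KNOWN_OPTIONS = {
    "file_type_depth", "file_signature_depth", "file_block_timeout",
    "file_capture_memcap", "file_capture_max", "file_capture_min",
    "file_capture_block_size",
}

def logical_lines(text):
    """Drop '#' comments, then join backslash-continued lines."""
    stripped = "\n".join(l.split("#", 1)[0].rstrip() for l in text.splitlines())
    joined = re.sub(r"\\\n", " ", stripped)
    return [l.strip() for l in joined.splitlines() if l.strip()]

def check_file_config(text):
    """Return (options, problems) for the 'config file:' directive."""
    options, problems, found = {}, [], False
    for line in logical_lines(text):
        m = re.match(r"config\s+file\s*:\s*(.*)$", line)
        if not m:
            continue
        found = True
        for item in filter(None, (p.strip() for p in m.group(1).split(","))):
            parts = item.split()
            if len(parts) != 2 or not parts[1].isdigit():
                problems.append(f"malformed option: {item!r}")
            elif parts[0] not in KNOWN_OPTIONS:
                problems.append(f"unknown option: {parts[0]}")
            else:
                options[parts[0]] = int(parts[1])
    if not found:
        problems.append("no 'config file:' directive found")
    return options, problems

# Constructed fragments; the numeric values are placeholders, not tuning advice.
SAMPLE_MISSING = "# file settings absent\nconfig daq: afpacket\n"
SAMPLE_TYPO = ("config file: file_type_depth 16384, \\\n"
               "    file_capture_min 1, \\\n"
               "    file_capture_maxx 1048576  # misspelled on purpose\n")

if __name__ == "__main__":
    for name, conf in (("missing", SAMPLE_MISSING), ("typo", SAMPLE_TYPO)):
        print(name, check_file_config(conf))
```

To check a real configuration, pass the contents of snort.conf to `check_file_config` and review the returned problem list before restarting the sensor.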