Snort mailing list archives
File extract troubleshot
From: valentin.giraud () armaturetech com
Date: Wed, 06 Apr 2016 12:41:30 +0200
Hi Snort team! I have some trouble capturing files: I downloaded some RTF, PDF and EXE files in order to capture them with Snort, but they are not captured. Yet the alert is "identified":
[**] [1:10000003:0] WEB-MISC rtf download attempt [**]
[Priority: 0]
04/06-12:25:36.788506 10.1.10.8:40630 -> 97.88.242.114:80
TCP TTL:43 TOS:0x0 ID:39946 IpLen:20 DgmLen:404 DF
***A**** Seq: 0x7BB49AB9 Ack: 0x713EA3EE Win: 0x7580 TcpLen: 32
Here is the output when I close Snort:
****
File type stats:
Type Download (Bytes) Upload (Bytes)
RTF( 23) 2 1428622 0 0
Total 2 1428622 0 0
File signature stats:
Type Download Upload
Total 0 0
File type verdicts:
UNKNOWN: 2
LOG: 0
STOP: 0
BLOCK: 0
REJECT: 0
PENDING: 0
STOP CAPTURE: 0
Total: 2
File signature verdicts:
UNKNOWN: 1
LOG: 0
STOP: 0
BLOCK: 0
REJECT: 0
PENDING: 0
STOP CAPTURE: 0
Total: 1
Total files processed: 65
Total files data processed: 1510357 bytes
Total files buffered: 2
Total files released: 0
Total files freed: 2
Total files captured: 0
Total files within one packet: 0
Total buffers allocated: 17
Total buffers freed: 17
Total buffers released: 0
Maximum file buffers used: 16
Total buffers free errors: 0
Total buffers release errors: 0
Total memcap failures: 0
Total memcap failures at reserve: 0
Total reserve failures: 0
Total file capture size min: 0
Total file capture size max: 0
Total capture max before reserve: 1
Total file signature max: 0
Maximum buffers can allocate: 3198
Number of buffers in use: 0
Number of buffers in free list: 3198
Number of buffers in release list: 0
****
I am running Snort 2.9.8.2. I have attached my snort.conf file and the local rules that I've added.
Any idea why this is not captured?
Sincerely, Valentin.
Attachment: local.rules
Attachment: snort.conf
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
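The alert record in the post above is in Snort's "full" alert format (rule header, classification/priority, flow line, IP line, TCP line). The following parser is an added example and is not code from the post or from the Snort project. It turns such a record into typed fields and adds two checks a troubleshooter would want: whether the SID is in the local range (1,000,000 and up is reserved for local rules) and whether the matching packet travelled client-to-server, since a match on the request (here: a 404-byte ACK-only segment to port 80) means the rule keyed on the request, not on the served file. The sample record is the one quoted above, embedded as a constructed string; the helper names are this example's own.

```python
import re

# Constructed sample: the alert record quoted in the post, in Snort's "full" alert format.
SAMPLE_ALERT = """\
[**] [1:10000003:0] WEB-MISC rtf download attempt [**]
[Priority: 0]
04/06-12:25:36.788506 10.1.10.8:40630 -> 97.88.242.114:80
TCP TTL:43 TOS:0x0 ID:39946 IpLen:20 DgmLen:404 DF
***A**** Seq: 0x7BB49AB9 Ack: 0x713EA3EE Win: 0x7580 TcpLen: 32
"""

# One regex per line of the record. The header carries gid:sid:rev and the rule msg;
# the Classification field is absent when the rule has no classtype (as in the sample).
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^(?:\[Classification: (.*?)\] )?\[Priority: (\d+)\]$")
# Ports are optional so ICMP records (no ports) parse too; IPv4 addresses assumed.
FLOW_RE = re.compile(r"^(\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
IP_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)(.*)$")
TCP_RE = re.compile(r"^(.{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+) Win: (0x[0-9A-Fa-f]+) TcpLen: (\d+)$")

# Snort prints the TCP flag byte as an 8-character string in this fixed order
# (CWR, ECE, URG, ACK, PSH, RST, SYN, FIN), with '*' for a clear bit.
TCP_FLAG_ORDER = "12UAPRSF"

LOCAL_SID_MIN = 1_000_000  # SIDs from 1,000,000 upward are reserved for local rules


def parse_full_alert(record: str) -> dict:
    """Parse one Snort full-format alert record into a dict of typed fields.

    Raises ValueError naming the offending line if the record does not match,
    so a malformed record is never silently turned into a half-filled alert.
    """
    lines = [ln for ln in record.splitlines() if ln.strip()]
    if len(lines) < 4:
        raise ValueError("record too short: %r" % record)

    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("bad header line: %r" % lines[0])
    gid, sid, rev, msg = m.groups()
    alert = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg}

    m = CLASS_RE.match(lines[1])
    if not m:
        raise ValueError("bad classification line: %r" % lines[1])
    alert["classification"] = m.group(1)  # None when the rule has no classtype
    alert["priority"] = int(m.group(2))

    m = FLOW_RE.match(lines[2])
    if not m:
        raise ValueError("bad flow line: %r" % lines[2])
    ts, src, sport, dst, dport = m.groups()
    alert.update(timestamp=ts, src_ip=src, src_port=int(sport) if sport else None,
                 dst_ip=dst, dst_port=int(dport) if dport else None)

    m = IP_RE.match(lines[3])
    if not m:
        raise ValueError("bad IP line: %r" % lines[3])
    proto, ttl, tos, ipid, iplen, dgmlen, rest = m.groups()
    alert.update(proto=proto, ttl=int(ttl), tos=int(tos, 16), ip_id=int(ipid),
                 ip_len=int(iplen), dgm_len=int(dgmlen), ip_flags=rest.split())

    alert["tcp_flags"] = None
    if proto == "TCP" and len(lines) > 4:
        m = TCP_RE.match(lines[4])
        if not m:
            raise ValueError("bad TCP line: %r" % lines[4])
        flags, seq, ack, win, tcplen = m.groups()
        alert.update(
            tcp_flags={TCP_FLAG_ORDER[i] for i, ch in enumerate(flags) if ch != "*"},
            seq=int(seq, 16), ack=int(ack, 16), window=int(win, 16), tcp_len=int(tcplen))
    return alert


def is_local_sid(sid: int) -> bool:
    """True when the SID falls in the range reserved for locally written rules."""
    return sid >= LOCAL_SID_MIN


def is_client_to_server(alert: dict, server_ports=(80, 443)) -> bool:
    """True when the matching packet was sent towards a known server port,
    i.e. the rule fired on the request rather than on the server's response."""
    return alert["dst_port"] in server_ports


if __name__ == "__main__":
    a = parse_full_alert(SAMPLE_ALERT)
    print("rule %d:%d:%d (%s) local=%s" % (a["gid"], a["sid"], a["rev"], a["msg"], is_local_sid(a["sid"])))
    print("%s:%s -> %s:%s flags=%s client->server=%s" % (
        a["src_ip"], a["src_port"], a["dst_ip"], a["dst_port"],
        sorted(a["tcp_flags"]), is_client_to_server(a)))
```

Feeding a whole alert file through this is a matter of splitting on blank lines and calling parse_full_alert on each record; records carrying extra `[Xref => ...]` lines after the TCP line are accepted because only the first five lines are inspected.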
Current thread:
- File extract troubleshot valentin . giraud (Apr 06)
- Re: File extract troubleshot Hui Cao (huica) (Apr 06)
