Snort mailing list archives
Re: Snort 3 file statistics and logging
From: "Steven Baigal \(sbaigal\) via Snort-devel" <snort-devel () lists snort org>
Date: Fri, 27 Sep 2019 20:33:03 +0000
For the second issue, you need to add a policy for PDF:

    { when = { file_type_id = 287 }, use = { verdict = 'log', } },

Regarding the 0 bytes stats, try to remove the policy and add trace to file_id:

    file_id =
    {
        enable_type = true,
        enable_signature = true,
        file_rules = file_magic,
        trace_type = true,
        trace_signature = true,
        trace_stream = true,
    }

Steven B.

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Y M via Snort-devel <snort-devel () lists snort org>
Reply-To: Y M <snort () outlook com>
Date: Friday, September 27, 2019 at 1:56 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] Snort 3 file statistics and logging

Hello,

Two odd behaviors are observed regarding file inspector statistics in snort output and logging via file logger.

First, from the below file statistics, file type stats (files) reflect the detected files, which is correct. The file type stats (bytes) are reporting zero bytes for some files, although the files have completed the transfers and exist in the inspected pcap.

    --------------------------------------------------
    File Statistics
    --------------------------------------------------
    file type stats (files)
            Type           Download         Upload
       MSEXE( 21)                 3              0
         RTF( 23)                 0              3
         ZIP( 29)                 1              1
         PDF(287)                 2              1
            Total                 6              5
    --------------------------------------------------
    file type stats (bytes)
            Type           Download         Upload
       MSEXE( 21)           2593303              0
         RTF( 23)                 0              0
         ZIP( 29)                 0              0
         PDF(287)            465066         232533
            Total           3058369         232533
    --------------------------------------------------

Second, it appears that file logging for a PDF file policy does not create a line for detected PDF files. Different PDF files also don't get logged although they are detected. Other file types/policies over the same protocols get logged as expected.

Example file policy:

    file_id =
    {
        file_rules = file_magic,
        file_policy =
        {
            { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
            { when = { file_type_id = 29 }, use = { verdict = 'log', enable_file_signature = true } },
            { when = { sha256 = "omitted" }, use = { verdict = 'log' } }
        }
    }

    file_log =
    {
        log_pkt_time = true,
        log_sys_time = false
    }

The expected log lines in file.log from the above policies:

1. Log PDF files when detected.
2. Log ZIP files when detected.
3. Log the file with the specified hash.

In the above example, everything gets logged except for PDF files. Below are the file statistics.

    --------------------------------------------------
    File Statistics
    --------------------------------------------------
    file type stats (files)
            Type           Download         Upload
       MSEXE( 21)                 1              0
         PDF(287)                 1              1
            Total                 2              1
    --------------------------------------------------
    file type stats (bytes)
            Type           Download         Upload
       MSEXE( 21)           1123608              0
         PDF(287)            232533         232533
            Total           1356141         232533
    --------------------------------------------------
    file signature stats
            Type           Download         Upload
       MSEXE( 21)                 1              0
         PDF(287)                 1              1
            Total                 2              1

This used to work on earlier versions of Snort 3. Running Snort with --warn-all does not yield any warnings associated with the file inspector.

The command used to run Snort:

    snort -c snort.lua -r test.pcap -l /var/log/snort --plugin-path /usr/local/snort/extra -k none

And Snort version is 3.0.0 (Build 261)

Thank you.
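The two symptoms in this thread (types counted as transferred but reported with 0 bytes, and a file_policy keyed on a file_type_id that the stats never show) are both visible by cross-checking the "File Statistics" block against the file_policy table. The script below is an added example written for this archive page, not code from the thread or from the Snort project. It assumes the stats layout exactly as printed above and treats the type-id numbering as whatever the loaded file_magic rules assign, so it only compares IDs against what the output actually reports; the sample stats and policy text are constructed from the figures in the original post.

```python
import re

# Constructed sample modelled on the first "File Statistics" block in the post:
# RTF(23) and ZIP(29) are counted as files but report 0 bytes.
SAMPLE_STATS = """\
--------------------------------------------------
File Statistics
--------------------------------------------------
file type stats (files)
        Type           Download         Upload
   MSEXE( 21)                 3              0
     RTF( 23)                 0              3
     ZIP( 29)                 1              1
     PDF(287)                 2              1
        Total                 6              5
--------------------------------------------------
file type stats (bytes)
        Type           Download         Upload
   MSEXE( 21)           2593303              0
     RTF( 23)                 0              0
     ZIP( 29)                 0              0
     PDF(287)            465066         232533
        Total           3058369         232533
--------------------------------------------------
"""

# Constructed sample modelled on the poster's file_policy: the PDF rule is
# keyed on file_type_id = 22 while the stats report PDF as 287.
SAMPLE_POLICY = """
file_id =
{
    file_rules = file_magic,
    file_policy =
    {
        { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
        { when = { file_type_id = 29 }, use = { verdict = 'log', enable_file_signature = true } },
        { when = { sha256 = "omitted" }, use = { verdict = 'log' } }
    }
}
"""

# One stats row: NAME( id)  download  upload   (the "Total" row has no parens)
ROW_RE = re.compile(r'^\s*([A-Z0-9]+)\(\s*(\d+)\)\s+(\d+)\s+(\d+)\s*$')
# Section headers: "file type stats (files|bytes)" or "file signature stats"
SECTION_RE = re.compile(r'^\s*file (type|signature) stats(?: \((files|bytes)\))?\s*$')
POLICY_RE = re.compile(r'file_type_id\s*=\s*(\d+)')


def parse_file_stats(text):
    """Return {section: {type_id: (name, download, upload)}} from a File Statistics block."""
    stats = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            kind, unit = m.group(1), m.group(2)
            section = kind if unit is None else f"{kind}_{unit}"
            stats[section] = {}
            continue
        m = ROW_RE.match(line)
        if m and section:
            name, type_id, down, up = m.groups()
            stats[section][int(type_id)] = (name, int(down), int(up))
    return stats


def zero_byte_types(stats):
    """Type IDs counted as transferred files but reported with 0 bytes in both directions."""
    files = stats.get('type_files', {})
    byts = stats.get('type_bytes', {})
    hits = []
    for tid, (name, down, up) in files.items():
        if down + up > 0:
            _, bdown, bup = byts.get(tid, (name, 0, 0))
            if bdown + bup == 0:
                hits.append(tid)
    return sorted(hits)


def policy_type_ids(policy_text):
    """file_type_id values referenced by file_policy entries (sha256-only entries have none)."""
    return {int(x) for x in POLICY_RE.findall(policy_text)}


def unmatched_policy_ids(policy_text, stats):
    """Policy type IDs that never appear in the stats, i.e. rules that can never fire."""
    return sorted(policy_type_ids(policy_text) - set(stats.get('type_files', {})))


def unpoliced_types(policy_text, stats):
    """Observed type IDs that no file_type_id policy entry covers."""
    return sorted(set(stats.get('type_files', {})) - policy_type_ids(policy_text))


if __name__ == '__main__':
    s = parse_file_stats(SAMPLE_STATS)
    print('files counted but 0 bytes:', zero_byte_types(s))
    print('policy ids never seen in stats:', unmatched_policy_ids(SAMPLE_POLICY, s))
    print('observed types with no type policy:', unpoliced_types(SAMPLE_POLICY, s))
```

Run against the constructed input it reports 23 and 29 as the zero-byte types, 22 as a policy ID the stats never show, and 21, 23 and 287 as observed types without a type policy, which is the mismatch the reply resolves by adding a file_type_id = 287 entry. To use it on a real run, paste the stats from snort's stdout and the file_id table from snort.lua in place of the two samples.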
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Snort 3 file statistics and logging Y M via Snort-devel (Sep 27)
- <Possible follow-ups>
- Re: Snort 3 file statistics and logging Steven Baigal (sbaigal) via Snort-devel (Sep 27)
- Re: Snort 3 file statistics and logging Y M via Snort-devel (Sep 27)