Snort mailing list archives

file carving


From: "Long, Kerry S" <kslong () mitre org>
Date: Fri, 21 Feb 2014 14:52:48 +0000

I got Snort to carve files to a directory.  They are listed by their hash name.  This is not very useful without the file log, which tells me what the file really is and what network session it is associated with.  Unfortunately, I can't figure out how to get the log to print.  I have enabled it, I think, in snort.conf with these lines:

dynamicoutput file /opt/snort/snort_dynamicpreprocessor/libsf_file_preproc.so

output filelog:/metadata/attachments/file

But I get nothing.  I am using the sample filemagic.conf file provided.





P.S.

I may still have to create alert rules for every entry in the magic file.  The instructions seem to indicate I need to do this for some reason.  I have not because it looks like I would have to do it for file inspect and file signature aspects of the preprocessor.  That would be painful: 2*100+ rules.

Thanks,

Kerry


