Snort mailing list archives
Re: File preprocessor fails to capture files
From: "Hui Cao (huica)" <huica () cisco com>
Date: Fri, 8 May 2015 19:49:07 +0000
Hi Pablo,

When listening from interfaces, you have lots of discards. Because file processing relies on data that are reassembled correctly, it won’t be called for those sessions that miss file data.

In the case of PCAP, not sure why file type is not identified. It is interesting to see 47M file data for only 3326 packets. That is 24K per packet. I guess in this case, it will always hit PAF_MAX for each packet, which might set each packet as a single PDU (file). Can you try this setting?

    config paf_max: 60000

Best,
Hui.

From: Pablo Cantos Polaino <pcantos () redborder org>
Date: Friday, May 8, 2015 at 3:29 PM
To: Hui Cao <huica () cisco com>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] File preprocessor fails to capture files

    IP4 Disc:          122145 ( 49.331%)
    IP6 Disc:               0 (  0.000%)
    TCP Disc:               0 (  0.000%)
    UDP Disc:               0 (  0.000%)
    ICMP Disc:              0 (  0.000%)
    All Discard:       122145 ( 49.331%)

    TCP Segments Used: 6919
    TCP Discards:      48
    TCP Gaps:          6459
Current thread:
- File preprocessor fails to capture files Pablo Cantos Polaino (May 08)
- Re: File preprocessor fails to capture files Hui Cao (huica) (May 08)
- Re: File preprocessor fails to capture files Pablo Cantos Polaino (May 08)
- Re: File preprocessor fails to capture files Hui cao (May 08)
- Re: File preprocessor fails to capture files Pablo Cantos Polaino (May 08)
- Re: File preprocessor fails to capture files Hui Cao (huica) (May 08)
- Re: File preprocessor fails to capture files Pablo Cantos Polaino (May 08)
- Re: File preprocessor fails to capture files Hui Cao (huica) (May 08)
- Re: File preprocessor fails to capture files Pablo Cantos Polaino (May 15)
- Re: File preprocessor fails to capture files Russ (May 15)
- Re: File preprocessor fails to capture files Pablo Cantos Polaino (May 16)
- Re: File preprocessor fails to capture files Russ (May 17)
- Re: File preprocessor fails to capture files Pablo Cantos Polaino (May 18)
- Re: File preprocessor fails to capture files Pablo Cantos Polaino (May 08)
- Re: File preprocessor fails to capture files Hui Cao (huica) (May 08)