Snort mailing list archives

Re: preprocessor file_inspect does not capture file


From: Y M <snort () outlook com>
Date: Wed, 2 Dec 2015 09:26:48 +0000

Do you have file type and file signature enabled? For instance, I don't see the type_id in the preprocessor 
configurations you posted.

Documentation says that capturing depends on type and signature being enabled, i.e., unknown file types will not be 
captured.

YM

Sent from Mobile
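An added triage script for the situation YM describes above (editorial example code, not from the thread or from the Snort project). It joins the backslash-continued file_inspect directive from a snort.conf, reports whether type_id, signature, capture_disk and the file_magic.conf include are present and whether the capture directory is writable, and classifies the "File Preprocessor Statistics" exit block into "nothing reached the file API" versus "files identified but not written". The option names and the statistics labels are taken from the posts in this thread; the two sample configurations (the one posted, and the same one with type_id added) and the sample statistics are constructed for the demo, and nothing here invokes Snort itself.

```shell
#!/bin/sh
# Added triage script (not from the thread or from Snort). It checks the
# points the thread circles around: is type_id/signature enabled in the
# file_inspect directive, is file_magic.conf included, is capture_disk set
# to a writable directory, and what do the exit statistics say?
# Assumptions: option names and stat labels as quoted in the thread; the
# sample config and stats below are constructed, not captured from a real run.

# Print the file_inspect directive with its backslash continuations joined.
file_inspect_directive() {
    awk '
        /^preprocessor file_inspect:/ { collect = 1 }
        collect {
            line = $0
            sub(/\\[ \t]*$/, "", line)          # strip trailing continuation
            out = out " " line
            if ($0 !~ /\\[ \t]*$/) { print out; exit }
        }' "$1"
}

# True if the joined directive contains the given option keyword.
directive_has_option() {
    printf '%s\n' "$1" | grep -Eq "(^|[[:space:],:])$2([[:space:],]|$)"
}

# Print the capture_disk path from the joined directive, or nothing if unset.
capture_dir() {
    printf '%s\n' "$1" | sed -n 's/.*capture_disk[[:space:]]*\([^[:space:],]*\).*/\1/p'
}

# Print a space-separated list of what is missing from snort.conf for capture.
check_config() {
    conf=$1
    d=$(file_inspect_directive "$conf")
    missing=""
    for opt in type_id signature capture_disk; do
        directive_has_option "$d" "$opt" || missing="$missing $opt"
    done
    grep -Eq '^include[[:space:]].*file_magic\.conf' "$conf" || missing="$missing file_magic.conf"
    dir=$(capture_dir "$d")
    if [ -n "$dir" ] && { [ ! -d "$dir" ] || [ ! -w "$dir" ]; }; then
        missing="$missing unwritable:$dir"
    fi
    printf '%s\n' "${missing# }"
}

# Print the integer after a "Label: N" line of the exit statistics (0 if absent).
stat_value() {
    v=$(sed -n "s/^[[:space:]]*$2: *\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1)
    printf '%s\n' "${v:-0}"
}

# Classify the exit statistics: did any file reach the file API, and was it written?
diagnose_stats() {
    types=$(stat_value "$1" "Total file type callbacks")
    sigs=$(stat_value "$1" "Total file signature callbacks")
    saved=$(stat_value "$1" "Total files saved to disk")
    if [ "$types" -eq 0 ] && [ "$sigs" -eq 0 ]; then
        echo no-file-events        # nothing identified: type_id/signature/file_magic.conf, or no file data decoded
    elif [ "$saved" -eq 0 ]; then
        echo identified-not-saved  # files seen but not written: capture_disk, size limits or memcap
    else
        echo ok
    fi
}

# Constructed samples: the directive as posted in the thread, and one with type_id added.
write_samples() {
    SAMPLE_DIR=${TMPDIR:-/tmp}/file_inspect_triage.$$
    mkdir -p "$SAMPLE_DIR/capture"
    cat > "$SAMPLE_DIR/posted.conf" <<EOF
include file_magic.conf
preprocessor file_inspect: signature, \\
    capture_queue_size 5000, \\
    capture_disk $SAMPLE_DIR/capture/
EOF
    cat > "$SAMPLE_DIR/fixed.conf" <<EOF
include file_magic.conf
preprocessor file_inspect: type_id, signature, \\
    capture_queue_size 5000, \\
    capture_disk $SAMPLE_DIR/capture/
EOF
    cat > "$SAMPLE_DIR/stats.txt" <<'EOF'
File Preprocessor Statistics
Total file type callbacks: 0
Total file signature callbacks: 0
Total files would saved to disk: 0
Total files saved to disk: 0
EOF
}

write_samples
echo "posted.conf missing: $(check_config "$SAMPLE_DIR/posted.conf")"
echo "fixed.conf missing:  $(check_config "$SAMPLE_DIR/fixed.conf")"
echo "exit stats say:      $(diagnose_stats "$SAMPLE_DIR/stats.txt")"
rm -rf "$SAMPLE_DIR"
```

Run it with `sh triage.sh` (a hypothetical file name); point check_config at a real snort.conf and diagnose_stats at a file holding Snort's exit output to use it outside the demo. The "no-file-events" verdict is the one the posted statistics produce: with both callback counters at zero the capture path was never reached, so capture_disk permissions and the size limits are not yet the question.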

_____________________________
From: Lương Minh Tuấn <not.soledad () gmail com>
Sent: Wednesday, December 2, 2015 11:09 AM
Subject: Re: [Snort-users] preprocessor file_inspect does not capture file
To: Y M <snort () outlook com>
Cc: <snort-users () lists sourceforge net>


Hi YM,
    file_capture_min and file_capture_max are set to their default values, 0 and 1GB. The path in capture_disk exists with 
full permissions (I set it to 777 for testing). README.file says that with the block of config which I posted, Snort can 
capture any file, but in my case it does not work.
     I tried using a signature from file_magic.conf to write a normal rule; Snort detects it OK, and with the tag keyword I can 
even capture the whole file in tcpdump.



On 12/2/2015 2:16 PM, Y M wrote:
I haven't played enough with the file_inspect preprocessor but what is the size of the file in relation to things like 
"file_capture_min", "file_capture_max"?

Also, does the path in "capture_disk" exist?

Finally, as far as I understand, only those files that have their hashes in the black or grey lists will be captured. 
Please anyone, correct me if I am wrong.

YM

Sent from Mobile

_____________________________
From: Lương Minh Tuấn <not.soledad () gmail com>
Sent: Wednesday, December 2, 2015 9:46 AM
Subject: [Snort-users] preprocessor file_inspect does not capture file
To: <snort-users () lists sourceforge net>


Hi everybody,
I had a problem when using file_inspect to capture files sent over
FTP. Please help me resolve it. Here's my Snort info:
- Server OS:
$cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
- Snort version: 2.9.7.6, build options: --enable-file-inspect
--enable-open-appid --enable-sourcefire
- configuration file:
exactly from snortrules-snapshot-2976.tar.gz, with the file_inspect
config added as discussed in README.file:
include file_magic.conf
preprocessor file_inspect: signature, \
capture_queue_size 5000, \
capture_disk /home/file_capture/tmp/

Snort does not detect or process any file; here are my exit stats:
File Preprocessor Statistics
Total file type callbacks: 0
Total file signature callbacks: 0
Total files would saved to disk: 0
Total files saved to disk: 0
Total file data saved to disk: 0 bytes
Total files duplicated: 0
Total files reserving failed: 0
Total file capture min: 0
Total file capture max: 0
Total file capture memcap: 0
Total files reading failed: 0
Total file agent memcap failures: 0
Total files sent: 0
Total file data sent: 0
Total file transfer failures: 0
===============================================================================
Files processed: none

I tried building Snort v2.9.7.0, 2.9.6.2 and the latest 2.9.8.0, but no
luck. Please help me!

Thanks and best regards!
--
Lương Minh Tuấn
Email: not.soledad () gmail com
Skype: minhtuan208


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



Thanks and best regards!
--
Lương Minh Tuấn
VDC Network Operations & Service Support Center
IT-VDC
Phone: 0915130933
Email: lmtuan () vdc com vn, luongminhtuan208 () gmail com
Skype: minhtuan208

