Snort mailing list archives

Re: preprocessor file_inspect does not capture file


From: Lương Minh Tuấn <not.soledad () gmail com>
Date: Wed, 2 Dec 2015 18:03:40 +0700


Thanks a thousand thousand tons to the Snort team, the option '-k none' makes Snort work like a charm.


On 12/2/2015 5:10 PM, Y M wrote:
Hmm.. just for testing purposes, calculate the sha256 hashes of the files, add the hashes to the black list, and then re-run Snort.

Another thing to try is to use "-k none" when running Snort to read the pcap.

YM

Sent from Mobile

_____________________________
From: Lương Minh Tuấn <not.soledad () gmail com <mailto:not.soledad () gmail com>>
Sent: Wednesday, December 2, 2015 1:05 PM
Subject: Re: [Snort-users] preprocessor file_inspect does not capture file
To: Y M <snort () outlook com <mailto:snort () outlook com>>
Cc: <snort-users () lists sourceforge net <mailto:snort-users () lists sourceforge net>>



I tried many times, adding and removing every option (type_id, signature) to test whether the preprocessor can detect something, but no luck, nothing in the Snort exit stats.
    The closest test result, with type_id and signature on:
    - configuration I tried, exactly like the documentation:

    preprocessor file_inspect: type_id, signature, \
                    capture_disk /home/file_capture/tmp/, \
                    capture_queue_size 5000

    - Snort says that file_inspect may be OK:

    File config:
        file type: ENABLED
        file signature: ENABLED
        file capture: ENABLED
        file capture directory: /home/file_capture/tmp/
        file capture disk size: 300 (Default) megabytes
        file sent to host: DISABLED (Default), port number: 0

        File service: file type enabled.
        File service: file signature enabled.
        File service: file capture enabled.
        File capture thread started tid=0x7f5add080700 (pid=20478)

- After uploading and downloading a PDF, a pcap, and a zip file, the exit stats are:

       File Preprocessor Statistics
      Total file type callbacks:            0
      Total file signature callbacks:       0
      Total files would saved to disk:      0
      Total files saved to disk:            0
      Total file data saved to disk:        0         bytes
      Total files duplicated:               0
      Total files reserving failed:         0
      Total file capture min:               0
      Total file capture max:               0
      Total file capture memcap:            0
      Total files reading failed:           0
      Total file agent memcap failures:     0
      Total files sent:                     0
      Total file data sent:                 0
      Total file transfer failures:         0
    ===============================================================================
    Files processed: none
    ===============================================================================

Thanks
On 12/2/2015 4:26 PM, Y M wrote:

    Do you have file type and file signature enabled? For instance, I
    don't see the type_id in the preprocessor configuration you posted.

    Documentation says that capturing depends on type and signature
    being enabled, i.e. unknown file types will not be captured.

    YM

    Sent from Mobile

    _____________________________
    From: Lương Minh Tuấn < not.soledad () gmail com
    <mailto:not.soledad () gmail com>>
    Sent: Wednesday, December 2, 2015 11:09 AM
    Subject: Re: [Snort-users] preprocessor file_inspect does not
    capture file
    To: Y M < snort () outlook com <mailto:snort () outlook com>>
    Cc: < snort-users () lists sourceforge net
    <mailto:snort-users () lists sourceforge net>>


    Hi YM,
        file_capture_min and file_capture_max are set to the default
    values, 0 and 1GB. The path in capture_disk exists with full
    permissions (I set it to 777 for testing). README.file says that with
    the block of config I posted, Snort can capture any file, but in
    my case it does not work.
         I tried using a signature from file_magic.conf to write a normal
    rule; Snort detects it OK, and with the tag keyword I can even capture
    all the files in tcpdump.



    On 12/2/2015 2:16 PM, Y M wrote:

        I haven't played enough with the file_inspect preprocessor, but
        what is the size of the file in relation to things like
        "file_capture_min" and "file_capture_max"?

        Also, does the path in "capture_disk" exist?

        Finally, as far as I understand, only those files that have
        their hashes in the black or grey lists will be captured.
        Please anyone, correct me if I am wrong.

        YM

        Sent from Mobile

        _____________________________
        From: Lương Minh Tuấn < not.soledad () gmail com
        <mailto:not.soledad () gmail com>>
        Sent: Wednesday, December 2, 2015 9:46 AM
        Subject: [Snort-users] preprocessor file_inspect does not
        capture file
        To: < snort-users () lists sourceforge net
        <mailto:snort-users () lists sourceforge net>>


        Hi everybody,
        I had a problem when using file_inspect to capture files sent over
        FTP. Please help me resolve it. Here's my Snort info:
        - Server OS:
        $cat /etc/redhat-release
        CentOS Linux release 7.1.1503 (Core)
        - Snort version: 2.9.7.6, build options: --enable-file-inspect
        --enable-open-appid --enable-sourcefire
        - configuration file:
        exactly from snortrules-snapshot-2976.tar.gz, adding the file_inspect
        config as discussed in README.file:
        include file_magic.conf
        preprocessor file_inspect: signature, \
        capture_queue_size 5000, \
        capture_disk /home/file_capture/tmp/

        Snort does not detect or process any file; here are my exit stats:
        File Preprocessor Statistics
        Total file type callbacks: 0
        Total file signature callbacks: 0
        Total files would saved to disk: 0
        Total files saved to disk: 0
        Total file data saved to disk: 0 bytes
        Total files duplicated: 0
        Total files reserving failed: 0
        Total file capture min: 0
        Total file capture max: 0
        Total file capture memcap: 0
        Total files reading failed: 0
        Total file agent memcap failures: 0
        Total files sent: 0
        Total file data sent: 0
        Total file transfer failures: 0
        ===============================================================================

        Files processed: none

        I tried building Snort v2.9.7.0, 2.9.6.2 and the latest 2.9.8.0,
        but no luck. Please help me!

        Thanks and best regards!
-- Lương Minh Tuấn
        Email: not.soledad () gmail com <mailto:not.soledad () gmail com>
        Skype: minhtuan208


        ------------------------------------------------------------------------------

        Go from Idea to Many App Stores Faster with Intel(R) XDK
        Give your users amazing mobile app experiences with Intel(R) XDK.
        Use one codebase in this all-in-one HTML5 development
        environment.
        Design, debug & build mobile apps & 2D/3D high-impact games
        for multiple OSs.
        http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
        _______________________________________________
        Snort-users mailing list
        Snort-users () lists sourceforge net
        <mailto:Snort-users () lists sourceforge net>
        Go to this URL to change user options or unsubscribe:
        https://lists.sourceforge.net/lists/listinfo/snort-users
        Snort-users list archive:
        http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users


        Please visit http://blog.snort.org to stay current on all the
        latest Snort news!







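Why "-k none" resolved the thread: Snort verifies IP/TCP/UDP/ICMP checksums by default (checksum mode "all", settable with -k or "config checksum_mode:" in snort.conf) and does not inspect packets that fail, so a pcap recorded on a host whose NIC fills in TCP checksums after libpcap copies the packet (checksum offload) never reaches file_inspect. The script below is an added example written for this thread, not code from the Snort project or from anyone in it. It verifies the IPv4 and TCP checksums of every frame in a classic libpcap file and lists the frames Snort's default mode would set aside. It assumes an Ethernet (DLT_EN10MB) capture with microsecond timestamps and IPv4/TCP traffic; the sample frames it builds are constructed, not captured traffic.

```python
#!/usr/bin/env python3
"""List frames in a pcap whose IPv4/TCP checksum fails verification.

Snort's default -k all skips such packets, so a capture taken on a host
with checksum offload yields no file_inspect callbacks until -k none.
Added example; assumes a classic libpcap file with Ethernet frames.
"""
import struct
import sys
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum of data whose checksum field is zeroed."""
    return (~ones_complement_sum(data)) & 0xFFFF


def verify_frame(frame: bytes) -> dict:
    """Checksum validity of one Ethernet/IPv4(/TCP) frame.

    ip_ok / tcp_ok are True, False, or None when not applicable
    (non-IPv4, non-TCP, IP fragment, or frame truncated by the snaplen).
    """
    result = {"ipv4": False, "ip_ok": None, "tcp_ok": None}
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return result
    result["ipv4"] = True
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if len(ip) < total_len:  # snaplen cut the packet; cannot verify
        return result
    ip = ip[:total_len]  # drop any Ethernet trailer padding
    # A header that carries a correct checksum sums to 0xFFFF.
    result["ip_ok"] = ones_complement_sum(ip[:ihl]) == 0xFFFF
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    if ip[9] == IPPROTO_TCP and (flags_frag & 0x3FFF) == 0:  # unfragmented
        segment = ip[ihl:]
        pseudo = ip[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
        result["tcp_ok"] = ones_complement_sum(pseudo + segment) == 0xFFFF
    return result


def frames_snort_would_drop(frames):
    """Indexes of IPv4 frames whose IP or TCP checksum fails (-k all)."""
    bad = []
    for i, frame in enumerate(frames):
        r = verify_frame(frame)
        if r["ipv4"] and (r["ip_ok"] is False or r["tcp_ok"] is False):
            bad.append(i)
    return bad


def parse_pcap(data: bytes):
    """Frames from a classic (not pcapng) libpcap file, Ethernet link type."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a microsecond-resolution classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected DLT_EN10MB (Ethernet) link type")
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def write_pcap(frames) -> bytes:
    """Minimal classic pcap writer, used to build constructed test input."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload, corrupt_tcp_checksum=False):
    """Constructed Ethernet/IPv4/TCP frame (sample input, not captured traffic).

    corrupt_tcp_checksum flips the low bit of the correct TCP checksum, a
    constructed stand-in for the incomplete checksum offload leaves behind.
    """
    src, dst = IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                         0x4000, 64, IPPROTO_TCP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len)
    tcp_csum = checksum(pseudo + tcp_hdr + payload)
    if corrupt_tcp_checksum:
        tcp_csum ^= 0x0001  # any single-bit change makes verification fail
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    return eth_hdr + ip_hdr + tcp_hdr + payload


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        frames = parse_pcap(fh.read())
    bad = frames_snort_would_drop(frames)
    print("%d of %d frames fail checksum verification" % (len(bad), len(frames)))
    if bad:
        print("Snort's default -k all skips these; re-run with -k none")
```

Run it as "python3 check_pcap_checksums.py capture.pcap" (the file name is assumed). If it reports failing frames, "-k none" on the command line, or "config checksum_mode: none" in snort.conf, is the right fix for a pcap recorded on the endpoint itself; on a live sensor fed from a SPAN port or tap the checksums are what the wire carried, so leave verification on there and capture test traffic with offload disabled (ethtool -K <iface> tx off rx off) instead.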
