Snort mailing list archives

Re: preprocessor file_inspect does not capture file


From: Y M <snort () outlook com>
Date: Wed, 2 Dec 2015 11:06:50 +0000

Awesome.

Just to clarify, I'm not in the snort team, just another person on the list, though; all credit goes to them.

YM

Sent from Mobile




On Wed, Dec 2, 2015 at 3:03 AM -0800, "Lương Minh Tuấn" <not.soledad () gmail com> wrote:


    Thank the snort team a thousand thousand tons; the option '-k none' makes snort work like a charm.


On 12/2/2015 5:10 PM, Y M wrote:
Hmm.. just for testing purposes, calculate the sha256 hashes of the files, add the hashes to the black list, and
then re-run Snort.

Another thing to try is to use "-k none" when running Snort to read the pcap.

YM

Sent from Mobile

_____________________________
From: Lương Minh Tuấn <not.soledad () gmail com>
Sent: Wednesday, December 2, 2015 1:05 PM
Subject: Re: [Snort-users] preprocessor file_inspect does not capture file
To: Y M <snort () outlook com>
Cc: <snort-users () lists sourceforge net>



    I tried many times, adding and removing every option (type_id, signature) to test if the preprocessor can detect
something, but no luck: nothing in the snort exit stats.
    The nearest test result, with type_id and signature on:
    - configuration I tried:
    exactly like the document:

    preprocessor file_inspect: type_id, signature, \
                capture_disk /home/file_capture/tmp/, \
                capture_queue_size 5000

    - snort says that file_inspect may be good:
    File config:
    file type: ENABLED
    file signature: ENABLED
    file capture: ENABLED
    file capture directory: /home/file_capture/tmp/
    file capture disk size: 300 (Default) megabytes
    file sent to host: DISABLED (Default), port number: 0

    File service: file type enabled.
    File service: file signature enabled.
    File service: file capture enabled.
    File capture thread started tid=0x7f5add080700 (pid=20478)

    - After uploading and downloading a pdf, a pcap, and a zip file, the exit stats are:
  File Preprocessor Statistics
  Total file type callbacks:            0
  Total file signature callbacks:       0
  Total files would saved to disk:      0
  Total files saved to disk:            0
  Total file data saved to disk:        0         bytes
  Total files duplicated:               0
  Total files reserving failed:         0
  Total file capture min:               0
  Total file capture max:               0
  Total file capture memcap:            0
  Total files reading failed:           0
  Total file agent memcap failures:     0
  Total files sent:                     0
  Total file data sent:                 0
  Total file transfer failures:         0
===============================================================================
Files processed: none
===============================================================================

Thanks
On 12/2/2015 4:26 PM, Y M wrote:
Do you have file type and file signature enabled? For instance, I don't see the type_id in the preprocessor 
configurations you posted.

Documentation says that capturing depends on type and signature being enabled, i.e.: unknown file types will not be
captured.

YM

Sent from Mobile

_____________________________
From: Lương Minh Tuấn <not.soledad () gmail com>
Sent: Wednesday, December 2, 2015 11:09 AM
Subject: Re: [Snort-users] preprocessor file_inspect does not capture file
To: Y M <snort () outlook com>
Cc: <snort-users () lists sourceforge net>


Hi YM,
    file_capture_min and file_capture_max are set to the default values, 0 and 1GB. The path in capture_disk exists with
full permissions (I set it to 777 for testing). README.file says that with the block of config which I posted, snort can
capture any file, but in my case it does not work.
     I tried using a signature from file_magic.conf to write a normal rule; snort detects it OK, and with the tag keyword I can
even capture all the files in tcpdump.



On 12/2/2015 2:16 PM, Y M wrote:
I haven't played enough with the file_inspect preprocessor but what is the size of the file in relation to things like 
"file_capture_min", "file_capture_max"?

Also, does the path in "capture_disk" exist?

Finally, as far as I understand, only those files that have their hashes in the black or grey lists will be captured. 
Please anyone, correct me if I am wrong.

YM

Sent from Mobile

_____________________________
From: Lương Minh Tuấn <not.soledad () gmail com>
Sent: Wednesday, December 2, 2015 9:46 AM
Subject: [Snort-users] preprocessor file_inspect does not capture file
To: <snort-users () lists sourceforge net>


Hi everybody,
I had a problem when using file_inspect to capture files sent over
FTP. Please help me resolve it. Here's my Snort info:
- Server OS:
$cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
- Snort version: 2.9.7.6, build options: --enable-file-inspect
--enable-open-appid --enable-sourcefire
- configuration file:
exactly from snortrules-snapshot-2976.tar.gz, with the file_inspect
config added as discussed in README.file:
include file_magic.conf
preprocessor file_inspect: signature, \
capture_queue_size 5000, \
capture_disk /home/file_capture/tmp/

Snort does not detect or process any file; here are my exit stats:
File Preprocessor Statistics
Total file type callbacks: 0
Total file signature callbacks: 0
Total files would saved to disk: 0
Total files saved to disk: 0
Total file data saved to disk: 0 bytes
Total files duplicated: 0
Total files reserving failed: 0
Total file capture min: 0
Total file capture max: 0
Total file capture memcap: 0
Total files reading failed: 0
Total file agent memcap failures: 0
Total files sent: 0
Total file data sent: 0
Total file transfer failures: 0
===============================================================================
Files processed: none

I tried to build snort v2.9.7.0, 2.9.6.2 and latest 2.9.8.0 but no
luck. Please help me!

Thanks and best regards!
--
Lương Minh Tuấn
Email: not.soledad () gmail com
Skype: minhtuan208


------------------------------------------------------------------------------
Go from Idea to Many App Stores Faster with Intel(R) XDK
Give your users amazing mobile app experiences with Intel(R) XDK.
Use one codebase in this all-in-one HTML5 development environment.
Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
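A small triage helper, added here as an example and not part of this thread or of Snort itself: it parses the "File Preprocessor Statistics" block that Snort prints at exit (a constructed copy of the one quoted above is embedded) and maps the counters to the checks the thread worked through, in order: nothing reached file_inspect at all (checksum verification, fixed here with "-k none"), type/signature callbacks ran but nothing was queued for capture (type_id, signature, capture_disk), or files were queued but not written (directory permissions, capture_disk size). The stage names and the ordering heuristic are my own assumptions, not Snort's.

```python
import re

# Constructed copy of the exit statistics block quoted in this thread.
SAMPLE_STATS = """\
File Preprocessor Statistics
Total file type callbacks: 0
Total file signature callbacks: 0
Total files would saved to disk: 0
Total files saved to disk: 0
Total file data saved to disk: 0 bytes
Total files duplicated: 0
Total files reserving failed: 0
===============================================================================
Files processed: none
"""

# One "Total <counter>: <number>" line; trailing units such as "bytes" are ignored.
STAT_LINE = re.compile(r"^\s*(Total [^:]+):\s+(\d+)", re.MULTILINE)


def parse_file_stats(text):
    """Return {counter name: int} from Snort's File Preprocessor Statistics block."""
    return {name.strip(): int(value) for name, value in STAT_LINE.findall(text)}


def diagnose(stats):
    """Map the counters to the likeliest failing stage (labels are my own):
    no_files_seen        - no type/signature callbacks: traffic never reached
                           file_inspect; the thread's fix was running with -k none
    no_capture_decision  - callbacks ran but nothing queued: check type_id,
                           signature and capture_disk in the preprocessor line
    write_failed         - files queued but fewer written: check directory
                           permissions and the capture_disk size limit
    ok                   - every queued file was written"""
    type_cb = stats.get("Total file type callbacks", 0)
    sig_cb = stats.get("Total file signature callbacks", 0)
    would = stats.get("Total files would saved to disk", 0)
    saved = stats.get("Total files saved to disk", 0)
    if type_cb == 0 and sig_cb == 0:
        return "no_files_seen"
    if would == 0 and saved == 0:
        return "no_capture_decision"
    if saved < would:
        return "write_failed"
    return "ok"


if __name__ == "__main__":
    print(diagnose(parse_file_stats(SAMPLE_STATS)))
```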