Snort mailing list archives

preprocessor file_inspect: file capture from FTP traffic differs from original


From: Lương Minh Tuấn <not.soledad () gmail com>
Date: Fri, 11 Dec 2015 11:04:30 +0700

Hi everybody,
     I have a problem with the file_inspect preprocessor: when snort 
captures a file from FTP traffic, the file written to disk differs from 
the original file; the file data and SHA256 are wrong. The problem 
happened with almost every file transferred via FTP, but HTTP still works well. 
I'm using snort version 2.9.7.6 and tried 2.9.8.0 as well, but no luck.
     Here's my snort server information:
     - OS: Centos 7 64bit, installed snort and vsftpd, tried with both 
real server and virtual vmware guest.
     - file service and file_inspect configuration:
         config file:\
         file_type_depth 42949672, \
         file_signature_depth 42949672, \
         file_capture_max 42949672, \
         file_capture_memcap 200

         preprocessor file_inspect:\
               type_id, \
               signature, \
               capture_queue_size 5000, \
               capture_disk /home/file_capture/tmp/ 1024

    Is there anything I need to configure to make snort work better? 
Almost every file captured from FTP is wrong, so it cannot match the block 
list and also cannot be used for further analysis.
Please help, thank you!

Minh Tuan Luong
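A small check for the symptom described in the post, added here as an example and not part of the original thread or of Snort: it compares a file from the capture_disk directory with the original that was transferred and reports whether the capture is truncated (which points at a depth or memcap limit), carries extra bytes, or is corrupt at some offset. The directory walker assumes that Snort names captured files by their SHA256 hex digest; the sample bytes are constructed.

```python
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diagnose(captured: bytes, original: bytes) -> dict:
    """Classify how a captured file differs from the original it should equal:
    'ok', 'truncated' (capture is a strict prefix: look at depth/memcap limits),
    'extra_data' (original is a prefix of the capture) or 'corrupt' (bytes
    differ at first_diff, e.g. a stream reassembly problem)."""
    n = min(len(captured), len(original))
    first_diff = next((i for i in range(n) if captured[i] != original[i]), None)
    if first_diff is not None:
        kind = "corrupt"
    elif len(captured) == len(original):
        kind = "ok"
    elif len(captured) < len(original):
        kind = "truncated"
    else:
        kind = "extra_data"
    return {"kind": kind, "first_diff": first_diff,
            "captured_len": len(captured), "original_len": len(original),
            "captured_sha256": sha256_hex(captured),
            "original_sha256": sha256_hex(original)}


def verify_capture_dir(capture_dir: str, originals_dir: str) -> dict:
    """For every file in Snort's capture_disk directory report whether its
    name equals its content hash (assumption: Snort names captures by SHA256)
    and whether its content matches any of the original files."""
    known = {sha256_hex(p.read_bytes()) for p in Path(originals_dir).iterdir()
             if p.is_file()}
    report = {}
    for p in Path(capture_dir).iterdir():
        if p.is_file():
            h = sha256_hex(p.read_bytes())
            report[p.name] = {"name_matches_content": p.name.lower() == h,
                              "matches_an_original": h in known}
    return report


if __name__ == "__main__":
    original = bytes(range(256)) * 4            # constructed 1024-byte file
    print(diagnose(original[:700], original)["kind"])   # truncated
```

A transfer in FTP ASCII mode legitimately rewrites line endings, so compare against the bytes the client actually received rather than only the server's copy before treating a mismatch as a capture bug.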


