Re: preprocessor file_inspect: file capture from FTP traffic differs from original

[Lương Minh Tuấn <not.soledad () gmail com>]

Thanks for reply Hui, but I run snort in IDS mode, so normalize_tcp may 
not work. Anyway, I used a default configuration, so normalize 
preprocessor is:
    preprocessor normalize_ip4
    preprocessor normalize_tcp: ips ecn stream
    preprocessor normalize_icmp4
    preprocessor normalize_ip6
    preprocessor normalize_icmp6

Thanks,
Minh Tuan Luong
On 12/11/2015 9:21 PM, Hui cao wrote:
> Do you have the following configured?
>
> preprocessor normalize_tcp: ips
>
> *Best,
> Hui.*
>
> On 12/10/2015 11:04 PM, Lương Minh Tuấn wrote:
> > Hi everybody,
> >       I have a problem with file_inspect preprocessor, when snort
> > captures file from FTP traffic, the file written to disk differs from
> > the original file, the file data, SHA256 is not true. The problem
> > happended with almost file transfer via FTP, but HTTP still works well.
> > I'm using snort version 2.9.7.6 and tried with 2.9.8.0 but no luck.
> >       Here's my snort server information:
> >       - OS: Centos 7 64bit, installed snort and vsftpd, tried with both
> > real server and virtual vmware guest.
> >       - file service and file_inspect configuration:
> >           configfile:\
> >           file_type_depth 42949672, \
> >           file_signature_depth 42949672, \
> >           file_capture_max 42949672, \
> >           file_capture_memcap 200
> >
> >           preprocessor file_inspect:\
> >                 type_id, \
> >                 signature, \
> >                 capture_queue_size 5000, \
> >                 capture_disk /home/file_capture/tmp/ 1024
> >
> >      Is there anything need to configure to make snort work better?
> > almost file captured from FTP is not true, so it cannot match block
> > list, also cannot be used to further analyzing.
> > Please help, thank you!
> >
> > Minh Tuan Luong
> >
> > ---
> > This email has been checked for viruses by Avast antivirus software.
> > https://www.avast.com/antivirus
> >
> >
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visithttp://blog.snort.org  to stay current on all the latest Snort news!
>
>
>
> ------------------------------------------------------------------------------
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!