Snort mailing list archives

Re: File extract troubleshot

From: "Hui Cao (huica)" <huica () cisco com>
Date: Wed, 6 Apr 2016 13:45:36 +0000

Based on the config, you can only capture files up to 1M in size. You might
be hitting that on one of those files, based on the snort output (Total capture
max before reserve:  1). You can try to increase that to 10M.

Best,
Hui.

On 4/6/16, 6:41 AM, "valentin.giraud () armaturetech com"
<valentin.giraud () armaturetech com> wrote:

Hi snort team!

I have some trouble capturing files:
I downloaded some rtf, pdf and exe files in order to capture them with
snort. But they are not captured. Yet the alert is "identified":

[**] [1:10000003:0] WEB-MISC rtf download attempt [**]
[Priority: 0]
04/06-12:25:36.788506 10.1.10.8:40630 -> 97.88.242.114:80
TCP TTL:43 TOS:0x0 ID:39946 IpLen:20 DgmLen:404 DF
***A**** Seq: 0x7BB49AB9  Ack: 0x713EA3EE  Win: 0x7580  TcpLen: 32

Here is the output when I close snort:
****

File type stats:
         Type              Download   (Bytes)      Upload     (Bytes)
         RTF( 23)          2          1428622      0          0
            Total          2          1428622      0          0

File signature stats:
         Type              Download   Upload
            Total          0          0

File type verdicts:
        UNKNOWN:           2
            LOG:           0
           STOP:           0
          BLOCK:           0
         REJECT:           0
        PENDING:           0
   STOP CAPTURE:           0
          Total:           2

File signature verdicts:
        UNKNOWN:           1
            LOG:           0
           STOP:           0
          BLOCK:           0
         REJECT:           0
        PENDING:           0
   STOP CAPTURE:           0
          Total:           1

Total files processed:             65
Total files data processed:        1510357   bytes
Total files buffered:              2
Total files released:              0
Total files freed:                 2
Total files captured:              0
Total files within one packet:     0
Total buffers allocated:           17
Total buffers freed:               17
Total buffers released:            0
Maximum file buffers used:         16
Total buffers free errors:         0
Total buffers release errors:      0
Total memcap failures:             0
Total memcap failures at reserve:  0
Total reserve failures:            0
Total file capture size min:       0
Total file capture size max:       0
Total capture max before reserve:  1
Total file signature max:          0
Maximum buffers can allocate:      3198
Number of buffers in use:          0
Number of buffers in free list:    3198
Number of buffers in release list: 0

****

I am running snort 2.9.8.2. I upload my snort.conf file and the local
rules that I've added.

Any idea why this is not captured?

Sincerely,
Valentin.

