Snort mailing list archives

Re: file_inspect holds blocked files into its memory until snort stops


From: Berkay Koyutürk <berkay.koyuturk () labrisnetworks com>
Date: Mon, 11 Sep 2017 15:35:32 +0300

I updated my Snort to 2.9.9.0 today and my problem evolved into a new one. Now Snort sees all of the files that I downloaded but frees most of them. Here are my exit stats from Snort:

File Preprocessor Statistics
  Total file type callbacks:            0
  Total file signature callbacks:       2
  Total files would saved to disk:      2
  Total files saved to disk:            0
  Total file data saved to disk:        0         bytes
  Total files duplicated:               2
  Total files reserving failed:         0
  Total file capture min:               0
  Total file capture max:               0
  Total file capture memcap:            0
  Total files reading failed:           0
  Total file agent memcap failures:     0
  Total files sent:                     0
  Total file data sent:                 0
  Total file transfer failures:         0
========================================
File type stats:
         Type              Download   (Bytes)      Upload (Bytes)
            Total          0          0            0          0

File signature stats:
         Type              Download   Upload
Undecided file type, continue...(  0)          2          0
            Total          2          0


File type verdicts:
        UNKNOWN:           0
            LOG:           0
           STOP:           0
          BLOCK:           0
         REJECT:           0
        PENDING:           0
   STOP CAPTURE:           0
          Total:           0

File signature verdicts:
        UNKNOWN:           0
            LOG:           0
           STOP:           0
          BLOCK:           2
         REJECT:           0
        PENDING:           0
   STOP CAPTURE:           0
          Total:           2


Total files processed:             11
Total files data processed:        7128      bytes
Total files buffered:              11
Total files released:              2
Total files freed:                 9
Total files captured:              2
Total files within one packet:     2
Total buffers allocated:           11
Total buffers freed:               9
Total buffers released:            2
Maximum file buffers used:         1
Total buffers free errors:         0
Total buffers release errors:      0
Total memcap failures:             0
Total memcap failures at reserve:  0
Total reserve failures:            0
Total file capture size min:       0
Total file capture size max:       0
Total capture max before reserve:  0
Total file signature max:          0
Maximum buffers can allocate:      2
Number of buffers in use:          0
Number of buffers in free list:    1
Number of buffers in release list: 1
=================================

As seen in the stats above, I downloaded the same file (648 bytes) eleven times, but Snort only blocked 2 of them with its signature. I don't understand why this inconsistency occurs. Any help would be appreciated.


On 07-09-2017 14:23, Joel Esler (jesler) wrote:
The first question I would ask is, why are you not using the most up-to-date version of Snort? If this issue was fixed in a later version, that may clear it up right away.

--
Joel Esler | Talos: Manager | jesler () cisco com

On Sep 7, 2017, at 1:56 AM, Berkay Koyutürk <berkay.koyuturk () labrisnetworks com> wrote:

Hi everybody,

As the title says above, I have a problem with the file_inspect preprocessor. I am running Snort in inline mode with the file configuration below:

#file config

config file: \
  file_type_depth 0, \
  file_signature_depth 0, \
  file_capture_memcap 1000, \
  file_capture_max 4294967295, \
  file_block_timeout 1, \
  file_capture_min 0

#file_inspect preprocessor

preprocessor file_inspect: \
   signature, \
   capture_disk /root/captured_files 1024, \
   capture_queue_size 5000, \
   blacklist sha_blacklist, \
   greylist sha_greylist

#file_inspect.rules

alert ( msg: "File signature "; sid: 1; gid: 147; rev: 1; metadata: rule-type preproc; )

With these configurations I can successfully block file downloads if the file's sha256 sum is in the sha_blacklist file. My problem is that while Snort is running it keeps holding these files in its memory, and after a while, for example 33 files of 10MB each, it stops blocking files and can't even see them anymore. My Snort exit stats are below:

======================================
 Total file type callbacks:            0
 Total file signature callbacks:       33
 Total files would saved to disk:      33
 Total files saved to disk:            0
 Total file data saved to disk:        0         bytes
 Total files duplicated:               33
 Total files reserving failed:         0
 Total file capture min:               0
 Total file capture max:               0
 Total file capture memcap:            0
 Total files reading failed:           0
 Total file agent memcap failures:     0
 Total files sent:                     0
 Total file data sent:                 0
 Total file transfer failures:         0
========================================
File type stats:
        Type              Download   (Bytes)      Upload (Bytes)
           Total          0          0            0          0

File signature stats:
        Type              Download   Upload
Undecided file type, continue...(  0)          33         0
           Total          33         0

File type verdicts:
       UNKNOWN:           0
           LOG:           0
          STOP:           0
         BLOCK:           0
        REJECT:           0
       PENDING:           0
  STOP CAPTURE:           0
         Total:           0

File signature verdicts:
       UNKNOWN:           0
           LOG:           0
          STOP:           0
         BLOCK:           33
        REJECT:           0
       PENDING:           0
  STOP CAPTURE:           0
         Total:           33

Total files processed:             33
Total files data processed:        346030080 bytes
Total files buffered:              33
Total files released:              33
Total files freed:                 0
Total files captured:              33
Total files within one packet:     0
Total buffers allocated:           10560
Total buffers freed:               0
Total buffers released:            10560
Maximum file buffers used:         379
Total buffers free errors:         0
Total buffers release errors:      0
Total memcap failures:             0
Total memcap failures at reserve:  0
Total reserve failures:            0
Total file capture size min:       0
Total file capture size max:       0
Total capture max before reserve:  0
Total file signature max:          0
Maximum buffers can allocate:      31976
Number of buffers in use:          0
Number of buffers in free list:    21416
Number of buffers in release list: 10560
====================================

In the stats above I downloaded 52 files and the first 36 were blocked, but after that Snort didn't even see them. I am using Snort version 2.9.8.2 with DAQ in inline mode. Am I forgetting some sort of configuration or is it a bug? Thanks for the help.


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
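Both messages in this thread hinge on reading the "File Preprocessor Statistics" block that Snort 2.9.x prints at exit and spotting counters that disagree (files processed versus signature callbacks, buffers released versus buffers freed). The script below is an added example, not code from the thread or from the Snort project: it parses that block into a dictionary and applies those cross-checks. The two embedded samples are constructed, trimmed copies of the numbers quoted above (2.9.8.2 with 33 files, then 2.9.9.0 with 11 files); the counter names are taken as printed on this page, and the reading of "released but never freed" as file data retained in memory is an interpretation matching the symptom described in the thread, not a statement about Snort internals.

```python
"""Added example (not Snort code): parse Snort 2.9.x file preprocessor exit
statistics and cross-check the counters against each other."""
import re

# "<label>:   <number>", optionally followed by the word "bytes".
COUNTER_RE = re.compile(r"^\s*(.+?):\s+(\d+)(?:\s+bytes)?\s*$")
# A section header such as "File signature verdicts:" with nothing after it.
SECTION_RE = re.compile(r"^\s*([A-Za-z ]+):\s*$")

# Constructed sample: trimmed copy of the 2.9.8.2 stats quoted in the thread.
SAMPLE_2982 = """\
File Preprocessor Statistics
 Total file type callbacks:            0
 Total file signature callbacks:       33
 Total file data saved to disk:        0         bytes
 Total file capture memcap:            0
========================================
File type verdicts:
         BLOCK:           0
          Total:           0

File signature verdicts:
         BLOCK:           33
          Total:           33

Total files processed:             33
Total files data processed:        346030080 bytes
Total files freed:                 0
Total buffers freed:               0
Total buffers released:            10560
Total memcap failures:             0
Number of buffers in release list: 10560
"""

# Constructed sample: trimmed copy of the 2.9.9.0 stats quoted in the thread.
SAMPLE_2990 = """\
File Preprocessor Statistics
  Total file signature callbacks:       2
  Total file data saved to disk:        0         bytes
  Total file capture memcap:            0
File type verdicts:
          BLOCK:           0

File signature verdicts:
          BLOCK:           2

Total files processed:             11
Total files data processed:        7128      bytes
Total files freed:                 9
Total buffers freed:               9
Total buffers released:            2
Total memcap failures:             0
Number of buffers in release list: 1
"""


def parse_file_stats(text):
    """Return {counter: int}. Counters under a section header are prefixed
    with it, so BLOCK under "File type verdicts" does not collide with BLOCK
    under "File signature verdicts". A blank line ends the current section."""
    stats, section = {}, None
    for line in text.splitlines():
        if not line.strip():
            section = None
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            continue
        m = COUNTER_RE.match(line)
        if not m:
            continue  # table rows, separator lines, the title line
        label, value = m.group(1).strip(), int(m.group(2))
        stats[f"{section}/{label}" if section else label] = value
    return stats


def audit_file_stats(stats):
    """Cross-check the counters the thread is about; return a list of findings
    (empty list means nothing looked inconsistent)."""
    processed = stats.get("Total files processed", 0)
    sig_callbacks = stats.get("Total file signature callbacks", 0)
    blocked = stats.get("File signature verdicts/BLOCK", 0)
    released = stats.get("Total buffers released", 0)
    freed = stats.get("Total buffers freed", 0)
    release_list = stats.get("Number of buffers in release list", 0)
    memcap = (stats.get("Total file capture memcap", 0)
              + stats.get("Total memcap failures", 0))
    findings = []
    if sig_callbacks < processed:
        findings.append(f"{processed - sig_callbacks} of {processed} files never "
                        "reached a signature callback, so they were never hashed "
                        "against the blacklist")
    if blocked < sig_callbacks:
        findings.append(f"{sig_callbacks - blocked} hashed files got no BLOCK "
                        "verdict (hash not listed, or a different verdict)")
    if released and not freed:
        findings.append(f"{released} buffers released but none freed; "
                        f"{release_list} still on the release list at exit "
                        "(captured file data retained in memory)")
    if memcap:
        findings.append(f"{memcap} memcap failures: file_capture_memcap is too "
                        "low for this traffic")
    return findings


if __name__ == "__main__":
    for name, text in (("2.9.8.2", SAMPLE_2982), ("2.9.9.0", SAMPLE_2990)):
        for finding in audit_file_stats(parse_file_stats(text)):
            print(f"[{name}] {finding}")
```

Run against the real output by piping Snort's exit statistics into `parse_file_stats`; on the samples it reports the two findings the thread describes, the 2.9.8.2 run holding 10560 released buffers and the 2.9.9.0 run hashing only 2 of 11 files.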


