Snort mailing list archives

Re: Can Snort detect a download file from internet?


From: "Al Lewis \(allewi\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Wed, 23 May 2018 04:17:53 +0000

Hello,

See attached conf and pcap as an example. It is an HTTP download of a PNG file (the NetBeans icon).

The two alerts you should get are below:

alewis@localhost snort-2.9.11-test]$ ./bin/snort -c etc/TAI.conf -r etc/TAI.pcap -Acmg -k none -q

10/13-09:55:36.078000  [**] [1:1000001:0] PNG file downloaded [**] [Priority: 0] {TCP} 173.37.145.84:80 -> 
192.168.0.1:27785
Stream reassembled packet
10/13-09:55:36.078000 00:11:22:33:44:55 -> 00:55:44:33:22:11 type:0x800 len:0x92E
173.37.145.84:80 -> 192.168.0.1:27785 TCP TTL:64 TOS:0x0 ID:26637 IpLen:20 DgmLen:2336
***A**** Seq: 0xC67  Ack: 0xB4A  Win: 0x16D0  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 6B 0D  HTTP/1.1 200 Ok.
0A 44 61 74 65 3A 20 57 65 64 2C 20 32 39 20 4A  .Date: Wed, 29 J
75 6C 20 32 30 30 39 20 31 33 3A 33 35 3A 32 36  ul 2009 13:35:26
20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70   GMT..Server: Ap



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


10/13-09:55:36.156000  [**] [1:1000001:0] PNG file downloaded [**] [Priority: 0] {TCP} 173.37.145.84:80 -> 
192.168.0.1:27785
10/13-09:55:36.156000 00:11:22:33:44:55 -> 00:55:44:33:22:11 type:0x800 len:0x36
173.37.145.84:80 -> 192.168.0.1:27785 TCP TTL:64 TOS:0x0 ID:9066 IpLen:20 DgmLen:40
***A***F Seq: 0x155F  Ack: 0xB4A  Win: 0x16D0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Hope this helps.


Thanks.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com
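As an added illustration (not Snort code, and not part of the TAI.conf or TAI.pcap attached above), the script below re-creates on constructed data the two points this reply makes: a file-type check that matches magic bytes at the start of the HTTP response body, which is the idea behind Snort's file_inspect preprocessor and file_magic.conf, and why the alert output says "Stream reassembled packet": a signature split across two TCP segments is missed by a per-segment content search and found only after reassembly. The magic table, the HTTP response, the segment boundary and every function name here are this example's own assumptions; the table also lists the Exif JPEG prefix FF D8 FF E1 next to the JFIF prefix FF D8 FF E0 used in the thread, because a rule that only carries the JFIF bytes never sees an Exif-tagged JPEG.

```python
"""Added illustration, not Snort code: file-magic matching on an HTTP body and
the effect of TCP stream reassembly, all on constructed sample data."""

# Constructed magic table (the idea of file_magic.conf, not its contents).
# JPEG: FF D8 is SOI; the next marker is FF E0 (JFIF/APP0) or FF E1 (Exif/APP1).
FILE_MAGIC = {
    "JPEG": [b"\xFF\xD8\xFF\xE0", b"\xFF\xD8\xFF\xE1"],
    "PNG": [b"\x89PNG\r\n\x1a\n"],
    "GIF": [b"GIF87a", b"GIF89a"],
}

# Constructed HTTP response carrying a truncated PNG (20 body bytes).
HTTP_HEADERS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 29 Jul 2009 13:35:26 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: image/png\r\n"
    b"Content-Length: 20\r\n"
    b"\r\n"
)
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 4
STREAM = HTTP_HEADERS + PNG_BODY

# Constructed TCP segments: the cut falls two bytes into the PNG signature,
# so neither segment contains the whole 8-byte magic on its own.
CUT = len(HTTP_HEADERS) + 2
SEGMENTS = [STREAM[:CUT], STREAM[CUT:]]


def split_http_response(stream):
    """Split a reassembled HTTP response into (headers, body)."""
    sep = stream.find(b"\r\n\r\n")
    if sep == -1:
        return stream, b""
    return stream[:sep], stream[sep + 4:]


def identify_file(body):
    """Return the file type whose magic the body starts with, else None."""
    for ftype, magics in FILE_MAGIC.items():
        if any(body.startswith(m) for m in magics):
            return ftype
    return None


def inspect_stream(stream):
    """File-type check anchored at the start of the HTTP body, so magic bytes
    that happen to occur in the middle of some other file do not match."""
    _headers, body = split_http_response(stream)
    return identify_file(body)


def per_segment_hits(segments, magics):
    """Content-style search of each TCP segment on its own (no reassembly)."""
    return [any(m in seg for m in magics) for seg in segments]


def reassembled_hit(segments, magics):
    """The same search after the segments are joined back into one stream."""
    return any(m in b"".join(segments) for m in magics)


if __name__ == "__main__":
    print("reassembled stream:", inspect_stream(STREAM))
    print("per-segment hits:", per_segment_hits(SEGMENTS, FILE_MAGIC["PNG"]))
    print("reassembled hit:", reassembled_hit(SEGMENTS, FILE_MAGIC["PNG"]))
    exif = b"\xFF\xD8\xFF\xE1" + b"\x00\x08Exif\x00\x00"  # constructed Exif header
    print("JFIF-only pattern sees Exif JPEG:", b"\xFF\xD8\xFF\xE0" in exif)
    print("magic table sees Exif JPEG:", identify_file(exif))
```

Run it directly and the per-segment list comes back all False while the reassembled search and the body-anchored check both report the PNG; that is the gap a packet-only content rule has when the download is not reassembled, and the reason the alerts in this reply fire on the reassembled pseudo-packet.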

From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Tai Ly via Snort-sigs <snort-sigs () lists snort org>
Reply-To: Tai Ly <haotai1803 () gmail com>
Date: Tuesday, May 22, 2018 at 8:41 PM
To: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] Can Snort detect a download file from internet?

When I use a normal rule like:
alert tcp any any -> any any (msg:"JPEG"; content:"|FF D8 FF E0|"; sid:1000001;)
there is also no alert.
It means Snort does not catch the data file when downloading from the internet.
So I think I configured something wrong somewhere.
Do you guys have experience with this case?
Thank you.

On Tue, May 22, 2018 at 7:16 PM, Tai Ly <haotai1803 () gmail com> wrote:
Thank you for your help.

I read this file and did the steps below:

- Add some lines at the end of snort.conf
# File Inspect Configuration
preprocessor file_inspect: type_id, signature, \
  capture_queue_size 5000, \
  capture_disk /home/file_capture/tmp/

# File magic reference
include file_magic.conf

- and I tried 2 rules:
1. alert (msg: "JPEG file"; gid:146; sid:70;)
2. alert tcp any any -> any any (msg: "JPEG file"; file_type:JPEG; sid:1000001;)

- I use this command to run snort:
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i wlan0

But when I download a JPEG file from the internet, there is no alert.
Am I missing something?


On Tue, May 22, 2018 at 6:45 PM, Tai Ly <haotai1803 () gmail com> wrote:
Thank you for your help.

I read this file and did the steps below:

- Add some lines at the end of snort.conf
# File Inspect Configuration
preprocessor file_inspect: type_id, signature, \
  capture_queue_size 5000, \
  capture_disk /home/file_capture/tmp/

# File magic reference
include file_magic.conf

- and I tried 2 rules:
1. alert (msg: "JPEG file"; gid:146; sid:70;)
2. alert tcp any any -> any any (msg: "JPEG file"; file_type:JPEG; sid:1000001;)

- I use this command to run snort:
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i wlan0

But when I download a JPEG file from the internet, there is no alert.
Am I missing something?

On Tue, May 22, 2018 at 9:51 AM, Al Lewis (allewi) <allewi () cisco com> wrote:
Yes. See the README.file in the docs directory.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Hào Tài via Snort-sigs <snort-sigs () lists snort org>
Reply-To: Hào Tài <haotai1803 () gmail com>
Date: Monday, May 21, 2018 at 8:50 PM
To: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] Can Snort detect a download file from internet?

Can everyone help me to confirm this point: "Can Snort detect a file from the internet?"
If yes, how do we configure Snort to get the file content?


On Sun, May 20, 2018 at 3:23 PM, Hào Tài <haotai1803 () gmail com> wrote:
Hello everyone,

I am a newbie with Snort. I am trying to write a Snort rule to catch a JPG file downloaded from the internet. Here is my rule:

alert tcp any any <> $HOME_NET any (msg:"JPEG"; content:"|FF D8 FF E0|"; sid:1000001;)

But it does not work. Am I missing something, or do I need to configure something for Snort?
Can anybody help me to find the problem? Thank you.

Regards,
Tai Ly




Attachment: TAI.conf
Description: TAI.conf

Attachment: TAI.pcap
Description: TAI.pcap
