Snort mailing list archives
Snort3 (3.1.8.0): file_log does not log all file events for captured files
From: Meridoff via Snort-devel <snort-devel () lists snort org>
Date: Tue, 19 Oct 2021 22:30:27 +0300
Hello, maybe this message should be sent to snort-users? I don't know. I have a running snort with an inspector file set to capturing files and logging all events. But in file.log there are only a few events (not all).

1. Here is my config (part concerning file inspector):

    file_id = { file_rules = file_magic, capture_dir = "/var/log/snort/captured" }
    file_id.capture_block_size = 65536
    file_id.capture_max_size = 10048576
    file_id.capture_memcap = 150
    file_id.capture_min_size = 0
    file_id.signature_depth = 10485760
    file_id.type_depth = 1460
    file_id.max_files_cached = 50555
    file_id.max_files_per_flow = 8
    file_id.enable_signature = true
    file_id.enable_type = true
    file_id.enable_capture = true
    file_id.block_timeout = 86400
    file_id.lookup_timeout = 2
    file_id.verdict_delay = 0
    file_log = {}
    file_log.log_pkt_time = true
    file_id.file_policy = {}
    file_id.file_policy[1] = { when = { file_type_id = 34 }, use = { verdict = "log", enable_file_signature = true, enable_file_capture = true } }
    file_id.file_policy[2] = { when = { file_type_id = 62 }, use = { verdict = "log", enable_file_signature = true, enable_file_capture = true } }
    file_id.file_policy[3] = { when = { file_type_id = 30 }, use = { verdict = "log", enable_file_signature = true, enable_file_capture = true } }
    file_id.file_policy[4] = { when = { file_type_id = 150 }, use = { verdict = "log", enable_file_signature = true, enable_file_capture = true } }

2. Here is a part of my snort.log (I've added debug that prints to log as a file is captured). My debug print is in function void FileCapture::store_file():

    Oct 19 15:30:28 srv snort[4639]: STORE_FILE: folder size=7843736 max_space=100485760
    Oct 19 15:30:32 srv snort[4639]: STORE_FILE: folder size=8115968 max_space=100485760
    Oct 19 15:56:08 srv snort[4639]: STORE_FILE: folder size=8323804 max_space=100485760
    Oct 19 15:56:09 srv snort[4639]: STORE_FILE: folder size=8325102 max_space=100485760
    Oct 19 15:56:10 srv snort[4639]: STORE_FILE: folder size=8326832 max_space=100485760
    Oct 19 15:56:14 srv snort[4639]: STORE_FILE: folder size=8328536 max_space=100485760
    Oct 19 16:08:49 srv snort[4639]: STORE_FILE: folder size=8329834 max_space=100485760
    Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8330813 max_space=100485760
    Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8333580 max_space=100485760
    Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8334919 max_space=100485760
    Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8337388 max_space=100485760
    Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8345430 max_space=100485760
    Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8347592 max_space=100485760
    Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8350105 max_space=100485760
    Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8353673 max_space=100485760
    Oct 19 16:09:15 srv snort[4639]: STORE_FILE: folder size=8356528 max_space=100485760
    Oct 19 16:09:15 srv snort[4639]: STORE_FILE: folder size=8391405 max_space=100485760
    Oct 19 16:09:15 srv snort[4639]: STORE_FILE: folder size=8425027 max_space=100485760
    Oct 19 16:09:15 srv snort[4639]: STORE_FILE: folder size=8511552 max_space=100485760

Here folder size is the size of the "captured" folder with captured files, and max_space is the max allowed disk space for captured files. As we can see, capturing works. BUT:

3. Looking at file.log, we can see just the next several lines:

    21/10/19-16:08:50.184720 192.168.1.2:50815 -> xx.31.198.198:80, [Name: "/images/club/andrey_moto.gif"] [Verdict: Log/Unknown] [Type: GIF] [SHA: AD23015CB2D014479C6A2A760FB56B7E6993B90DF93A3F1015E9794D8CB55E22] [Size: 2469]
    21/10/19-16:08:50.205512 192.168.1.2:50815 -> xx.31.198.198:80, [Name: "/images/club/xelga.gif"] [Verdict: Log/Unknown] [Type: GIF] [SHA: C1B098F87F2FF7DBCF7ED851BA929574586E99AE0A473C273BBD32FD631C2E7C] [Size: 2513]

Why only 2 entries in file.log?? Thanks.
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
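As an added triage aid (not code from the post or from the Snort project), the script below parses file.log entries in the format quoted above, counts the STORE_FILE debug lines from the post's syslog, and lists captured files that have no file.log entry. It assumes the files in capture_dir are named by their SHA-256 hex digest; the sample inputs are constructed from the lines quoted in the post.

```python
import re
from typing import Dict, List, Set

# Matches one file.log entry in the format quoted in the post above.
FILE_LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+), '
    r'\[Name: "(?P<name>[^"]*)"\] \[Verdict: (?P<verdict>[^\]]+)\] '
    r'\[Type: (?P<type>[^\]]+)\] \[SHA: (?P<sha>[0-9A-Fa-f]{64})\] '
    r'\[Size: (?P<size>\d+)\]$'
)

def parse_file_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per well-formed file.log entry; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def count_store_events(syslog_text: str) -> int:
    """Count the STORE_FILE debug lines the post added to FileCapture::store_file()."""
    return sum(1 for line in syslog_text.splitlines() if "STORE_FILE:" in line)

def unlogged_captures(entries: List[Dict[str, str]], captured_names: Set[str]) -> Set[str]:
    """Captured files with no matching [SHA: ...] entry in file.log.
    Assumption: files in capture_dir are named by their SHA-256 hex digest."""
    logged = {e["sha"].upper() for e in entries}
    return {n for n in captured_names if n.upper() not in logged}

# Constructed sample input: the two file.log lines from the post, a constructed capture_dir
# listing (the two SHAs from the post plus one made-up name), and three constructed syslog
# lines in the post's STORE_FILE format.
SAMPLE_FILE_LOG = (
    '21/10/19-16:08:50.184720 192.168.1.2:50815 -> xx.31.198.198:80, [Name: "/images/club/andrey_moto.gif"] [Verdict: Log/Unknown] [Type: GIF] [SHA: AD23015CB2D014479C6A2A760FB56B7E6993B90DF93A3F1015E9794D8CB55E22] [Size: 2469]\n'
    '21/10/19-16:08:50.205512 192.168.1.2:50815 -> xx.31.198.198:80, [Name: "/images/club/xelga.gif"] [Verdict: Log/Unknown] [Type: GIF] [SHA: C1B098F87F2FF7DBCF7ED851BA929574586E99AE0A473C273BBD32FD631C2E7C] [Size: 2513]\n'
)
SAMPLE_CAPTURE_DIR = {
    "AD23015CB2D014479C6A2A760FB56B7E6993B90DF93A3F1015E9794D8CB55E22",
    "C1B098F87F2FF7DBCF7ED851BA929574586E99AE0A473C273BBD32FD631C2E7C",
    "11" * 32,  # constructed placeholder: a captured file that never reached file.log
}
SAMPLE_SYSLOG = (
    "Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8329834 max_space=100485760\n"
    "Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8330813 max_space=100485760\n"
    "Oct 19 16:09:15 srv snort[4639]: STORE_FILE: folder size=8356528 max_space=100485760\n"
)

if __name__ == "__main__":
    entries = parse_file_log(SAMPLE_FILE_LOG)
    print(f"file.log entries: {len(entries)}, STORE_FILE events: {count_store_events(SAMPLE_SYSLOG)}")
    for sha in sorted(unlogged_captures(entries, SAMPLE_CAPTURE_DIR)):
        print("captured but not logged:", sha)
```

On a real sensor, replace the samples with the contents of file.log, the syslog output and an os.listdir() of capture_dir.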
Current thread:
- Snort3 (3.1.8.0): file_log does not log all file events for captured files Meridoff via Snort-devel (Oct 19)
- Re: Snort3 (3.1.8.0): file_log does not log all file events for captured files Russ Combs (rucombs) via Snort-devel (Oct 21)