Snort mailing list archives

Re: Snort3 (3.1.8.0): file_log does not log all file events for captured files


From: "Russ Combs (rucombs) via Snort-devel" <snort-devel () lists snort org>
Date: Thu, 21 Oct 2021 13:05:28 +0000

Yes, that should go to snort-users. Include where you added that debug print and the shutdown stats. A wild guess is 
that you really only have two files.
________________________________
From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Meridoff via Snort-devel <snort-devel () lists 
snort org>
Sent: Tuesday, October 19, 2021 3:30 PM
To: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: [Snort-devel] Snort3 (3.1.8.0): file_log does not log all file events for captured files

Hello, maybe this message should be sent to snort-users? I don't know.

I have a running snort with the file inspector set to capture files and log all events.
But in file.log there are only a few events (not all).

1. Here is the part of my config concerning the file inspector:

file_id = { file_rules = file_magic , capture_dir = "/var/log/snort/captured" }
file_id.capture_block_size = 65536
file_id.capture_max_size = 10048576
file_id.capture_memcap = 150
file_id.capture_min_size = 0
file_id.signature_depth = 10485760
file_id.type_depth = 1460
file_id.max_files_cached = 50555
file_id.max_files_per_flow = 8
file_id.enable_signature = true
file_id.enable_type = true
file_id.enable_capture = true
file_id.block_timeout = 86400
file_id.lookup_timeout = 2
file_id.verdict_delay = 0

file_log={}
file_log.log_pkt_time = true

file_id.file_policy = {}
file_id.file_policy[1] = { when = { file_type_id = 34 }, use = { verdict = "log", enable_file_signature = true, enable_file_capture = true } }
file_id.file_policy[2] = { when = { file_type_id = 62 }, use = { verdict = "log", enable_file_signature = true, enable_file_capture = true } }
file_id.file_policy[3] = { when = { file_type_id = 30 }, use = { verdict = "log", enable_file_signature = true, enable_file_capture = true } }
file_id.file_policy[4] = { when = { file_type_id = 150 }, use = { verdict = "log", enable_file_signature = true, enable_file_capture = true } }

2. Here is part of my snort.log (I've added a debug print that writes to the log as each file is captured).
My debug print is in the function void FileCapture::store_file():

Oct 19 15:30:28 srv snort[4639]: STORE_FILE: folder size=7843736 max_space=100485760
Oct 19 15:30:32 srv snort[4639]: STORE_FILE: folder size=8115968 max_space=100485760
Oct 19 15:56:08 srv snort[4639]: STORE_FILE: folder size=8323804 max_space=100485760
Oct 19 15:56:09 srv snort[4639]: STORE_FILE: folder size=8325102 max_space=100485760
Oct 19 15:56:10 srv snort[4639]: STORE_FILE: folder size=8326832 max_space=100485760
Oct 19 15:56:14 srv snort[4639]: STORE_FILE: folder size=8328536 max_space=100485760
Oct 19 16:08:49 srv snort[4639]: STORE_FILE: folder size=8329834 max_space=100485760
Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8330813 max_space=100485760
Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8333580 max_space=100485760
Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8334919 max_space=100485760
Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8337388 max_space=100485760
Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8345430 max_space=100485760
Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8347592 max_space=100485760
Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8350105 max_space=100485760
Oct 19 16:08:50 srv snort[4639]: STORE_FILE: folder size=8353673 max_space=100485760
Oct 19 16:09:15 srv snort[4639]: STORE_FILE: folder size=8356528 max_space=100485760
Oct 19 16:09:15 srv snort[4639]: STORE_FILE: folder size=8391405 max_space=100485760
Oct 19 16:09:15 srv snort[4639]: STORE_FILE: folder size=8425027 max_space=100485760
Oct 19 16:09:15 srv snort[4639]: STORE_FILE: folder size=8511552 max_space=100485760

Here folder_size is the size of the "captured" folder holding the captured files, and max_space is
the maximum disk space allowed for captured files.

As we can see, capturing works. BUT:

3. Looking at file.log, we see just the following few lines:
21/10/19-16:08:50.184720  192.168.1.2:50815 -> xx.31.198.198:80, [Name: "/images/club/andrey_moto.gif"] [Verdict: Log/Unknown] [Type: GIF] [SHA: AD23015CB2D014479C6A2A760FB56B7E6993B90DF93A3F1015E9794D8CB55E22] [Size: 2469]
21/10/19-16:08:50.205512  192.168.1.2:50815 -> xx.31.198.198:80, [Name: "/images/club/xelga.gif"] [Verdict: Log/Unknown] [Type: GIF] [SHA: C1B098F87F2FF7DBCF7ED851BA929574586E99AE0A473C273BBD32FD631C2E7C] [Size: 2513]

Why are there only 2 entries in file.log??
Thanks.

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
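The question in the thread is whether the debug prints in FileCapture::store_file() and the lines in file.log describe the same set of files. The following script, added here as an example and not code from the thread or from the Snort project, is one way to check that without guessing: it parses the file.log format quoted above (timestamp, src -> dst, then bracketed Name/Verdict/Type/SHA/Size fields), counts events per type, and reconciles the SHA-256 values against the names found in capture_dir. It assumes that Snort 3 stores each captured file under its hex SHA-256 in capture_dir (verify this against file_capture.cc on your build if it does not match what you see). The embedded sample log is the two entries from the post; the sample capture-directory listing is constructed, and its third entry is a hypothetical SHA with no matching log line, so the "captured but not logged" case is exercised.

```python
"""Reconcile a Snort 3 file.log against the file_id capture directory.

Usage:  python3 reconcile_file_log.py /var/log/snort/file.log /var/log/snort/captured
Without arguments it runs on the constructed samples below.
"""
import os
import re
import sys
from typing import Dict, Iterable, List, Set

# Constructed sample: the two file.log entries quoted in the post, one per line.
SAMPLE_FILE_LOG = """\
21/10/19-16:08:50.184720  192.168.1.2:50815 -> xx.31.198.198:80, [Name: "/images/club/andrey_moto.gif"] [Verdict: Log/Unknown] [Type: GIF] [SHA: AD23015CB2D014479C6A2A760FB56B7E6993B90DF93A3F1015E9794D8CB55E22] [Size: 2469]
21/10/19-16:08:50.205512  192.168.1.2:50815 -> xx.31.198.198:80, [Name: "/images/club/xelga.gif"] [Verdict: Log/Unknown] [Type: GIF] [SHA: C1B098F87F2FF7DBCF7ED851BA929574586E99AE0A473C273BBD32FD631C2E7C] [Size: 2513]
"""

# Constructed sample listing of capture_dir. Assumption: each captured file is
# stored under its hex SHA-256. The third name is hypothetical and has no
# corresponding file.log entry.
SAMPLE_CAPTURE_DIR = [
    "AD23015CB2D014479C6A2A760FB56B7E6993B90DF93A3F1015E9794D8CB55E22",
    "C1B098F87F2FF7DBCF7ED851BA929574586E99AE0A473C273BBD32FD631C2E7C",
    "0000000000000000000000000000000000000000000000000000000000000001",
]

# "<timestamp>  <src> -> <dst>, [Key: value] [Key: value] ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[^,\s]+)\s+->\s+(?P<dst>[^,\s]+),\s*(?P<fields>.*)$"
)
# One bracketed field. A file name containing ']' would break this; the
# sample format does not show how such names are escaped, so it is not handled.
FIELD_RE = re.compile(r"\[(?P<key>[A-Za-z]+):\s*(?P<val>[^\]]*)\]")


def parse_file_log(text: str) -> List[Dict[str, object]]:
    """Return one dict per file event; lines that do not match are skipped."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        fields = {k.lower(): v.strip() for k, v in FIELD_RE.findall(m.group("fields"))}
        size = fields.get("size", "")
        entries.append({
            "time": m.group("ts"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "name": fields.get("name", "").strip('"'),
            "verdict": fields.get("verdict", ""),
            "type": fields.get("type", ""),
            "sha256": fields.get("sha", "").upper(),
            "size": int(size) if size.isdigit() else None,
        })
    return entries


def count_by_type(entries: List[Dict[str, object]]) -> Dict[str, int]:
    """Number of file events per [Type: ...] value."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[str(e["type"])] = counts.get(str(e["type"]), 0) + 1
    return counts


def unlogged_captures(capture_names: Iterable[str], entries) -> Set[str]:
    """Names in capture_dir (read as SHA-256) that never appear in file.log."""
    logged = {str(e["sha256"]) for e in entries if e["sha256"]}
    return {n.upper() for n in capture_names} - logged


def logged_but_not_captured(capture_names: Iterable[str], entries) -> Set[str]:
    """SHA-256 values in file.log with no file of that name in capture_dir."""
    present = {n.upper() for n in capture_names}
    return {str(e["sha256"]) for e in entries if e["sha256"] and e["sha256"] not in present}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_text = fh.read()
        names = os.listdir(sys.argv[2])
    else:
        log_text, names = SAMPLE_FILE_LOG, SAMPLE_CAPTURE_DIR
    events = parse_file_log(log_text)
    print(f"{len(events)} file events, by type: {count_by_type(events)}")
    print("captured but not logged:", sorted(unlogged_captures(names, events)))
    print("logged but not captured:", sorted(logged_but_not_captured(names, events)))
```

Run against the real file.log and capture_dir, the first set tells you which stored files have no file event at all (the situation the post describes), while the second set points at log entries whose capture was skipped, for example by capture_min_size, capture_max_size or capture_memcap. Pairing these counts with the file_id shutdown stats Russ asks for is usually enough to tell whether events are missing or whether the same few files are simply being stored repeatedly.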
