Snort mailing list archives

Re: File extraction during http/ftp transaction


From: Hui cao <huica () cisco com>
Date: Wed, 11 Mar 2015 11:39:51 -0400

Have you done make clean before you do a make?

Best,
Hui.

On 03/11/2015 11:38 AM, Rishabh Shah wrote:
Hi Hui,

I am hitting the same issue while executing make. These are the commands that I issued:

root@fwuser-virtual-machine:~/snort_src/snort-2.9.7.0# ./configure --enable-file-inspect --enable-open-appid --enable-sourcefire

root@fwuser-virtual-machine:~/snort_src/snort-2.9.7.0# make


/root/snort_src/snort-2.9.7.0/src/plugbase.c:216: undefined reference to `SetupAppId'
detection-plugins/libspd.a(detection_options.o): In function `detection_hash_free_func':
/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:553: undefined reference to `optionAppIdFree'
detection-plugins/libspd.a(detection_options.o): In function `detection_option_hash_func':
/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:252: undefined reference to `optionAppIdHash'
detection-plugins/libspd.a(detection_options.o): In function `detection_option_key_compare_func':
/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:409: undefined reference to `optionAppIdCompare'
collect2: error: ld returned 1 exit status
make[3]: *** [snort] Error 1
make[3]: Leaving directory `/root/snort_src/snort-2.9.7.0/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/root/snort_src/snort-2.9.7.0/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/snort_src/snort-2.9.7.0'
make: *** [all] Error 2


On Wed, Mar 11, 2015 at 8:40 PM, Hui cao <huica () cisco com> wrote:

    Hi Rishabh,

    You need to add --enable-open-appid to your ./configure.

    ./configure --enable-file-inspect --enable-open-appid

    Best,
    Hui.

    On 03/11/2015 10:33 AM, Rishabh Shah wrote:
    Hi Joel,

    Thanks for your prompt reply. I did a ./configure
    --enable-file-inspect and while executing make, I saw the
    following error messages:

    /root/snort_src/snort-2.9.7.0/src/plugbase.c:216: undefined reference to `SetupAppId'
    detection-plugins/libspd.a(detection_options.o): In function `detection_hash_free_func':
    /root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:553: undefined reference to `optionAppIdFree'
    detection-plugins/libspd.a(detection_options.o): In function `detection_option_hash_func':
    /root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:252: undefined reference to `optionAppIdHash'
    detection-plugins/libspd.a(detection_options.o): In function `detection_option_key_compare_func':
    /root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:409: undefined reference to `optionAppIdCompare'
    collect2: error: ld returned 1 exit status
    make[3]: *** [snort] Error 1
    make[3]: Leaving directory `/root/snort_src/snort-2.9.7.0/src'
    make[2]: *** [all-recursive] Error 1
    make[2]: Leaving directory `/root/snort_src/snort-2.9.7.0/src'
    make[1]: *** [all-recursive] Error 1
    make[1]: Leaving directory `/root/snort_src/snort-2.9.7.0'
    make: *** [all] Error 2

    I am not sure why I am seeing those messages, as I see a reference
    to the above errors:

    root@fwuser-virtual-machine:~/snort_src/snort-2.9.7.0/src# grep -r "optionAppIdFree" .
    Binary file ./detection-plugins/detection_options.o matches
    Binary file ./detection-plugins/sp_appid.o matches
    ./detection-plugins/sp_appid.c:void optionAppIdFree(AppIdOptionData *optData)
    ./detection-plugins/sp_appid.c:  optionAppIdFree(optData);
    Binary file ./detection-plugins/libspd.a matches
    ./detection-plugins/detection_options.c: optionAppIdFree(key->option_data);
    ./detection-plugins/sp_appid.h:void optionAppIdFree(AppIdOptionData *optData);


    I appended the following line in snort.conf:
    preprocessor file_inspect: type_id, signature, capture_disk /home/file_capture/tmp/, capture_queue_size 5000

    While executing snort process, I got a core file with the
    following message:

    File config:
        file type: ENABLED
        file signature: ENABLED
        file capture: ENABLED
        file capture directory: /home/file_capture/tmp/
        file capture disk size: 300 (Default) megabytes
        file sent to host: DISABLED (Default), port number: 0

    Segmentation fault (core dumped)

    The traceback of the core file points to:

    root@fwuser-virtual-machine:~/snort_src# gdb snort -c core
    GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
    Copyright (C) 2014 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show
    copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from snort...done.

    warning: exec file is newer than core file.
    [New LWP 10904]

    warning: .dynamic section for
    "/usr/local/lib/snort_dynamicengine/libsf_engine.so" is not at
    the expected address (wrong library or version mismatch?)

    warning: .dynamic section for
    "/usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so"
    is not at the expected address (wrong library or version mismatch?)
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library
    "/lib/x86_64-linux-gnu/libthread_db.so.1".
    Core was generated by `/usr/local/bin/snort -c
    /etc/snort/snort.conf -Q -i eth1:eth2 -l /var/log/snort'.
    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  strlen () at ../sysdeps/x86_64/strlen.S:106
    106     ../sysdeps/x86_64/strlen.S: No such file or directory.
    (gdb) bt
    #0  strlen () at ../sysdeps/x86_64/strlen.S:106
    #1  0x00007f6ab63050a6 in appIdStatsInit (appFileName=0x7f6ab6628170 <config+16> "appstats-unified.log", statsPeriod=10, rolloverSize=20971520, rolloverPeriod=86400) at appIdStats.c:264
    #2  0x00007f6ab62fa2d0 in AppIdCommonInit (memcap=268435456) at commonAppMatcher.c:297
    #3  0x00007f6ab6303798 in AppIdInit (sc=0x1eb9770, args=0x1f516e0 "app_stats_filename appstats-unified.log, app_stats_period 10, app_detector_dir /usr/local/lib/openappid") at spp_appid.c:157
    #4  0x000000000042048e in InitVarTables (p=0x1eb9770) at parser.c:5728
    #5  0x000000000046c3d0 in CheckAppId (option_data=0x0, p=0x0) at sp_appid.c:342
    #6  0x0000000000000000 in ?? ()
    (gdb) Quit

    I had installed openappid as well.


    On Wed, Mar 11, 2015 at 7:00 PM, Joel Esler (jesler) <jesler () cisco com> wrote:


        On Mar 11, 2015, at 9:23 AM, Rishabh Shah <rishabh420 () gmail com> wrote:

        Hi Snort Team,

        Is it possible to extract any file during http/ftp
        transactions? The HTTP preprocessor makes it possible to
        read the HTTP URI/content. Does snort have the intelligence
        to extract the file during any transfer?


        Beginning with 2.9.6.0, Snort has had the ability to extract
        files from streams and write them to disk.

        Check out the README: https://www.snort.org/faq/readme-file

        --
        *Joel Esler*
        Open Source Manager
        Threat Intelligence Team Lead
        Talos Group




    --
    Regards,
    Rishabh Shah.


    ------------------------------------------------------------------------------
    Dive into the World of Parallel Programming The Go Parallel Website, sponsored
    by Intel and developed in partnership with Slashdot Media, is your hub for all
    things parallel software development, from weekly thought leadership blogs to
    news, videos, case studies, tutorials and more. Take a look and join the
    conversation now. http://goparallel.sourceforge.net/
    _______________________________________________
    Snort-users mailing list
    Snort-users () lists sourceforge net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

    Please visit http://blog.snort.org to stay current on all the latest Snort news!






--
Regards,
Rishabh Shah.

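As an added example that is not part of the thread, the POSIX shell script below classifies a failed Snort link step from saved build output: it extracts the undefined symbols, checks whether they are all the AppId ones seen above, and, if the configure line lacks the flag Hui named, prints the rebuild command (flag added, then make clean before make, as the replies advise). The BUILD_LOG text is constructed from the linker lines quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. The rule "only AppId symbols missing ->
# reconfigure with --enable-open-appid, then make clean && make" is taken from
# the replies above; BUILD_LOG is constructed from the thread's linker output.
BUILD_LOG=$(cat <<'EOF'
/root/snort_src/snort-2.9.7.0/src/plugbase.c:216: undefined reference to `SetupAppId'
detection-plugins/libspd.a(detection_options.o): In function `detection_hash_free_func':
/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:553: undefined reference to `optionAppIdFree'
detection-plugins/libspd.a(detection_options.o): In function `detection_option_hash_func':
/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:252: undefined reference to `optionAppIdHash'
detection-plugins/libspd.a(detection_options.o): In function `detection_option_key_compare_func':
/root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:409: undefined reference to `optionAppIdCompare'
collect2: error: ld returned 1 exit status
EOF
)

# Print each distinct symbol named in an "undefined reference to `sym'" line.
undefined_symbols() {
    printf '%s\n' "$1" |
        sed -n "s/.*undefined reference to \`\([A-Za-z_][A-Za-z0-9_]*\)'.*/\1/p" |
        LC_ALL=C sort -u
}

# Succeed only when every missing symbol belongs to the AppId option code
# (SetupAppId, optionAppId*), i.e. the AppId objects were never built in.
only_appid_missing() {
    syms=$(undefined_symbols "$1")
    [ -n "$syms" ] || return 1
    printf '%s\n' "$syms" | grep -v -E '^(SetupAppId|optionAppId[A-Za-z]*)$' >/dev/null && return 1
    return 0
}

# Succeed when the configure command line already carries the flag.
has_open_appid_flag() {
    case " $1 " in
        *" --enable-open-appid "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the rebuild command to run, given the log and the configure line used.
suggest_fix() {
    if only_appid_missing "$1" && ! has_open_appid_flag "$2"; then
        echo "$2 --enable-open-appid && make clean && make"
    else
        echo "no change suggested from this log"
    fi
}

suggest_fix "$BUILD_LOG" "./configure --enable-file-inspect"
```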
