Snort mailing list archives
preprocessor file_inspect: file capture from FTP traffic differs from original
From: Lương Minh Tuấn <not.soledad () gmail com>
Date: Fri, 11 Dec 2015 11:04:30 +0700
Hi everybody,

I have a problem with the file_inspect preprocessor: when Snort captures a file from FTP traffic, the file written to disk differs from the original file; the file data and SHA256 are not correct. The problem happened with almost every file transfer via FTP, but HTTP still works well. I'm using Snort version 2.9.7.6 and tried with 2.9.8.0, but no luck.

Here's my Snort server information:

- OS: CentOS 7 64-bit, installed Snort and vsftpd, tried with both a real server and a virtual VMware guest.
- file service and file_inspect configuration:

    config file:\
        file_type_depth 42949672, \
        file_signature_depth 42949672, \
        file_capture_max 42949672, \
        file_capture_memcap 200

    preprocessor file_inspect:\
        type_id, \
        signature, \
        capture_queue_size 5000, \
        capture_disk /home/file_capture/tmp/ 1024

Is there anything I need to configure to make Snort work better? Almost every file captured from FTP is not correct, so it cannot match the block list and cannot be used for further analysis.

Please help, thank you!

Minh Tuan Luong