Snort mailing list archives
file_inspect holds blocked files into its memory until snort stops
From: Berkay Koyutürk <berkay.koyuturk () labrisnetworks com>
Date: Thu, 7 Sep 2017 08:56:27 +0300
Hi everybody, as the title says, I have a problem with the file_inspect preprocessor. I am running Snort in inline mode with the file configuration below:
#file config
config file: \
file_type_depth 0, \
file_signature_depth 0, \
file_capture_memcap 1000, \
file_capture_max 4294967295, \
file_block_timeout 1, \
file_capture_min 0
#file_inspect preprocessor
preprocessor file_inspect: \
signature, \
capture_disk /root/captured_files 1024, \
capture_queue_size 5000, \
blacklist sha_blacklist, \
greylist sha_greylist
#file_inspect.rules
alert ( msg:"File signature"; sid: 1; gid: 147; rev: 1; metadata:
rule-type preproc; )
With this configuration I can successfully block file downloads if the file's SHA256 sum is in the sha_blacklist file. My problem is that, while Snort is running, it keeps holding these files in its memory, and after a while (for example 33 files of 10 MB each) it stops blocking files and cannot even see them anymore. My Snort exit stats are below:
======================================
Total file type callbacks: 0
Total file signature callbacks: 33
Total files would saved to disk: 33
Total files saved to disk: 0
Total file data saved to disk: 0 bytes
Total files duplicated: 33
Total files reserving failed: 0
Total file capture min: 0
Total file capture max: 0
Total file capture memcap: 0
Total files reading failed: 0
Total file agent memcap failures: 0
Total files sent: 0
Total file data sent: 0
Total file transfer failures: 0
========================================
File type stats:
Type Download (Bytes) Upload (Bytes)
Total 0 0 0 0
File signature stats:
Type Download Upload
Undecided file type, continue...( 0) 33 0
Total 33 0
File type verdicts:
UNKNOWN: 0
LOG: 0
STOP: 0
BLOCK: 0
REJECT: 0
PENDING: 0
STOP CAPTURE: 0
Total: 0
File signature verdicts:
UNKNOWN: 0
LOG: 0
STOP: 0
BLOCK: 33
REJECT: 0
PENDING: 0
STOP CAPTURE: 0
Total: 33
Total files processed: 33
Total files data processed: 346030080 bytes
Total files buffered: 33
Total files released: 33
Total files freed: 0
Total files captured: 33
Total files within one packet: 0
Total buffers allocated: 10560
Total buffers freed: 0
Total buffers released: 10560
Maximum file buffers used: 379
Total buffers free errors: 0
Total buffers release errors: 0
Total memcap failures: 0
Total memcap failures at reserve: 0
Total reserve failures: 0
Total file capture size min: 0
Total file capture size max: 0
Total capture max before reserve: 0
Total file signature max: 0
Maximum buffers can allocate: 31976
Number of buffers in use: 0
Number of buffers in free list: 21416
Number of buffers in release list: 10560
====================================
With the stats above, I downloaded 52 files; the first 36 were blocked, but
after that Snort didn't even see them. I am using Snort version 2.9.8.2
with DAQ in inline mode. Am I forgetting some sort of configuration, or is it
a bug? Thanks for the help.
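An added diagnostic, not the poster's or the Snort project's code: it parses the exit statistics quoted above into a dictionary, derives the per-file and per-buffer averages a reviewer would want, and flags the counters that show file buffers released but never freed. The stats text embedded in the script is an abridged copy of the post; the reading of the counter names (a "released" buffer stays on the release list until it is "freed") is an assumption drawn from the names, not from Snort documentation.

```python
import re

# Abridged copy of the exit statistics from the post above (the poster's
# numbers, unchanged); separator lines and unused counters are omitted.
STATS = """\
Total file type callbacks: 0
Total file signature callbacks: 33
Total files would saved to disk: 33
Total files saved to disk: 0
Total file data saved to disk: 0 bytes
Total files duplicated: 33
File type verdicts:
UNKNOWN: 0
LOG: 0
BLOCK: 0
Total: 0
File signature verdicts:
UNKNOWN: 0
LOG: 0
BLOCK: 33
Total: 33
Total files processed: 33
Total files data processed: 346030080 bytes
Total files buffered: 33
Total files released: 33
Total files freed: 0
Total files captured: 33
Total buffers allocated: 10560
Total buffers freed: 0
Total buffers released: 10560
Maximum file buffers used: 379
Maximum buffers can allocate: 31976
Number of buffers in use: 0
Number of buffers in free list: 21416
Number of buffers in release list: 10560
"""

# "name: <integer>" optionally followed by a "bytes" unit
COUNTER = re.compile(r"^\s*(.+?):\s*(\d+)(?:\s*bytes)?\s*$")
# "Some heading:" with nothing after the colon opens a sub-table
SECTION = re.compile(r"^\s*(.+?):\s*$")


def parse_stats(text):
    """Turn the 'name: value' lines into a dict.

    The two verdict tables reuse names (BLOCK, Total, ...), so their entries
    are prefixed with the heading, e.g. 'File signature verdicts/BLOCK'.
    A verdict table ends at its own 'Total' line.
    """
    stats, section = {}, None
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            name, value = m.group(1).strip(), int(m.group(2))
            key = f"{section}/{name}" if section else name
            stats[key] = value
            if section and name == "Total":
                section = None
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip()
    return stats


def diagnose(stats):
    """Derive averages from the counters and flag the buffer-retention pattern.

    The interpretation of 'released' vs. 'freed' is an assumption based on
    the counter names (see the lead-in), not on Snort documentation.
    """
    files = stats["Total files processed"]
    buffers = stats["Total buffers allocated"]
    data = stats["Total files data processed"]
    report = {
        "avg_bytes_per_file": data // files,
        "bytes_per_buffer": data // buffers,
        "buffers_per_file": buffers // files,
        "blocked_by_signature": stats["File signature verdicts/BLOCK"],
        "flags": [],
    }
    if stats["Total files released"] and stats["Total files freed"] == 0:
        report["flags"].append("files released but never freed")
    if (stats["Number of buffers in release list"] == buffers
            and stats["Total buffers freed"] == 0):
        report["flags"].append("every allocated buffer still on the release list at exit")
    if stats["Total files would saved to disk"] and stats["Total files saved to disk"] == 0:
        report["flags"].append("capture_disk queued files but wrote none")
    return report


if __name__ == "__main__":
    for key, value in diagnose(parse_stats(STATS)).items():
        print(f"{key}: {value}")
```

With the poster's numbers the script reports 10485760 bytes per file (the 10 MB the post mentions), 32768 bytes per buffer, 320 buffers per file, and all three flags set, which is a compact way to state the retention pattern when reporting it to the list.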
