Snort mailing list archives
Re: Snort 3 file statistics and logging
From: "Steven Baigal \(sbaigal\) via Snort-devel" <snort-devel () lists snort org>
Date: Fri, 27 Sep 2019 20:33:03 +0000
For the second issue, you need to add policy for PDF:
{ when = { file_type_id = 287 }, use = { verdict = 'log', } },
Regarding the 0 bytes stats, try to remove the policy and add trace to file_id:
file_id = {
    enable_type = true,
    enable_signature = true,
    file_rules = file_magic,
    trace_type = true,
    trace_signature = true,
    trace_stream = true,
}
Steven B.
From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Y M via Snort-devel <snort-devel () lists snort org>
Reply-To: Y M <snort () outlook com>
Date: Friday, September 27, 2019 at 1:56 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] Snort 3 file statistics and logging
Hello,
Two odd behaviors are observed regarding file inspector statistics in snort output and logging via file logger.
First, from the below file statistics, file type stats (files) reflect the detected files, which is correct. The file
type stats (bytes) is reporting zero bytes for some files, although the files have completed the transfers and exist in
the inspected pcap.
--------------------------------------------------
File Statistics
--------------------------------------------------
file type stats (files)
Type Download Upload
MSEXE( 21) 3 0
RTF( 23) 0 3
ZIP( 29) 1 1
PDF(287) 2 1
Total 6 5
--------------------------------------------------
file type stats (bytes)
Type Download Upload
MSEXE( 21) 2593303 0
RTF( 23) 0 0
ZIP( 29) 0 0
PDF(287) 465066 232533
Total 3058369 232533
--------------------------------------------------
Second, it appears that file logging for a PDF file policy does not create a line for detected PDF files. Different PDF
files also don't get logged although they are detected. Other file types/policies over the same protocols get logged as
expected. Example file policy:
file_id =
{
    file_rules = file_magic,
    file_policy =
    {
        { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
        { when = { file_type_id = 29 }, use = { verdict = 'log', enable_file_signature = true } },
        { when = { sha256 = "omitted" }, use = { verdict = 'log' } }
    }
}
file_log =
{
    log_pkt_time = true,
    log_sys_time = false
}
The expected log lines in file.log from the above policies:
1. Log PDF files when detected.
2. Log ZIP files when detected.
3. Log the file with the specified hash.
In the above example, everything gets logged except for PDF files.
Below are the file statistics.
--------------------------------------------------
File Statistics
--------------------------------------------------
file type stats (files)
Type Download Upload
MSEXE( 21) 1 0
PDF(287) 1 1
Total 2 1
--------------------------------------------------
file type stats (bytes)
Type Download Upload
MSEXE( 21) 1123608 0
PDF(287) 232533 232533
Total 1356141 232533
--------------------------------------------------
file signature stats
Type Download Upload
MSEXE( 21) 1 0
PDF(287) 1 1
Total 2 1
This used to work on earlier versions of Snort 3. Running Snort with --warn-all does not yield any warnings associated
with the file inspector. The command used to run Snort:
snort -c snort.lua -r test.pcap -l /var/log/snort --plugin-path /usr/local/snort/extra -k none
And the Snort version is 3.0.0 (Build 261).
Thank you.
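As an added example (not part of either message in this thread), the two symptoms above can be checked mechanically from Snort's own "File Statistics" dump: type ids that appear in the stats but have no file_policy entry, policy ids that never matched anything (the poster's 22 next to PDF's reported 287), and types counted as files but reporting zero bytes. The policy id set {22, 29} is taken from the posted config; the stats text is a constructed copy of the first dump above.

```python
import re

# Constructed sample: the File Statistics block from the first run in the
# original post, embedded so the check runs offline against known output.
STATS = """\
file type stats (files)
Type Download Upload
MSEXE( 21) 3 0
RTF( 23) 0 3
ZIP( 29) 1 1
PDF(287) 2 1
Total 6 5
--------------------------------------------------
file type stats (bytes)
Type Download Upload
MSEXE( 21) 2593303 0
RTF( 23) 0 0
ZIP( 29) 0 0
PDF(287) 465066 232533
Total 3058369 232533
"""

SECTION = re.compile(r"^file type stats \((\w+)\)$")
ROW = re.compile(r"^(\w+)\(\s*(\d+)\)\s+(\d+)\s+(\d+)$")  # NAME( id) dl ul

def parse_stats(text):
    """Map each section ('files', 'bytes') to {type_id: (name, dl, ul)}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            current = sections.setdefault(m.group(1), {})
        elif (m := ROW.match(line)) and current is not None:
            name, tid, dl, ul = m.groups()
            current[int(tid)] = (name, int(dl), int(ul))
    return sections

def uncovered_types(stats, policy_ids):
    """Type ids Snort detected that no file_policy 'when' clause names."""
    return sorted(t for t in stats.get("files", {}) if t not in policy_ids)

def unused_policy_ids(stats, policy_ids):
    """Policy ids that never matched a detected type (e.g. 22 vs PDF's 287)."""
    return sorted(set(policy_ids) - set(stats.get("files", {})))

def zero_byte_types(stats):
    """Types counted in 'files' but reporting 0 bytes in both directions."""
    files, nbytes = stats.get("files", {}), stats.get("bytes", {})
    return sorted(t for t, (_, dl, ul) in files.items()
                  if dl + ul > 0 and nbytes.get(t, ("", 0, 0))[1:] == (0, 0))
```

Run it against a fresh dump by pasting the stats into STATS; a non-empty unused_policy_ids result is the quickest sign that a file_policy entry is keyed on the wrong type id.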