Snort mailing list archives
Re: Snort 3 file statistics and logging
From: Y M via Snort-devel <snort-devel () lists snort org>
Date: Fri, 27 Sep 2019 21:23:54 +0000
Thank you, Steven. I certainly didn't pay attention to type id 287. This one worked as opposed to type id 22. I wonder why one would log while the other doesn't, although both apply successfully.
More reading for me on the trace options. I haven’t used these before. Are these considered day-to-day use or only for
debugging?
Thanks a bunch.
YM
________________________________
From: Steven Baigal (sbaigal) <sbaigal () cisco com>
Sent: Friday, September 27, 2019 11:33 PM
To: Y M; snort-devel () lists snort org
Subject: Re: [Snort-devel] Snort 3 file statistics and logging
For the second issue, you need to add a policy for PDF:
{ when = { file_type_id = 287 }, use = { verdict = 'log', } },
Regarding the 0 bytes stats, try to remove the policy and add trace to file_id:
file_id = {
enable_type = true,
enable_signature = true,
file_rules = file_magic,
trace_type = true,
trace_signature = true,
trace_stream = true,
}
Steven B.
From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Y M via Snort-devel <snort-devel () lists snort org>
Reply-To: Y M <snort () outlook com>
Date: Friday, September 27, 2019 at 1:56 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] Snort 3 file statistics and logging
Hello,
Two odd behaviors are observed regarding file inspector statistics in snort output and logging via file logger.
First, from the below file statistics, file type stats (files) reflect the detected files, which is correct. The file
type stats (bytes) is reporting zero bytes for some files, although the files have completed the transfers and exist in
the inspected pcap.
--------------------------------------------------
File Statistics
--------------------------------------------------
file type stats (files)
Type         Download   Upload
MSEXE( 21)          3        0
RTF( 23)            0        3
ZIP( 29)            1        1
PDF(287)            2        1
Total               6        5
--------------------------------------------------
file type stats (bytes)
Type         Download   Upload
MSEXE( 21)    2593303        0
RTF( 23)            0        0
ZIP( 29)            0        0
PDF(287)       465066   232533
Total         3058369   232533
--------------------------------------------------
Second, it appears that file logging for a PDF file policy does not create a line for detected PDF files. Different PDF
files also don't get logged although they are detected. Other file types/policies over the same protocols get logged as
expected. Example file policy:
file_id =
{
file_rules = file_magic,
file_policy =
{
{ when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
{ when = { file_type_id = 29 }, use = { verdict = 'log', enable_file_signature = true } },
{ when = { sha256 = "omitted" }, use = { verdict = 'log' } }
}
}
file_log =
{
log_pkt_time = true,
log_sys_time = false
}
The expected log lines in file.log from the above policies:
1. Log PDF files when detected.
2. Log ZIP files when detected.
3. Log the file with the specified hash.
In the above example, everything gets logged except for PDF files.
Below are the file statistics.
--------------------------------------------------
File Statistics
--------------------------------------------------
file type stats (files)
Type         Download   Upload
MSEXE( 21)          1        0
PDF(287)            1        1
Total               2        1
--------------------------------------------------
file type stats (bytes)
Type         Download   Upload
MSEXE( 21)    1123608        0
PDF(287)       232533   232533
Total         1356141   232533
--------------------------------------------------
file signature stats
Type         Download   Upload
MSEXE( 21)          1        0
PDF(287)            1        1
Total               2        1
This used to work on earlier versions of Snort 3. Running Snort with --warn-all does not yield any warnings associated
with the file inspector. The command used to run Snort:
snort -c snort.lua -r test.pcap -l /var/log/snort --plugin-path /usr/local/snort/extra -k none
And Snort version is 3.0.0 (Build 261)
Thank you.
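The two observations in this post (type rows that count transferred files but report zero bytes, and a file_policy entry whose file_type_id never appears in the run, 22 versus PDF reported as 287) can both be checked mechanically. The script below is an added example, not code from this thread or from the Snort project; it parses the File Statistics dump and the file_policy entries quoted above (embedded as constructed sample input) and assumes the plain space-separated layout shown.

```python
import re
# Constructed sample input: the stats table and file_policy entries quoted in this thread.
STATS = """\
file type stats (files)
MSEXE( 21) 3 0
RTF( 23) 0 3
ZIP( 29) 1 1
PDF(287) 2 1
Total 6 5
file type stats (bytes)
MSEXE( 21) 2593303 0
RTF( 23) 0 0
ZIP( 29) 0 0
PDF(287) 465066 232533
Total 3058369 232533
file signature stats
PDF(287) 1 1
"""
POLICY = """\
{ when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
{ when = { file_type_id = 29 }, use = { verdict = 'log', enable_file_signature = true } },
{ when = { sha256 = "omitted" }, use = { verdict = 'log' } }
"""
ROW = re.compile(r"^(\w+)\(\s*(\d+)\)\s+(\d+)\s+(\d+)\s*$")  # e.g. 'MSEXE( 21) 3 0'

def parse_stats(text):
    """Return {'files': {type_id: (name, download, upload)}, 'bytes': {...}} from a File Statistics dump."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^file type stats \((\w+)\)", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif line.startswith("file "):  # e.g. 'file signature stats': not a per-type files/bytes block
            current = None
        elif current is not None and (m := ROW.match(line)):
            name, tid, down, up = m.groups()
            current[int(tid)] = (name, int(down), int(up))
    return sections

def zero_byte_types(sections):
    """Type ids counted as transferred files but accounted zero bytes in that direction (the first oddity)."""
    byts = sections.get("bytes", {})
    return [(tid, name) for tid, (name, fd, fu) in sections.get("files", {}).items()
            if (fd and not byts.get(tid, (0, 0, 0))[1]) or (fu and not byts.get(tid, (0, 0, 0))[2])]

def unmatched_policy_ids(policy_text, sections):
    """file_type_id values in file_policy that never appeared in the run (22 here, while PDF is reported as 287)."""
    seen = set(sections.get("files", {}))
    wanted = {int(x) for x in re.findall(r"file_type_id\s*=\s*(\d+)", policy_text)}
    return sorted(wanted - seen)
```

Running it on a real console dump only requires replacing the two constructed strings with the captured stats block and the file_policy section of snort.lua.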
