Snort mailing list archives

Re: not getting tagged packets in db ???


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Wed, 12 Jan 2011 15:14:52 +1300

A bit more information....

I have a local rule:

alert tcp $HOME_NET any -> xx.yy.181.46 80 (msg:"LOCAL malware Infection - Win32/Autoit.EB.worm"; flow:to_server,established; tag:session,20,packets; classtype:trojan-activity; sid:9900046;)

What is getting logged back to the database is just the packets *to* the server, i.e. those that trigger the actual rule, and I am not seeing the responses which should be tagged??

R



On 12/01/2011, at 11:14 AM, Russell Fulton wrote:

I have been reworking all my snort infrastructure over the last couple of months and have just realised that I am no longer getting tagged packets in the database.  Clearly I have broken something along the way...

in snort.conf:
output unified2: filename snort.log, limit 128

[rful011@mon263549 ~]$ cat /home/snort/conf/dmzo/barnyard.conf 
# enable daemon mode
config daemon

config hostname: mon263549

config interface: dmzo
config alert_with_interface_name
config reference_file:   /home/snort/etc/reference.config
config classification_file:       /home/snort/etc/classification.config
config gen_file:     /home/snort/etc/gen-msg.map
config sid_file:     /home/snort/Rules/dmzo/sid-msg.map

input unified2

output database: log, mysql, sensor_name=mon263549 dbname=snort user=snort host=snort-db.insec.auckland.ac.nz password=P1gsh1T detail=full

=========================================================

Any idea what I am missing?

Russell

PS: resorting to tcpdump to get sample pcaps for that pesky bot that I have an IP for at the moment...
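One way to narrow down where the tagged packets go missing is to look at the unified2 spool file before barnyard touches it: if the spool already holds only one packet record per event, Snort is not emitting the tagged session packets; if it holds several, the loss is downstream in barnyard or the database. The script below is an added example, not code from this thread; it uses the record layouts from Snort's Unified2_common.h (type 2 packet records, type 7/104 event records, 52-byte event prefix), and the byte stream it parses is constructed inline, reusing sid 9900046 from the rule above with made-up addresses and timestamps.

```python
import struct
from collections import defaultdict

# Record type codes as defined in Snort's Unified2_common.h.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event record (52 bytes)
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event with VLAN/MPLS fields; same 52-byte prefix
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN}


def iter_records(data):
    """Yield (record_type, body) for each record; header is type,length in network order."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            break  # truncated tail: spool file still being written by Snort
        yield rtype, body
        off += 8 + rlen


def packets_per_event(data):
    """Map (sid, event_id) -> number of packet records written for that event.
    A firing tag:session rule should produce several packets per event_id;
    exactly one means only the triggering packet reached the spool."""
    sid_of = {}
    counts = defaultdict(int)
    for rtype, body in iter_records(data):
        if rtype in EVENT_TYPES:
            _sensor, event_id, _sec, _usec, sid = struct.unpack_from("!5I", body, 0)
            sid_of[event_id] = sid
        elif rtype == UNIFIED2_PACKET:
            _sensor, event_id = struct.unpack_from("!II", body, 0)
            counts[(sid_of.get(event_id), event_id)] += 1
    return dict(counts)


def build_sample():
    """Constructed spool: one event for sid 9900046 (event_id 1), then the triggering
    packet plus two tagged response packets that share its event_id. Addresses,
    timestamps and packet bytes are placeholders, not captured data."""
    ev = struct.pack("!9I", 1, 1, 1294790092, 0, 9900046, 1, 1, 27, 1)
    ev += struct.pack("!IIHHBBBB", 0x0A000001, 0x0A0000B5, 51234, 80, 6, 0, 0, 0)
    out = struct.pack("!II", UNIFIED2_IDS_EVENT, len(ev)) + ev
    for usec in range(3):
        payload = b"\x00" * 54  # dummy Ethernet + IPv4 + TCP header bytes
        pkt = struct.pack("!7I", 1, 1, 1294790092, 1294790092, usec, 1, len(payload)) + payload
        out += struct.pack("!II", UNIFIED2_PACKET, len(pkt)) + pkt
    return out
```

Run `packets_per_event(open("/path/to/snort.log.NNN", "rb").read())` against a real spool and look at the count for the rule's sid.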


------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand 
malware threats, the impact they can have on your business, and how you 
can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

