Snort mailing list archives
Post-Detection keyword [logto] not working
From: Emiliano Fausto <emiliano.fausto () gmail com>
Date: Mon, 13 Apr 2015 18:27:45 -0300
Hi there,

I'm having trouble getting the "logto" keyword working properly. I'm using Snort version 2.9.7, and what I've tried was:

1) Just putting this rule in the snort.conf file:

    alert tcp any any <> any 8000 (content:"testing"; nocase; logto:testing; sid:1;)

I started a web server serving the file testing.txt, listening on port 8000, and issued a GET from a web browser, but Snort didn't create a file called testing with the packet capture. Instead it created a snort.log.1231243 with this information.

2) I ran Snort as user root (just to make sure it wasn't a permission problem).

3) I pre-created the file testing with "touch /var/log/snort/testing" (because I read there were problems with this in the past), but the file was 0 bytes after the GET was issued.

4) I tried changing the position of the logto keyword (first of all the other keywords, after the last keyword, etc.). Nothing.

5) I tried with:

    logto:"testing"
    logto:testing
    logto:"/var/log/snort/testing"

But nothing worked.

6) When I changed the rule to this line:

    output alert_fast: /var/log/snort/alerts
    alert tcp any any <> any 8000 (content:"testing"; nocase; msg:"rule successful triggered"; sid:1;)

It did generate the rule message "rule successful triggered" in /var/log/snort/alerts after issuing a GET with a browser. That's how I know it's being triggered correctly. But for some reason, the problem is when I try to use logto.

Does anyone have this post-detection keyword working? Has anyone experienced trouble with it? I reviewed all 41 related mails in the snort-users list, but there's nothing there that helped me.

I also think the way I start Snort could be useful; I reduced it to:

    snort -k none -i eth0 -c /etc/snort/snort.conf

Is there anything I'm missing? I read the Snort manual again and again, but there's nothing else I could find that gives me a hint on this.

Thanks in advance for any help you can give me on that.

Emiliano.
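When troubleshooting a rule option like logto, a first sanity check is to confirm how the rule actually tokenizes and which file name the option resolves to. The following is an added example, not Snort's own parser and not code from the thread: a small Python parser for a simplified subset of the Snort 2.x rule grammar (header fields plus semicolon-separated options, with quoted values respected). It is run over the two rule variants from the post, which are embedded as constructed samples. The default log directory /var/log/snort used to resolve a relative logto name is an assumption taken from the post's own paths.

```python
"""Simplified parser for Snort 2.x rule syntax (added example; not Snort's code)."""
import os
from typing import Dict, List, Optional, Tuple

# Assumed log directory (matches the paths used in the post); Snort's -l option
# would set the real one.
DEFAULT_LOG_DIR = "/var/log/snort"

# Constructed samples: the two rule variants tried in the post.
SAMPLE_RULES = [
    'alert tcp any any <> any 8000 (content:"testing"; nocase; logto:testing; sid:1;)',
    'alert tcp any any <> any 8000 (content:"testing"; nocase; '
    'msg:"rule successful triggered"; sid:1;)',
]

# Positional fields of a Snort rule header.
HEADER_FIELDS = ["action", "proto", "src", "src_port", "direction", "dst", "dst_port"]


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the text between the parentheses into (keyword, value) pairs.

    A semicolon inside double quotes does not end an option, and a backslash
    escapes the next character. Keywords without a value (e.g. nocase) get ''.
    """
    opts: List[Tuple[str, str]] = []
    buf = ""
    in_quotes = False
    escape = False

    def flush(text: str) -> None:
        opt = text.strip()
        if opt:
            key, _, val = opt.partition(":")
            opts.append((key.strip(), val.strip()))

    for ch in body:
        if escape:
            buf += ch
            escape = False
        elif ch == "\\":
            buf += ch
            escape = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf += ch
        elif ch == ";" and not in_quotes:
            flush(buf)
            buf = ""
        else:
            buf += ch
    flush(buf)  # trailing option without a final ';'
    return opts


def parse_rule(rule: str) -> Dict[str, object]:
    """Parse one rule into its header fields and an ordered list of options."""
    header, sep, rest = rule.strip().partition("(")
    if not sep or not rest.endswith(")"):
        raise ValueError("rule body must be enclosed in parentheses")
    fields = header.split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, got {len(fields)}")
    parsed: Dict[str, object] = dict(zip(HEADER_FIELDS, fields))
    parsed["options"] = split_options(rest[:-1])
    return parsed


def logto_target(rule: str, log_dir: str = DEFAULT_LOG_DIR) -> Optional[str]:
    """Return the path the rule's logto option names (quotes stripped, relative
    names resolved under log_dir), or None when the rule has no logto option."""
    for key, val in parse_rule(rule)["options"]:
        if key == "logto":
            name = val.strip('"')
            return name if os.path.isabs(name) else os.path.join(log_dir, name)
    return None


if __name__ == "__main__":
    for r in SAMPLE_RULES:
        p = parse_rule(r)
        print(p["action"], p["proto"], p["dst_port"], p["options"])
        print("  logto resolves to:", logto_target(r))
```

Running the block prints the tokenized options of each rule and shows that the first rule's relative logto name resolves under the assumed log directory, while the second rule carries no logto at all; comparing that against what actually appears on disk narrows the problem to the option's handling rather than to a typo in the rule.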