Snort mailing list archives
Re: tag:session problem
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 25 Nov 2016 13:01:52 +0000
Hello,

Have you tried setting the tag timer? Please see the README.tag section:

Note that the stream preprocessor is not checked for the existence of a session. A session here is based only on socket (IP address:port) pairs, so that a session could end, but if a new session is started using the same socket pair, packets will continue to get tagged.

Examples
--------

tag:host,100,seconds,src
tagged_packet_limit = 256

When an event is triggered on this rule, Snort will tag packets containing an IP address that matches the source IP address of the packet that caused this rule to alert for the next 100 seconds or 256 packets, whichever comes first.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Maxim <hittlle () 163 com>
Date: Thursday, November 24, 2016 at 8:28 PM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [Snort-users] tag:session problem

Hi snort team,

I came across a weird problem and need your help. I wrote the following rule to capture the bidirectional packets of the same session if the attacker triggers this rule:

alert tcp any any -> any 80 (msg:"bidirectional-packet-test"; sid:10000001; rev:1; content:"test"; http_uri; classtype:web-application-attack; flowbits:isnotset,foo; flowbits:set,foo; tag:session,exclusive;)

The purpose of this rule is to capture both the HTTP request and the corresponding HTTP response packets. I launch snort as follows:

snort -c /etc/snort/snort.conf -D

After that, I use postman to simulate a request to my target, then I checked snort.log, and I can see both the request and response packets as expected. Then I use postman to send the same HTTP request again; this time, I only see the request packet, but cannot find the response packet.

I checked the stream5_tcp configuration items, and there is only a timeout item which I think has something to do with this. I updated it from 180 seconds to 30 seconds and then omitted it and tried again, but I failed. Am I missing anything?

Thanks.
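To make the README.tag semantics quoted in the reply concrete, here is an added Python model (not Snort code and not from either poster) of how a session tag keyed only on the socket pair, a seconds-based timer, and tagged_packet_limit decide which packets get logged. Packet dicts, addresses and timestamps are constructed for the illustration.

```python
from typing import Dict, List

Packet = Dict[str, object]  # constructed shape: src, sport, dst, dport, ts

def session_key(pkt: Packet) -> frozenset:
    # A session is only the socket pair, so request and response share a key,
    # and a later connection reusing the same pair maps to the same key too.
    return frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])

class TagTracker:
    """Models tag:<session|host>,<count>,<seconds|packets>[,src|dst]."""

    def __init__(self, tagged_packet_limit: int = 256):
        self.limit = tagged_packet_limit  # caps seconds-based tags, per README.tag
        self.tags: List[dict] = []

    def alert(self, pkt: Packet, kind: str, count: int, metric: str, direction: str = "src") -> None:
        # Called when a rule with a tag option fires on pkt.
        if kind == "session":
            key = session_key(pkt)
        else:  # host tag follows the alerting packet's source or destination IP
            key = pkt["src"] if direction == "src" else pkt["dst"]
        self.tags.append({"kind": kind, "key": key, "metric": metric,
                          "count": count, "start": pkt["ts"], "tagged": 0})

    def _matches(self, tag: dict, pkt: Packet) -> bool:
        if tag["kind"] == "session":
            return session_key(pkt) == tag["key"]
        return tag["key"] in (pkt["src"], pkt["dst"])

    def _expired(self, tag: dict, now: float) -> bool:
        if tag["metric"] == "seconds":  # time window or packet cap, whichever first
            return now - tag["start"] >= tag["count"] or tag["tagged"] >= self.limit
        return tag["tagged"] >= tag["count"]

    def process(self, pkt: Packet) -> bool:
        """True if pkt is logged because an active tag still covers it."""
        self.tags = [t for t in self.tags if not self._expired(t, pkt["ts"])]
        for t in self.tags:
            if self._matches(t, pkt):
                t["tagged"] += 1
                return True
        return False

def demo() -> List[bool]:
    tr = TagTracker()
    req = {"src": "10.0.0.5", "sport": 50000, "dst": "10.0.0.9", "dport": 80, "ts": 0.0}
    tr.alert(req, "session", 100, "seconds")  # rule fired on this request
    rsp = {"src": "10.0.0.9", "sport": 80, "dst": "10.0.0.5", "dport": 50000, "ts": 0.2}
    other = dict(req, sport=50001, ts=1.0)     # new connection, different source port
    reuse = dict(req, ts=50.0)                 # new session on the same socket pair
    late = dict(rsp, ts=120.0)                 # after the 100 second window
    return [tr.process(p) for p in (rsp, other, reuse, late)]  # [True, False, True, False]
```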