Snort mailing list archives

Snort, unified/database output plugins, session capture


From: "AJ Butcher, Information Systems and Computing" <Alex.Butcher () bristol ac uk>
Date: Thu, 25 Mar 2004 12:45:23 +0000

Hi -

I'm currently using Snort's unified output plugin to log to a binary file, which in turn mudpit is picking up and logging into a MySQL database.

I'd like to configure Snort to log the entire session for certain signatures (e.g. IIS cmd.exe access, sid 1002) so that analysts can determine whether an attack was successful or not. There seem to be a number of mechanisms for doing this; 'tag' and 'session' being the two most obvious to me. I presume that I need

       preprocessor stream4_reassemble: both, ports default

regardless of which mechanism I use.

What is the preferred mechanism for logging sessions in this manner?

Do *any* of them even work when using unified or database logging? The Snort 2.1.x manual indicates that 'tag' doesn't work with database logging, and 'logto' doesn't work in binary mode. It says nothing about 'session'.

I've tried configuring snort to bypass mudpit and log directly into the MySQL database with the following modified signature:

log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
( sid: 2000017; rev: 1; msg: "WEB-IIS cmd.exe access"; flow: to_server,established; content: "cmd.exe"; nocase; session: all; classtype: web-application-attack;)

and

preprocessor stream4_reassemble: both, ports default

output database: log, mysql, user=**** password=**** dbname=**** host=localhost port=3306 sensor_name=AUTO detail=full

but only the HTTP request appears to get logged (and shown in ACID - though I've verified this by querying the database directly). Switching from 'log' to 'alert' in the signature makes no difference.

I'm currently using Snort 2.0.6.

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
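The two rule options named in the message, 'tag' and 'session', side by side on the same cmd.exe signature. This is an added illustration, not part of the original post, and it assumes standard Snort 2.x rule syntax: 'tag' keeps logging the matching session for a fixed time after the alert fires, while 'session' dumps the session payload itself. The sid values are placeholders, and whether either option produces output through the unified or database plugins is exactly the question the post raises and is not settled here.

```snort
# stream4 must be enabled for stream4_reassemble to do anything (assumption:
# default stream4 options are sufficient for this demonstration)
preprocessor stream4
preprocessor stream4_reassemble: both, ports default

# Mechanism 1: 'tag' - after the alert, keep logging every packet of the same
# session for 30 seconds so the server's response is captured alongside the
# request. sid 2000018 is a placeholder.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access (tagged session)"; flow:to_server,established; content:"cmd.exe"; nocase; tag:session,30,seconds; classtype:web-application-attack; sid:2000018; rev:1;)

# Mechanism 2: 'session' - write the session's payload data; 'printable' keeps
# only printable characters, 'all' (as in the original post) keeps everything.
# sid 2000019 is a placeholder.
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access (session dump)"; flow:to_server,established; content:"cmd.exe"; nocase; session:printable; classtype:web-application-attack; sid:2000019; rev:1;)
```

Only one of the two rules would normally be deployed per signature; the 'tag' form is the one that records the server's reply after the triggering request, which is what an analyst needs to judge whether the access attempt succeeded.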