Re: Something is wrong with snort logging?

[Y M <snort () outlook com>]

A quick look at this it could be a number of things. Your rule does not specify where in the payload/HTTP request to 
look for the content "clntnetid=", so the HTTP body could be a few bytes or a large number of bytes. Snort will usually 
capture 3-5 (maybe?) packets that triggered the rule. The HTTP body may have few bytes that fit into these 3-5 packets 
or they are further down the HTTP stream. It maybe (again) similar to the log_uri buffer length where in some 
occeasions get the uri logged and in others it won't due lengthy URIs.


- Are you logging in binary format (unified2)? How doe the data look there? Your log looks like it is in Full format.

- What are the configurations of your http_processor?


While this response more guesses than answers, i hope it puts you in the right direction.


YM


________________________________
From: fatema bannatwala <fatema.bannatwala () gmail com>
Sent: Monday, November 7, 2016 9:45:53 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Something is wrong with snort logging?

Hi,

I have a snort rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Custom Likely Successful Generic Phish 2016-09-23"; 
flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"clntnetid="; depth:10; 
fast_pattern; http_client_body; content:"&pword="; distance:0; classtype:trojan-activity; sid:10001030; rev:1;)

The following event shouldn't trigger without a "clntnetid" in the string so it
looks like some data isn't getting logged into the snort tables:

[1:10001030:1] Custom Likely Successful Generic Phish 2016-09-23
2016-11-07 04:26:06.103000-05:00 1.2.3.4:54862<http://128.4.132.252:54862/> -> 185.8.63.111:80<http://185.8.63.111/>
TCP: Data Triggering Snort Rule: POST /wp-admin/css/wep-et.php
HTTP/1.1::~~Host: www.anjo.lv::~~Content-Type:
application/x-www-form-urlencoded::~~Origin: null::~~Content-Length:
143::~~Connection: keep-alive::~~Accept: text/h
tml,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::~~User-Agent:
Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X)
AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70
Safari/600.1.4::~~Accept-Language:
 en-us::~~DNT: 1::~~Accept-Encoding: gzip, deflate::~~::~~

Other event that triggered this alert had "clntnetid" in the data string.
Not sure if the events that are triggering this alert are having that string in data and snort is not logging it in 
database, or something is not correct with the rule that is causing it to trigger for the events NOT having that 
particular string in the data.

Snort version - 2.9.8.3
barnyard version - 2-1.9
pulledpork - 0.7.0

Did anyone knows what might be going on?

Thanks,
Fatema.



------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!