Snort mailing list archives

Re: tag:session problem


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 25 Nov 2016 13:01:52 +0000

Hello,

Have you tried setting the tag timer?


Please see the README.tag section:


Note that the stream preprocessor is not checked for the existence of a
session.  A session here is based only on socket (IP address:port) pairs, so
that a session could end, but if a new session is started using the same socket
pair, packets will continue to get tagged.


Examples
--------

tag:host,100,seconds,src
tagged_packet_limit = 256

When an event is triggered on this rule, Snort will tag packets containing an
IP address that matches the source IP address of the packet that caused this
rule to alert for the next 100 seconds or 256 packets, whichever comes first.




Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Maxim <hittlle () 163 com>
Date: Thursday, November 24, 2016 at 8:28 PM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [Snort-users] tag:session problem

Hi snort team,
I came across a weird problem and need your help. I wrote the following rule to capture the bidirectional packets of the same session if the attacker triggers this rule:

    alert tcp any any -> any 80 (msg:"bidirectional-packet-test"; sid:10000001; rev:1; content:"test"; http_uri; classtype:web-application-attack; flowbits:isnotset,foo; flowbits:set,foo; tag:session,exclusive;)

The purpose of this rule is to capture both the HTTP request and the corresponding HTTP response packets. I launched snort as follows:

    snort -c /etc/snort/snort.conf -D

After that, I used postman to simulate a request to my target, then checked snort.log, and I could see both the request and response packets as expected. Then I used postman to send the same HTTP request again; this time I only saw the request packet, but could not find the response packet. I checked the stream5_tcp configuration items, and there is only a timeout item which I think has something to do with this; I updated it from 180 seconds to 30 seconds, then omitted it and tried again, but I failed. Am I missing anything? Thanks.
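A small Python model of the tag behaviour described in the README.tag excerpt in Al's reply (tag window keyed on the socket pair only, ended by the seconds timer or tagged_packet_limit, whichever comes first), which is also what Maxim's tag:session rule relies on. This is an added illustration, not Snort's own code; the addresses, ports and timestamps are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    t: float  # seconds since capture start (constructed timestamps)
    src: str
    sport: int
    dst: str
    dport: int
    def socket_pair(self):
        # Direction-agnostic key: tag:session covers both directions.
        return frozenset([(self.src, self.sport), (self.dst, self.dport)])

class SessionTagger:
    """Model of tag:session,<N>,seconds with tagged_packet_limit, keyed on the
    socket pair only (no stream check), exactly as README.tag warns."""

    def __init__(self, seconds, tagged_packet_limit):
        self.seconds = seconds
        self.limit = tagged_packet_limit
        self.active = {}  # socket pair -> [window start, packets tagged so far]

    def on_alert(self, pkt):
        # The packet that fires the rule opens the tag window for its socket pair.
        self.active[pkt.socket_pair()] = [pkt.t, 0]

    def is_tagged(self, pkt):
        """True if Snort would log this packet as tagged traffic."""
        state = self.active.get(pkt.socket_pair())
        if state is None:
            return False
        start, count = state
        # Whichever comes first ends tagging: the timer or the packet limit.
        if pkt.t - start > self.seconds or count >= self.limit:
            del self.active[pkt.socket_pair()]
            return False
        state[1] = count + 1
        return True

def demo(seconds=100, tagged_packet_limit=256):
    # Constructed traffic after the request that fired the rule: its response, a
    # second connection on the same ports, another client port, and a late packet.
    tagger = SessionTagger(seconds, tagged_packet_limit)
    tagger.on_alert(Pkt(0.0, "10.0.0.5", 40001, "192.0.2.10", 80))
    later = [Pkt(0.2, "192.0.2.10", 80, "10.0.0.5", 40001),
             Pkt(30.0, "10.0.0.5", 40001, "192.0.2.10", 80),
             Pkt(30.5, "10.0.0.5", 40002, "192.0.2.10", 80),
             Pkt(150.0, "192.0.2.10", 80, "10.0.0.5", 40001)]
    return [tagger.is_tagged(p) for p in later]
```

With the defaults, demo() shows the response and the reused socket pair tagged but the other client port and the post-window packet not; demo(tagged_packet_limit=1) or demo(seconds=10) shows the second connection dropped by the limit or the timer respectively.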



