Re: [SUSPECTED SPAM] snort3.0 doesn't log the triggering packet of an alert

[Maxim <hittlle () 163 com>]

Hi Albert,
Thanks for your help. Attached please kindly find my snort.lua. My question is not that snort doesn't record any 
packets to unified2 file, but the first packet that triggeres the alert. What I am doing is this: if a packet fire a 
rule, tell snort to record the bidirectional packets (packets belonging to the same session) of that session. So, I 
write the following rule:


             alert tcp any any -> any 80 ( msg:"test-http-req-body"; content:"abc";http_client_body; 
flowbits:isnotset,105;flowbits:set,105;tag:session;sid: 105;rev:1;)


As you can see, I used flowbits and tag:session to accomplish this. And ran snort this way:
            /opt/snort3.0/bin/snort -c /var/log/snort/snort.lua -i eth0 -D -l /var/log/snort/


As you can see from the attached unified2 log file, I can see the alert, and the HTTP response packet. But I cannot 
find the request packet payload information there. Am I missing something here? Thanks.
       






At 2017-01-05 19:17:23, "Al Lewis (allewi)" <allewi () cisco com> wrote:

Hello Maxim,


Please see the section under the snort3 manual for loggers:


https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/004/860/original/snort_manual.html?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1483618124&Signature=4RZ4GTblHk9jmFlDhjHddxo%2BA28%3D#_logger_modules




Its impossible to say what the issue is without a copy of your configuration. 


Attached is a basic config that should log any tcp packet.


All I did was run it with this below:


./bin/snort -c etc/snort/maxim.lua -r /home/alewis/Downloads/CURL.pcap -l .




And it produced log files as these (unified log is there):




alewis@box3:/var/tmp/snort++$ ls
alert_full.txt  bin  core  etc  include  lib  log_codecs.txt  share  unified2.log
alewis@box3:/var/tmp/snort++$ 





Albert Lewis

ENGINEER.SOFTWARE ENGINEERING

SOURCEfire, Inc. now part of Cisco

Email: allewi () cisco com 



From: Maxim <hittlle () 163 com>
Date: Thursday, January 5, 2017 at 3:19 AM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [SUSPECTED SPAM] [Snort-users] snort3.0 doesn't log the triggering packet of an alert



Hi snort experts,
    I just tried snort 3.0, and found that it doesn't log the triggering packet of an alert if I use unified2 logger. 
Is it a bug or am I missing any required configurations? It's very different from snort 2.9.8.0. Many thanks.

Attachment: snort.lua
Description:

Attachment: unified2.log.1483669389
Description:

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!