Snort mailing list archives
Re: [SUSPECTED SPAM] snort3.0 doesn't log the triggering packet of an alert
From: Maxim <hittlle () 163 com>
Date: Fri, 6 Jan 2017 10:41:59 +0800 (CST)
Hi Albert,

Thanks for your help. Attached please kindly find my snort.lua. My question is not that snort doesn't record any packets to the unified2 file, but the first packet that triggers the alert. What I am doing is this: if a packet fires a rule, tell snort to record the bidirectional packets (packets belonging to the same session) of that session. So, I wrote the following rule:

alert tcp any any -> any 80 ( msg:"test-http-req-body"; content:"abc"; http_client_body; flowbits:isnotset,105; flowbits:set,105; tag:session; sid:105; rev:1; )

As you can see, I used flowbits and tag:session to accomplish this. And I ran snort this way:

/opt/snort3.0/bin/snort -c /var/log/snort/snort.lua -i eth0 -D -l /var/log/snort/

As you can see from the attached unified2 log file, I can see the alert, and the HTTP response packet. But I cannot find the request packet payload information there. Am I missing something here?

Thanks.

At 2017-01-05 19:17:23, "Al Lewis (allewi)" <allewi () cisco com> wrote:

Hello Maxim,

Please see the section under the snort3 manual for loggers:
https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/004/860/original/snort_manual.html?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1483618124&Signature=4RZ4GTblHk9jmFlDhjHddxo%2BA28%3D#_logger_modules

It's impossible to say what the issue is without a copy of your configuration. Attached is a basic config that should log any tcp packet. All I did was run it with this below:

./bin/snort -c etc/snort/maxim.lua -r /home/alewis/Downloads/CURL.pcap -l .

And it produced log files as these (unified log is there):

alewis@box3:/var/tmp/snort++$ ls
alert_full.txt  bin  core  etc  include  lib  log_codecs.txt  share  unified2.log
alewis@box3:/var/tmp/snort++$

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Maxim <hittlle () 163 com>
Date: Thursday, January 5, 2017 at 3:19 AM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [SUSPECTED SPAM] [Snort-users] snort3.0 doesn't log the triggering packet of an alert

Hi snort experts,

I just tried snort 3.0, and found that it doesn't log the triggering packet of an alert if I use the unified2 logger. Is it a bug or am I missing any required configurations? It's very different from snort 2.9.8.0.

Many thanks.
Attachment: snort.lua
Attachment: unified2.log.1483669389
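A way to check what actually landed in the unified2 file, added here as an example and not code from this thread or from the Snort project: the reader below walks the unified2 records (a type/length header, event records of types 7, 72, 104 and 105, packet records of type 2) and pairs each packet record with the event whose sensor_id/event_id it cites, so an alert that has no packet record at all shows up directly instead of being inferred from a hex dump. The record layouts are the ones in Snort's Unified2_common.h; the sample bytes are constructed inline in place of the attached unified2.log.1483669389, and the "frame" inside the packet record is a stand-in string, not a real Ethernet frame.

```python
import struct

# Unified2 record type codes (values from Snort's Unified2_common.h).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7              # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_IPV6 = 72        # legacy IPv6 event, 76-byte body
UNIFIED2_IDS_EVENT_VLAN = 104       # IPv4 event with MPLS/VLAN fields, 60-byte body
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105  # IPv6 event with MPLS/VLAN fields, 84-byte body
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN}

# All fields are big-endian. Every event type starts with the same nine
# uint32 fields; the packet record header is seven uint32 fields.
RECORD_HDR = struct.Struct("!II")     # record type, body length
EVENT_PREFIX = struct.Struct("!9I")   # sensor_id, event_id, event_second, event_usec,
                                      # signature_id, generator_id, signature_revision,
                                      # classification_id, priority_id
PACKET_HDR = struct.Struct("!7I")     # sensor_id, event_id, event_second, packet_second,
                                      # packet_usec, linktype, packet_length
# Full type-104 body: prefix, src/dst IPv4, sport/dport, protocol, impact_flag,
# impact, blocked, mpls_label, vlan_id, pad.
EVENT_VLAN = struct.Struct("!9IIIHHBBBBIHH")


def iter_records(data):
    """Yield (record_type, body) for each record in a unified2 byte string."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        body = data[off:off + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record at offset %d" % off)
        yield rtype, body
        off += rlen


def parse_event(body):
    f = EVENT_PREFIX.unpack_from(body, 0)
    return {"sensor_id": f[0], "event_id": f[1], "second": f[2],
            "sid": f[4], "gid": f[5], "rev": f[6], "packets": []}


def parse_packet(body):
    sensor_id, event_id, _, _, _, linktype, pkt_len = PACKET_HDR.unpack_from(body, 0)
    frame = body[PACKET_HDR.size:PACKET_HDR.size + pkt_len]
    if len(frame) != pkt_len:
        raise ValueError("packet record shorter than its packet_length")
    return {"sensor_id": sensor_id, "event_id": event_id,
            "linktype": linktype, "data": frame}


def events_with_packets(data):
    """Group packet records under the event they cite via (sensor_id, event_id).

    Returns (events, orphans): events in file order, each carrying the frames
    logged for it; orphans are packet records whose event is not in this
    file (for example because the event went to the previous rotated file)."""
    events, orphans, by_key = [], [], {}
    for rtype, body in iter_records(data):
        if rtype in EVENT_TYPES:
            ev = parse_event(body)
            events.append(ev)
            by_key[(ev["sensor_id"], ev["event_id"])] = ev
        elif rtype == UNIFIED2_PACKET:
            pkt = parse_packet(body)
            ev = by_key.get((pkt["sensor_id"], pkt["event_id"]))
            (ev["packets"] if ev else orphans).append(pkt["data"])
    return events, orphans


def events_missing_packets(data):
    """(gid, sid, event_id) of every event that has no packet record at all."""
    events, _ = events_with_packets(data)
    return [(e["gid"], e["sid"], e["event_id"]) for e in events if not e["packets"]]


# --- constructed sample standing in for the attached unified2 file (not real capture data) ---
def _record(rtype, body):
    return RECORD_HDR.pack(rtype, len(body)) + body


def _event_vlan(event_id, sid, src, dst, sport, dport, second=1483669389):
    body = EVENT_VLAN.pack(1, event_id, second, 0, sid, 1, 1, 0, 3,
                           src, dst, sport, dport, 6, 0, 0, 0, 0, 0, 0)
    return _record(UNIFIED2_IDS_EVENT_VLAN, body)


def _packet(event_id, frame, second=1483669389):
    hdr = PACKET_HDR.pack(1, event_id, second, second, 0, 1, len(frame))
    return _record(UNIFIED2_PACKET, hdr + frame)


# Two alerts for sid 105: event 1 has its triggering frame logged, event 2 has none.
SAMPLE = (_event_vlan(1, 105, 0x0A000002, 0x0A000001, 40000, 80)
          + _packet(1, b"<constructed frame>POST /x HTTP/1.1\r\n\r\nabc")
          + _event_vlan(2, 105, 0x0A000003, 0x0A000001, 40001, 80))

if __name__ == "__main__":
    evs, orph = events_with_packets(SAMPLE)
    for e in evs:
        print("gid:sid %d:%d event_id %d -> %d packet record(s)"
              % (e["gid"], e["sid"], e["event_id"], len(e["packets"])))
    print("events with no packet record:", events_missing_packets(SAMPLE))
```

To use it on a real log, pass the file contents: `events_with_packets(open(path, "rb").read())`. The triggering packet and any packets tagged by tag:session are written as packet records citing the same event_id, so an event that is listed by `events_missing_packets` never got its packet logged, while an event whose first logged frame is already the response tells you the request itself was not written.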
Current thread:
- snort3.0 doesn't log the triggering packet of an alert Maxim (Jan 05)
- Re: [SUSPECTED SPAM] snort3.0 doesn't log the triggering packet of an alert Al Lewis (allewi) (Jan 05)
- Re: [SUSPECTED SPAM] snort3.0 doesn't log the triggering packet of an alert Maxim (Jan 05)
- Re: [SUSPECTED SPAM] snort3.0 doesn't log the triggering packet of an alert Al Lewis (allewi) (Jan 05)