Snort mailing list archives

Re: Snort-users Digest, Vol 128, Issue 4


From: Franco Esmores <franco.esmores () donweb com>
Date: Fri, 6 Jan 2017 12:31:15 -0300

---------------------------------------------------
Message: 1
Date: Fri, 6 Jan 2017 10:41:59 +0800 (CST)
From: Maxim  <hittlle () 163 com>
Subject: Re: [Snort-users] [SUSPECTED SPAM] snort3.0 doesn't log the
      triggering packet of an alert
To: "Al Lewis (allewi)" <allewi () cisco com>
Cc: "snort-users () lists sourceforge net"
      <snort-users () lists sourceforge net>
Message-ID: <3487a5ce.2e6d.15971a77e7d.Coremail.hittlle () 163 com>
Content-Type: text/plain; charset="gbk"

Hi Albert,
Thanks for your help. Attached please kindly find my snort.lua. My question is not that snort doesn't record any packets to the unified2 file, but that it doesn't record the first packet that triggers the alert. What I am doing is this: if a packet fires a rule, tell snort to record the bidirectional packets (packets belonging to the same session) of that session. So, I write the following rule:

    alert tcp any any -> any 80 ( msg:"test-http-req-body"; content:"abc"; http_client_body; flowbits:isnotset,105; flowbits:set,105; tag:session; sid:105; rev:1; )

Try using a rule like this one:

    reject tcp any any -> $HOME_NET $HTTP_PORTS ( msg:"Possible wp-login.php Brute Force Attack"; sid:40338; classtype:web-application-activity; flow:to_server; content:"GET"; uricontent:"/wp-login.php"; flags:A,P; priority:2; rev:1; )

In this case I use CONTENT and URICONTENT; either way, if I don't use "uricontent" to catch "wp-login.php" (in this case) it won't work.
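As an added example that is not part of this thread and not Snort's own code: a small Python parser for the rule syntax the two rules above use. It separates the rule header from the option body, splits options on `;` outside quoted strings (honouring backslash escapes, which is how a literal `;` inside a `content` string is written), and reports the problems a practitioner would otherwise check by hand: a last option without its terminating `;` (the wp-login.php rule as originally posted in this thread ended in `rev:1)`), a rule with no `msg` or `sid`, and use of `uricontent`, which is Snort 2 syntax that Snort 3 replaces with the `http_uri` sticky buffer. Both rules are embedded as constructed input; the wp-login.php rule is deliberately kept with the missing terminator so that check fires.

```python
import re

# Constructed input: the two rules from this thread, each on one line.
# The second one is left exactly as posted (no ';' after rev:1) on purpose.
RULE_TAG_SESSION = (
    'alert tcp any any -> any 80 ( msg:"test-http-req-body"; content:"abc"; '
    'http_client_body; flowbits:isnotset,105; flowbits:set,105; tag:session; '
    'sid:105; rev:1; )'
)
RULE_WP_LOGIN = (
    'reject tcp any any -> $HOME_NET $HTTP_PORTS ( '
    'msg:"Possible wp-login.php Brute Force Attack"; sid:40338; '
    'classtype:web-application-activity; flow:to_server; content:"GET"; '
    'uricontent:"/wp-login.php"; flags:A,P; priority:2; rev:1)'
)

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$',
    re.S,
)


def split_options(body):
    """Split an option body on ';' outside double quotes.

    A backslash escapes the next character, so a quoted content string
    may contain '\\;' or '\\"'.  Returns (options, terminated): terminated
    is False when text remains after the last ';', i.e. the final option
    was not closed.
    """
    opts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if esc:
            cur.append(ch)
            esc = False
            continue
        if ch == '\\':
            cur.append(ch)
            esc = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o], tail == ''


def parse_rule(text):
    """Return {'header': {...}, 'options': [(keyword, value|None), ...],
    'problems': [str, ...]} for one Snort rule."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError('not a rule: %r' % text[:40])
    raw_opts, terminated = split_options(m.group('body'))
    options = []
    for opt in raw_opts:
        kw, _, val = opt.partition(':')      # 'http_client_body' has no value
        options.append((kw.strip(), val.strip() or None))
    keywords = [k for k, _ in options]

    problems = []
    if not terminated:
        problems.append("last option %r is not terminated with ';'" % raw_opts[-1])
    for required in ('msg', 'sid'):
        if required not in keywords:
            problems.append('missing %s' % required)
    if 'uricontent' in keywords:
        problems.append('uricontent is Snort 2 syntax; Snort 3 uses the '
                        'http_uri sticky buffer instead')
    header = {k: m.group(k)
              for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    return {'header': header, 'options': options, 'problems': problems}


def option_values(rule, keyword):
    """All values given for one keyword, in order (flowbits may appear twice)."""
    return [v for k, v in rule['options'] if k == keyword]


if __name__ == '__main__':
    for rule_text in (RULE_TAG_SESSION, RULE_WP_LOGIN):
        rule = parse_rule(rule_text)
        print(rule['header']['action'], 'sid', option_values(rule, 'sid'))
        for p in rule['problems']:
            print('  problem:', p)
```

Running it prints the action and sid of each rule and, for the wp-login.php rule, the unterminated `rev:1` and the `uricontent` note; the tag:session rule parses clean, with both `flowbits` options kept in order.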



