Snort mailing list archives

Re: [SUSPECTED SPAM] snort3.0 doesn't log the triggering packet of an alert


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 6 Jan 2017 22:37:19 +0000

You can capture the session traffic with just the tagging.

I don’t think your problem is with the session/tagging functionality. You need to create a rule that alerts THEN starts 
recording.

Snort will not be able to go back and capture packets BEFORE the rule alerted. So if you have a rule that alerts on a 
response packet Snort will not be able to go back and “recapture” the request or packets that happened BEFORE the alert.

See attached. It uses a telnet session to alert on the SYN flag, then logs traffic for the next second.

I ran snort like this

"snort -c etc/snort/maxim.lua -r etc/snort/maxim.pcap -k none -l ."

which produced the pcap, alert, codec and unified log files.


Hope this helps.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com
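
The approach described above (alert on the first packet of the session, then let the tag collect the rest) in a minimal Snort 3 configuration. This is an added example, not the maxim.lua attached to this thread. The file name tag_session.lua, the capture name session.pcap and sid 1000001 are assumptions; the loggers are the three that Al's run produced, and -k none is the checksum option from his command line.

```lua
-- tag_session.lua (assumed name): added example, not the thread's attachment.
-- Run against a capture (assumed name) from the directory holding this file:
--   snort -c tag_session.lua -r session.pcap -k none -l .
-- -k none disables checksum verification, so replayed captures with bad
-- checksums are still inspected instead of being silently dropped.

-- Loggers. unified2 receives both the alert and every packet the tag
-- collects afterwards; alert_full and log_codecs are the text loggers.
unified2 = { limit = 128, nostamp = true }
alert_full = { file = true }
log_codecs = { file = true }

-- TCP session tracking, so "session" tagging has a flow to follow.
stream = { }
stream_tcp = { }

ips =
{
    -- The alert fires on the client SYN, i.e. the very first packet of the
    -- telnet session, so there is nothing before it for the tag to miss.
    -- Every packet of that session, in both directions, is then logged for
    -- the next second. A rule that only matches a later packet (for example
    -- a server response) would tag from that packet forward and nothing
    -- earlier, which is the behaviour described in the reply above.
    rules = [[
alert tcp any any -> any 23 ( msg:"telnet SYN, log session for 1s"; flags:S; tag:session,1,seconds; sid:1000001; rev:1; )
]],
}
```

With -l . the run writes unified2.log, alert_full.txt and log_codecs.txt into the current directory; the tagged packets are the entries in unified2.log that follow the alert record.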

From: Maxim <hittlle () 163 com>
Date: Thursday, January 5, 2017 at 9:41 PM
To: allewi <allewi () cisco com>
Cc: 'snort-users' <snort-users () lists sourceforge net>
Subject: Re:Re: [SUSPECTED SPAM] [Snort-users] snort3.0 doesn't log the triggering packet of an alert

Hi Albert,
Thanks for your help. Attached please kindly find my snort.lua. My question is not that snort doesn't record any 
packets to the unified2 file, but that it doesn't record the first packet that triggers the alert. What I am doing is this: if a packet fires a 
rule, tell snort to record the bidirectional packets (packets belonging to the same session) of that session. So, I 
write the following rule:

             alert tcp any any -> any 80 ( msg:"test-http-req-body"; content:"abc"; http_client_body; flowbits:isnotset,105; flowbits:set,105; tag:session; sid:105; rev:1; )

As you can see, I used flowbits and tag:session to accomplish this. And ran snort this way:
            /opt/snort3.0/bin/snort -c /var/log/snort/snort.lua -i eth0 -D -l /var/log/snort/

As you can see from the attached unified2 log file, I can see the alert, and the HTTP response packet. But I cannot 
find the request packet payload information there. Am I missing something here? Thanks.
At 2017-01-05 19:17:23, "Al Lewis (allewi)" <allewi () cisco com> wrote:
Hello Maxim,

Please see the section under the snort3 manual for loggers:

https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/004/860/original/snort_manual.html?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1483618124&Signature=4RZ4GTblHk9jmFlDhjHddxo%2BA28%3D#_logger_modules


Its impossible to say what the issue is without a copy of your configuration.

Attached is a basic config that should log any tcp packet.

All I did was run it with this below:

./bin/snort -c etc/snort/maxim.lua -r /home/alewis/Downloads/CURL.pcap -l .


And it produced log files as these (unified log is there):


alewis@box3:/var/tmp/snort++$ ls
alert_full.txt  bin  core  etc  include  lib  log_codecs.txt  share  unified2.log
alewis@box3:/var/tmp/snort++$


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Maxim <hittlle () 163 com>
Date: Thursday, January 5, 2017 at 3:19 AM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [SUSPECTED SPAM] [Snort-users] snort3.0 doesn't log the triggering packet of an alert

Hi snort experts,
    I just tried snort 3.0, and found that it doesn't log the triggering packet of an alert if I use unified2 logger. 
Is it a bug or am I missing any required configurations? It's very different from snort 2.9.8.0. Many thanks.
Attachment: maxim.pcap
Description: maxim.pcap

Attachment: maxim.lua
Description: maxim.lua

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!