Snort mailing list archives

Re: logto 3.0


From: kahleong_fong via Snort-users <snort-users () lists snort org>
Date: Thu, 19 Oct 2017 01:56:32 +0000 (UTC)

hi carter,
thank you for the info. I was expecting the logto to work, since running snort with different separate cmd options just 
to capture an event would be an ad hoc/manual activity (i.e. reactive) and will be too late, as the event has gone by 
already. A method to log these events to a pcap file as part of the rules would be a proactive approach when triggered by 
events.
thanks. cheers.


      From: Carter Waxman (cwaxman) <cwaxman () cisco com>
 To: kahleong_fong <kahleong_fong () yahoo com sg>; "snort-users () lists snort org" <snort-users () lists snort org> 
 Sent: Tuesday, 17 October 2017, 21:55
 Subject: Re: [Snort-users] logto 3.0
   
For the sake of updating the list… The last post was incorrect. There are a couple things going on. Pasting your rule 
into logto.rules and running Snort like this:

$ src/snort -c install/etc/snort/snort.lua -R logto.rules

will get this:

Loading logto.rules:
ERROR: logto.rules:1 unknown rule keyword: logto.
ERROR: logto.rules:1 unknown rule keyword: sid=400000001.
Finished logto.rules.

So logto is no longer supported and your rule should look like this:

alert icmp any any -> any any ( sid:400000001; rev:1; )

One way to log to file is like this:

$ src/snort -c install/etc/snort/snort.lua -R logto.rules -r ~/Test/pcaps/ping.pcap --lua "alert_csv = { file = true }"

There are other options. The --lua option is shown here but that could be in your conf. See the manual for details, 
e.g. under Usage / Output Files.

From: Snort-users <snort-users-bounces () lists snort org> on behalf of "Carter Waxman (cwaxman) via Snort-users" <snort-users () lists snort org>
Reply-To: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Tuesday, October 17, 2017 at 9:42 AM
To: kahleong_fong <kahleong_fong () yahoo com sg>, "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] logto 3.0

Hello,

It looks like this was not added to 3.0, however it should have been. Thank you for finding this. We will be adding it 
back in the future. Until then, it is possible to configure default log paths with the -l command line option.

-Carter

From: Snort-users <snort-users-bounces () lists snort org> on behalf of kahleong_fong via Snort-users <snort-users () lists snort org>
Reply-To: kahleong_fong <kahleong_fong () yahoo com sg>
Date: Tuesday, October 17, 2017 at 3:24 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] logto 3.0

hi all,

It has been a while since 2004 that I touched snort! I remembered the logto option to capture pkts used to work. In 
the 3.0 release, I just cannot seem to get it to capture the pkts to the file.

alert icmp any any -> any any (logto:/var/snort/log/logto_log;sid=400000001; rev:1;)

I am able to see the alerts however no pkts in the logto_log file.

please advise.
regards

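To make the configuration route Carter points to concrete, here is an added example (not code from the thread or from the Snort project) of a snort.lua fragment that sends both the alerts and the triggering packets to files, which is what the original logto: rule option used to do per rule. It assumes Snort 3's alert_csv and log_pcap logger modules and the parameter names shown in the comments; confirm them against your build with `snort --help-module alert_csv` and `snort --help-module log_pcap` before relying on them.

```lua
-- Added example: snort.lua output fragment for Snort 3.
-- Assumption: the alert_csv and log_pcap logger modules and the parameters below
-- exist in your build (check with snort --help-module <name>).
-- This replaces the Snort 2 'logto:' rule option, which Snort 3 rejects
-- as an unknown rule keyword (see the errors earlier in the thread).

-- Alerts go to alert_csv.txt in the log directory chosen with -l.
alert_csv =
{
    file = true,
    -- assumed default field order; listed explicitly so the columns are known
    fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action',
}

-- Packets that raised an event go to a pcap file in the same -l directory.
-- limit is the rollover size in MB (0 = unlimited); 10 MB keeps files small
-- enough to pull into Wireshark quickly during an investigation.
log_pcap =
{
    limit = 10,
}

-- The corrected rule from the thread, inline: note sid uses ':' not '='.
ips =
{
    rules = [[
        alert icmp any any -> any any ( sid:400000001; rev:1; )
    ]],
}
```

With this in the conf, `snort -c snort.lua -l /var/snort/log -r ping.pcap` (or `-i <iface>` for live traffic) writes the CSV alerts and the pcap into /var/snort/log without any per-rule option, so the capture is already in place when the event fires rather than something you start afterwards. The same two tables can be passed on the command line with --lua, as Carter did for alert_csv, if you would rather not touch the conf. Note that log_pcap records packets for every event from every rule, not just this sid; if you need per-rule selection, filter the resulting pcap on the alert's pkt_num or address pair from alert_csv.txt.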
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
