Snort mailing list archives

Help with HTTP extra data in unified2 log


From: Felipe Arturo Polanco via Snort-users <snort-users () lists snort org>
Date: Mon, 18 Mar 2019 17:41:49 -0400

Hi,

I've been trying to log the HTTP hostname whenever there is a match but so
far I haven't been successful.

I'm following this guide:
https://blog.snort.org/2011/09/snort-291-http-and-smtp-logging.html

This is the output I receive:

u2spewfoo ./alert2.log.1552943372

(Event)
        sensor id: 0    event id: 1     event second: 1552943448        event microsecond: 390589
        sig id: 1000002 gen id: 1       revision: 1      classification: 1
        priority: 3     ip source: 192.0.0.6    ip destination: 155.94.239.208
        src port: 52146 dest port: 80   protocol: 6     impact_flag: 32 blocked: 1


As you can see there is no extra data header, even though I configured it
in here:

portvar HTTP_PORTS [80,8080]
preprocessor http_inspect_server: <trimmed> u_encode yes webroot no log_uri log_hostname
output alert_unified2: filename alert2.log


This is my rule:
drop tcp any any -> any $HTTP_PORTS ( msg:"Alerting Test"; content:"test-message12345"; react: msg; metadata:ruleset community; metadata:internal-test; classtype:not-suspicious; sid:1000001; rev:1; stream_reassemble:enable,both;)

Is there something else I should enable to get the extra data headers?

Thanks,
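A small unified2 reader, added here as an example (it is not part of the original post and not Snort's own code): it walks the record stream, decodes the legacy IPv4 IDS event record (type 7) and the extra data record (type 110) that http_inspect's log_uri / log_hostname options emit, and joins each extra data record onto its event by (sensor_id, event_id, event_second). Run against a real alert2.log it shows directly whether any type-110 records were written at all, independent of what u2spewfoo prints. The record layouts follow Snort's Unified2_common.h; the inner header value EVENT_TYPE_EXTRA_DATA = 4 and the extra data type numbers (9 = HTTP URI, 10 = HTTP hostname) are assumptions stated as such in the code. The sample bytes are constructed: the event fields are copied from the u2spewfoo output above, while the hostname www.example.com and URI /test are made up for the example.

```python
import socket
import struct

# Record types from Snort's Unified2_common.h
UNIFIED2_IDS_EVENT = 7      # legacy IPv4 IDS event, 52-byte body
UNIFIED2_EXTRA_DATA = 110   # extra data record (HTTP URI/hostname, XFF, ...)
EVENT_DATA_TYPE_BLOB = 1
EVENT_TYPE_EXTRA_DATA = 4   # inner event_type in the extra data header (assumed value)

# Extra data "type" values; 9 and 10 are what log_uri / log_hostname write (assumed numbers)
EXTRA_NAMES = {1: "xff_ipv4", 2: "xff_ipv6", 9: "http_uri", 10: "http_hostname"}


def _ipv4(n):
    return socket.inet_ntoa(struct.pack(">I", n))


def parse_ids_event(body):
    """Decode a Serial_Unified2IDSEvent_legacy body (11 x u32, 2 x u16, 4 x u8)."""
    fields = struct.unpack_from(">11I2H4B", body, 0)
    keys = ("sensor_id", "event_id", "event_second", "event_microsecond", "sig_id",
            "gen_id", "revision", "classification", "priority", "ip_source",
            "ip_destination", "src_port", "dest_port", "protocol", "impact_flag",
            "impact", "blocked")
    ev = dict(zip(keys, fields))
    ev["ip_source"] = _ipv4(ev["ip_source"])
    ev["ip_destination"] = _ipv4(ev["ip_destination"])
    return ev


def parse_extra_data(body):
    """Decode Unified2ExtraDataHdr + SerialUnified2ExtraData + blob."""
    (_ev_type, _ev_len, sensor_id, event_id, event_second,
     etype, data_type, blob_length) = struct.unpack_from(">8I", body, 0)
    # blob_length counts the data plus the data_type and blob_length fields (8 bytes)
    data = body[32:32 + blob_length - 8]
    if len(data) != blob_length - 8:
        raise ValueError("truncated extra data blob")
    if etype == 1:
        value = _ipv4(struct.unpack(">I", data)[0])
    elif etype in (9, 10):
        value = data.decode("ascii", "replace")
    else:
        value = data.hex()
    return {"sensor_id": sensor_id, "event_id": event_id, "event_second": event_second,
            "type": etype, "name": EXTRA_NAMES.get(etype, "type_%d" % etype),
            "data_type": data_type, "value": value}


def parse_unified2(buf):
    """Return a list of (kind, record) for every record in a unified2 byte string."""
    records, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = struct.unpack_from(">II", buf, off)   # header is big-endian type, length
        body = buf[off + 8:off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record body (type %d) at offset %d" % (rtype, off))
        off += 8 + rlen
        if rtype == UNIFIED2_IDS_EVENT:
            records.append(("event", parse_ids_event(body)))
        elif rtype == UNIFIED2_EXTRA_DATA:
            records.append(("extra", parse_extra_data(body)))
        else:
            records.append(("other", {"type": rtype, "length": rlen}))
    return records


def extra_by_event(records):
    """Join extra data onto its event key (sensor_id, event_id, event_second)."""
    joined = {}
    for kind, rec in records:
        if kind == "extra":
            key = (rec["sensor_id"], rec["event_id"], rec["event_second"])
            joined.setdefault(key, {})[rec["name"]] = rec["value"]
    return joined


# --- constructed sample data (not a real capture) -------------------------------
def _record(rtype, body):
    return struct.pack(">II", rtype, len(body)) + body


def _extra_record(sensor_id, event_id, event_second, etype, data):
    inner = struct.pack(">6I", sensor_id, event_id, event_second, etype,
                        EVENT_DATA_TYPE_BLOB, len(data) + 8) + data
    return _record(UNIFIED2_EXTRA_DATA,
                   struct.pack(">II", EVENT_TYPE_EXTRA_DATA, 8 + len(inner)) + inner)


SAMPLE = (
    _record(UNIFIED2_IDS_EVENT, struct.pack(
        ">11I2H4B", 0, 1, 1552943448, 390589, 1000002, 1, 1, 1, 3,
        struct.unpack(">I", socket.inet_aton("192.0.0.6"))[0],
        struct.unpack(">I", socket.inet_aton("155.94.239.208"))[0],
        52146, 80, 6, 32, 0, 1))
    + _extra_record(0, 1, 1552943448, 10, b"www.example.com")   # made-up hostname
    + _extra_record(0, 1, 1552943448, 9, b"/test")              # made-up URI
)

if __name__ == "__main__":
    recs = parse_unified2(SAMPLE)
    for kind, rec in recs:
        print(kind, rec)
    print(extra_by_event(recs))
```

To inspect a real spool file, replace SAMPLE with `open("alert2.log.1552943372", "rb").read()`; if `extra_by_event()` comes back empty for an event, no type-110 record was written for it, so the gap is in what Snort logged rather than in how u2spewfoo displays it.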