Snort mailing list archives
Help with HTTP extra data in unified2 log
From: Felipe Arturo Polanco via Snort-users <snort-users () lists snort org>
Date: Mon, 18 Mar 2019 17:41:49 -0400
Hi, I've been trying to log the HTTP hostname whenever there is a match but so far I haven't been successful. I'm following this guide: https://blog.snort.org/2011/09/snort-291-http-and-smtp-logging.html This is the output I receive: u2spewfoo ./alert2.log.1552943372 (Event) sensor id: 0 event id: 1 event second: 1552943448 event microsecond: 390589 sig id: 1000002 gen id: 1 revision: 1 classification: 1 priority: 3 ip source: 192.0.0.6 ip destination: 155.94.239.208 src port: 52146 dest port: 80 protocol: 6 impact_flag: 32 blocked: 1 As you can see there is no extra data header, even though I configured it in here: portvar HTTP_PORTS [80,8080] preprocessor http_inspect_server: <trimmed> u_encode yes webroot no log_uri log_hostname output alert_unified2: filename alert2.log This is my rule: drop tcp any any -> any $HTTP_PORTS ( msg:"Alerting Test"; content: "test-message12345"; react: msg; metadata:ruleset community; metadata: internal-test; classtype:not-suspicious; sid:1000001; rev:1;stream_reassemble:enable,both;) Is there something else I should enable to get the extra data headers? Thanks,
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users To unsubscribe, send an email to: snort-users-leave () lists snort org Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Current thread:
- Help with HTTP extra data in unified2 log Felipe Arturo Polanco via Snort-users (Mar 18)