[Snort-sigs] logging session using tagging

Christophe VG snort-rules at ...1343...
Mon Apr 28 07:30:11 EDT 2003


Hi all,

I'm encountering some trouble while logging a session once a given trigger
is met. I'm using this rule:

log tcp any any <> any any (   \
  content: "TRIGGER";          \
  tag: session, 300, packets;  \
  session:printable;           \
  msg: "trigger triggered"; )

... which, in my opinion, should start logging the session as soon as it
sees the word TRIGGER in any communication.

Now I have the following problems:

1. The session is only fully dumped to file when the TCP connection is
closed. Is it possible to force the dump to file immediately? Some sort
of flush?

2. I only see the src's side of the session being logged,
   e.g. using telnet to an SMTP server to have some quick feedback:

   [xtof at ...1481... xtof]$telnet smtpserver 25
   Trying 10.0.0.1....
   Connected to smtpserver.
   Escape character is '^]'.
   220 smtpserver ESMTP
   HELO
   250 smtpserver
   TRIGGER
   502 unimplemented (#5.5.1)
   test
   502 unimplemented (#5.5.1)
   test2
   502 unimplemented (#5.5.1)
   ^]
   telnet> Connection closed.

   results in a session log:

   [xtof at ...1482... xtof]#cat SESSION\:8432-25
   TRIGGER 
   HELO
   TRIGGER
   test
   test2

   while I was expecting:

   TRIGGER
   502 unimplemented (#5.5.1)
   test
   502 unimplemented (#5.5.1)
   test2
   502 unimplemented (#5.5.1)

One good thing is that I also have the HELO which occurred in front of
the TRIGGER :) but I'd love to see the replies also show up in the
session log.

Anyone got a clue what's missing/wrong here?
Thanks again in advance,
Christophe VG
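As an added illustration (not Snort's own code and not part of the original post), the following Python model shows what `tag: session, 300, packets` is expected to do: once the content match fires, the next 300 packets of the same TCP session are logged in both directions, so the server's 502 replies would appear next to the client's lines. The endpoints, the count semantics (the triggering packet is logged by the rule, the following <count> packets by the tag) and the packet contents are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

SessionKey = FrozenSet[Tuple[str, int]]

def session_key(p: Packet) -> SessionKey:
    """Direction-agnostic key: client->server and server->client share it."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

class SessionTagger:
    """Model of 'content:"X"; tag:session,<count>,packets;' (assumed semantics):
    the matching packet is logged by the rule itself, then the following <count>
    packets of the same session, in either direction, are tagged and logged."""
    def __init__(self, trigger: bytes, count: int) -> None:
        self.trigger = trigger
        self.count = count
        self.remaining: Dict[SessionKey, int] = {}  # session -> packets left to tag

    def process(self, p: Packet) -> bool:
        """Return True if this packet belongs in the session log."""
        key = session_key(p)
        if key in self.remaining:          # session already tagged: log both directions
            self.remaining[key] -= 1
            if self.remaining[key] == 0:
                del self.remaining[key]
            return True
        if self.trigger in p.payload:      # content match: start tagging this session
            self.remaining[key] = self.count
            return True
        return False

def session_log(packets: List[Packet], trigger: bytes, count: int) -> List[bytes]:
    tagger = SessionTagger(trigger, count)
    return [p.payload for p in packets if tagger.process(p)]

# Constructed packets mirroring the telnet-to-SMTP exchange in the post.
C, S = ("10.0.0.2", 8432), ("10.0.0.1", 25)
def c2s(data: bytes) -> Packet: return Packet(*C, *S, data)
def s2c(data: bytes) -> Packet: return Packet(*S, *C, data)
EXCHANGE = [
    s2c(b"220 smtpserver ESMTP\r\n"), c2s(b"HELO\r\n"), s2c(b"250 smtpserver\r\n"),
    c2s(b"TRIGGER\r\n"), s2c(b"502 unimplemented (#5.5.1)\r\n"),
    c2s(b"test\r\n"), s2c(b"502 unimplemented (#5.5.1)\r\n"),
    c2s(b"test2\r\n"), s2c(b"502 unimplemented (#5.5.1)\r\n"),
]

if __name__ == "__main__":
    for line in session_log(EXCHANGE, b"TRIGGER", 300):
        print(line.decode().rstrip())
```

With the full count the output matches the "expected" log in the post (TRIGGER and the three 502 replies interleaved with the client lines); with a small count, e.g. 2, tagging stops after the two packets following the trigger.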