[Snort-sigs] Problem with session tagging - multiple alerts in session

Al Lewis (allewi) allewi at ...3865...
Mon Apr 11 06:24:54 EDT 2016


Hello,

Do you have an example of this problem (conf and pcap) that you can provide?


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...3865...

From: Amir Kravitz [mailto:amirkravitz at ...4143...]
Sent: Monday, April 11, 2016 1:45 AM
To: Al Lewis (allewi)
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: RE: [Snort-sigs] Problem with session tagging - multiple alerts in session

Hi,

I'm not using the same sid for both rules. I made a mistake only in my example...

Sent: Wednesday, April 06, 2016 at 12:55 PM
From: "Al Lewis (allewi)" <allewi at ...3865...>
To: "Amir Kravitz" <amirkravitz at ...4143...>
Cc: snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] Problem with session tagging - multiple alerts in session
Hello,

If you use the rules you have below it probably doesn’t work because you are using the SAME sid number over and only ONE rule is matching.

Try changing the SID numbers to unique ones first and see if that helps.

Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...3865...

From: Amir Kravitz [mailto:amirkravitz at ...4143...]
Sent: Wednesday, April 06, 2016 2:41 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Problem with session tagging - multiple alerts in session

Hi,

I'm trying to post again after my last attempt came out as an http source...

I'm new to snort.
I'm trying to use tag:session to log all the packets in the session.
I found out that not all the packets in the session were logged as part of the session.
When other packets in the tagged session generated new alerts, they were logged with an event-id of the new alert (they just generated) and not with the tagged session event-id.
How can I identify all the packets in the session (even if some of them generated other alerts)?

I'm using the rules:
alert tcp any any -> any any ( content:"AAA" ; sid:10000001; tag:session,10,seconds; )
alert tcp any any -> any any ( content:"BBB" ; sid:10000001; )

Thanks,
Amir
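One way to answer the question above from the logs themselves, as an added example that is not part of the thread: since a packet that fires a second rule inside a tag:session window is logged under the new event-id, the event-id alone cannot tie it back to the tagged session, but the TCP 5-tuple can. The script groups logged packets by a direction-independent flow key (protocol plus both endpoints), so both directions of the session and packets carrying a different event-id land in the same bucket. The log lines are constructed in a simplified alert_fast-like layout, not real Snort output, and the BBB rule is assumed to carry a unique sid (10000002), as suggested earlier in the thread.

```python
"""Group Snort-logged packets into sessions by 5-tuple rather than by event-id.

Added example for the Snort-sigs thread on tag:session; the sample log below
is constructed and its layout is only loosely modelled on alert_fast output.
"""
import re
from collections import defaultdict

# Constructed sample: time [**] [gid:sid:rev] msg [**] {proto} src:sport -> dst:dport
# Session 1 (10.0.0.5:51000 <-> 10.0.0.9:80): two packets tagged by sid 10000001,
# one packet that also matched the (hypothetical) BBB rule, sid 10000002.
# Session 2 (10.0.0.7:52000 <-> 10.0.0.9:80): an unrelated tagged packet.
SAMPLE_LOG = """\
04/06-02:40:01.000100  [**] [1:10000001:1] AAA seen [**] {TCP} 10.0.0.5:51000 -> 10.0.0.9:80
04/06-02:40:01.000200  [**] [1:10000001:1] AAA seen [**] {TCP} 10.0.0.9:80 -> 10.0.0.5:51000
04/06-02:40:01.000300  [**] [1:10000002:1] BBB seen [**] {TCP} 10.0.0.5:51000 -> 10.0.0.9:80
04/06-02:40:02.000400  [**] [1:10000001:1] AAA seen [**] {TCP} 10.0.0.7:52000 -> 10.0.0.9:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_line(line):
    """Return a dict for one alert record, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "sid": int(d["sid"]),
        "msg": d["msg"],
        "proto": d["proto"],
        "src": (d["src"], int(d["sport"])),
        "dst": (d["dst"], int(d["dport"])),
    }


def flow_key(rec):
    """Direction-independent session key: (proto, lower endpoint, higher endpoint).

    Sorting the two endpoints makes client->server and server->client packets
    map to the same key, which is what a tagged session needs.
    """
    a, b = sorted([rec["src"], rec["dst"]])
    return (rec["proto"], a, b)


def group_sessions(log_text):
    """Map each flow key to the list of logged packets that belong to it."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not an alert record; ignore
        sessions[flow_key(rec)].append(rec)
    return dict(sessions)


def sids_per_session(log_text):
    """For each session, the sorted set of sids that fired on its packets.

    A session listing more than one sid is exactly the case from the thread:
    packets logged under a second event-id that still belong to the tagged flow.
    """
    return {
        key: sorted({r["sid"] for r in recs})
        for key, recs in group_sessions(log_text).items()
    }


if __name__ == "__main__":
    for key, recs in group_sessions(SAMPLE_LOG).items():
        print(key, "packets:", len(recs), "sids:", sids_per_session(SAMPLE_LOG)[key])
```

The same grouping works on any record source that exposes the 5-tuple (for instance packet records pulled from a unified2 spool); only `parse_line` needs to change.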