[Snort-users] Including packet contents in alert msgs

Gregor Binder gbinder at ...462...
Wed Oct 18 15:39:41 EDT 2000

Anthony Pardini on Wed, Oct 18, 2000 at 11:47:38AM -0500:


> in an attempt to look for login names being used I came up with this rule. 
> It only logs the prompt, not the response to the prompt. How would I be 
> able to log the username ?

as far as I know, the alert format does not allow backreferences of
any kind to the packet (header(s) and payload). Even though this
would definitely be a very neat feature ...

But even if it could, that wouldn't necessarily solve your problem,
since the response to the login: prompt will most likely not be in the
same packet as the prompt itself, so your code would match the wrong
packet in the first place. Even worse, in a protocol like telnet every
single character of the login prompt will be in a different packet.

You will probably want to sniff log traffic to/from the port in
question (using the -b option with snort) in tcpdump format, alert
yourself with snort using the method you described, and then use a
program like ethereal or dsniff to decode the protocol.


Gregor Binder  <gbinder at ...462...>  http://www.sysfive.com/~gbinder/
sysfive.com GmbH             UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany       TEL +49-40-63647482

More information about the Snort-users mailing list