[Snort-users] Including packet contents in alert msgs
gbinder at ...462...
Wed Oct 18 15:39:41 EDT 2000
Anthony Pardini on Wed, Oct 18, 2000 at 11:47:38AM -0500:
> In an attempt to look for login names being used I came up with this rule.
> It only logs the prompt, not the response to the prompt. How would I be
> able to log the username?
As far as I know, the alert format does not allow backreferences of
any kind to the packet (header(s) and payload). Even though this
would definitely be a very neat feature ...
But even if it could, that wouldn't necessarily solve your problem,
since the response to the login: prompt will most likely not be in the
same packet as the prompt itself, so your code would match the wrong
packet in the first place. Even worse, in a protocol like telnet every
single character of the login prompt will be in a different packet.
You will probably want to sniff and log traffic to/from the port in
question (using the -b option with snort) in tcpdump format, alert
yourself with snort using the method you described, and then use a
program like ethereal or dsniff to decode the protocol.
Gregor Binder <gbinder at ...462...> http://www.sysfive.com/~gbinder/
sysfive.com GmbH UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany TEL +49-40-63647482