[Snort-users] Including packet contents in alert msgs

Joe McAlerney joey at ...155...
Wed Oct 18 17:56:04 EDT 2000


Gregor Binder wrote:
> 
> Anthony Pardini on Wed, Oct 18, 2000 at 11:47:38AM -0500:
> 
> Anthony,
> 
> > in an attempt to look for login names being used I came up with this rule.
> > It only logs the prompt, not the response to the prompt. How would I be
> > able to log the username ?
> 
> as far as I know, the alert format does not allow backreferences of
> any kind to the packet (header(s) and payload). Even though this
> would definitely be a very neat feature ...
> 
> But even if it could, that wouldn't necessarily solve your problem,
> since the response to the login: prompt will most likely not be in the
> same packet as the prompt itself, so your code would match the wrong
> packet in the first place. Even worse, in a protocol like telnet every
> single character of the login prompt will be in a different packet.
> 
> You will probably want to sniff log traffic to/from the port in
> question (using the -b option with snort) in tcpdump format, alert
> yourself with snort using the method you described, and then use a
> program like ethereal or dsniff to decode the protocol.

You could use dynamic rules to catch all traffic after the "login" rule
was set off.  Like Gregor said, it would log each character in a packet
for something like telnet, but it would get the job done.

activate tcp any any <> any any (content:"login"; activates: 1;)
dynamic tcp any any <> any any (activated_by: 1; count: 20; logto: "LoginData";)

The problem is, there is no way to specify _which_ host to log tcp data
from in the dynamic rule.  If you know the machine(s) in question, you
might want to use them instead of "any".  With the above rules, you may
be sifting through normal tcp traffic to find the login data you want.
You may have to bump the packet count up from 20 to something higher to
make sure you collect the entire login.

As always, make sure this doesn't violate the acceptable use policy of
your organization.

-Joe M.

-- 
+--                              --+
| Joe McAlerney, Silicon Defense   |
| http://www.silicondefense.com/   |
+--                              --+
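
Added example, not part of the original post: a post-processing sketch for the "sifting through normal tcp traffic" problem described above. It keeps only the flow that received the prompt and joins the per-character client packets into one login name. The packet tuples, the addresses and the `login_names` helper are constructed for illustration; they assume the logged packets have already been decoded from the tcpdump-format log and that the prompt arrives in a single packet, as the content match in the rule also requires.

```python
import re

# Telnet option negotiation (IAC WILL/WONT/DO/DONT <option>) is not typed input.
IAC = re.compile(rb"\xff[\xfb-\xfe].", re.S)

def login_names(packets, prompt=b"login"):
    """Return (client, server, name) for each prompt answered in `packets`.

    `packets` is an iterable of (src, sport, dst, dport, payload) in capture
    order. Only the flow that received the prompt is followed, which is the
    per-host filter the dynamic rule cannot express.
    """
    pending = {}   # (client, cport, server, sport) -> bytes typed so far
    names = []
    for src, sport, dst, dport, payload in packets:
        if prompt in payload:
            # The prompt travels server -> client; the reply comes back reversed.
            pending[(dst, dport, src, sport)] = bytearray()
            continue
        key = (src, sport, dst, dport)
        if key not in pending:
            continue   # unrelated traffic, or the server echoing a keystroke
        buf = pending[key]
        buf += IAC.sub(b"", payload)
        if b"\r" in buf or b"\n" in buf:
            # Stop at end of line so nothing after the name is collected.
            line = re.split(rb"[\r\n]", bytes(buf), maxsplit=1)[0]
            names.append((src, dst, line.decode("ascii", "replace")))
            del pending[key]
    return names

# Constructed sample traffic (documentation addresses, not a real capture).
C, S = ("192.0.2.5", 1042), ("192.0.2.9", 23)
PACKETS = [(*S, *C, b"\r\nlogin: "),
           ("192.0.2.7", 3311, "192.0.2.8", 80, b"GET / HTTP/1.0\r\n\r\n"),
           (*C, *S, b"\xff\xfd\x03")]          # negotiation, ignored
for ch in b"alice":
    PACKETS.append((*C, *S, bytes([ch])))      # one keystroke per packet
    PACKETS.append((*S, *C, bytes([ch])))      # server echo, ignored
PACKETS.append((*C, *S, b"\r\x00"))            # telnet end of line
PACKETS.append((*S, *C, b"\r\nPassword: "))

if __name__ == "__main__":
    for client, server, name in login_names(PACKETS):
        print(f"{client} -> {server}: login name {name!r}")
```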


