[Snort-users] Including packet contents in alert msgs - another one for the wishlist!

Erik Engberg Erik.Engberg at ...511...
Thu Oct 19 14:44:13 EDT 2000

Another one for the wishlist...

wouldn't it be kinda nice to let a program like dsniff do this?

Dsniff has plenty of really nice features (check the page).

It could be tweaked to log to the same place as snort or maybe
snortsnarf/aircert developers could incorporate dsniff logreading (hint,
hint ;). I guess making it a preprocessor could be an option but I'm not too
sure about that one...


-----Original Message-----
From: Joe McAlerney [mailto:joey at ...155...]
Sent: den 18 oktober 2000 23:56
To: Anthony Pardini
Cc: Gregor Binder; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Including packet contents in alert msgs

Gregor Binder wrote:
> Anthony Pardini on Wed, Oct 18, 2000 at 11:47:38AM -0500:
> Anthony,
> > in an attempt to look for login names being used I came up with this
> > It only logs the prompt, not the response to the prompt. How would I be
> > able to log the username ?
> as far as I know, the alert format does not allow backreferences of
> any kind to the packet (header(s) and payload). Even though this
> would definitely be a very neat feature ...
> But even if it could, that wouldn't necessarily solve your problem,
> since the response to the login: prompt will most likely not be in the
> same packet as the prompt itself, so your code would match the wrong
> packet in the first place. Even worse, in a protocol like telnet every
> single character of the login prompt will be in a different packet.
> You will probably want to sniff log traffic to/from the port in
> question (using the -b option with snort) in tcpdump format, alert
> yourself with snort using the method you described, and then use a
> program like ethereal or dsniff to decode the protocol.

You could use dynamic rules to catch all traffic after the "login" rule
was set off.  Like Gregor said, it would log each character in a packet
for something like telnet, but it would get the job done.

activate tcp any any <> any any (content:"login"; activates: 1;)
dynamic tcp any any <> any any (activated_by: 1; count: 20; logto:

The problem is, there is no way to specify _which_ host to log tcp data
from in the dynamic rule.  If you know the machine(s) in question, you
might want to use them instead of "any".  With the above rules, you may
be sifting through normal tcp traffic to find the login data you want.
You may have to bump the packet count up from 20 to something higher to
make sure you collect the entire login.

As always, make sure this doesn't violate the acceptable use policy of
your organization.

-Joe M.

+--                              --+
| Joe McAlerney, Silicon Defense   |
| http://www.silicondefense.com/   |
+--                              --+
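Added example, not part of the thread and not Snort's own code: a small Python simulation of how the activate/dynamic rule pair in Joe's reply behaves on a telnet-style login. It shows concretely why the count of 20 can be too low (telnet sends one character per packet and the server echoes each one, so even a short username costs a dozen packets) and why leaving the dynamic rule at "any" lets unrelated traffic use up the count. All hosts, payloads and the packet trace are constructed for the example, and the logto filename in the comment is a placeholder.

```python
"""Added example (not from the original thread): a simulation of a Snort 1.x
activate/dynamic rule pair on a constructed telnet login, built to show why
the dynamic rule's packet count may need raising and why "any" hosts cost
packets.  Every host, payload and packet below is constructed for the example."""
from dataclasses import dataclass

# Rules this simulation mirrors (LOGFILE is a placeholder, not a real path):
#   activate tcp any any <> any any (content:"login"; activates: 1;)
#   dynamic  tcp any any <> any any (activated_by: 1; count: 20; logto: "LOGFILE";)

CLIENT, SERVER = "10.0.0.5", "10.0.0.23"     # constructed telnet endpoints
OTHER_A, OTHER_B = "10.0.0.9", "10.0.0.10"   # constructed unrelated HTTP flow


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def telnet_login_trace(username: str = "alice") -> list:
    """Constructed trace: the server sends the prompt, then the client sends
    one character per packet (as telnet does), the server echoes each one,
    and an unrelated HTTP packet is interleaved after every echo."""
    pkts = [Packet(SERVER, CLIENT, b"login: ")]
    for ch in [bytes([c]) for c in username.encode()] + [b"\r\n"]:
        pkts.append(Packet(CLIENT, SERVER, ch))                       # keystroke
        pkts.append(Packet(SERVER, CLIENT, ch))                       # server echo
        pkts.append(Packet(OTHER_A, OTHER_B, b"GET / HTTP/1.0\r\n"))  # noise
    return pkts


def run_rules(packets, trigger=b"login", count=20, hosts=None) -> list:
    """Activate rule: fires when `trigger` appears in a payload.
    Dynamic rule: logs the next `count` packets matching its header.  With
    hosts=None the header is 'any <> any'; otherwise only packets to or from
    one of `hosts` are counted (the "use them instead of any" advice)."""
    remaining, logged = 0, []
    for pkt in packets:
        if remaining > 0:
            if hosts is None or pkt.src in hosts or pkt.dst in hosts:
                logged.append(pkt)
                remaining -= 1
        elif trigger in pkt.payload:
            remaining = count  # activate fired; the dynamic rule starts logging
    return logged


def recover_username(logged, client=CLIENT):
    """Reassemble what the client typed from the logged packets.
    Returns (text, complete); complete is True only if the CR LF that ends
    the username was captured, i.e. the count was high enough."""
    typed = b"".join(p.payload for p in logged if p.src == client)
    if b"\r\n" in typed:
        return typed.split(b"\r\n", 1)[0].decode(), True
    return typed.decode(), False


def demo() -> dict:
    trace = telnet_login_trace("alice")
    return {
        "count20_any":   recover_username(run_rules(trace, count=20)),
        "count12_any":   recover_username(run_rules(trace, count=12)),
        "count12_hosts": recover_username(run_rules(trace, count=12, hosts={CLIENT})),
        "count8_hosts":  recover_username(run_rules(trace, count=8, hosts={CLIENT})),
    }


if __name__ == "__main__":
    for label, (text, complete) in demo().items():
        print(f"{label:14s} -> {text!r} complete={complete}")
```

Running it shows that a five-character username plus its terminating CR LF needs 12 telnet packets once echoes are counted, that with "any" hosts the interleaved HTTP traffic eats into that budget, and that restricting the dynamic rule to the client host makes the same count sufficient.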
Snort-users mailing list
Snort-users at lists.sourceforge.net