[Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired

Jason security at ...5028...
Wed Sep 8 12:21:12 EDT 2004


preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
output log_tcpdump: filename alert.pcap

ruletype suspect {
   type log
   output log_tcpdump: suspicious.pcap
}

ruletype redalert
{
   type log
   output log_tcpdump: redalert.pcap
}

suspect tcp any any -> any 22 (msg:"I see port 22"; tag:session,30,seconds;)

redalert tcp any any -> any 80 (msg:"I see port 80"; tag:session,30,seconds;)




Loch Theary wrote:

> Hi again,
> 
> Could you please publish a working snort.conf with the log_tcpdump ruletype and the corresponding suspicious rules of your own? Because I have created a suspicious ruletype in my snort.conf and then used it in the local.rules, restarted snort and it doesn't work at all!!!!!!!
> 
> I probably missed something but I can't figure out what ! :-(
> 
> Could you help ?
> 
> Regards,
> Theary
> 
> 
> -----Original Message-----
> From: Jason [mailto:security at ...5028...]
> Sent: Monday 6 September 2004 23:31
> To: Loch Theary
> Cc: Hart Clarence (rti1clh); emf at ...367...;
> snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] How to dump a certain number of tcp packets
> (for TCPDUMP) when an alert is fired
> 
> 
> You still want log_tcpdump however you can create another output type 
> for just the alerts you want to go into the tcpdump format file. You can 
> create as many alert types as you would like for different files for 
> different alerts... Just watch how they are ordered in the rare case you 
> hit a dependency.
> 
> http://www.snort.org/docs/snort_manual/node16.html#SECTION00421000000000000000
> 
> Loch Theary wrote:
> 
> 
>>Yes, I've tried that. But in this case, you do log all packets in
>>tcpdump format and not only the selected rules. And doing so, I don't
>>know how many hard disks you will need for a big big network! And if you
>>want to investigate further for some alerts, you will have to deal
>>with all alerts ...
>>
>>I'm wondering if there are other ways to deal with the tcpdump format
>>than adding the log_tcpdump directive in snort.conf.
>>
>>-----Original Message-----
>>From: Jason [mailto:security at ...5028...]
>>Sent: Monday 6 September 2004 17:07
>>To: Loch Theary
>>Cc: Hart Clarence (rti1clh); emf at ...367...; snort-users at lists.sourceforge.net
>>Subject: Re: [Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired
>>
>>
>>I think you need to remove logto from the rules and use this in
>>snort.conf
>>
>>http://www.snort.org/docs/snort_manual/node13.html#SECTION00345000000000000000
>>
>>
>>Loch Theary wrote:
>>
>>
>>
>>>My respects all,
>>>
>>>It doesn't work even with the "logto" directive.
>>>
>>>
>>>
>>>
>>>>These are my modified alert rules:
>>>
>>>
>>>>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase; logto:"/snort/logs/suspicious.tcpdump"; tag:session,50,packets; classtype:web-application-attack; sid:1497; rev:6;)
>>>
>>>
>>>>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"/bin/mail"; nocase; logto:"/snort/logs/suspicious.tcpdump"; tag:session,50,packets; classtype:web-application-attack; sid:1366; rev:5;)
>>>
>>>
>>>>I can determine what I am doing wrong ...
>>>
>>>
>>>Anyone can help ?
>>>
>>>Regards, Theary
>>>
>>>-----Original Message-----
>>>From: Hart Clarence (rti1clh) [mailto:CHart at ...12386...]
>>>Sent: Friday 3 September 2004 15:40
>>>To: 'emf at ...367...'; Loch Theary
>>>Cc: snort-users at lists.sourceforge.net
>>>Subject: RE: [Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired
>>>
>>>
>>>If you use the alert tag, where are the log files going to go? (filenames or database)
>>>
>>>
>>>C
>>>
>>>
>>>-----Original Message-----
>>>From: Erik Fichtner [mailto:emf at ...367...]
>>>Sent: Thursday, September 02, 2004 12:55 PM
>>>To: Loch Theary
>>>Cc: snort-users at lists.sourceforge.net
>>>Subject: Re: [Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired
>>>
>>>
>>>-----BEGIN PGP SIGNED MESSAGE-----
>>>Hash: SHA1
>>>
>>>On Thu, Sep 02, 2004 at 05:05:02PM +0200, Loch Theary wrote:
>>>
>>>
>>>
>>>>Could you please tell me how to log a certain number of packets 
>>>>when an alert is fired (tcp dump format) ?
>>>
>>>
>>>"tag:session,${NUMBER},packets;"
>>>
>>>- --
>>>Erik Fichtner
>>>Principal Engineer, Information Security, ServerVault Corp.
>>>703-652-5900
>>>-----BEGIN PGP SIGNATURE-----
>>>Version: GnuPG v1.0.7 (FreeBSD)
>>>
>>>iD8DBQFBN1BXQ7EzrewLMS0RAo44AKDAQNM0GLBXm871a181TEspE0gdvwCgu8fk
>>>DM4p3ty2fTBlymbrsqyv5tA=
>>>=SBUM
>>>-----END PGP SIGNATURE-----
>>>
>>>
>>>------------------------------------------------------- This SF.Net
>>> email is sponsored by BEA Weblogic Workshop FREE Java Enterprise
>>>J2EE developer tools! Get your free copy of BEA WebLogic Workshop
>>>8.1 today. http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
>>> _______________________________________________ Snort-users
>>>mailing list Snort-users at lists.sourceforge.net Go to this URL to
>>>change user options or unsubscribe: 
>>>https://lists.sourceforge.net/lists/listinfo/snort-users
>>>Snort-users list archive: 
>>>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>
>>
> 
> 
> 




