[Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired

Loch Theary Theary.Loch at ...2990...
Thu Sep 9 00:30:26 EDT 2004


Hi there,

I think I found a workaround for my problem. I use binary output and "session:all" on some "suspicious" alerts.
Disk space is ok with that.

> /usr/sbin/snort  -b  -d -D  -i eth1 -u snort -g snort -c /etc/snort/snort.conf

Thank you all for your help,

Regards,
Theary

-----Original Message-----
From: Esler, Joel - Contractor [mailto:joel.esler at ...9426...]
Sent: Wednesday, 8 September 2004 23:33
To: Jason; Loch Theary
Cc: Hart Clarence (rti1clh); emf at ...367...;
snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] How to dump a certain number of tcp packets
(for TCPDUMP) when an alert is fired


Why don't you use binary output and you can just do session tagging?

Joel

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at ...3204...ts.sourceforge.net] On Behalf Of Jason
Sent: Wednesday, September 08, 2004 3:20 PM
To: Loch Theary
Cc: Hart Clarence (rti1clh); emf at ...367...; snort-users at ...973...et
Subject: Re: [Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired


preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
output log_tcpdump: filename alert.pcap

ruletype suspect {
   type log
   output log_tcpdump: suspicious.pcap
}

ruletype redalert
{
   type log
   output log_tcpdump: redalert.pcap
}

suspect tcp any any -> any 22 (msg:"I see port 22"; tag:session, 30, seconds; )

redalert tcp any any -> any 80 (msg:"I see port 80"; tag:session, 30, seconds; )




Loch Theary wrote:

> Hi again,
> 
> Could you please publish a working snort.conf with the log_tcpdump 
> ruletype and the corresponding suspicious rules of your own? Because 
> I have created a suspicious ruletype in my snort.conf, then used it 
> in local.rules and restarted snort, and it doesn't work at all !!!!!!!
> 
> I probably missed something but I can't figure out what! :-(
> 
> Could you help?
> 
> Regards,
> Theary
> 
> 
> -----Original Message-----
> From: Jason [mailto:security at ...5028...]
> Sent: Monday, 6 September 2004 23:31
> To: Loch Theary
> Cc: Hart Clarence (rti1clh); emf at ...367...; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired
> 
> 
> You still want log_tcpdump; however, you can create another output type
> for just the alerts you want to go into the tcpdump format file. You can 
> create as many alert types as you would like for different files for 
> different alerts... Just watch how they are ordered in the rare case you 
> hit a dependency.
> 
> http://www.snort.org/docs/snort_manual/node16.html#SECTION00421000000000000000
> 
> Loch Theary wrote:
> 
> 
>>Yes, I've tried that. But in this case, you do log all packets in 
>>tcpdump format and not only the selected rules. And doing so, I don't 
>>know how many hard disks you will need for a big big network! And if you 
>>want to investigate further for some alerts, you will have to deal 
>>with all alerts ...
>>
>>I'm wondering if there are other ways to deal with the tcpdump format 
>>than adding the log_tcpdump directive in snort.conf.
>>
>>-----Original Message-----
>>From: Jason [mailto:security at ...5028...]
>>Sent: Monday, 6 September 2004 17:07
>>To: Loch Theary
>>Cc: Hart Clarence (rti1clh); emf at ...367...; snort-users at lists.sourceforge.net
>>Subject: Re: [Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired
>>
>>
>>I think you need to remove logto from the rules and use this in 
>>snort.conf
>>
>>http://www.snort.org/docs/snort_manual/node13.html#SECTION00345000000000000000
>>
>>
>>Loch Theary wrote:
>>
>>
>>
>>>My respects all,
>>>
>>>It doesn't work even with the "logto" directive.
>>>
>>>
>>>
>>>
>>>>These are my modified alert rules:
>>>
>>>>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase; logto:"/snort/logs/suspicious.tcpdump"; tag:session,50,packets; classtype:web-application-attack; sid:1497; rev:6;)
>>>
>>>>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"/bin/mail"; nocase; logto:"/snort/logs/suspicious.tcpdump"; tag:session,50,packets; classtype:web-application-attack; sid:1366; rev:5;)
>>>
>>>>I can't determine what I am doing wrong ...
>>>
>>>
>>>Can anyone help?
>>>
>>>Regards, Theary
>>>
>>>-----Original Message-----
>>>From: Hart Clarence (rti1clh) [mailto:CHart at ...12386...]
>>>Sent: Friday, 3 September 2004 15:40
>>>To: 'emf at ...367...'; Loch Theary
>>>Cc: snort-users at lists.sourceforge.net
>>>Subject: RE: [Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired
>>>
>>>
>>>If you use the alert tag, where are the log files going to go? 
>>>(filenames /or database)
>>>
>>>
>>>C
>>>
>>>
>>>-----Original Message-----
>>>From: Erik Fichtner [mailto:emf at ...367...]
>>>Sent: Thursday, September 02, 2004 12:55 PM
>>>To: Loch Theary
>>>Cc: snort-users at lists.sourceforge.net
>>>Subject: Re: [Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired
>>>
>>>
>>>
>>>On Thu, Sep 02, 2004 at 05:05:02PM +0200, Loch Theary wrote:
>>>
>>>
>>>
>>>>Could you please tell me how to log a certain number of packets
>>>>when an alert is fired (tcp dump format) ?
>>>
>>>
>>>"tag:session,${NUMBER},packets;"
>>>
>>>-- 
>>>Erik Fichtner
>>>Principal Engineer, Information Security, ServerVault Corp.
>>>703-652-5900
>>>
>>>
>>>------------------------------------------------------- This SF.Net  
>>>email is sponsored by BEA Weblogic Workshop FREE Java Enterprise J2EE 
>>>developer tools! Get your free copy of BEA WebLogic Workshop 8.1 
>>>today. http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
>>> _______________________________________________ Snort-users mailing 
>>>list Snort-users at lists.sourceforge.net Go to this URL to change user 
>>>options or unsubscribe: 
>>>https://lists.sourceforge.net/lists/listinfo/snort-users
>>>Snort-users list archive:
>>>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>>
>>>
>>
>>
>>
> 
> 
> 
> 



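The thread turns on three Snort 2 configuration details: a custom ruletype must be defined before the rules that use it (Jason's "watch how they are ordered"), `logto:` in a rule is not what produces a pcap (Jason's "remove logto ... use log_tcpdump"), and `tag:session,<n>,packets` bounds how much each alert adds to the capture file (Theary's disk-space worry). The script below is an added example, not code from the thread or from the Snort project: it statically checks a snort.conf-style text for exactly those problems using only the Python standard library. The `SAMPLE_CONF` is constructed in the shape of Jason's configuration with two deliberate mistakes; the 1514-byte Ethernet snaplen and the 16-byte pcap record header used in the size bound are assumptions stated in the code.

```python
"""Static check of a Snort 2 configuration for the pitfalls raised in this
thread: a custom ruletype used before (or without) its definition, 'logto:'
left in rules that are meant to end up in a pcap, and malformed 'tag:'
options.  Added example, not the thread's or Snort's own code; it assumes
the Snort 2 syntax shown in the mails (ruletype blocks, 'output
log_tcpdump:', 'tag:session,<n>,<metric>') and nothing more."""
import re

# Actions Snort 2 understands without a ruletype definition.
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic",
                   "drop", "reject", "sdrop"}

RULETYPE_OPEN_RE = re.compile(r"^ruletype\s+(\w+)\s*\{?$")
RULE_RE = re.compile(r"^(\w+)\s+(?:tcp|udp|icmp|ip)\s+\S+\s+\S+\s+(?:->|<>)"
                     r"\s+\S+\s+\S+\s*\((.*)\)$")
TAG_RE = re.compile(r"\btag\s*:\s*(session|host)\s*,\s*(\d+)\s*,\s*(packets|seconds|bytes)")


def _logical_lines(text):
    """Yield (first_line_number, joined_line), honouring backslash continuation
    and skipping blank lines and full-line comments."""
    buf, start = "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.endswith("\\"):
            start = lineno if start is None else start
            buf += line[:-1] + " "
            continue
        if buf:
            line, lineno, buf, start = buf + line, start, "", None
        if line and not line.startswith("#"):
            yield lineno, line


def parse_config(text):
    """Return (ruletypes, rules, findings) for a snort.conf-style text."""
    ruletypes, rules, findings, current = {}, [], [], None
    for lineno, line in _logical_lines(text):
        if current is not None:                 # inside a ruletype { ... } block
            if line == "{":
                continue
            if line == "}":
                current = None
            elif line.startswith("type "):
                ruletypes[current]["type"] = line.split(None, 1)[1]
            elif line.startswith("output "):
                ruletypes[current]["outputs"].append(line.split(None, 1)[1])
            else:
                findings.append((lineno, f"unexpected line inside ruletype {current}: {line!r}"))
            continue
        m = RULETYPE_OPEN_RE.match(line)
        if m:
            current = m.group(1)
            ruletypes[current] = {"line": lineno, "type": None, "outputs": []}
            continue
        m = RULE_RE.match(line)
        if m:
            rule = {"line": lineno, "action": m.group(1), "options": m.group(2), "tag": None}
            t = TAG_RE.search(rule["options"])
            if t:
                rule["tag"] = (t.group(1), int(t.group(2)), t.group(3))
            elif re.search(r"\btag\s*:", rule["options"]):
                findings.append((lineno, "tag option is not of the form tag:session,<count>,<metric>"))
            rules.append(rule)
    if current is not None:
        findings.append((ruletypes[current]["line"], f"ruletype {current} is never closed with '}}'"))
    return ruletypes, rules, findings


def check(text):
    """Return [(line, message)] sorted by line, one entry per problem found."""
    ruletypes, rules, findings = parse_config(text)
    for name, rt in ruletypes.items():
        if rt["type"] is None:
            findings.append((rt["line"], f"ruletype {name} has no 'type' line"))
        if not rt["outputs"]:
            findings.append((rt["line"], f"ruletype {name} has no output plugin, so it logs nothing"))
    for rule in rules:
        act = rule["action"]
        if act not in BUILTIN_ACTIONS:
            rt = ruletypes.get(act)
            if rt is None:
                findings.append((rule["line"], f"rule uses undefined ruletype '{act}'"))
            elif rt["line"] > rule["line"]:     # the ordering dependency Jason warns about
                findings.append((rule["line"], f"ruletype '{act}' is used before its definition on line {rt['line']}"))
        if re.search(r"\blogto\s*:", rule["options"]):
            findings.append((rule["line"], "logto: is not the pcap path (the thread's fix is a "
                                           "ruletype whose output is log_tcpdump); remove it"))
    return sorted(findings)


def max_bytes_per_alert(rule, snaplen=1514):
    """Upper bound on pcap growth from one firing of a packet-count tag.
    Assumes a 1514-byte Ethernet snaplen plus the 16-byte pcap record header;
    time-bounded tags (seconds) have no packet bound, so None is returned."""
    tag = rule["tag"]
    if tag is None or tag[2] != "packets":
        return None
    return tag[1] * (snaplen + 16)


# Constructed sample in the shape of Jason's snort.conf, with two deliberate
# mistakes: 'redalert' is used before it is defined, and one rule keeps logto:.
SAMPLE_CONF = """\
output log_tcpdump: filename alert.pcap

ruletype suspect {
   type log
   output log_tcpdump: suspicious.pcap
}

suspect tcp any any -> any 22 (msg:"I see port 22"; tag:session, 30, seconds;)
redalert tcp any any -> any 80 (msg:"I see port 80"; tag:session, 50, packets;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; \\
    logto:"/snort/logs/suspicious.tcpdump"; tag:session,50,packets; sid:1497; rev:6;)

ruletype redalert
{
   type log
   output log_tcpdump: redalert.pcap
}
"""

if __name__ == "__main__":
    for line, msg in check(SAMPLE_CONF):
        print(f"line {line}: {msg}")
```

Run it against a real snort.conf (after `include`-ing local.rules by hand, since the checker does not follow includes) before restarting the sensor; the two findings it prints for the sample are the ones that would make a freshly added ruletype appear to "not work at all". `max_bytes_per_alert` gives the per-alert ceiling for a packet-count tag, which multiplied by the expected alert rate is the disk budget for a selective pcap file; a seconds-based tag has no such ceiling, which is worth knowing before choosing it on a busy link.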



