[Snort-users] Post-Detection keyword [logto] not working
emiliano.fausto at ...11827...
Mon Apr 13 17:27:45 EDT 2015
I'm having trouble getting the "logto" keyword to work properly.
I'm using snort version 2.9.7, and what I've tried was:
1) Just letting this rule in the snort.conf file:
alert tcp any any <> any 8000 (content:"testing"; nocase; logto:testing;
I started a web server serving the file testing.txt, listening on port
8000, and issued a GET from a web browser, but SNORT didn't create a
file called testing with the packet capture.
Instead it created a snort.log.1231243 with this information.
2) I ran SNORT with user root (just to make sure it wasn't a permission
3) I pre-created the file testing with: "touch /var/log/snort/testing"
(because I read there were problems in the past with this). But the file
was 0 bytes after the GET was issued.
4) I tried changing the place of the logto keyword (first of all other
keywords, after the last keyword, etc.), nothing.
5) I tried with:
But nothing worked.
6) When I changed the rule to this line:
output alert_fast: /var/log/snort/alerts
alert tcp any any <> any 8000 (content:"testing"; nocase; msg:"rule
successful triggered"; sid:1;)
It did generate the rule message "rule successful triggered" in
/var/log/snort/alerts after issuing a GET with a browser. That's how I
know it's being triggered correctly.
But for some reason, the problem is when I try to use the logto.
Does anyone have this post-detection keyword working? Has anyone
experienced trouble with it?
I reviewed all 41 related mails in the snort-users list, but there's
nothing there that helped me.
I also think the way I start snort could be useful; I just
reduced it to:
snort -k none -i eth0 -c /etc/snort/snort.conf
Is there anything I'm missing? I read the snort manual again and again, but
there's nothing else I could find that gives me a hint on this.
Thanks in advance for any help you could give me on that.
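As an added example (not from the original post or from the Snort project), here is a small checker that parses a Snort 2.x rule into its header and option list and reports structural problems, run over the two rules quoted above. The first rule is copied exactly as it appears in the post, without a closing parenthesis, so the checker reports it as malformed; whether that is the cause of the logto behaviour is not something the post establishes.

```python
import re

# Constructed from the rules quoted in the post above; the first is copied
# verbatim and has no closing parenthesis.
RULE_TRUNCATED = 'alert tcp any any <> any 8000 (content:"testing"; nocase; logto:testing;'
RULE_WORKING = ('alert tcp any any <> any 8000 (content:"testing"; nocase; '
                'msg:"rule successful triggered"; sid:1;)')

# Snort 2.x rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


def split_options(text):
    """Split the option list on ';' but not inside double-quoted values."""
    parts, buf, quoted = [], '', False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            if buf.strip():
                parts.append(buf.strip())
            buf = ''
        else:
            buf += ch
    if buf.strip():
        parts.append(buf.strip())
    return parts


def parse_rule(rule):
    """Return (header dict, ordered [(name, value)] options); ValueError if malformed."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("rule header or option list is malformed (missing ')'?)")
    opts = []
    for raw in split_options(m.group('opts')):
        name, _, value = raw.partition(':')
        opts.append((name.strip(), value.strip().strip('"') if value else None))
    hdr = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    return hdr, opts


def check_rule(rule):
    """List findings about a rule: parse errors, missing sid/msg, logto position."""
    try:
        _, opts = parse_rule(rule)
    except ValueError as e:
        return [str(e)]
    names = [n for n, _ in opts]
    findings = [f"no {o} option" for o in ('sid', 'msg') if o not in names]
    if 'logto' in names:
        findings.append(f"logto at position {names.index('logto') + 1} of {len(names)}")
    return findings
```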