[Snort-users] Post-Detection keyword [logto] not working

Emiliano Fausto emiliano.fausto at ...11827...
Mon Apr 13 17:27:45 EDT 2015


Hi there,

I'm having trouble getting the "logto" keyword to work properly.

I'm using snort version 2.9.7, and what I've tried was:

1) Just leaving this rule in the snort.conf file:

alert tcp any any <> any 8000 (content:"testing"; nocase; logto:testing; sid:1;)

I started a web server serving the file testing.txt, listening on port
8000, and issued a GET from a web browser, but SNORT didn't create a
file called testing with the packet capture.

Instead, it created a snort.log.1231243 with this information.

2) I ran SNORT with user root (just to make sure it wasn't a permission
problem)

3) I pre-created the file testing with: "touch /var/log/snort/testing"
(because I read there were problems in the past with this). But the file
was 0 bytes after the GET was issued.

4) I tried changing the position of the logto keyword (before all the other
keywords, after the last keyword, etc.), but nothing.

5) I tried with:
logto:"testing"
logto:testing
logto:"/var/log/snort/testing"
But nothing worked.

6) When I changed the rule to this line:

output alert_fast: /var/log/snort/alerts
alert tcp any any <> any 8000 (content:"testing"; nocase; msg:"rule successful triggered"; sid:1;)

It did generate the rule message "rule successful triggered" in
/var/log/snort/alerts after issuing a GET with a browser. That's how I
know it's being triggered correctly.

But for some reason, the problem appears when I try to use logto.

Does anyone have this post-detection keyword working? Has anyone
experienced trouble with it?

I reviewed all 41 related mails in the snort-users list, but there's
nothing there that helped me.

I also think the way I start snort could be useful; I've reduced it
to:

snort -k none -i eth0 -c /etc/snort/snort.conf

Is there anything I'm missing? I've read the snort manual again and again,
but there's nothing else I could find that gives me a hint on this.

Thanks in advance for any help you could give me on that.

Emiliano.