[Snort-users] Post-Detection keyword [logto] not working

James Lay jlay at ...13475...
Mon Apr 13 17:50:19 EDT 2015


 

On 2015-04-13 03:27 PM, Emiliano Fausto wrote:

> Hi there,
> I'm having trouble getting the "logto" keyword working properly.
> I'm using snort version 2.9.7, and what I've tried was:
> 1) Just letting this rule in the snort.conf file:
> alert tcp any any <> any 8000 (content:"testing"; nocase; logto:testing; sid:1;)
> I started a web server, serving the file testing.txt, listening on port 8000, and
> issued a GET from a web browser, but SNORT didn't create a file called testing
> with the packet capture.
> Instead it created a snort.log.1231243 with this information.
> 2) I ran SNORT as user root (just to make sure it wasn't a permission problem).
> 3) I pre-created the file testing with: "touch /var/log/snort/testing"
> (because I read there were problems in the past with this). But the file
> was 0 bytes after the GET was issued.
> 4) I tried changing the place of the logto keyword (first of all other keywords,
> after the last keyword, etc.). Nothing.
> 5) I tried with:
> logto:"testing"
> logto:testing
> logto:"/var/log/snort/testing"
> But nothing worked.
> 6) When I changed the rule to this line:
> output alert_fast: /var/log/snort/alerts
>
> alert tcp any any <> any 8000 (content:"testing"; nocase; msg:"rule successful triggered"; sid:1;)
>
> It did generate the rule message "rule successful triggered" in
> /var/log/snort/alerts after issuing a GET with a browser. That's how I
> know it's being triggered correctly.
> But for some reason, the problem is when I try to use the logto.
> Does anyone have this post-detection keyword working? Has anyone experienced
> any trouble with it?
> I reviewed all the 41 related mails in the snort-users list, but there's
> nothing there that helped me.
> I also think it could be useful to show the way I start snort; I reduced it to:
> snort -k none -i eth0 -c /etc/snort/snort.conf
> Is there anything I'm missing? I read the snort manual once and again, but
> there's nothing else I could find that gives me a hint on this.
> Thanks in advance for any help you could give me on that.
> Emiliano.

Betting you have something like this:

output unified2:

In your snort.conf. Per the docs:

3.7.1 LOGTO

The logto keyword tells Snort to log all packets that trigger this rule to a
special output log file. This is especially handy for combining data from
things like NMAP activity, HTTP CGI scans, etc. It should be noted that this
option does not work when Snort is in binary logging mode.

Unified is binary mode, so it looks like logging unified isn't going to work in
conjunction with logto. Can someone on the list confirm this?


James
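A quick check for the condition James describes (an added example by the editor, not code from this thread or from the Snort project): the script below scans a snort.conf for the output plugins that put Snort 2.x into binary logging mode, unified2 and log_tcpdump, checks the snort command line for the -b switch (which also selects tcpdump-format binary logging), and lists the rules that carry logto so you know which sids are affected. It assumes, as James does, that the manual's "binary logging mode" covers unified2 output. The sample configs, the rule and its sid 1000001 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or the Snort project: find out whether a
# Snort 2.x setup is in binary logging mode, where the manual says the logto
# rule option does not work. Sample configs below are constructed here.

# Print the rules in FILE that use logto (with line numbers), so the affected
# sids are visible. Returns 0 even when nothing matches.
logto_rules() {
    grep -nE 'logto:' "$1" || true
}

# Return 0 if FILE configures no binary output plugin (unified2, log_tcpdump),
# 1 otherwise. Comments are stripped first, so a commented-out
# "# output unified2: ..." line does not count.
check_logto_conf() {
    conf="$1"
    bad=$(sed 's/#.*//' "$conf" \
        | grep -E '^[[:space:]]*output[[:space:]]+(unified2|log_tcpdump)[[:space:]]*:' || true)
    if [ -n "$bad" ]; then
        printf '%s: binary logging configured, logto will be ignored:\n%s\n' "$conf" "$bad"
        return 1
    fi
    printf '%s: no binary output plugin, logto should be honoured\n' "$conf"
    return 0
}

# The -b switch logs packets in tcpdump (binary) format. Return 0 if the given
# snort command line does not use it, 1 if it does.
check_logto_cmdline() {
    for arg in "$@"; do
        if [ "$arg" = "-b" ]; then
            echo "snort started with -b: binary mode, logto will be ignored"
            return 1
        fi
    done
    return 0
}

# Write constructed sample files into DIR: a conf with unified2 enabled (the
# usual default when Barnyard2 is in use), one with it commented out, and a
# rules file with a logto rule (sid 1000001 is an arbitrary local sid).
make_samples() {
    dir="$1"
    cat > "$dir/binary.conf" <<'EOF'
# constructed sample: unified2 for Barnyard2
output unified2: filename snort.u2, limit 128
output alert_fast: /var/log/snort/alerts
EOF
    cat > "$dir/ascii.conf" <<'EOF'
# constructed sample: binary output disabled
# output unified2: filename snort.u2, limit 128
output alert_fast: /var/log/snort/alerts
EOF
    cat > "$dir/local.rules" <<'EOF'
alert tcp any any <> any 8000 (msg:"logto test"; content:"testing"; nocase; logto:"testing"; sid:1000001; rev:1;)
EOF
}

# Demonstration run on the constructed samples (a non-zero status from the
# check functions is the expected verdict for the binary config).
tmp=$(mktemp -d)
make_samples "$tmp"
logto_rules "$tmp/local.rules"
check_logto_conf "$tmp/binary.conf" || :
check_logto_conf "$tmp/ascii.conf" || :
check_logto_cmdline snort -k none -i eth0 -c /etc/snort/snort.conf || :
rm -rf "$tmp"
```

Point the two check functions at your real snort.conf and the exact command line from your init script; the line the scan prints is the output directive to comment out (or move to a separate Snort instance) while testing logto.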
 