[Snort-users] Post-Detection keyword [logto] not working

Emiliano Fausto emiliano.fausto at ...11827...
Mon Apr 13 19:14:14 EDT 2015


Hi James,

thanks for the quick answer. Unfortunately I didn't configure the BINARY
output, because the documentation of logto says that it doesn't work with
binary.

So the only output I set in the snort.conf was the alert_fast. Anyway, I
also tried with alert_full and log_tcpdump, but nothing.

Thanks!
Emiliano.

On Mon, Apr 13, 2015 at 6:50 PM, James Lay <jlay at ...13475...> wrote:

>  On 2015-04-13 03:27 PM, Emiliano Fausto wrote:
>
> Hi there,
> I'm having trouble getting the "logto" keyword working properly.
> I'm using snort version 2.9.7, and what I've tried was:
> 1) Just leaving this rule in the snort.conf file:
> alert tcp any any <> any 8000 (content:"testing"; nocase; logto:testing; sid:1;)
> I started a web server, serving the file testing.txt listening on port
> 8000, and issued a GET from a web browser, but Snort didn't create a
> file called testing with the packet capture.
> Instead it created a snort.log.1231243 with this information.
> 2) I ran SNORT with user root (just to make sure it wasn't a permission
> problem)
> 3) I pre-created the file testing with: "touch /var/log/snort/testing"
> (because I read there were problems in the past with this). But the file
> was 0 bytes after the GET was issued.
> 4) I tried changing the place of the logto keyword (first of all the other
> keywords, after the last keyword, etc.), nothing.
> 5) I tried with:
> logto:"testing"
> logto:testing
> logto:"/var/log/snort/testing"
> But nothing worked.
> 6) When I changed the rule to this line:
> output alert_fast: /var/log/snort/alerts
>  alert tcp any any <> any 8000 (content:"testing"; nocase; msg:"rule successful triggered"; sid:1;)
>  It did generate the rule message "rule successful triggered" in
> /var/log/snort/alerts after issuing a GET with a browser. That's how I
> know it's being triggered correctly.
> But for some reason, the problem is when I try to use the logto.
> Does anyone have this post-detection keyword working? Has anyone
> experienced any trouble with it?
> I reviewed all 41 related mails in the snort-users list, but there's
> nothing there that helped me.
> I also think the way I start Snort could be useful; I just
> reduced it to:
> snort -k none -i eth0 -c /etc/snort/snort.conf
> Is there anything I'm missing? I read the Snort manual again and again, but
> there's nothing else I could find that gives me a hint on this.
> Thanks in advance for any help you could give me on that.
> Emiliano.
>
> Betting you have something like this:
>
> output unified2:
>
> In your snort.conf.  Per the docs:
> 3.7.1 logto
>
> The logto keyword tells Snort to log all packets that trigger this rule to
> a special output log file. This is especially handy for combining data from
> things like NMAP activity, HTTP CGI scans, etc. It should be noted that
> this option does not work when Snort is in binary logging mode.
>
>
> Unified is binary mode, so it looks like logging unified isn't going to
> work in conjunction with logto.  Can someone on the list confirm this?
>
> James
>
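A configuration check for the incompatibility James points out, added here as an example (it is not from the thread or the Snort project): it parses a snort.conf-style text and flags any rule carrying logto when a binary-format output module is also configured. The module names other than unified2, the regexes and the sample configuration are my assumptions, and only single-line rules are handled.

```python
import re
# Binary-format output modules: unified2 is the one named in the thread; the
# others are assumed here. The manual says logto does not work in binary mode.
BINARY_OUTPUTS = {"unified2", "alert_unified2", "log_unified2", "log_tcpdump"}
_OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:")
_RULE_RE = re.compile(r"^\s*(?:alert|log|pass|drop|reject|sdrop)\s+[^(]*\((.*)\)\s*$")

def parse_options(body):
    """Map option keyword -> value; ';' inside double quotes does not split."""
    opts, cur, in_quote = {}, [], False
    for ch in body + ";":          # trailing ';' flushes the last option
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opt = "".join(cur).strip()
            cur = []
            if opt:
                key, _, value = opt.partition(":")
                opts[key.strip()] = value.strip().strip('"')   # flags map to ''
        else:
            cur.append(ch)
    return opts

def check_logto(conf_text):
    """One warning per logto rule when a binary output module is configured."""
    binary, logto_rules = set(), []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = _OUTPUT_RE.match(line)
        if m:
            if m.group(1) in BINARY_OUTPUTS:
                binary.add(m.group(1))
            continue
        r = _RULE_RE.match(line)
        if r:
            opts = parse_options(r.group(1))
            if "logto" in opts:
                logto_rules.append((lineno, opts.get("sid", "?"), opts["logto"]))
    if not binary:
        return []          # logto can only be honoured without binary output
    return [f"line {n}: sid {sid} uses logto:{target}, but binary output "
            f"({', '.join(sorted(binary))}) is configured, so logto is ignored"
            for n, sid, target in logto_rules]

# Constructed sample mirroring the thread: unified2 alongside a logto rule.
SAMPLE_CONF = """\
output unified2: filename snort.u2, limit 128
output alert_fast: /var/log/snort/alerts
alert tcp any any <> any 8000 (content:"testing"; nocase; logto:testing; sid:1;)
alert tcp any any <> any 8000 (content:"a;b"; msg:"rule triggered"; sid:2;)
"""
```

Running `check_logto(SAMPLE_CONF)` returns one warning for sid 1; removing the unified2 line returns an empty list.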