[Snort-users] Post-Detection keyword [logto] not working

James Lay jlay at ...13475...
Tue Apr 14 07:29:07 EDT 2015


On Mon, 2015-04-13 at 20:14 -0300, Emiliano Fausto wrote:
> Hi James,
> 
> 
> 
> thanks for the quick answer. Unfortunately I didn't configure the
> BINARY output, because the documentation of logto says that it doesn't
> work with binary.
> 
> 
> So the only output I set in the snort.conf was the alert_fast. Anyway,
> I also tried with alert_full, and log_tcpdump but nothing.
> 
> 
> Thanks!
> Emiliano.
> 
> 
> On Mon, Apr 13, 2015 at 6:50 PM, James Lay <jlay at ...13475...>
> wrote:
> 
>         On 2015-04-13 03:27 PM, Emiliano Fausto wrote:
>         
>         
>         > Hi there, 
>         > 
>         > I'm having trouble getting the "logto" keyword to work
>         > properly.
>         > I'm using snort version 2.9.7, and what I've tried was:
>         > 1) Just letting this rule in the snort.conf file:
>         > alert tcp any any <> any 8000 (content:"testing"; nocase;
>         > logto:testing; sid:1;)
>         > I started a web server, serving the file testing.txt,
>         > listening on port 8000, and issued a GET from a
>         > web browser, but SNORT didn't create a file called
>         > testing with the packet capture.
>         > Instead it created a snort.log.1231243 with this
>         > information.
>         > 2) I ran SNORT with user root (just to make sure it wasn't a
>         > permission problem)
>         > 3) I pre-created the file testing with:
>         > "touch /var/log/snort/testing" (because I read there were
>         > problems in the past with this). But the file was 0 bytes
>         > after the GET was issued.
>         > 4) I tried changing the place of the logto keyword (first,
>         > before all other keywords, after the last keyword, etc.); nothing.
>         > 5) I tried with:
>         > logto:"testing"
>         > logto:testing
>         > logto:"/var/log/snort/testing"
>         > But nothing worked.
>         > 6) When I changed the rule to this line:
>         > output alert_fast: /var/log/snort/alerts
>         > alert tcp any any <> any 8000 (content:"testing"; nocase;
>         > msg:"rule successful triggered"; sid:1;)
>         > It did generate the rule message "rule successful triggered"
>         > in /var/log/snort/alerts after issuing a GET with a
>         > browser. That's how I know it's being triggered correctly.
>         > But for some reason, the problem is when I try to use the
>         > logto.
>         > Does anyone have this post-detection keyword working? Has
>         > anyone experienced any trouble with it?
>         > I reviewed all 41 related mails in the snort-users list,
>         > but there's nothing there that helped me.
>         > I also think the way I start snort could be useful; I
>         > reduced it to:
>         > snort  -k none -i eth0 -c /etc/snort/snort.conf
>         > Is there anything I'm missing? I read the snort manual
>         > again and again, but there's nothing else I could find that
>         > gives me a hint on this.
>         > Thanks in advance for any help you could give me on that.
>         > Emiliano.
>         
>         Betting you have something like this:
>         
>         output unified2:
>         
>         In your snort.conf.  Per the docs:
>         
>         
>         
>         3.7.1 logto
>         
>         The logto keyword tells Snort to log all packets that trigger
>         this rule to a special output log file. This is especially
>         handy for combining data from things like NMAP activity, HTTP
>         CGI scans, etc. It should be noted that this option does not
>         work when Snort is in binary logging mode.
>         
>         
>         Unified is binary mode, so it looks like logging unified isn't
>         going to work in conjunction with logto.  Can someone on the
>         list confirm this?
>         
>         James
>         


Well there goes that idea then.  I'll defer to someone else on the list
then.

James
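The docs excerpt James quotes ("this option does not work when Snort is in binary logging mode") describes a silent failure: the rule still fires and alerts, but the logto file is never written. The script below is an added example, not code from this thread or from the Snort project. It parses a snort.conf for `output` plugin lines and for rules carrying `logto:` (quoted or unquoted, as Emiliano tried them) and warns when a binary output plugin and a logto rule are configured together. It takes unified/unified2 as binary from the thread itself and additionally treats log_tcpdump (pcap output) as binary, which is this example's own assumption; the snort.conf fragments are constructed for the example. It only flags the documented incompatibility, so it would not explain Emiliano's case, where no binary output was configured at all.

```python
import re
from typing import List, Optional, Tuple

# Output plugins treated as "binary logging mode". The thread's docs excerpt
# says logto does not work in binary mode and James identifies unified as
# binary; log_tcpdump (pcap) is included here as an assumption of this example.
BINARY_OUTPUT_PLUGINS = {"unified", "unified2", "log_tcpdump"}

OUTPUT_RE = re.compile(r"^output\s+([A-Za-z0-9_]+)\s*:", re.IGNORECASE)
RULE_RE = re.compile(
    r"^(?:alert|log|pass|drop|reject|sdrop)\s+.*\((?P<opts>.*)\)$", re.IGNORECASE
)
# Accepts logto:testing; logto:"testing"; logto:"/var/log/snort/testing";
LOGTO_RE = re.compile(r'\blogto\s*:\s*"?([^";]+?)"?\s*;', re.IGNORECASE)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;", re.IGNORECASE)


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines and drop blanks and '#' comments."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf and not buf.startswith("#"):
            lines.append(buf)
        buf = ""
    if buf and not buf.startswith("#"):
        lines.append(buf)
    return lines


def parse_snort_conf(text: str) -> Tuple[List[str], List[Tuple[Optional[int], str]]]:
    """Return (output plugin names, [(sid, logto target)] for rules that use logto)."""
    outputs: List[str] = []
    logto_rules: List[Tuple[Optional[int], str]] = []
    for line in logical_lines(text):
        m = OUTPUT_RE.match(line)
        if m:
            outputs.append(m.group(1).lower())
            continue
        r = RULE_RE.match(line)
        if not r:
            continue
        opts = r.group("opts")
        lt = LOGTO_RE.search(opts)
        if not lt:
            continue
        sid = SID_RE.search(opts)
        logto_rules.append((int(sid.group(1)) if sid else None, lt.group(1).strip()))
    return outputs, logto_rules


def check_logto(text: str) -> dict:
    """Flag logto rules that are ineffective because a binary output plugin is enabled."""
    outputs, logto_rules = parse_snort_conf(text)
    binary = sorted({p for p in outputs if p in BINARY_OUTPUT_PLUGINS})
    warnings = []
    if binary:
        for sid, target in logto_rules:
            warnings.append(
                f"sid:{sid} uses logto:{target} but binary output "
                f"({', '.join(binary)}) is enabled; per the docs logto will not work"
            )
    return {"binary_outputs": binary, "logto_rules": logto_rules, "warnings": warnings}


# Constructed snort.conf fragments modelled on the thread (not the posters' real files).
CONF_WITH_UNIFIED2 = """\
# constructed example: unified2 plus a logto rule
output unified2: filename merged.log, limit 128
output alert_fast: /var/log/snort/alerts
alert tcp any any <> any 8000 (content:"testing"; nocase; logto:testing; sid:1;)
alert tcp any any <> any 8000 (content:"testing"; nocase; \\
    msg:"rule successful triggered"; sid:2;)
"""

CONF_TEXT_ONLY = """\
output alert_fast: /var/log/snort/alerts
alert tcp any any <> any 8000 (content:"testing"; nocase; logto:"/var/log/snort/testing"; sid:1;)
"""

if __name__ == "__main__":
    for name, conf in (("unified2", CONF_WITH_UNIFIED2), ("text-only", CONF_TEXT_ONLY)):
        result = check_logto(conf)
        print(name, result["warnings"] or "no logto/binary-output conflict")
```

Run it against your own snort.conf by reading the file into `check_logto`; an empty `warnings` list only means this particular incompatibility is absent, not that logto is confirmed to be writing its file.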