[Snort-users] Post-Detection keyword [logto] not working

Al Lewis (allewi) allewi at ...589...
Thu Apr 16 18:31:25 EDT 2015


Hello Emiliano,

Have you tried using the session keyword?

http://manual.snort.org/node34.html#SECTION00472000000000000000

From the manual:

“The session keyword is built to extract user data from TCP Sessions. There are many cases where seeing what users are typing in telnet, rlogin, ftp, or even web sessions is very useful.

There are three available argument keywords for the session rule option: printable, binary, or all.

The printable keyword only prints out data that the user would normally see or be able to type. The binary keyword prints out data in a binary format. The all keyword substitutes non-printable characters with their hexadecimal equivalents.”


Use “-l” (the letter L) to set the log directory.



Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...
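Putting the suggestions in this reply together, here is an added example (written for this page, not code from the original post or from the Snort project) of a snort.conf output section and a local rule that keep the alert text, the packet that fired the rule and the printable session payload under the directory given with -l. It assumes Snort 2.9.x syntax and a test listener on TCP port 8000 as in Emiliano's setup; the file names and the sid are chosen for the example, not taken from the thread.

```snort
# --- snort.conf output plugins (added example, Snort 2.9.x syntax) ---
# Relative file names are created under the directory passed with -l.

# One-line alerts; the "packet" argument also writes the packet data that
# triggered the rule, so the request payload appears next to the alert.
output alert_fast: alert.fast packet

# Keep every logged packet in pcap form as well (read it with "tcpdump -r").
output log_tcpdump: snort.log.pcap

# Leave binary loggers such as "output unified2: ..." out of the config if
# you depend on logto: the manual says logto does not work in binary logging
# mode, which is the explanation James gives below.

# --- local.rules (sid 1000001 is an example value from the local range) ---
# session:printable writes the user-visible bytes of the matching TCP session
# into the -l directory. The manual cautions that session can slow Snort
# down considerably, so reserve it for narrow test rules like this one.
alert tcp any any -> any 8000 (msg:"Testing - request for testing.txt"; flow:to_server,established; content:"testing"; nocase; session:printable; sid:1000001; rev:1;)
```

Start Snort with the log directory stated explicitly, for example `snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort -k none`, then issue the GET; alert.fast, snort.log.pcap and the session output all appear under /var/log/snort. Check the alert_fast entry in your own Snort manual first, since the optional arguments differ slightly between 2.9 point releases.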

From: Emiliano Fausto [mailto:emiliano.fausto at ...11827...]
Sent: Thursday, April 16, 2015 2:33 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Post-Detection keyword [logto] not working

Hello there,

maybe using the logto keyword wasn't the best option as it's not working properly in version 2.9.7, and besides there isn't too much example documentation about it.

So... does anyone know if there's any possibility to keep a log file containing something like:

ALERT_FAST information
PACKET_CAPTURES that triggered the alert
...

Let's say, something like:
[**] [1-3434343-0] Testing [**] [Priority: 0]  04/16-20:03:144335 172.16.101.102:55322 -> 172.16.101.103:8000
GET /file_which_trigger.txt HTTP/1.1
User-Agent: Wget/1.16.3 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 172.16.101.102:8000
Connection: Keep-Alive

And for each ALERT TRIGGERED, the corresponding packet information.

Thanks in advance to who can help me on this!
Emiliano.

On Tue, Apr 14, 2015 at 8:29 AM, James Lay <jlay at ...13475...> wrote:
On Mon, 2015-04-13 at 20:14 -0300, Emiliano Fausto wrote:
Hi James,

thanks for the quick answer. Unfortunately I didn't configure the BINARY output, because the documentation of logto says that it doesn't work with binary.

So the only output I set in the snort.conf was the alert_fast. Anyway, I also tried with alert_full, and log_tcpdump but nothing.

Thanks!
Emiliano.

On Mon, Apr 13, 2015 at 6:50 PM, James Lay <jlay at ...13475...> wrote:
On 2015-04-13 03:27 PM, Emiliano Fausto wrote:
Hi there,
I'm having troubles to get the "logto" keyword working properly.
I'm using snort version 2.9.7, and what I've tried was:
1) Just letting this rule in the snort.conf file:
alert tcp any any <> any 8000 (content:"testing"; nocase; logto:testing; sid:1;)
I started a web server serving the file testing.txt, listening on port 8000, and issued a GET from a web browser, but Snort didn't create a file called testing with the packet capture.
Instead it created a snort.log.1231243 with this information.
2) I ran SNORT with user root (just to make sure it wasn't a permission problem)
3) I pre-created the file testing with: "touch /var/log/snort/testing" (because I read there were problems in the past with this). But the file was 0 bytes after the GET was issued.
4) I tried changing the place of the logto keyword (first of all the other keywords, after the last keyword, etc.), nothing.
5) I tried with:
logto:"testing"
logto:testing
logto:"/var/log/snort/testing"
But nothing worked.
6) When I changed the rule to this line:
output alert_fast: /var/log/snort/alerts
alert tcp any any <> any 8000 (content:"testing"; nocase; msg:"rule successful triggered"; sid:1;)
It did generate the rule message "rule successful triggered" in /var/log/snort/alerts after issuing a GET with a browser. That's how I know it's being triggered correctly.
But for some reason, the problem is when I try to use the logto.
Does anyone have this post-detection keyword working? Has anyone experienced trouble with it?
I reviewed all 41 related mails on the snort-users list, but there's nothing there that helped me.
I also think the way I start Snort could be useful; I reduced it to:
snort  -k none -i eth0 -c /etc/snort/snort.conf
Is there anything I'm missing? I read the snort manual again and again, but there's nothing else I could find that gives me a hint on this.
Thanks in advance for any help you could give me on that.
Emiliano.

Betting you have something like this:

output unified2:

In your snort.conf.  Per the docs:

3.7.1 logto
The logto keyword tells Snort to log all packets that trigger this rule to a special output log file. This is especially handy for combining data from things like NMAP activity, HTTP CGI scans, etc. It should be noted that this option does not work when Snort is in binary logging mode.


Unified is binary mode, so it looks like logging unified isn't going to work in conjunction with logto.  Can someone on the list confirm this?

James

Well there goes that idea then.  I'll defer to someone else on the list then.

James

