[Snort-users] Post-Detection keyword [logto] not working

Emiliano Fausto emiliano.fausto at ...11827...
Fri Apr 17 08:32:30 EDT 2015


Hi Albert,

in fact, I tried it setting up this rule:

log tcp any any -> any 8000 (content:"testing.txt"; msg:"Testing rule triggered"; session:printable; sid:12345;)

And it's logging to the file snort.log.1428976882 the packet as it is, but
it's not prepending the alert message, nor the alert SID.

Anyway, I'll be using unified2, and, as I need the plain message, I'll then
schedule a job that takes this binary file and decompiles it to a text file
using the tool u2spewfoo.

Thanks a lot for your help!
Emiliano.
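
An added example (not from this thread or from the Snort project) of the kind of job the message above describes: a small Python reader for a unified2 file that pairs each event record with its packet record and prints an alert_fast-style header followed by the printable payload, roughly what u2spewfoo shows. It assumes the type 7/104 event and type 2 packet layouts from Snort's Unified2_common.h, untagged Ethernet/IPv4/TCP frames, and a constructed sample file; the rule msg text is not stored in unified2 (that lookup needs sid-msg.map), so only gid:sid:rev is printed.

```python
import socket, struct
# Record types and layouts from Snort's Unified2_common.h (all network byte order)
U2_PACKET, U2_IDS_EVENT, U2_IDS_EVENT_VLAN = 2, 7, 104
EVENT_FMT = "!11I2H4B"   # 52-byte IPv4 event body; type 104 appends 8 vlan/mpls bytes
PACKET_FMT = "!7I"       # 28-byte packet header, then packet_data

def parse_unified2(data):
    """Yield (type, fields, raw_packet) for each (type, length, body) record."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        body, off = data[off + 8:off + 8 + rlen], off + 8 + rlen
        if rtype in (U2_IDS_EVENT, U2_IDS_EVENT_VLAN):
            f = struct.unpack_from(EVENT_FMT, body)
            yield rtype, {"event_id": f[1], "sid": f[4], "gid": f[5], "rev": f[6],
                          "priority": f[8], "src": socket.inet_ntoa(body[36:40]),
                          "dst": socket.inet_ntoa(body[40:44]), "sport": f[11],
                          "dport": f[12]}, b""
        elif rtype == U2_PACKET:
            f = struct.unpack_from(PACKET_FMT, body)
            yield rtype, {"event_id": f[1]}, body[28:28 + f[6]]
def tcp_payload(frame):  # assumes an untagged Ethernet II / IPv4 / TCP frame
    tcp = 14 + (frame[14] & 0x0F) * 4
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:]
def printable(raw):  # keep what a user would see, in the spirit of session:printable
    return "".join(chr(b) if 32 <= b < 127 or b in (9, 10, 13) else "." for b in raw)

def render_alerts(data):
    """Pair events with packets by event_id; emit an alert_fast-style header plus payload."""
    events, packets = {}, {}
    for rtype, fields, pkt in parse_unified2(data):
        (packets if rtype == U2_PACKET else events)[fields["event_id"]] = (fields, pkt)
    out = []
    for eid, (ev, _) in events.items():
        head = "[**] [%d:%d:%d] [Priority: %d] {TCP} %s:%d -> %s:%d" % (
            ev["gid"], ev["sid"], ev["rev"], ev["priority"],
            ev["src"], ev["sport"], ev["dst"], ev["dport"])
        out.append(head + ("\n" + printable(tcp_payload(packets[eid][1])) if eid in packets else ""))
    return "\n".join(out)

# Constructed sample: one type-7 event for sid 12345 and its type-2 packet record
SRC, DST = socket.inet_aton("172.16.101.102"), socket.inet_aton("172.16.101.103")
FRAME = (b"\x00" * 12 + b"\x08\x00" + bytes([0x45] + [0] * 7 + [64, 6, 0, 0]) + SRC + DST
         + struct.pack("!HHIIBB", 55322, 8000, 0, 0, 0x50, 0x18) + b"\x00" * 6
         + b"GET /testing.txt HTTP/1.1\r\nHost: 172.16.101.103:8000\r\n\r\n")
EVENT_REC = struct.pack(EVENT_FMT, 1, 7, 1428976882, 0, 12345, 1, 0, 0, 0,
                        *struct.unpack("!II", SRC + DST), 55322, 8000, 6, 0, 0, 0)
PKT_REC = struct.pack(PACKET_FMT, 1, 7, 1428976882, 1428976882, 0, 1, len(FRAME)) + FRAME
SAMPLE = (struct.pack("!II", U2_IDS_EVENT, len(EVENT_REC)) + EVENT_REC
          + struct.pack("!II", U2_PACKET, len(PKT_REC)) + PKT_REC)
```

Running `print(render_alerts(open("snort.log.1428976882", "rb").read()))` against a real unified2 file only needs the IPv4 event types above; IPv6 events (types 72 and 105) are skipped by this reader.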

On Thu, Apr 16, 2015 at 7:31 PM, Al Lewis (allewi) <allewi at ...589...> wrote:

> Hello Emiliano,
>
> Have you tried using the session keyword?
>
> http://manual.snort.org/node34.html#SECTION00472000000000000000
>
> From the manual:
>
> “The session keyword is built to extract user data from TCP Sessions.
> There are many cases where seeing what users are typing in telnet, rlogin,
> ftp, or even web sessions is very useful.
>
> There are three available argument keywords for the session rule option:
> printable, binary, or all.
>
> The printable keyword only prints out data that the user would normally
> see or be able to type. The binary keyword prints out data in a binary
> format. The all keyword substitutes non-printable characters with their
> hexadecimal equivalents.”
>
> Use the "-l" (the letter L) to set the log directory.
>
> Albert Lewis
> QA Software Engineer
> SOURCE*fire*, Inc. now part of *Cisco*
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...589...
>
> *From:* Emiliano Fausto [mailto:emiliano.fausto at ...11827...]
> *Sent:* Thursday, April 16, 2015 2:33 PM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Post-Detection keyword [logto] not working
>
> Hello there,
>
> maybe using the logto keyword wasn't the best option as it's not working
> properly in version 2.9.7, and besides there isn't much example
> documentation about it.
>
> So... does anyone know if there's any possibility to keep a log file
> containing something like:
>
> ALERT_FAST information
> PACKET_CAPTURES that triggered the alert
> ...
>
> Let's say, something like:
>
> [**] [1-3434343-0] Testing [**] [Priority: 0]  04/16-20:03:144335
> 172.16.101.102:55322 -> 172.16.101.103:8000
> GET /file_which_trigger.txt HTTP/1.1
> User-Agent: Wget/1.16.3 (linux-gnu)
> Accept: */*
> Accept-Encoding: identity
> Host: 172.16.101.102:8000
> Connection: Keep-Alive
>
> And for each ALERT TRIGGERED, the corresponding packet information.
>
> Thanks in advance to who can help me on this!
>
> Emiliano.
>
> On Tue, Apr 14, 2015 at 8:29 AM, James Lay <jlay at ...13475...>
> wrote:
>
> On Mon, 2015-04-13 at 20:14 -0300, Emiliano Fausto wrote:
>
> Hi James,
>
> thanks for the quick answer. Unfortunately I didn't configure the
> BINARY output, because the documentation of logto says that it doesn't work
> with binary.
>
> So the only output I set in the snort.conf was the alert_fast. Anyway, I
> also tried with alert_full, and log_tcpdump but nothing.
>
> Thanks!
> Emiliano.
>
> On Mon, Apr 13, 2015 at 6:50 PM, James Lay <jlay at ...13475...>
> wrote:
>
> On 2015-04-13 03:27 PM, Emiliano Fausto wrote:
>
> Hi there,
>
> I'm having trouble getting the "logto" keyword working properly.
>
> I'm using snort version 2.9.7, and what I've tried was:
>
> 1) Just putting this rule in the snort.conf file:
>
> alert tcp any any <> any 8000 (content:"testing"; nocase; logto:testing; sid:1;)
>
> I started a web server, serving the file testing.txt and listening on
> port 8000, and issued a GET from a web browser, but SNORT didn't create
> a file called testing with the packet capture.
>
> Instead it created a snort.log.1231243 with this information.
>
> 2) I ran SNORT as user root (just to make sure it wasn't a
> permission problem)
>
> 3) I pre-created the file testing with: "touch /var/log/snort/testing"
> (because I read there were problems in the past with this). But the file
> was 0 bytes after the GET was issued.
>
> 4) I tried changing the place of the logto keyword (first of all
> other keywords, after the last keyword, etc.), nothing.
>
> 5) I tried with:
>
> logto:"testing"
> logto:testing
> logto:"/var/log/snort/testing"
>
> But nothing worked.
>
> 6) When I changed the rule to this line:
>
> output alert_fast: /var/log/snort/alerts
>
> alert tcp any any <> any 8000 (content:"testing"; nocase; msg:"rule successful triggered"; sid:1;)
>
> It did generate the rule message "rule successful triggered" in
> /var/log/snort/alerts after issuing a GET with a browser. That's how I
> know it's being triggered correctly.
>
> But for some reason, the problem is when I try to use the logto.
>
> Does anyone have this post-detection keyword working? Has anyone
> experienced trouble with it?
>
> I reviewed all the 41 related mails in the snort-users list, but there's
> nothing there that helped me.
>
> I also think the way I start snort could be useful; I just
> reduced it to:
>
> snort -k none -i eth0 -c /etc/snort/snort.conf
>
> Is there anything I'm missing? I read the snort manual again and again,
> but there's nothing else I could find that gives me a hint on this.
>
> Thanks in advance for any help you could give me on that.
>
> Emiliano.
>
> Betting you have something like this:
>
> output unified2:
>
> In your snort.conf. Per the docs:
>
> 3.7.1 logto
>
> The logto keyword tells Snort to log all packets that trigger this rule to
> a special output log file. This is especially handy for combining data from
> things like NMAP activity, HTTP CGI scans, etc. It should be noted that
> this option does not work when Snort is in binary logging mode.
>
> Unified is binary mode, so it looks like logging unified isn't going to
> work in conjunction with logto. Can someone on the list confirm this?
>
> James
>
> Well there goes that idea then. I'll defer to someone else on the list
> then.
>
> James
>