[Snort-users] Include details of payload in log message?

Toby Riddell toby.riddell at ...17573...
Sun Jun 12 06:54:47 EDT 2016


Hi,

I want to detect activity by bittorrent clients on my home network. When
they start they open a port from the Internet using UPnP IGD, a sample
payload is:

<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
  <u:AddPortMapping
xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
    <NewRemoteHost></NewRemoteHost>
    <NewExternalPort>8999</NewExternalPort>
    <NewProtocol>TCP</NewProtocol>
    <NewInternalPort>8999</NewInternalPort>
    <NewInternalClient>192.168.1.30</NewInternalClient>
    <NewEnabled>1</NewEnabled>
    <NewPortMappingDescription>qBittorrent v3.3.4 at 192.168.1.30:8999</NewPortMappingDescription>
    <NewLeaseDuration>0</NewLeaseDuration>
  </u:AddPortMapping>
</s:Body>
</s:Envelope>

I want to match AddPortMapping and insert the NewPortMappingDescription
(whether it is qBittorrent or some other BT client) into the message. Is
this possible using Snort alone? Is there an add-on to Snort that will do
it for me?

(Google's bringing up nothing so I'm hopeful the mailing list can help :-))

Thanks.

Toby
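One way to get the description into a log line, shown here as an added example that is not part of the original post and is not a Snort feature: a small Python parser that recognises a UPnP IGD AddPortMapping SOAP request, pulls out the mapping fields, and formats a message around NewPortMappingDescription. The payload is the one quoted above, embedded as constructed sample input; the WANPPPConnection namespace, the size cap, the client-name list and the `log_message` format are assumptions of this example.

```python
"""Parse a UPnP IGD AddPortMapping request and build a log line around
NewPortMappingDescription (added example, not from the mailing-list post)."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Assumption: some gateways expose the same action on WANPPPConnection, so match both.
WANPPP_NS = "urn:schemas-upnp-org:service:WANPPPConnection:1"

# Assumption: refuse oversized bodies before parsing; ElementTree does not fetch
# external entities, but a large or entity-heavy document can still be costly.
MAX_BYTES = 64 * 1024

# Assumption: names of common BitTorrent clients as they appear in mapping descriptions.
BT_CLIENT_RE = re.compile(r"qBittorrent|uTorrent|Transmission|Deluge|Vuze|BitTorrent", re.I)

# Constructed sample input: the payload quoted in the question.
SAMPLE_PAYLOAD = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
  <u:AddPortMapping
xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
    <NewRemoteHost></NewRemoteHost>
    <NewExternalPort>8999</NewExternalPort>
    <NewProtocol>TCP</NewProtocol>
    <NewInternalPort>8999</NewInternalPort>
    <NewInternalClient>192.168.1.30</NewInternalClient>
    <NewEnabled>1</NewEnabled>
    <NewPortMappingDescription>qBittorrent v3.3.4 at 192.168.1.30:8999
</NewPortMappingDescription>
    <NewLeaseDuration>0</NewLeaseDuration>
  </u:AddPortMapping>
</s:Body>
</s:Envelope>
"""


def parse_add_port_mapping(payload: str) -> Optional[dict]:
    """Return the AddPortMapping fields as a dict, or None if the payload
    is not well-formed XML or does not contain that action."""
    if len(payload.encode("utf-8", "replace")) > MAX_BYTES:
        return None
    try:
        root = ET.fromstring(payload.strip())
    except ET.ParseError:
        return None

    action = None
    for ns in (WANIP_NS, WANPPP_NS):
        action = root.find(f".//{{{ns}}}AddPortMapping")
        if action is not None:
            break
    if action is None:
        return None

    def text(name: str) -> str:
        # The argument elements carry no namespace, so plain names match.
        el = action.find(name)
        return (el.text or "").strip() if el is not None else ""

    return {
        "description": text("NewPortMappingDescription"),
        "external_port": text("NewExternalPort"),
        "internal_port": text("NewInternalPort"),
        "protocol": text("NewProtocol"),
        "internal_client": text("NewInternalClient"),
        "lease": text("NewLeaseDuration"),
    }


def looks_like_bittorrent(description: str) -> bool:
    """Heuristic: does the mapping description name a known BitTorrent client?"""
    return BT_CLIENT_RE.search(description) is not None


def log_message(payload: str, src_ip: str) -> Optional[str]:
    """Build the log line the question asks for, with the description included."""
    m = parse_add_port_mapping(payload)
    if m is None:
        return None
    label = "bittorrent" if looks_like_bittorrent(m["description"]) else "unknown"
    return (
        f'UPnP AddPortMapping from {src_ip}: {m["protocol"]} ext {m["external_port"]} '
        f'-> {m["internal_client"]}:{m["internal_port"]} lease={m["lease"]} '
        f'client={label} desc="{m["description"]}"'
    )


if __name__ == "__main__":
    print(log_message(SAMPLE_PAYLOAD, "192.168.1.30"))
```

The script works on an already-captured request body (for example one carved out of a pcap or handed over by a proxy); Snort's `content:"AddPortMapping";` match can raise the alert, but the description text itself is pulled out and formatted here rather than by the rule's msg field.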