[Snort-users] Something is wrong with snort logging?

fatema bannatwala fatema.bannatwala at ...11827...
Mon Nov 7 13:45:53 EST 2016


Hi,

I have a snort rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Custom Likely
Successful Generic Phish 2016-09-23"; flow:to_server,established;
content:"POST"; http_method; content:".php"; http_uri;
content:"clntnetid="; depth:10; fast_pattern; http_client_body;
content:"&pword="; distance:0; classtype:trojan-activity; sid:10001030;
rev:1;)

The following event shouldn't trigger without "clntnetid" in the string, so it
looks like some data isn't getting logged into the snort tables:

[1:10001030:1] Custom Likely Successful Generic Phish 2016-09-23
2016-11-07 04:26:06.103000-05:00 1.2.3.4:54862 -> 185.8.63.111:80
TCP: Data Triggering Snort Rule: POST /wp-admin/css/wep-et.php
HTTP/1.1::~~Host: www.anjo.lv::~~Content-Type:
application/x-www-form-urlencoded::~~Origin: null::~~Content-Length:
143::~~Connection: keep-alive::~~Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::~~User-Agent:
Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X)
AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70
Safari/600.1.4::~~Accept-Language:
 en-us::~~DNT: 1::~~Accept-Encoding: gzip, deflate::~~::~~

Another event that triggered this alert had "clntnetid" in the data string.
Not sure if the events that are triggering this alert have that string in
the data and snort is not logging it in the database, or if something is not
correct with the rule that is causing it to trigger for events NOT having
that particular string in the data.

Snort version - 2.9.8.3
barnyard version - 2-1.9
pulledpork - 0.7.0

Does anyone know what might be going on?

Thanks,
Fatema.
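As an added illustration (not part of the original post or of Snort itself), the following Python models the ordered content checks of sid:10001030 and runs them over two constructed requests: one rebuilt from the headers in the logged alert (with Snort's "::~~" separator restored to CRLF and the header list abridged), and one with a form body of the shape the rule describes. The depth:10 and distance:0 semantics are modelled as the Snort manual defines them (depth bounds the search window from the start of the buffer; distance:0 continues from the end of the previous match); http_inspect normalisation and fast_pattern selection are not modelled, and the body "clntnetid=alice&pword=hunter2" is a made-up sample, not captured data.

```python
# Constructed sample: the request as it appears in the logged alert. Only
# headers are present; nothing follows the blank line (assumption: that is
# exactly what was written to the database).
LOGGED_REQUEST = (
    "POST /wp-admin/css/wep-et.php HTTP/1.1\r\n"
    "Host: www.anjo.lv\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 143\r\n"
    "\r\n"
)

# Constructed sample with a body of the shape the rule is written to catch.
REQUEST_WITH_BODY = LOGGED_REQUEST + "clntnetid=alice&pword=hunter2&submit=Login"


def split_request(raw):
    """Split a raw HTTP request into (method, uri, headers, body)."""
    head, _sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def rule_matches(raw):
    """Evaluate the content options of sid:10001030 in rule order.

    Returns (matched, reason) so a reader can see which option failed.
    """
    method, uri, _headers, body = split_request(raw)

    # content:"POST"; http_method;
    if method != "POST":
        return False, "http_method is not POST"

    # content:".php"; http_uri;
    if ".php" not in uri:
        return False, "'.php' not found in http_uri"

    # content:"clntnetid="; depth:10; http_client_body;
    # depth:10 limits the search to the first 10 bytes of the body, and the
    # pattern is itself 10 bytes long, so it must start at offset 0.
    first = "clntnetid="
    pos = body.find(first, 0, 10)
    if pos == -1:
        return False, "'clntnetid=' not within first 10 bytes of http_client_body"

    # content:"&pword="; distance:0;
    # distance:0 means the search starts right after the previous match.
    if body.find("&pword=", pos + len(first)) == -1:
        return False, "'&pword=' not found after 'clntnetid='"

    return True, "all content options satisfied"


if __name__ == "__main__":
    for label, req in (("logged", LOGGED_REQUEST), ("with body", REQUEST_WITH_BODY)):
        print(label, rule_matches(req))
```

Run as a script it prints the outcome for both samples; the headers-only request fails at the http_client_body check, which is the point of the model: the rule's own logic cannot fire on what was logged, so the question is whether the client body that Snort evaluated ever reached the database.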