[Snort-users] Something is wrong with snort logging?
snort at ...15979...
Tue Nov 8 04:28:00 EST 2016
A quick look at this it could be a number of things. Your rule does not specify where in the payload/HTTP request to look for the content "clntnetid=", so the HTTP body could be a few bytes or a large number of bytes. Snort will usually capture 3-5 (maybe?) packets that triggered the rule. The HTTP body may have few bytes that fit into these 3-5 packets or they are further down the HTTP stream. It maybe (again) similar to the log_uri buffer length where in some occeasions get the uri logged and in others it won't due lengthy URIs.
- Are you logging in binary format (unified2)? How doe the data look there? Your log looks like it is in Full format.
- What are the configurations of your http_processor?
While this response more guesses than answers, i hope it puts you in the right direction.
From: fatema bannatwala <fatema.bannatwala at ...11827...>
Sent: Monday, November 7, 2016 9:45:53 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Something is wrong with snort logging?
I have a snort rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Custom Likely Successful Generic Phish 2016-09-23"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"clntnetid="; depth:10; fast_pattern; http_client_body; content:"&pword="; distance:0; classtype:trojan-activity; sid:10001030; rev:1;)
The following event shouldn't trigger without a "clntnetid" in the string so it
looks like some data isn't getting logged into the snort tables:
[1:10001030:1] Custom Likely Successful Generic Phish 2016-09-23
2016-11-07 04:26:06.103000-05:00 220.127.116.11:54862<http://18.104.22.168:54862/> -> 22.214.171.124:80<http://126.96.36.199/>
TCP: Data Triggering Snort Rule: POST /wp-admin/css/wep-et.php
143::~~Connection: keep-alive::~~Accept: text/h
Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X)
AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70
en-us::~~DNT: 1::~~Accept-Encoding: gzip, deflate::~~::~~
Other event that triggered this alert had "clntnetid" in the data string.
Not sure if the events that are triggering this alert are having that string in data and snort is not logging it in database, or something is not correct with the rule that is causing it to trigger for the events NOT having that particular string in the data.
Snort version - 188.8.131.52
barnyard version - 2-1.9
pulledpork - 0.7.0
Did anyone knows what might be going on?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users