[Snort-users] tag:session problem

Al Lewis (allewi) allewi at ...589...
Fri Nov 25 08:01:52 EST 2016


Have you tried setting the tag timer?

Please see the README.tag section:

Note that the stream preprocessor is not checked for the existence of a
session.  A session here is based only on socket (IP address:port) pairs, so
that a session could end, but if a new session is started using the same socket
pair, packets will continue to get tagged.


tagged_packet_limit = 256

When an event is triggered on this rule, Snort will tag packets containing an
IP address that matches the source IP address of the packet that caused this
rule to alert for the next 100 seconds or 256 packets, whichever comes first.

Albert Lewis
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589...<mailto:allewi at ...589...>

From: Maxim <hittlle at ...7427...<mailto:hittlle at ...7427...>>
Date: Thursday, November 24, 2016 at 8:28 PM
To: 'snort-users' <snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>>
Subject: [Snort-users] tag:session problem

Hi snort team,
I come across a weird problem and need your help. I write the following rule to capture the bidirectional packets of the same session if the attacker triggers this rule
             alert tcp any any -> any 80 (msg:"bidirectional-packet-test";sid:10000001; rev:1; content:"test";http_uri; classtype: web-application-attack; flowbits: isnotset,foo;flowbits: set,foo;tag:session,exclusive;)
The purpose of this rule if to capture both the HTTP request and corresponding HTTP response packets. I launch snort as follows
              snort -c /etc/snort/snort.conf -D
after that, I use postman to simulate a request to my target, then I checked snort.log, and I can see both the request and response packets as expected. Then I use postman to send the same
HTTP request again, this time, I only see the request packet, but cannot find the response packet. I checked the stream5_tcp configuration items, and there is only a timeout item which I think
has something to do with this, I updated it from 180 seconds to 30 seconds and then omitted it and tried again, but I failed. Am I missing anything? Thanks.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20161125/6dbd49f4/attachment.html>

More information about the Snort-users mailing list