[Snort-users] tag:session problem
Al Lewis (allewi)
allewi at ...589...
Fri Nov 25 08:01:52 EST 2016
Have you tried setting the tag timer?
Please see the README.tag section:
Note that the stream preprocessor is not checked for the existence of a
session. A session here is based only on socket (IP address:port) pairs, so
that a session could end, but if a new session is started using the same socket
pair, packets will continue to get tagged.
tagged_packet_limit = 256
When an event is triggered on this rule, Snort will tag packets containing an
IP address that matches the source IP address of the packet that caused this
rule to alert for the next 100 seconds or 256 packets, whichever comes first.
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589...
From: Maxim <hittlle at ...7427...>
Date: Thursday, November 24, 2016 at 8:28 PM
To: 'snort-users' <snort-users at lists.sourceforge.net>
Subject: [Snort-users] tag:session problem
Hi snort team,
I have come across a weird problem and need your help. I wrote the following rule to capture the bidirectional packets of the same session if the attacker triggers this rule:
alert tcp any any -> any 80 (msg:"bidirectional-packet-test"; sid:10000001; rev:1; content:"test"; http_uri; classtype:web-application-attack; flowbits:isnotset,foo; flowbits:set,foo; tag:session,exclusive;)
The purpose of this rule is to capture both the HTTP request and the corresponding HTTP response packets. I launch Snort as follows:
snort -c /etc/snort/snort.conf -D
After that, I use Postman to send a request to my target, then check snort.log, and I can see both the request and response packets as expected. Then I use Postman to send the same
HTTP request again; this time I only see the request packet, but cannot find the response packet. I checked the stream5_tcp configuration items, and there is only a timeout item which I think
has something to do with this. I changed it from 180 seconds to 30 seconds, and then omitted it, and tried again, but without success. Am I missing anything? Thanks.
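The README.tag passage quoted in the reply describes how a tag entry lives and dies: it is keyed on the socket pair (ip:port, ip:port) alone, the stream preprocessor's session state is not consulted, and a time-based tag is additionally capped by tagged_packet_limit (default 256). The following Python model is an added example, not Snort's own code and not something from either poster; it replays constructed traffic through those rules so the timer and the cap can be seen working, including the case README.tag warns about, where a new connection reusing the same socket pair keeps being tagged. Two details are assumptions of the model rather than statements about Snort internals: a second alert on the same socket pair re-arms the tag, and the alerting packet is counted as the alert rather than against the cap. The rule match is a stand-in for the posted rule's `content:"test"; http_uri` test.

```python
# Added example (not Snort's own code): a model of the tagging behaviour
# described in README.tag.  A tag entry is keyed on the socket pair only,
# lives for <seconds> after the triggering alert, and is capped at
# tagged_packet_limit packets.  Stream session state is deliberately not
# consulted, so a new TCP connection reusing the same socket pair keeps
# being tagged until the timer or the packet cap runs out.
# Assumptions (model choices, not Snort internals): a second alert on the
# same socket pair re-arms the tag; the alerting packet is not counted
# against the cap.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float             # arrival time in seconds
    payload: bytes = b""


def socket_pair(p: Packet):
    """Direction-independent key, so a request and its response share it."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def rule_matches(p: Packet) -> bool:
    """Stand-in for the posted rule's detection part: an HTTP GET to port 80
    whose request line contains "test" (content:"test"; http_uri)."""
    request_line = p.payload.split(b"\r\n", 1)[0]
    return p.dport == 80 and request_line.startswith(b"GET ") and b"test" in request_line


class SessionTagger:
    """Models tag:session,<seconds>,seconds together with tagged_packet_limit."""

    def __init__(self, seconds: int, tagged_packet_limit: int = 256):
        self.seconds = seconds
        self.limit = tagged_packet_limit
        self.tags = {}    # socket pair -> [start_ts, packets tagged so far]

    def process(self, p: Packet) -> str:
        """Classify one packet as 'alert', 'tagged' or 'ignored'."""
        key = socket_pair(p)
        if rule_matches(p):
            self.tags[key] = [p.ts, 0]          # (re)arm the tag for this socket pair
            return "alert"
        entry = self.tags.get(key)
        if entry is None:
            return "ignored"
        start, count = entry
        if p.ts - start > self.seconds or count >= self.limit:
            del self.tags[key]                  # timer expired or packet cap reached
            return "ignored"
        entry[1] = count + 1
        return "tagged"


# Constructed traffic: client 10.0.0.5 talks to web server 10.0.0.1.
CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.1", 80)


def req(ts, uri, sport=CLIENT[1]):
    return Packet(CLIENT[0], sport, SERVER[0], SERVER[1], ts,
                  b"GET " + uri + b" HTTP/1.1\r\nHost: target\r\n\r\n")


def resp(ts, sport=CLIENT[1]):
    return Packet(SERVER[0], SERVER[1], CLIENT[0], sport, ts,
                  b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")


def run_scenario(seconds=100, tagged_packet_limit=256):
    """Replay a request/response, a reused socket pair, an expired timer and
    a different ephemeral port; return the tagger's verdict for each packet."""
    t = SessionTagger(seconds, tagged_packet_limit)
    return [t.process(p) for p in (
        req(0.0, b"/test"),                       # triggers the rule
        resp(0.01),                               # response, same socket pair
        req(30.0, b"/index.html"),                # new connection, same socket pair
        resp(30.01),                              # still tagged: timer not expired
        resp(200.0),                              # 100 s timer has expired
        req(200.1, b"/index.html", sport=40001),  # other socket pair, never tagged
    )]


def run_cap_scenario():
    """Show tagged_packet_limit cutting the tag off before the timer does."""
    t = SessionTagger(100, tagged_packet_limit=2)
    return [t.process(p) for p in (req(0.0, b"/test"), resp(0.1), resp(0.2), resp(0.3))]


if __name__ == "__main__":
    print(run_scenario())       # ['alert', 'tagged', 'tagged', 'tagged', 'ignored', 'ignored']
    print(run_cap_scenario())   # ['alert', 'tagged', 'tagged', 'ignored']
```

The third verdict is the one README.tag's note is about: the second GET on the reused socket pair is not an alert (its URI has no "test"), yet it is tagged anyway, because only the address:port pairs are compared. In Snort terms the model corresponds to a rule carrying `tag:session,100,seconds` with `config tagged_packet_limit: 256` in snort.conf; a packets metric on the tag option would make the count, not the timer, the first limit reached.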