[Snort-users] [SUSPECTED SPAM] snort3.0 doesn't log the triggering packet of an alert

Maxim hittlle at ...7427...
Thu Jan 5 21:41:59 EST 2017


Hi Albert,
Thanks for your help. Attached please kindly find my snort.lua. My question is not that snort doesn't record any packets to unified2 file, but the first packet that triggeres the alert. What I am doing is this: if a packet fire a rule, tell snort to record the bidirectional packets (packets belonging to the same session) of that session. So, I write the following rule:


             alert tcp any any -> any 80 ( msg:"test-http-req-body"; content:"abc";http_client_body; flowbits:isnotset,105;flowbits:set,105;tag:session;sid: 105;rev:1;)


As you can see, I used flowbits and tag:session to accomplish this. And ran snort this way:
            /opt/snort3.0/bin/snort -c /var/log/snort/snort.lua -i eth0 -D -l /var/log/snort/


As you can see from the attached unified2 log file, I can see the alert, and the HTTP response packet. But I cannot find the request packet payload information there. Am I missing something here? Thanks.
       






At 2017-01-05 19:17:23, "Al Lewis (allewi)" <allewi at ...589...> wrote:

Hello Maxim,


Please see the section under the snort3 manual for loggers:


https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/004/860/original/snort_manual.html?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1483618124&Signature=4RZ4GTblHk9jmFlDhjHddxo%2BA28%3D#_logger_modules




Its impossible to say what the issue is without a copy of your configuration. 


Attached is a basic config that should log any tcp packet.


All I did was run it with this below:


./bin/snort -c etc/snort/maxim.lua -r /home/alewis/Downloads/CURL.pcap -l .




And it produced log files as these (unified log is there):




alewis at ...17722...:/var/tmp/snort++$ ls
alert_full.txt  bin  core  etc  include  lib  log_codecs.txt  share  unified2.log
alewis at ...17722...:/var/tmp/snort++$ 





Albert Lewis

ENGINEER.SOFTWARE ENGINEERING

SOURCEfire, Inc. now part of Cisco

Email: allewi at ...589... 



From: Maxim <hittlle at ...7427...>
Date: Thursday, January 5, 2017 at 3:19 AM
To: 'snort-users' <snort-users at lists.sourceforge.net>
Subject: [SUSPECTED SPAM] [Snort-users] snort3.0 doesn't log the triggering packet of an alert



Hi snort experts,
    I just tried snort 3.0, and found that it doesn't log the triggering packet of an alert if I use unified2 logger. Is it a bug or am I missing any required configurations? It's very different from snort 2.9.8.0. Many thanks.




 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170106/caa4056d/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.lua
Type: application/octet-stream
Size: 37660 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170106/caa4056d/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unified2.log.1483669389
Type: application/octet-stream
Size: 1464 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170106/caa4056d/attachment-0001.obj>


More information about the Snort-users mailing list