[Snort-users] Snort-users Digest, Vol 128, Issue 4

Franco Esmores franco.esmores at ...16990...
Fri Jan 6 10:31:15 EST 2017

> Message: 1
> Date: Fri, 6 Jan 2017 10:41:59 +0800 (CST)
> From: Maxim  <hittlle at ...7427...>
> Subject: Re: [Snort-users] [SUSPECTED SPAM] snort3.0 doesn't log the
> 	triggering packet of an alert
> To: "Al Lewis (allewi)" <allewi at ...589...>
> Cc: "snort-users at lists.sourceforge.net"
> 	<snort-users at lists.sourceforge.net>
> Message-ID: <3487a5ce.2e6d.15971a77e7d.Coremail.hittlle at ...7427...>
> Content-Type: text/plain; charset="gbk"
> Hi Albert,
> Thanks for your help. Attached please kindly find my snort.lua. My question is not that snort doesn't record any packets to unified2 file, but the first packet that triggers the alert. What I am doing is this: if a packet fires a rule, tell snort to record the bidirectional packets (packets belonging to the same session) of that session. So, I write the following rule:
>               alert tcp any any -> any 80 ( msg:"test-http-req-body"; content:"abc";http_client_body; flowbits:isnotset,105;flowbits:set,105;tag:session;sid: 105;rev:1;)

Try using a rule like this one

reject tcp any any -> $HOME_NET $HTTP_PORTS ( msg:"Possible wp-login.php Brute Force Attack"; sid:40338; classtype:web-application-activity;\
                        flow:to_server; content:"GET"; uricontent:"/wp-login.php"; flags:A,P; priority:2; rev:1)

In this case I use the CONTENT and URICONTENT; either way, if I don't
use "uricontent" to catch "wp-login.php" (in this case) it won't work.
