[Snort-users] [SUSPECTED SPAM] snort3.0 doesn't log the triggering packet of an alert

Russ rucombs at ...589...
Mon Jan 9 09:03:01 EST 2017



On 1/9/17 2:53 AM, Maxim wrote:
> Hi Albert,
> In section 1.3.2 of snort3.0 manual, there is a saying:
>    "-A u2 is the same as -A unified2 and will log events and triggering 
> packets in a binary file that you can feed to other tools for post 
> processing. Note that Snort 3 does not provide the raw packets for 
> alerts on PDUs; you will get the actual buffer that alerted. "
> I think it has something to do with this. Am I right?
Correct.  We can try to provide more information.  Please describe the 
info you need and how you use it.  In general, raw packets aren't 
terribly helpful, but we could log other buffers as well.
>
> Hittlle
>
>
>
>
> At 2017-01-09 11:46:42, "Maxim" <hittlle at ...7427...> wrote:
>
>     Hi Albert,
>     It is the HTTP request packet that fires the alert, so this packet
>     should be recorded, right? And all packets in the same session
>     after this offensive request packet should be logged, right? Many
>     thanks.
>
>
>
>
>
>     At 2017-01-07 06:37:19, "Al Lewis (allewi)" <allewi at ...589...
>     <mailto:allewi at ...589...>> wrote:
>
>         You can capture the session traffic with just the tagging.
>
>         I don’t think your problem is with the session/tagging
>         functionality. You need to create a rule that alerts THEN
>         starts recording.
>
>         Snort will not be able to go back and capture packets BEFORE
>         the rule alerted. So if you have a rule that alerts on a
>         response packet Snort will not be able to go back and
>         “recapture” the request or packets that happened BEFORE the alert.
>
>         See attached. It uses a telnet session to alert on the SYN
>         flag, then logs traffic for the next second.
>
>         I ran snort like this
>
>         "snort -c etc/snort/maxim.lua -r etc/snort/maxim.pcap -k none -l ."
>
>          which produced the pcap, alert, codec and unified log files.
>
>
>         Hope this helps.
>
>         *Albert Lewis*
>
>         ENGINEER.SOFTWARE ENGINEERING
>
>         SOURCE*fire*, Inc. now part of *Cisco*
>
>         Email: allewi at ...589... <mailto:allewi at ...589...>
>
>
>         From: Maxim <hittlle at ...7427... <mailto:hittlle at ...7427...>>
>         Date: Thursday, January 5, 2017 at 9:41 PM
>         To: allewi <allewi at ...589... <mailto:allewi at ...589...>>
>         Cc: 'snort-users' <snort-users at lists.sourceforge.net
>         <mailto:snort-users at lists.sourceforge.net>>
>         Subject: Re:Re: [SUSPECTED SPAM] [Snort-users] snort3.0
>         doesn't log the triggering packet of an alert
>
>         Hi Albert,
>         Thanks for your help. Attached please kindly find my
>         snort.lua. My question is not that snort doesn't record any
>         packets to unified2 file, but the first packet that triggers
>         the alert. What I am doing is this: if a packet fires a rule,
>         tell snort to record the bidirectional packets (packets
>         belonging to the same session) of that session. So, I write
>         the following rule:
>
>             alert tcp any any -> any 80 ( msg:"test-http-req-body"; content:"abc"; http_client_body; flowbits:isnotset,105; flowbits:set,105; tag:session; sid:105; rev:1; )
>
>         As you can see, I used flowbits and tag:session to accomplish
>         this. And ran snort this way:
>             /opt/snort3.0/bin/snort -c /var/log/snort/snort.lua -i eth0 -D -l /var/log/snort/
>
>         As you can see from the attached unified2 log file, I can see
>         the alert, and the HTTP response packet. But I cannot find the
>         request packet payload information there. Am I missing
>         something here? Thanks.
>
>
>
>
>
>         At 2017-01-05 19:17:23, "Al Lewis (allewi)" <allewi at ...589...
>         <mailto:allewi at ...589...>> wrote:
>
>             Hello Maxim,
>
>             Please see the section under the snort3 manual for loggers:
>
>             https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/004/860/original/snort_manual.html?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1483618124&Signature=4RZ4GTblHk9jmFlDhjHddxo%2BA28%3D#_logger_modules
>
>
>             It's impossible to say what the issue is without a copy of
>             your configuration.
>
>             Attached is a basic config that should log any tcp packet.
>
>             All I did was run it with this below:
>
>             ./bin/snort -c etc/snort/maxim.lua -r
>             /home/alewis/Downloads/CURL.pcap -l .
>
>
>             And it produced log files as these (unified log is there):
>
>
>             alewis at ...17722...:/var/tmp/snort++$ ls
>             alert_full.txt  bin  core  etc  include  lib
>              log_codecs.txt  share  unified2.log
>             alewis at ...17722...:/var/tmp/snort++$
>
>
>             *Albert Lewis*
>
>             ENGINEER.SOFTWARE ENGINEERING
>
>             SOURCE*fire*, Inc. now part of *Cisco*
>
>             Email: allewi at ...589... <mailto:allewi at ...589...>
>
>
>             From: Maxim <hittlle at ...7427... <mailto:hittlle at ...7427...>>
>             Date: Thursday, January 5, 2017 at 3:19 AM
>             To: 'snort-users' <snort-users at lists.sourceforge.net
>             <mailto:snort-users at lists.sourceforge.net>>
>             Subject: [SUSPECTED SPAM] [Snort-users] snort3.0 doesn't
>             log the triggering packet of an alert
>
>             Hi snort experts,
>                 I just tried snort 3.0, and found that it doesn't log
>             the triggering packet of an alert if I use unified2
>             logger. Is it a bug or am I missing any required
>             configurations? It's very different from snort 2.9.8.0.
>             Many thanks.
>
>
>
>
>
>
>
>
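The whole thread turns on what a unified2 file actually holds for a given event: Russ's point is that Snort 3 writes the buffer that alerted rather than the raw packet, and Al's point is that tagging only records packets after the alert fires. The quickest way to settle "did my triggering request get logged?" is to read the file and list, per event id, the packet records attached to it. The following Python reader is an added example, not code from this thread or from the Snort project. It relies only on the public unified2 layout (big-endian record header of type and length; packet record type 2 with sensor_id, event_id, event_second, packet_second, packet_microsecond, linktype, packet_length; and the nine 32-bit fields that the four IDS event record types 7, 72, 104 and 105 share at their start). The sample bytes at the bottom are constructed here to exercise the parser and are not real Snort output.

```python
import struct
from collections import defaultdict

# Unified2 record types, as defined in Snort's unified2 header.
UNIFIED2_PACKET = 2
# IDS_EVENT (IPv4), IDS_EVENT_IPV6, IDS_EVENT_V2 (IPv4), IDS_EVENT_IPV6_V2
UNIFIED2_EVENT_TYPES = {7, 72, 104, 105}

# All unified2 integers are big-endian (network byte order).
RECORD_HDR = struct.Struct("!II")   # record type, record length
# Packet record: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length, then packet_length bytes of data.
PACKET_HDR = struct.Struct("!7I")
# Prefix shared by all four event record types: sensor_id, event_id,
# event_second, event_microsecond, signature_id, generator_id,
# signature_revision, classification_id, priority_id. Address and port
# fields follow and differ per type, so they are not parsed here.
EVENT_PREFIX = struct.Struct("!9I")


def iter_records(data):
    """Yield (record_type, body) for each record in a unified2 byte string."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):
            raise ValueError("truncated unified2 record at offset %d" % (off - RECORD_HDR.size))
        yield rtype, data[off:off + rlen]
        off += rlen


def summarize(data):
    """Return ({event_id: event_info}, {event_id: [packet_info, ...]})."""
    events = {}
    packets = defaultdict(list)
    for rtype, body in iter_records(data):
        if rtype in UNIFIED2_EVENT_TYPES:
            f = EVENT_PREFIX.unpack_from(body, 0)
            events[f[1]] = {"gid": f[5], "sid": f[4], "rev": f[6], "event_second": f[2]}
        elif rtype == UNIFIED2_PACKET:
            h = PACKET_HDR.unpack_from(body, 0)
            start = PACKET_HDR.size
            packets[h[1]].append({"packet_second": h[3], "linktype": h[5],
                                  "data": body[start:start + h[6]]})
    return events, dict(packets)


def events_without_packets(data):
    """Event ids with no packet record attached: the situation the thread asks about."""
    events, packets = summarize(data)
    return sorted(eid for eid in events if not packets.get(eid))


# --- constructed sample file (not real Snort output) -------------------------

def _event_record(event_id, sid):
    # 52-byte IDS_EVENT (type 7) body: the 9-field prefix plus zeroed address/port fields.
    body = EVENT_PREFIX.pack(0, event_id, 1483920000, 0, sid, 1, 1, 0, 3)
    body += b"\x00" * (52 - len(body))
    return RECORD_HDR.pack(7, len(body)) + body


def _packet_record(event_id, payload):
    body = PACKET_HDR.pack(0, event_id, 1483920000, 1483920000, 0, 1, len(payload)) + payload
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


SAMPLE = (
    _event_record(1, 105)
    + _packet_record(1, b"POST / HTTP/1.1\r\nHost: example\r\n\r\nabc")
    + _packet_record(1, b"HTTP/1.1 200 OK\r\n\r\n")
    + _event_record(2, 106)   # an event that has no packet record at all
)

if __name__ == "__main__":
    events, packets = summarize(SAMPLE)
    for eid, ev in events.items():
        print("event %d gid:sid:rev %d:%d:%d -> %d packet record(s)"
              % (eid, ev["gid"], ev["sid"], ev["rev"], len(packets.get(eid, []))))
    print("events lacking packets:", events_without_packets(SAMPLE))
```

To check a real file, pass its bytes to `summarize()` and look at the `data` field of each packet record for the event id of interest: with Snort 3 you should expect the alerting buffer (for the rule above, the HTTP client body) rather than a full Ethernet frame, and any packets tagged after the alert will appear as further records carrying the same event id.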


