[Snort-users] logto 3.0

Carter Waxman (cwaxman) cwaxman at cisco.com
Tue Oct 17 09:55:30 EDT 2017


For the sake of updating the list… The last post was incorrect.

There are a couple of things going on.  Pasting your rule into logto.rules and running Snort like this:

$ src/snort -c install/etc/snort/snort.lua -R logto.rules

will get this:

Loading logto.rules:
ERROR: logto.rules:1 unknown rule keyword: logto.
ERROR: logto.rules:1 unknown rule keyword: sid=400000001.
Finished logto.rules.

So logto is no longer supported and your rule should look like this:

alert icmp any any -> any any ( sid:400000001; rev:1; )

One way to log to file is like this:

$ src/snort -c install/etc/snort/snort.lua -R logto.rules -r ~/Test/pcaps/ping.pcap --lua "alert_csv = { file = true }"

There are other options.  The --lua option is shown here but that could be in your conf.  See the manual for details, e.g. under Usage / Output Files.
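Fixing the one rule quoted in this thread by hand is easy; a rule file full of legacy options is not. The script below is an added example (not Snort's code and not from this thread) that drops the unsupported logto option and normalises the sid=... typo into sid:..., reproducing the corrected rule above and reporting each change for review. It assumes rule options are separated by ';' outside double quotes; for a real migration Snort 3 also ships its own converter, snort2lua.

```python
import re

# Options Snort 3 rejects outright; the thread shows "unknown rule keyword: logto".
UNSUPPORTED_OPTIONS = {"logto"}

# header = everything before the first '(', body = everything inside the parentheses
_RULE_RE = re.compile(r"^\s*(?P<header>[^(]+?)\s*\((?P<body>.*)\)\s*$")


def _split_options(body: str) -> list[str]:
    """Split on ';' outside double quotes so content:"a;b" stays intact."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            quoted = not quoted
        elif ch == ";" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if buf:
        parts.append("".join(buf))
    return parts


def migrate_rule(rule: str) -> tuple[str, list[str]]:
    """Rewrite one Snort 2 text rule for Snort 3 and list what was changed."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not a rule: {rule!r}")
    header = " ".join(m.group("header").split())
    notes: list[str] = []
    kept: list[str] = []
    for raw in _split_options(m.group("body")):
        opt = raw.strip()
        if not opt:
            continue
        # 'key=value' (the typo in the thread) becomes Snort's 'key:value'.
        if ":" not in opt and "=" in opt:
            key, value = opt.split("=", 1)
            opt = f"{key.strip()}:{value.strip()}"
            notes.append(f"rewrote '{raw.strip()}' as '{opt}'")
        if opt.split(":", 1)[0].strip() in UNSUPPORTED_OPTIONS:
            notes.append(f"dropped unsupported option '{opt}'")
            continue
        kept.append(opt)
    body = " ".join(f"{o};" for o in kept)
    return f"{header} ( {body} )", notes
```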


From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of "Carter Waxman (cwaxman) via Snort-users" <snort-users at lists.snort.org>
Reply-To: "Carter Waxman (cwaxman)" <cwaxman at cisco.com>
Date: Tuesday, October 17, 2017 at 9:42 AM
To: kahleong_fong <kahleong_fong at yahoo.com.sg>, "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: Re: [Snort-users] logto 3.0

Hello,

It looks like this was not added to 3.0, however it should have been. Thank you for finding this. We will be adding it back in the future. Until then, it is possible to configure default log paths with the -l command line option.

-Carter

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of kahleong_fong via Snort-users <snort-users at lists.snort.org>
Reply-To: kahleong_fong <kahleong_fong at yahoo.com.sg>
Date: Tuesday, October 17, 2017 at 3:24 AM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: [Snort-users] logto 3.0

hi all,

It has been a while since 2004 that I touched snort! I remembered the logto option to capture pkts used to work.
In the 3.0 release, I just cannot seem to get it to capture the pkts to the file.


alert icmp any any -> any any (logto:/var/snort/log/logto_log;sid=400000001; rev:1;)

I am able to see the alerts however no pkts in the logto_log file.

please advise.
regards