[Snort-users] Help with HTTP extra data in unified2 log

Felipe Arturo Polanco felipeapolanco at gmail.com
Mon Mar 18 17:41:49 EDT 2019


Hi,

I've been trying to log the HTTP hostname whenever there is a match but so
far I haven't been successful.

I'm following this guide:
https://blog.snort.org/2011/09/snort-291-http-and-smtp-logging.html

This is the output I receive:

u2spewfoo ./alert2.log.1552943372

(Event)
        sensor id: 0    event id: 1     event second: 1552943448        event microsecond: 390589
        sig id: 1000002 gen id: 1       revision: 1      classification: 1
        priority: 3     ip source: 192.0.0.6    ip destination: 155.94.239.208
        src port: 52146 dest port: 80   protocol: 6     impact_flag: 32 blocked: 1


As you can see there is no extra data header, even though I configured it
in here:

portvar HTTP_PORTS [80,8080]
preprocessor http_inspect_server: <trimmed> u_encode yes webroot no log_uri log_hostname
output alert_unified2: filename alert2.log


This is my rule:
drop tcp any any -> any $HTTP_PORTS ( msg:"Alerting Test"; content:"test-message12345"; react: msg; metadata:ruleset community; metadata: internal-test; classtype:not-suspicious; sid:1000001; rev:1; stream_reassemble:enable,both;)

Is there something else I should enable to get the extra data headers?

Thanks,
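Added example (not from the original post, and not Snort's own code): a small Python walker over a unified2 file that pairs each event with any EXTRA_DATA (type 110) records carrying the same (sensor id, event id, event second), so you can confirm directly whether hostname/URI records are being written rather than relying on u2spewfoo's output. Record layout and type numbers follow Snort's unified2 definitions; the sample bytes are constructed from the event in the post, with an assumed hostname.

```python
import struct

UNIFIED2_EXTRA_DATA = 110
EVENT_RECORD_TYPES = {7, 72, 104, 105}   # IDS_EVENT, _IPV6, _VLAN, _IPV6_VLAN
EXTRA_DATA_NAMES = {1: "XFF_IPV4", 2: "XFF_IPV6", 9: "HTTP_URI", 10: "HTTP_HOSTNAME"}

def iter_records(data):
    """Yield (record_type, body) per record; header is two big-endian uint32: type, length."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:          # truncated tail: file still being written
            break
        yield rtype, body
        off += 8 + rlen

def parse_extra_data(body):
    """Unified2ExtraDataHdr (event_type, event_length) + SerialUnified2ExtraData
    (sensor_id, event_id, event_second, type, data_type, blob_length), then the blob."""
    _, _, sensor_id, event_id, event_second, etype, _dt, _bl = struct.unpack_from("!8I", body)
    return {"key": (sensor_id, event_id, event_second),
            "name": EXTRA_DATA_NAMES.get(etype, "TYPE_%d" % etype),
            "value": body[32:].rstrip(b"\x00").decode("latin-1")}

def summarize(data):
    """Map every event key to its extra-data fields; events without extra data map to {}."""
    out = {}
    for rtype, body in iter_records(data):
        if rtype in EVENT_RECORD_TYPES:   # every event struct starts with these three uint32s
            out.setdefault(struct.unpack_from("!3I", body), {})
        elif rtype == UNIFIED2_EXTRA_DATA:
            ed = parse_extra_data(body)
            out.setdefault(ed["key"], {})[ed["name"]] = ed["value"]
    return out

# Constructed sample: the IDS_EVENT from the post (event id 1, second 1552943448)
# followed by one EXTRA_DATA record carrying an assumed HTTP hostname for that event.
_event = struct.pack("!11I2H4B", 0, 1, 1552943448, 390589, 1000002, 1, 1, 1, 3,
                     0xC0000006, 0x9B5EEFD0, 52146, 80, 6, 32, 0, 1)
_host = b"www.example.test"
_extra = struct.pack("!8I", 4, 24 + len(_host), 0, 1, 1552943448, 10, 1, 8 + len(_host)) + _host
SAMPLE = struct.pack("!II", 7, len(_event)) + _event + struct.pack("!II", 110, len(_extra)) + _extra

if __name__ == "__main__":
    for key, fields in summarize(SAMPLE).items():
        print(key, fields or "<no extra data>")
```

Run it against a real file with `summarize(open(path, "rb").read())`; an event that maps to `{}` had no extra-data record written for it.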