[Snort-users] Help with HTTP extra data in unified2 log

Felipe Arturo Polanco felipeapolanco at gmail.com
Mon Mar 18 17:41:49 EDT 2019


I've been trying to log the HTTP hostname whenever there is a match but so
far I haven't been successful.

I'm following this guide:

This is the output I receive:

u2spewfoo ./alert2.log.1552943372

        sensor id: 0    event id: 1     event second: 1552943448
event microsecond: 390589
        sig id: 1000002 gen id: 1       revision: 1      classification: 1
        priority: 3     ip source:    ip destination:
        src port: 52146 dest port: 80   protocol: 6     impact_flag: 32
blocked: 1

As you can see there is no extra data header, even though I configured it
in here:

portvar HTTP_PORTS [80,8080]
preprocessor http_inspect_server: <trimmed> u_encode yes webroot no log_uri log_hostname
output alert_unified2: filename alert2.log

This is my rule:
drop tcp any any -> any $HTTP_PORTS (msg:"Alerting Test"; content:"test-message12345"; react:msg; metadata:ruleset community; metadata:internal-test; classtype:not-suspicious; sid:1000001;)

Is there something else I should enable to get the extra data headers?
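A quick way to check whether a unified2 file actually contains the HTTP hostname/URI extra-data records (record type 110) for a given event, independent of u2spewfoo, is to walk the records directly. This is an added example, not code from the post or from the Snort project; the record layout and type constants are written from memory of Snort's Unified2_common.h (UNIFIED2_EXTRA_DATA = 110, EVENT_INFO_HTTP_URI = 9, EVENT_INFO_HTTP_HOSTNAME = 10, EVENT_TYPE_EXTRA_DATA = 4) and should be checked against your Snort version; the sample bytes are constructed.

```python
import struct

# Constants as recalled from Snort's Unified2_common.h (assumption; verify for your version).
UNIFIED2_EXTRA_DATA = 110
EVENT_TYPE_EXTRA_DATA = 4
EVENT_INFO_HTTP_URI = 9
EVENT_INFO_HTTP_HOSTNAME = 10
EXTRA_DATA_NAMES = {EVENT_INFO_HTTP_URI: "http_uri", EVENT_INFO_HTTP_HOSTNAME: "http_hostname"}

RECORD_HDR = struct.Struct("!II")        # type, length (network byte order)
EXTRA_HDR = struct.Struct("!II")         # event_type, event_length
SERIAL_EXTRA = struct.Struct("!IIIIII")  # sensor_id, event_id, event_second, type, data_type, blob_length

def parse_records(buf):
    """Yield (record_type, payload) for every unified2 record in buf, stopping on truncation."""
    off = 0
    while off + RECORD_HDR.size <= len(buf):
        rtype, rlen = RECORD_HDR.unpack_from(buf, off)
        off += RECORD_HDR.size
        if off + rlen > len(buf):
            raise ValueError("truncated record at offset %d" % off)
        yield rtype, buf[off:off + rlen]
        off += rlen

def extract_http_extra_data(buf):
    """Map (sensor_id, event_id) -> {'http_hostname': ..., 'http_uri': ...} found in the stream."""
    found = {}
    for rtype, payload in parse_records(buf):
        if rtype != UNIFIED2_EXTRA_DATA:
            continue  # event and packet records carry no extra data; skip them
        body = payload[EXTRA_HDR.size:]
        sensor_id, event_id, _sec, etype, _dtype, blob_len = SERIAL_EXTRA.unpack_from(body, 0)
        # blob_length counts the type and data_type fields (8 bytes) plus the blob itself
        blob = body[SERIAL_EXTRA.size:SERIAL_EXTRA.size + blob_len - 8]
        if etype in EXTRA_DATA_NAMES:
            found.setdefault((sensor_id, event_id), {})[EXTRA_DATA_NAMES[etype]] = blob.decode("utf-8", "replace")
    return found

def build_extra_record(sensor_id, event_id, event_second, etype, blob):
    """Constructed helper: serialise one type-110 extra-data record (data_type 1 = blob)."""
    serial = SERIAL_EXTRA.pack(sensor_id, event_id, event_second, etype, 1, len(blob) + 8) + blob
    body = EXTRA_HDR.pack(EVENT_TYPE_EXTRA_DATA, len(serial) + EXTRA_HDR.size) + serial
    return RECORD_HDR.pack(UNIFIED2_EXTRA_DATA, len(body)) + body

# Constructed sample: a dummy packet record (type 2) that is skipped, then hostname and URI for event 1.
SAMPLE = (RECORD_HDR.pack(2, 4) + b"\x00" * 4
          + build_extra_record(0, 1, 1552943448, EVENT_INFO_HTTP_HOSTNAME, b"example.test")
          + build_extra_record(0, 1, 1552943448, EVENT_INFO_HTTP_URI, b"/index.html"))

if __name__ == "__main__":
    print(extract_http_extra_data(SAMPLE))
```

Run it over a real file with `extract_http_extra_data(open(path, "rb").read())`; an empty result for an event id that u2spewfoo shows confirms that no extra-data records were written for it.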
