Snort mailing list archives

RE: How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired


From: "Esler, Joel - Contractor" <joel.esler () rcert-s army mil>
Date: Wed, 8 Sep 2004 17:32:33 -0400

Why don't you use binary output and you can just do session tagging?

Joel

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jason
Sent: Wednesday, September 08, 2004 3:20 PM
To: Loch Theary
Cc: Hart Clarence (rti1clh); emf () servervault com; snort-users () lists sourceforge net
Subject: Re: [Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired


preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
output log_tcpdump: filename alert.pcap

ruletype suspect {
   type log
   output log_tcpdump: suspicious.pcap
}

ruletype redalert
{
   type log
   output log_tcpdump: redalert.pcap
}

suspect tcp any any -> any 22 (msg:"I see port 22"; tag:session, 30, seconds; )

redalert tcp any any -> any 80 (msg:"I see port 80"; tag:session, 30, seconds; )




Loch Theary wrote:

Hi again,

Could you please publish a working snort.conf with the log_tcpdump
ruletype and the corresponding suspicious rules of your own? Because
I have created a suspicious ruletype in my snort.conf and then used it
in local.rules, restarted snort, and it doesn't work at all!

I probably missed something but I can't figure out what! :-(

Could you help ?

Regards,
Theary


-----Original Message-----
From: Jason [mailto:security () brvenik com]
Sent: Monday, September 6, 2004 23:31
To: Loch Theary
Cc: Hart Clarence (rti1clh); emf () servervault com; snort-users () lists sourceforge net
Subject: Re: [Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired


You still want log_tcpdump; however, you can create another output type
for just the alerts you want to go into the tcpdump format file. You can
create as many alert types as you would like, for different files for
different alerts... Just watch how they are ordered in the rare case you
hit a dependency.

http://www.snort.org/docs/snort_manual/node16.html#SECTION00421000000000000000

Loch Theary wrote:


Yes, I've tried that. But in this case, you log all packets in
tcpdump format and not only the selected rules. And doing so, I don't
know how many hard disks you will need for a big big network! And if you
want to investigate further for some alerts, you will have to deal
with all alerts...

I'm wondering if there are other ways to deal with the tcpdump format
than adding the log_tcpdump directive in snort.conf.

-----Original Message-----
From: Jason [mailto:security () brvenik com]
Sent: Monday, September 6, 2004 17:07
To: Loch Theary
Cc: Hart Clarence (rti1clh); emf () servervault com; snort-users () lists sourceforge net
Subject: Re: [Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired


I think you need to remove logto from the rules and use this in
snort.conf

http://www.snort.org/docs/snort_manual/node13.html#SECTION00345000000000000000


Loch Theary wrote:



My respects all,

It doesn't work even with the "logto" directive.




These are my modified alert rules:


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"WEB-MISC cross site scripting attempt"; \
flow:to_server,established; content:"<SCRIPT>"; nocase; \
logto:"/snort/logs/suspicious.tcpdump"; tag:session,50,packets; \
classtype:web-application-attack; sid:1497; rev:6;)


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"WEB-ATTACKS mail command attempt"; \
flow:to_server,established; content:"/bin/mail"; nocase; \
logto:"/snort/logs/suspicious.tcpdump"; tag:session,50,packets; \
classtype:web-application-attack; sid:1366; rev:5;)


I can't determine what I am doing wrong...


Can anyone help?

Regards, Theary

-----Original Message-----
From: Hart Clarence (rti1clh) [mailto:CHart () ups com]
Sent: Friday, September 3, 2004 15:40
To: 'emf () servervault com'; Loch Theary
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired


If you use the alert tag, where are the log files going to go?
(filenames or database)


C


-----Original Message-----
From: Erik Fichtner [mailto:emf () servervault com]
Sent: Thursday, September 02, 2004 12:55 PM
To: Loch Theary
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired



On Thu, Sep 02, 2004 at 05:05:02PM +0200, Loch Theary wrote:



Could you please tell me how to log a certain number of packets
when an alert is fired (tcpdump format)?


"tag:session,${NUMBER},packets;"

--
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
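Jason's snort.conf declares custom ruletypes whose output is log_tcpdump and tags sessions from the rules, while Theary's rules kept logto, which Jason advises removing. As an added example (not code from the thread or from Snort), this Python checker parses the ruletype blocks and lints a rules file for exactly those pitfalls: an action that is neither a builtin nor a declared ruletype, a leftover logto option, and a malformed tag argument. The sample snort.conf and rules are constructed; the accepted tag metrics (packets, seconds, bytes) and builtin action names are assumptions taken from Snort 2 rule syntax.

```python
import re

BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{(.*?)\}", re.S)
RULE_RE = re.compile(r"^(\w+)\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$")
TAG_RE = re.compile(r"\btag\s*:\s*([^;]*);")

# Constructed samples modelled on the thread: a declared ruletype, one clean rule, and one
# rule that uses an undeclared ruletype, keeps logto, and misspells the tag metric.
CONF = """
ruletype suspect {
   type log
   output log_tcpdump: suspicious.pcap
}
"""
RULES = """
suspect tcp any any -> any 22 (msg:"I see port 22"; tag:session, 30, seconds; )
suspicious tcp any any -> any 80 (msg:"bad"; logto:"/snort/logs/x.tcpdump"; tag:session,50,packet;)
"""

def parse_ruletypes(conf):
    """Map each ruletype declared in snort.conf to its (plugin, argument) output lines."""
    return {name: re.findall(r"\boutput\s+(\w+)\s*:\s*(\S+)", body)
            for name, body in RULETYPE_RE.findall(conf)}

def check_tag(spec):
    """Validate 'session,30,seconds'-style tag arguments; return a message, or None if fine."""
    kind, count, metric = ([p.strip() for p in spec.split(",")] + ["", ""])[:3]
    if kind not in ("session", "host") or not count.isdigit() or int(count) == 0:
        return f"tag needs session|host,<positive count>,<metric>: got {spec!r}"
    if metric not in ("packets", "seconds", "bytes"):
        return f"tag metric must be packets|seconds|bytes: got {metric!r}"

def lint_rules(rules_text, ruletypes):
    """Return (line_no, problem) pairs for a one-rule-per-line rules text."""
    problems = []
    for no, line in enumerate(map(str.strip, rules_text.splitlines()), 1):
        m = RULE_RE.match(line)
        if not m:
            if line and not line.startswith("#"):     # blanks and comments are fine
                problems.append((no, "unparsable rule"))
            continue
        action, opts = m.groups()
        if action not in BUILTIN_ACTIONS and action not in ruletypes:
            problems.append((no, f"action {action!r} is neither builtin nor a declared ruletype"))
        if "logto:" in opts:  # thread's advice: drop logto, use the ruletype's log_tcpdump output
            problems.append((no, "logto: does not apply to tcpdump-format output"))
        problems += [(no, err) for err in map(check_tag, TAG_RE.findall(opts)) if err]
    return problems
```

Running lint_rules(RULES, parse_ruletypes(CONF)) reports nothing for the first rule and three findings on the second, which is the shape of the mistake Theary ran into.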
