Snort mailing list archives
Re: Tag Feature question
From: Martin Holste <mcholste () gmail com>
Date: Wed, 2 Mar 2011 18:27:42 -0600
If you want to "tag" all connections, I recommend running StreamDB (http://code.google.com/p/streamdb/). I just added object extraction and experimental automatic VirusTotal submission for extracted objects like executables, PDFs, etc.

On Wed, Mar 2, 2011 at 10:01 AM, Josh Blender <jsblists () gmail com> wrote:

> Thank you. I think I actually figured this out, though. It seems that the tag option only works with the "alert" action and does not function at all with the "log" type. I suppose this may have something to do with my default output device being a mysql log, which is specifically said to not function with "tag", but I'm not quite sure. In any case, I have it doing what I need now. Thanks.
>
> On Wed, Mar 2, 2011 at 7:47 AM, Edward Fjellskål <edwardfjellskaal () gmail com> wrote:
>
>> I published a blog post about the tag option: http://www.gamelinux.org/?p=329 "Packetcapture with Snort using the “tag” option"
>>
>> Hope this might give you an idea on how to turn your snort into a pcap device ;)
>>
>> E
>>
>> On Tue, Mar 1, 2011 at 5:33 PM, Josh Blender <jsblists () gmail com> wrote:
>>
>>> Hi,
>>>
>>> I'm a pretty new Snort user and I'm trying to get the "tag:" feature to work so that I can capture the entire connection once a packet triggers a rule. Unfortunately, I've tested this in several ways, and I simply can't get this tag feature to work.
>>>
>>> In local.rules, I have:
>>>
>>>     tagtest tcp any any -> {ip address} 80 (content:"/{url}"; tag:host,5,packets,src; sid:100002; rev:1)
>>>
>>> and I have a dedicated log file for catching this rule:
>>>
>>>     ruletype tagtest
>>>     {
>>>         type log
>>>         output log_tcpdump: tagtest.log
>>>     }
>>>
>>> I've also tried using "tag:session,10,seconds" and various output methods (not database, as I understand that does not work properly). No matter what I do, I cannot get Snort to log more than the first packet. The rule works perfectly - it triggers on traffic that I want it to trigger on, and it writes to the log files perfectly, but it just will NOT log anything more than 1 packet no matter what I do.
>>>
>>> Are there any preprocessor directives that are required to let tagging work? Anything else I might be missing that might prevent this from working?
>>>
>>> Thank you,
>>> Josh B
>>>
>>> ------------------------------------------------------------------------------
>>> Free Software Download: Index, Search & Analyze Logs and other IT data in Real-Time with Splunk. Collect, index and harness all the fast moving IT data generated by your applications, servers and devices whether physical, virtual or in the cloud. Deliver compliance at lower cost and gain new business insights. http://p.sf.net/sfu/splunk-dev2dev
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users () lists sourceforge net
>>> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> --
>> Edward Bjarte Fjellskål
>> Senior Security Analyst
>> http://www.gamelinux.org/
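An added example, not code from the thread or from the Snort project: a small Python lint that catches the two ways a tag option can silently do nothing as discussed above, a tag attached to a custom ruletype whose base type is log rather than alert (Josh's finding), and a host tag that lacks the src/dst direction field. The sample configuration is constructed from the rule and ruletype Josh posted, with his placeholders kept, and the tag grammar checked (type, count, metric, optional direction) is an assumption about Snort 2.x syntax rather than something the thread states.

```python
import re

# Constructed sample modelled on the rule and ruletype posted in the thread;
# {ip address} and {url} are the thread's own placeholders, not real values.
SAMPLE_CONFIG = """
ruletype tagtest
{
    type log
    output log_tcpdump: tagtest.log
}
tagtest tcp any any -> {ip address} 80 (content:"/{url}"; tag:host,5,packets,src; sid:100002; rev:1;)
alert tcp any any -> {ip address} 80 (content:"/{url}"; tag:session,10,seconds; sid:100003; rev:1;)
alert tcp any any -> {ip address} 80 (content:"/{url}"; tag:host,5,packets; sid:100004; rev:1;)
"""
RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{[^}]*?\btype\s+(\w+)", re.S)
RULE_RE = re.compile(r"^(\w+)\s+\w+\s+.*\((.*)\)\s*$")   # action, option body
TAG_RE = re.compile(r"\btag\s*:\s*([^;]+);")
METRICS = {"packets", "seconds", "bytes"}

def custom_ruletypes(config):
    """Map each `ruletype NAME { type BASE ... }` block to its base action."""
    return dict(RULETYPE_RE.findall(config))

def check_tag(value):
    """Return a problem description for a tag value, or None if it is well-formed."""
    f = [x.strip() for x in value.split(",")]
    if len(f) < 3 or f[0] not in ("session", "host"):
        return f"malformed tag option 'tag:{value}'"
    if not f[1].isdigit() or f[2] not in METRICS:
        return f"count/metric not recognised in 'tag:{value}'"
    if f[0] == "host" and (len(f) < 4 or f[3] not in ("src", "dst")):
        return f"host tag needs a src/dst direction: 'tag:{value}'"
    return None

def lint(config):
    """Return (sid, problem) pairs for tagged rules that will not capture as intended."""
    bases, problems = custom_ruletypes(config), []
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        tag = TAG_RE.search(m.group(2)) if m else None
        if not tag:
            continue
        sid_m = re.search(r"\bsid\s*:\s*(\d+)", m.group(2))
        sid, action = (sid_m.group(1) if sid_m else "?"), m.group(1)
        base = bases.get(action, action)   # resolve a custom ruletype to its base type
        if base != "alert":   # the pitfall from the thread: tag on a log-type rule
            problems.append((sid, f"tag on '{action}' (type {base}) did not take effect; use alert"))
        err = check_tag(tag.group(1))
        if err:
            problems.append((sid, err))
    return problems
```

Running `lint(SAMPLE_CONFIG)` flags sid 100002 (custom ruletype resolves to log) and sid 100004 (host tag without direction) and leaves the alert/session rule alone.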
Current thread:
- Tag Feature question Josh Blender (Mar 01)
- Re: Tag Feature question Edward Fjellskål (Mar 02)
- Re: Tag Feature question Josh Blender (Mar 02)
- Re: Tag Feature question Martin Holste (Mar 02)
- Re: Tag Feature question Josh Blender (Mar 02)
- Re: Tag Feature question Edward Fjellskål (Mar 02)