Snort mailing list archives
Re: Snort-users Digest, Vol 128, Issue 4
From: Franco Esmores <franco.esmores () donweb com>
Date: Fri, 6 Jan 2017 12:31:15 -0300
---------------------------------------------------
Message: 1
Date: Fri, 6 Jan 2017 10:41:59 +0800 (CST)
From: Maxim <hittlle () 163 com>
Subject: Re: [Snort-users] [SUSPECTED SPAM] snort3.0 doesn't log the triggering packet of an alert
To: "Al Lewis (allewi)" <allewi () cisco com>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Message-ID: <3487a5ce.2e6d.15971a77e7d.Coremail.hittlle () 163 com>
Content-Type: text/plain; charset="gbk"

Hi Albert,

Thanks for your help. Attached please kindly find my snort.lua. My question is not that snort doesn't record any packets to the unified2 file, but that it doesn't record the first packet that triggers the alert. What I am doing is this: if a packet fires a rule, tell snort to record the bidirectional packets (packets belonging to the same session) of that session. So, I write the following rule:

alert tcp any any -> any 80 ( msg:"test-http-req-body"; content:"abc"; http_client_body; flowbits:isnotset,105; flowbits:set,105; tag:session; sid:105; rev:1; )
Try using a rule like this one:

reject tcp any any -> $HOME_NET $HTTP_PORTS ( msg:"Possible wp-login.php Brute Force Attack"; sid:40338; classtype:web-application-activity; \
    flow:to_server; content:"GET"; uricontent:"/wp-login.php"; flags:A,P; priority:2; rev:1; )

In this case I use the CONTENT and URICONTENT; either way, if I don't use "uricontent" to catch "wp-login.php" (in this case) it won't work.
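A diagnostic for the problem Maxim describes, added here as an example and not code from either poster or from the Snort project: it walks a unified2 file record by record and lists the events that have no PACKET record carrying the same (sensor_id, event_id), which is exactly the "event logged, triggering packet missing" condition. The record type numbers and field layouts are the unified2 on-disk format; the sample file bytes are constructed inline and are not a real capture.

```python
import struct

# unified2 record types (from the unified2 on-disk format)
PACKET = 2
IDS_EVENT, IDS_EVENT_IPV6, IDS_EVENT_V2, IDS_EVENT_IPV6_V2 = 7, 72, 104, 105
EVENT_TYPES = {IDS_EVENT, IDS_EVENT_IPV6, IDS_EVENT_V2, IDS_EVENT_IPV6_V2}

def iter_records(data):
    """Yield (type, body) per record: big-endian (type, length) header, then body."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        off += 8
        if off + rlen > len(data):
            raise ValueError(f"truncated record at offset {off - 8}")
        yield rtype, data[off:off + rlen]
        off += rlen

def events_without_packets(data):
    """Return {(sensor_id, event_id): sid} for events lacking a PACKET record.
    All event variants start with sensor_id, event_id, second, usec, sid, gid;
    a PACKET record starts with sensor_id, event_id, so only those are read."""
    events, packets = {}, set()
    for rtype, body in iter_records(data):
        if rtype in EVENT_TYPES:
            sensor, event_id, _sec, _usec, sid, _gid = struct.unpack_from("!6I", body)
            events[(sensor, event_id)] = sid
        elif rtype == PACKET:
            packets.add(struct.unpack_from("!II", body))
    return {key: sid for key, sid in events.items() if key not in packets}

# --- constructed sample data (not a real capture) ---
def _record(rtype, body):
    return struct.pack("!II", rtype, len(body)) + body

def _event(sensor, event_id, sid):
    # IDS_EVENT_V2: 9 x u32, src/dst IPv4, sport, dport, proto, impact_flag,
    # impact, blocked, mpls_label, vlan_id, pad (60 bytes)
    return _record(IDS_EVENT_V2, struct.pack("!9I2I2H4BI2H", sensor, event_id, 1483670400, 0,
        sid, 1, 1, 0, 2, 0x0A000001, 0x0A000002, 40000, 80, 6, 0, 0, 0, 0, 0, 0))

def _packet(sensor, event_id, payload):
    # PACKET: sensor_id, event_id, event_second, packet_second, packet_usec, linktype, length
    hdr = struct.pack("!7I", sensor, event_id, 1483670400, 1483670400, 0, 1, len(payload))
    return _record(PACKET, hdr + payload)

SAMPLE = b"".join([
    _event(1, 1, 105), _packet(1, 1, b"constructed packet bytes"),  # event with its packet
    _event(1, 2, 105),                                              # event, packet missing
])
```

Run `events_without_packets(open("snort.u2", "rb").read())` against a real log to get the sid of every event whose triggering packet never made it to the unified2 file.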