
[Snort-devel] Tagging Query/Problem?

From: Dave Ryan <dave(at)mongers.org>
Date: Wed Aug 27 2003 - 09:20:09 EDT


Hi,

Whilst attempting to develop some policy-based rules using the tagging functionality (I assume this is now the preferred method), I noticed some odd behaviour.

If this is not an issue and I am simply doing something wrong (hopefully this is the case), please let me know.

Example

Sample Rule:

    target tcp $HOME_NET any -> $EXTERNAL_NET 110 \
        (msg:"Target Acquired - Tagging"; \
        content:"USER"; nocase; content:"someuser"; \
        tag: host, 60, seconds, src;)

Sample Ruletype:

    target {
        type alert
        output alert_full: tagged.alert
        output log_tcpdump: tagged.log
    }

Scenario

I want to log all traffic associated with the src address, as per the sample rule above.

Issue

When using the above rule and ruletype together, the initial packet matched is alerted and logged. However, further packets are not logged. The interesting part is this:

Snort analyzed 320 out of 320 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 306        (95.625%)         ALERTS: 1
    UDP: 0          (0.000%)          LOGGED: 175
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 2          (0.625%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 11         (3.438%)
DISCARD: 0          (0.000%)

This would indicate that tagging has been activated and is logging packets based on the initial alert. However, in the binary dump, only the original packet is being logged.

[Note: I've enabled and disabled all the plugins, result is still the same]

Additional Info

I've used similar ruletypes to log binary data to separate log files before (without the tagging option), no problems.

I've enabled normal "output log_tcpdump: .." outside of a special ruletype and this works fine (i.e. all tagged packets are dumped to the binary logfile).

Doesn't seem to be much point running the binary through gdb as the system does not core, normal exit after a CTRL-C.

I did run it via ktrace and I can see where it writes the initial packet dump. However, subsequent writes are for snort during its exit. There are plenty of "read" operations, so it seems like snort is happily incrementing the log counter but is not writing the data out to file.


System Info

-*> Snort! <*-
Version 2.0.1 (Build 88)

[Note: I enabled debugging (noticed a minor error with debugging and vlan code, fixed in -CURRENT), but the "tag" keyword is not registered]

Ran with the following arguments: "snort -P 0 -c /path/to/snort.conf"

FreeBSD 4.8/i386


If you need any additional information let me know.

Cheers,
Dave.

-- 
http://dave.mongers.org


_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Received on Wed Aug 27 09:30:07 2003
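An added example, not part of Dave's post or of the Snort project's own code: a small Python checker that splits a Snort 2.x rule body into its options (respecting quoted values and escaped `\;`) and validates the `tag` option against the 2.0-era form `tag: <session|host>, <count>, <packets|seconds|bytes>[, <src|dst>]`. Run over a copy of the rule exactly as it appears in the post (no `;` between `content:"someuser"` and `tag:`), it reports the content value as malformed and finds no `tag` option at all; over the rule with the separator restored it passes. The option grammar it enforces is an assumption taken from the Snort 2.0 documentation, and both sample rules are constructed copies of the posted one.

```python
import re

# Constructed copies of the rule from the post: one as posted (no ';' after
# content:"someuser"), one with the separator restored.
BROKEN_RULE = r'''target tcp $HOME_NET any -> $EXTERNAL_NET 110 \
    (msg:"Target Acquired - Tagging"; \
    content:"USER"; nocase; content:"someuser" \
    tag: host, 60, seconds, src;)'''

FIXED_RULE = r'''target tcp $HOME_NET any -> $EXTERNAL_NET 110 \
    (msg:"Target Acquired - Tagging"; \
    content:"USER"; nocase; content:"someuser"; \
    tag: host, 60, seconds, src;)'''

# Assumed Snort 2.0-era tag grammar: tag: <type>, <count>, <metric>[, <direction>]
TAG_TYPES = {"session", "host"}
TAG_METRICS = {"packets", "seconds", "bytes"}
TAG_DIRECTIONS = {"src", "dst"}
QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')


def split_options(rule):
    """Split the parenthesised option body into (keyword, value) pairs.

    An option ends at an unquoted, unescaped ';'. The value is None for bare
    keywords such as 'nocase'. A trailing fragment with no ';' is kept so the
    linter can report it.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    body = body.replace("\\\n", " ")  # join backslash continuation lines
    pieces, buf, in_quote, i = [], "", False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # keep escaped char, e.g. \;
            buf += body[i : i + 2]
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            pieces.append(buf.strip())
            buf = ""
        else:
            buf += ch
        i += 1
    if buf.strip():
        pieces.append(buf.strip())  # option that was never terminated
    parsed = []
    for piece in pieces:
        key, sep, val = piece.partition(":")
        parsed.append((key.strip(), val.strip() if sep else None))
    return parsed


def check_tag(value):
    """Return a list of problems with one tag option value (empty if valid)."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) < 3 or parts[0] not in TAG_TYPES:
        return [f"tag: expected '<session|host>, <count>, <metric>...', got {value!r}"]
    problems = []
    if not parts[1].isdigit() or int(parts[1]) == 0:
        problems.append(f"tag: count must be a positive integer, got {parts[1]!r}")
    if parts[2] not in TAG_METRICS:
        problems.append(f"tag: metric must be one of {sorted(TAG_METRICS)}, got {parts[2]!r}")
    if parts[0] == "host":
        if len(parts) != 4 or parts[3] not in TAG_DIRECTIONS:
            problems.append("tag: host tagging needs a fourth field, src or dst")
    elif len(parts) != 3:
        problems.append("tag: session tagging takes exactly three fields")
    return problems


def lint_rule(rule):
    """Lint one rule; an empty list means no problems were found."""
    problems = []
    options = split_options(rule)
    for key, val in options:
        # msg and content take exactly one quoted string; anything after the
        # closing quote means the option was not terminated with ';'
        if key in ("msg", "content") and not (val and QUOTED.fullmatch(val)):
            problems.append(
                f"{key}: value is not a single quoted string, is a ';' missing "
                f"before the next option? got {val!r}"
            )
    tags = [val for key, val in options if key == "tag"]
    if not tags:
        problems.append("no tag option found")
    for t in tags:
        problems.extend(check_tag(t or ""))
    return problems


if __name__ == "__main__":
    for name, rule in (("as posted", BROKEN_RULE), ("with ';' restored", FIXED_RULE)):
        print(f"{name}: {lint_rule(rule) or 'OK'}")
```

Running the module prints the two findings for the rule as posted and `OK` for the corrected one; the checker is meant to run over a rules file before Snort loads it, so a silently swallowed option shows up as a lint error rather than as missing tagged traffic.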

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:09 EDT

