[Snort-sigs] logging session using tagging

From: Christophe VG <snort-rules(at)valid.be>
Date: Mon Apr 28 2003 - 10:23:38 EDT


Hi all,

I'm encountering some trouble while logging a session once a given trigger is met. I'm using this rule:

log tcp any any <> any any (   \
  content: "TRIGGER";          \
  tag: session, 300, packets;  \
  session:printable;           \
  msg: "trigger triggered"; )

... which, in my opinion, should start logging the session as soon as it sees the word TRIGGER in any communication.

Now I have the following problems:

  1. The session is only fully dumped to file when the TCP connection is closed. Is it possible to force the dump to file immediately? Some sort of flush?
  2. I only see the src's side of the session being logged, e.g. using telnet to an SMTP server to have some quick feedback:

[xtof@host xtof]$telnet smtpserver 25
   Trying 10.0.0.1....
   Connected to smtpserver.
   Escape character is '^]'.
   220 smtpserver ESMTP
   HELO
   250 smtpserver
   TRIGGER
   502 unimplemented (#5.5.1)
   test
   502 unimplemented (#5.5.1)
   test2
   502 unimplemented (#5.5.1)
   ^]
   telnet> Connection closed.

   results in a session log:

[xtof@ids xtof]#cat SESSION\:8432-25
   TRIGGER
   HELO
   TRIGGER
   test
   test2

   while I was expecting :


   TRIGGER
   502 unimplemented (#5.5.1)
   test
   502 unimplemented (#5.5.1)
   test2
   502 unimplemented (#5.5.1)

One good thing is that I also have the HELO which occurred in front of the TRIGGER :) but I'd love to see the replies also show up in the session log.

Anyone got a clue what's missing/wrong here? Thanks again in advance,
Christophe VG
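As an added illustration (not part of the original post, and not Snort's own code), the following Python model shows what a tagged-session logger that behaves the way the poster expects would have to do: key the session independently of direction so that the server's replies land in the same log as the client's commands, start capturing only once the trigger string is seen, stop after the configured packet count, and emit each line as soon as it is seen instead of waiting for the connection to close. The SMTP exchange replayed at the bottom is constructed to mirror the telnet session in the post; the packet tuple, the `C`/`S` direction markers and the `replay()` helper are this example's own conventions, not Snort identifiers.

```python
"""Toy model of Snort-style 'tag: session' logging with both directions kept.

Constructed for illustration only: the Packet tuple, the C/S direction tags
and the line-by-line 'flush' are assumptions of this example, not Snort's API.
"""
from collections import namedtuple

# One TCP segment with a decoded payload (constructed, not a real capture).
Packet = namedtuple("Packet", "src sport dst dport payload")


def session_key(pkt):
    """Direction-independent key: both halves of a session map to the same key."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


class TaggedSessionLogger:
    def __init__(self, trigger, max_packets):
        self.trigger = trigger          # content string that starts tagging
        self.max_packets = max_packets  # like 'tag: session, N, packets'
        self.remaining = {}             # key -> packets still to capture
        self.client = {}                # key -> endpoint that sent the trigger
        self.logs = {}                  # key -> list of (direction, text)

    @staticmethod
    def printable(payload):
        """Mimic 'session: printable': keep ASCII text and line breaks only."""
        return "".join(ch for ch in payload if 32 <= ord(ch) < 127 or ch in "\r\n")

    def process(self, pkt):
        """Feed one packet; returns True if it was written to the session log."""
        key = session_key(pkt)
        if key not in self.remaining and self.trigger in pkt.payload:
            # First sight of the trigger in this session: start tagging.
            # (A second trigger in an already tagged session is ignored here.)
            self.remaining[key] = self.max_packets
            self.client[key] = (pkt.src, pkt.sport)
            self.logs[key] = []
        if self.remaining.get(key, 0) <= 0:
            return False  # not tagged, or packet budget exhausted
        self.remaining[key] -= 1
        direction = "C" if (pkt.src, pkt.sport) == self.client[key] else "S"
        line = (direction, self.printable(pkt.payload))
        self.logs[key].append(line)
        self.flush(key, line)
        return True

    @staticmethod
    def flush(key, line):
        """Emit immediately; no waiting for the connection to close."""
        direction, text = line
        print(f"SESSION:{key[0][1]}-{key[1][1]} {direction}> {text.rstrip()}")


# Constructed replay of the SMTP exchange from the post (client port 8432).
CLIENT = ("10.0.0.2", 8432)
SERVER = ("10.0.0.1", 25)


def c2s(payload):
    return Packet(CLIENT[0], CLIENT[1], SERVER[0], SERVER[1], payload)


def s2c(payload):
    return Packet(SERVER[0], SERVER[1], CLIENT[0], CLIENT[1], payload)


SAMPLE = [
    s2c("220 smtpserver ESMTP\r\n"),
    c2s("HELO\r\n"),
    s2c("250 smtpserver\r\n"),
    c2s("TRIGGER\r\n"),
    s2c("502 unimplemented (#5.5.1)\r\n"),
    c2s("test\r\n"),
    s2c("502 unimplemented (#5.5.1)\r\n"),
]


def replay(packets, trigger="TRIGGER", max_packets=300):
    """Run packets through the logger and return the per-session logs."""
    logger = TaggedSessionLogger(trigger, max_packets)
    for pkt in packets:
        logger.process(pkt)
    return logger.logs


if __name__ == "__main__":
    replay(SAMPLE)
```

Running the block prints the four lines after the trigger, alternating `C>` and `S>`, which is the interleaved view the post was expecting; the HELO and the 220 banner are not logged because they precede the trigger, and lowering `max_packets` cuts the capture off after that many packets regardless of direction.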




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Mon Apr 28 11:24:54 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT

