Snort mailing list archives

RE: Re: Snort-users digest, Vol 1 #3410 - 2 msgs


From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Tue, 5 Aug 2003 08:23:36 -0600

Could you instead specify in the snort.conf file that the data is logged
and alerted as specified in this line:

output database: log, mysql, user=root password=test dbname=db host=localhost

That way you should have your alerts in the ACID database but at the same
time an alert file in /var/log/snort.  Use snort -r with that file.  What I
have done is configured specific ruletypes in snort.conf and adjusted the
rules of interest accordingly.  I.e., Transfer-Encoding: chunked would be
something like this:

chunked tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
Transfer-Encoding\: chunked"; flow:to_server,established;
content:"Transfer-Encoding\:"; nocase; content:"chunked"; nocase;
classtype:web-application-attack; reference:bugtraq,4474;
reference:cve,CAN-2002-0079; reference:bugtraq,5033;
reference:cve,CAN-2002-0392; sid:1807; rev:1;)

And then set up the respective ruletype in snort.conf:

ruletype chunked
{
type log
output log_tcpdump: chunked.log
output database: log, mysql, user=snort dbname=snort host=localhost
}

By doing this you will have your alert in the ACID DB and also a TCPDUMP
format file in /var/log/snort with a filename chunked.log.xxxx.  For even
more info, throw in the "tag" option in the rule to capture raw data from
the session following the incident.

-----Original Message-----
From: Marc Quibell [mailto:mquibell () fbfs com]
Sent: Tuesday, August 05, 2003 7:36 AM
To: snort-users () lists sourceforge net
Cc: pauls () utdallas edu
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #3410 - 2 msgs

Hi Paul,
Bwaaahahahahaaaa! (j/k).

I think you're asking Snort to do more than it was designed to do, and
sorry, I don't know if it's really possible. Maybe one of the Snort experts
can help better. I know that when I need more info on a tcp/udp session,
I'll run TCPDUMP to look into it further.

"is there a way to reassemble packets that have been fed from snort to
mysql?"
Huh? Really, I don't believe any packets are disassembled in the process.
Maybe you mean, "is there a way to reconstruct the entire session that
kicked off this alert"? If this is the case, I would highly doubt there
would be a way to do that.

Marc



Date: Mon, 04 Aug 2003 20:28:14 -0500
From: Paul Schmehl <pauls () utdallas edu>
Reply-To: Paul Schmehl <pauls () utdallas edu>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Weird question

Now promise you won't laugh......is there a way to reassemble packets that
have been fed from snort to mysql?  Believe it or not, the networking guys
want something they can look at in tcpdump or ethereal.  (Yes, I know how
to enable that.  I want to look at stuff that's already in the database.)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
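An added example, not code from anyone in this thread, of what can be done with the chunked.log tcpdump file that Tim's ruletype writes: read the capture, put each flow's TCP segments back in sequence-number order, and re-apply the rule's two nocase content checks to the reassembled stream. The pcap bytes, addresses, ports and sequence numbers are constructed inline for the demo.

```python
import struct
from collections import defaultdict

def build_pcap(packets):
    """Constructed sample: libpcap file (Ethernet/IPv4/TCP) from (seq, payload) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # DLT_EN10MB
    for seq, payload in packets:
        # TCP: sport 40000 -> dport 80, data offset 5, flags PSH|ACK, no checksum
        tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10])) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip          # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def reassemble(pcap_bytes):
    """Return {(src, sport, dst, dport): bytes}, payloads joined in TCP sequence order."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off, flows = 24, defaultdict(list)
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":                   # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                                     # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]        # drops Ethernet padding
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        key = (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport)
        if payload:
            flows[key].append((seq, payload))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in flows.items()}

def matches_chunked_rule(stream):
    """Same test as the rule's two nocase content options, applied to the whole stream."""
    s = stream.lower()
    return b"transfer-encoding:" in s and b"chunked" in s

# Segments deliberately given out of order to show the sequence-number sort.
SAMPLE_PCAP = build_pcap([(1017, b"Transfer-Encoding: CHUNKED\r\n\r\n"),
                          (1000, b"POST / HTTP/1.1\r\n")])
```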

