Snort mailing list archives
Re: Problem with session tagging - multiple alerts in session
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 11 Apr 2016 10:24:54 +0000
Hello,

Do you have an example of this problem (conf and pcap) that you can provide?

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Amir Kravitz [mailto:amirkravitz () gmx com]
Sent: Monday, April 11, 2016 1:45 AM
To: Al Lewis (allewi)
Cc: snort-sigs () lists sourceforge net
Subject: Re: RE: [Snort-sigs] Problem with session tagging - multiple alerts in session

Hi,

I'm not using the same sid for both rules. I made a mistake only in my example...

Sent: Wednesday, April 06, 2016 at 12:55 PM
From: "Al Lewis (allewi)" <allewi () cisco com>
To: "Amir Kravitz" <amirkravitz () gmx com>
Cc: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Subject: RE: [Snort-sigs] Problem with session tagging - multiple alerts in session

Hello,

If you use the rules you have below it probably doesn't work because you are using the SAME sid number over and only ONE rule is matching. Try changing the SID numbers to unique ones first and see if that helps.

Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Amir Kravitz [mailto:amirkravitz () gmx com]
Sent: Wednesday, April 06, 2016 2:41 AM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Problem with session tagging - multiple alerts in session

Hi,

I'm trying to post again after my last attempt came out as an http source..

I'm new to snort. I'm trying to use tag:session to log all the packets in the session. I found out that not all the packets in the session were logged as part of the session.
When other packets in the tagged session generated new alerts, they were logged with the event-id of the new alert (the one they just generated) and not with the tagged session's event-id. How can I identify all the packets in the session (even if some of them generated other alerts)?

I'm using the rules:

alert tcp any any -> any any ( content:"AAA" ; sid:10000001; tag:session,10,seconds; )
alert tcp any any -> any any ( content:"BBB" ; sid:10000001; )

Thanks,
Amir
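The reply above points at the first thing to check when a tagging rule seems to miss packets: two rules sharing one sid, so only one of them is ever matched. The following rule linter is an added example written for this thread; it is not Snort's own code and does not reproduce Snort's parser. It parses Snort 2 style rule lines, reports duplicate gid:sid pairs and rules with no sid, and sanity-checks the tag: option (type, count, metric, optional direction). The two sample rule sets embedded in it are constructed: the pair as posted in the thread, and the same pair with unique sids as suggested in the reply.

```python
"""Lint Snort 2 rule text for duplicate gid:sid pairs and malformed tag: options.

Added example for the thread above; not Snort's own code.  The rule grammar
handled here is the common one-line form:
    action proto src sport direction dst dport ( opt:value; opt; ... )
Sample rules below are constructed for the example.
"""
import re
from collections import defaultdict

HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+"
    r"(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
TAG_TYPES = {"session", "host"}
TAG_METRICS = {"packets", "seconds", "bytes"}


def split_options(opts):
    """Split the option body on ';' outside double quotes; return (key, value) pairs."""
    items, buf, in_quote, escape = [], [], False, False
    for ch in opts:
        if escape:
            buf.append(ch)
            escape = False
        elif ch == "\\":
            buf.append(ch)
            escape = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        items.append(tail)
    result = []
    for item in items:
        if not item:
            continue
        key, _, value = item.partition(":")
        result.append((key.strip(), value.strip() if value.strip() else None))
    return result


def parse_rule(line):
    """Return a dict with header fields, options, gid (default 1), sid and raw tag, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    opts = split_options(m.group("opts"))
    rule = {"header": m.groupdict(), "options": opts, "gid": 1, "sid": None, "tag": None}
    for key, value in opts:
        if key == "sid" and value and value.isdigit():
            rule["sid"] = int(value)
        elif key == "gid" and value and value.isdigit():
            rule["gid"] = int(value)
        elif key == "tag":
            rule["tag"] = value
    return rule


def parse_tag(value):
    """Return (type, count, metric, direction) for e.g. 'session,10,seconds', else None."""
    if not value:
        return None
    parts = [p.strip() for p in value.split(",")]
    if len(parts) < 3 or parts[0] not in TAG_TYPES:
        return None
    if not parts[1].isdigit() or parts[2] not in TAG_METRICS:
        return None
    direction = parts[3] if len(parts) > 3 else None
    if direction is not None and direction not in {"src", "dst"}:
        return None
    return (parts[0], int(parts[1]), parts[2], direction)


def lint_rules(text):
    """Return findings: duplicate gid:sid pairs (by line), rules without a sid,
    unparseable lines, malformed tag options, and parsed tag options keyed by line."""
    seen = defaultdict(list)
    findings = {"duplicates": {}, "missing_sid": [], "unparsed": [], "bad_tag": [], "tagged": {}}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        rule = parse_rule(stripped)
        if rule is None:
            findings["unparsed"].append(lineno)
            continue
        if rule["sid"] is None:
            findings["missing_sid"].append(lineno)
            continue
        seen[(rule["gid"], rule["sid"])].append(lineno)
        if rule["tag"] is not None:
            parsed = parse_tag(rule["tag"])
            if parsed is None:
                findings["bad_tag"].append(lineno)
            else:
                findings["tagged"][lineno] = parsed
    findings["duplicates"] = {k: v for k, v in seen.items() if len(v) > 1}
    return findings


# Constructed sample: the pair of rules from the thread as posted (same sid twice).
AS_POSTED = """\
alert tcp any any -> any any ( content:"AAA"; sid:10000001; tag:session,10,seconds; )
alert tcp any any -> any any ( content:"BBB"; sid:10000001; )
"""
# Constructed sample: the same pair with unique sids, as the reply suggests.
WITH_UNIQUE_SIDS = """\
alert tcp any any -> any any ( content:"AAA"; sid:10000001; tag:session,10,seconds; )
alert tcp any any -> any any ( content:"BBB"; sid:10000002; )
"""

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("unique sids", WITH_UNIQUE_SIDS)):
        f = lint_rules(text)
        print(name, "duplicates:", f["duplicates"], "tagged:", f["tagged"])
```

Running it on a rules file before loading it into Snort gives an immediate answer to the "are my sids unique?" question without having to read Snort's startup output; the tag check only validates the option's shape, not how the engine will attribute later packets in the tagged session to event ids.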
Current thread:
- Problem with session tagging - multiple alerts in session Amir Kravitz (Apr 05)
- <Possible follow-ups>
- Problem with session tagging - multiple alerts in session Amir Kravitz (Apr 05)
- Re: Problem with session tagging - multiple alerts in session Al Lewis (allewi) (Apr 06)
- Re: Problem with session tagging - multiple alerts in session Amir Kravitz (Apr 10)
- Re: Problem with session tagging - multiple alerts in session Al Lewis (allewi) (Apr 11)
- Re: Problem with session tagging - multiple alerts in session Al Lewis (allewi) (Apr 06)
