The logto option tells Snort to log all packets that trigger this rule to a special output log file. This is especially handy for combining data from things like NMAP activity, HTTP CGI scans, etc. It should be noted that this option does not work when Snort is in binary logging mode.
logto:"filename";
The session keyword is built to extract user data from TCP sessions. There are many cases where seeing what users are typing in telnet, rlogin, ftp, or even web sessions is very useful.
There are two available argument keywords for the session rule option, printable or all. The printable keyword only prints out data that the user would normally see or be able to type.
The all keyword substitutes non-printable characters with their hexadecimal equivalents, so protocol negotiation and control bytes stay visible alongside the typed data. Using the session keyword can slow Snort down considerably, so it should not be used under heavy load; it is best suited for post-processing binary (pcap) log files.
session: [printable|all];
log tcp any any <> any 23 (session:printable;)
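As an added illustration (not code from Snort or this manual), the following Python renders one captured segment's payload the way the printable and all arguments present it. The sample telnet bytes are constructed, and the |XX| hex style is this example's own choice; Snort's actual session file formatting is not reproduced.

```python
# Added example, not Snort's own session code. Models how the "printable"
# and "all" arguments of the session option present a TCP payload.
# Assumption: Snort's exact on-disk session file format is not reproduced;
# the |XX| hex escape used here is this example's own choice.


def is_printable(b: int) -> bool:
    """Bytes a user would normally see or type: ASCII text plus TAB/LF/CR."""
    return 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)


def render_session(payload: bytes, mode: str = "printable") -> str:
    """Render a payload as the session option would.

    printable: keep only user-visible bytes, silently drop everything else.
    all:       keep user-visible bytes, replace every other byte with |XX|
               (its hexadecimal value) so control and negotiation bytes
               remain visible.
    """
    if mode not in ("printable", "all"):
        raise ValueError("session argument must be 'printable' or 'all'")
    out = []
    for b in payload:
        if is_printable(b):
            out.append(chr(b))
        elif mode == "all":
            out.append("|%02X|" % b)
    return "".join(out)


# Constructed sample: a telnet client segment carrying option negotiation
# (IAC WILL TERMINAL-TYPE = FF FB 18) followed by the line the user typed.
TELNET_CLIENT_SEGMENT = b"\xff\xfb\x18root\r\n"

if __name__ == "__main__":
    print(repr(render_session(TELNET_CLIENT_SEGMENT, "printable")))
    print(repr(render_session(TELNET_CLIENT_SEGMENT, "all")))
```

The printable rendering shows just what the user typed, which is what you want when reading a session; the all rendering keeps the telnet negotiation bytes, which matters when the non-printable data is the evidence (for example an exploit payload rather than keystrokes).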
The resp keyword is used to attempt to close sessions when an alert is triggered. In Snort, this is called flexible response.
Flexible Response supports the following mechanisms for attempting to close sessions:
Option      Description
rst_snd     Send TCP-RST packets to the sending socket
rst_rcv     Send TCP-RST packets to the receiving socket
rst_all     Send TCP-RST packets in both directions
icmp_net    Send an ICMP_NET_UNREACH to the sender
icmp_host   Send an ICMP_HOST_UNREACH to the sender
icmp_port   Send an ICMP_PORT_UNREACH to the sender
icmp_all    Send all of the above ICMP packets to the sender
These options can be combined to send multiple responses to the target host.
resp: <resp_mechanism>[,<resp_mechanism>[,<resp_mechanism>]];
This functionality is not built in by default. Pass the --enable-flexresp flag to configure when building Snort to enable it.
Be very careful when using Flexible Response. It is quite easy to get Snort into an infinite loop by defining a rule such as:
alert tcp any any -> any any (resp:rst_all;)
Every TCP-RST that Snort injects is itself a TCP packet that matches this rule, so each response triggers another. It is also easy to be fooled into interfering with normal network traffic.
The following example attempts to reset any TCP connection to port 1524.
alert tcp any any -> any 1524 (flags:S; resp:rst_all;)
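As an added example (not Snort's flexresp code), the following Python constructs the reset segments that the rst_snd, rst_rcv and rst_all mechanisms would inject for the SYN that the port 1524 rule above matches, so you can see which direction, ports and sequence numbers each reset must carry. The Segment fields and the sample addresses are constructed; the packets are returned as bytes and nothing is transmitted.

```python
# Added example, not Snort's flexresp code. Builds the IPv4/TCP reset
# segments that the rst_snd, rst_rcv and rst_all mechanisms would inject in
# response to a triggering segment, with valid IP and TCP checksums.
# Assumptions: the triggering segment is described by the Segment fields
# below (a constructed sample, not a capture); packets are returned as
# bytes and not sent, whereas Snort writes them to a raw socket.

import socket
import struct
from dataclasses import dataclass

TH_FIN, TH_SYN, TH_RST, TH_ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: int
    payload_len: int

    def seg_len(self) -> int:
        """Sequence space consumed: payload bytes plus one each for SYN/FIN."""
        return self.payload_len + bool(self.flags & TH_SYN) + bool(self.flags & TH_FIN)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """TCP pseudo header covered by the TCP checksum."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)


def build_rst(src: str, sport: int, dst: str, dport: int, seq: int, ack: int) -> bytes:
    """Serialize a minimal IPv4 + TCP RST/ACK segment (no options, no data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, TH_RST | TH_ACK, 0, 0, 0)
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo_header(src, dst, len(tcp)) + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def flexresp(trigger: Segment, mechanism: str) -> list:
    """Reset segments for rst_snd, rst_rcv or rst_all.

    rst_snd goes to the host that sent the trigger, spoofed from the
    receiver's socket; its SEQ must be what the sender expects next (the
    trigger's ACK) and it acknowledges everything the trigger carried.
    rst_rcv goes to the receiver, spoofed from the sender's socket, with
    SEQ set to the receiver's next expected byte (trigger SEQ + length).
    Either reset is only honoured if it lands inside the victim's window.
    """
    t = trigger
    to_sender = build_rst(t.dst, t.dport, t.src, t.sport, seq=t.ack, ack=t.seq + t.seg_len())
    to_receiver = build_rst(t.src, t.sport, t.dst, t.dport, seq=t.seq + t.seg_len(), ack=t.ack)
    table = {"rst_snd": [to_sender], "rst_rcv": [to_receiver], "rst_all": [to_sender, to_receiver]}
    if mechanism not in table:
        raise ValueError("unknown resp mechanism: %s" % mechanism)
    return table[mechanism]


def parse(pkt: bytes) -> dict:
    """Decode a segment from build_rst and verify both checksums (for checking)."""
    ip = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    tcp = struct.unpack("!HHIIBBHHH", pkt[20:40])
    src, dst = socket.inet_ntoa(ip[8]), socket.inet_ntoa(ip[9])
    return {"src": src, "sport": tcp[0], "dst": dst, "dport": tcp[1],
            "seq": tcp[2], "ack": tcp[3], "flags": tcp[5],
            "ip_csum_ok": inet_checksum(pkt[:20]) == 0,
            "tcp_csum_ok": inet_checksum(pseudo_header(src, dst, len(pkt) - 20) + pkt[20:]) == 0}


# Constructed sample: the SYN that the port 1524 rule above would match.
TRIGGER = Segment("10.0.0.5", 40000, "10.0.0.9", 1524, seq=1000, ack=0, flags=TH_SYN, payload_len=0)

if __name__ == "__main__":
    for p in flexresp(TRIGGER, "rst_all"):
        print(parse(p))
```

Two things the code makes visible: the reset aimed at the sender has to be forged with the receiver's address and port and carry the right sequence number, otherwise the sender's stack drops it as out of window, which is why flexible response is best effort; and each injected reset is an ordinary TCP packet on the wire, which is why the any/any rule above loops.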
The react keyword, based on flexible response (Flex Resp), implements a flexible reaction to traffic that matches a Snort rule. The basic reaction is blocking sites that users want to access but should not: New York Times, slashdot, or something really important such as napster and porn sites. The Flex Resp code allows Snort to actively close offending connections and/or send a visible notice to the browser (warn modifier available soon). The notice may include your own comment. The following arguments (basic modifiers) are valid for this option:
react: <react_basic_modifier[, react_additional_modifier]>;
This functionality is not built in by default. Pass the --enable-flexresp flag to configure when building Snort to enable it.
Be very careful when using react. Causing a network traffic generation loop is very easy to do with this functionality.
The tag keyword allows rules to log more than just the single packet that triggered the rule. Once a rule is triggered, additional traffic involving the source and/or destination host is tagged. Tagged traffic is logged to allow analysis of response codes and post-attack traffic. Tagged alerts will be sent to the same output plugins as the original alert, but it is the responsibility of the output plugin to properly handle these special alerts. Currently, the database output plugin, described in Section , does not properly handle tagged alerts.
tag: <type>, <count>, <metric>, [direction]
type is session (tag the rest of the connection that generated the alert) or host (tag traffic to and from one host); count is how much traffic to log; metric is packets, seconds, or bytes and gives count its unit; direction is only used with the host type and is src or dst, selecting whether the source or the destination address of the triggering packet is the host to follow.
Note that a packet which itself generates an alert is not tagged. For example, it may seem that the following rule will tag 600 seconds of traffic involving 10.1.1.1:
alert tcp any any <> 10.1.1.1 any (tag:host,600,seconds,src;)
However, since the rule fires on every packet involving 10.1.1.1, every such packet is an alerting packet and none of them is tagged. The flowbits option is useful here: the rule fires only on the first packet of a flow that has not yet set the bit, and the rest of the traffic is then picked up by the tag.
alert tcp any any <> 10.1.1.1 any (flowbits:isnotset,tagged; flowbits:set,tagged; tag:host,600,seconds,src;)
This example logs the first 10 seconds of any telnet session, starting from the SYN that opens it (flags:S,12 matches a SYN while ignoring the two reserved bits):
alert tcp any any -> any 23 (flags:S,12; tag:session,10,seconds;)
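To make the two tag examples concrete (the host rule on 10.1.1.1 with and without flowbits, and the telnet session rule), here is an added Python model of the tag option; it is not Snort's implementation. It assumes the constructed packet records below, models only the seconds metric, and keeps flowbits state per connection, as Snort does. Replaying the same traffic through the three rules shows that the naive rule alerts on everything and tags nothing, that the flowbits variant tags the follow-on traffic, and that tag:session stays within one connection.

```python
# Added example, not Snort's tag implementation. A small model of the tag
# option (host and session types, seconds metric only) that shows why a
# rule firing on every packet tags nothing, how the flowbits variant fixes
# it, and what tag:session does for the telnet rule.
# Assumptions: packets are the constructed records below with timestamps in
# relative seconds; flowbits are scoped to the connection (4-tuple).

from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float           # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for a bare SYN (what flags:S,12 matches)

    def flow(self) -> Tuple:
        """Direction-independent connection key (what flowbits is scoped to)."""
        return tuple(sorted([(self.src, self.sport), (self.dst, self.dport)]))


@dataclass
class Rule:
    match: Callable[[Packet], bool]   # header plus non-flowbits options
    tag_type: str                     # "host" or "session"
    seconds: int                      # tag:<type>,<count>,seconds
    direction: str = "src"            # host type: follow trigger's src or dst IP
    isnotset: Optional[str] = None    # flowbits:isnotset,<bit>
    setbit: Optional[str] = None      # flowbits:set,<bit>


class Tagger:
    """Replays packets through one rule and reports alert/tagged/ignored."""

    def __init__(self, rule: Rule):
        self.rule = rule
        self.tags: List[Tuple] = []    # (kind, key, expires_at)
        self.flowbits = set()          # (flow, bit) pairs currently set

    def _tagged(self, p: Packet) -> bool:
        self.tags = [t for t in self.tags if p.ts <= t[2]]   # drop expired tags
        for kind, key, _ in self.tags:
            if kind == "host" and key in (p.src, p.dst):
                return True
            if kind == "session" and key == p.flow():
                return True
        return False

    def process(self, p: Packet) -> str:
        r = self.rule
        fires = r.match(p)
        if fires and r.isnotset and (p.flow(), r.isnotset) in self.flowbits:
            fires = False
        if fires:
            if r.setbit:
                self.flowbits.add((p.flow(), r.setbit))
            if r.tag_type == "host":
                self.tags.append(("host", p.src if r.direction == "src" else p.dst, p.ts + r.seconds))
            else:
                self.tags.append(("session", p.flow(), p.ts + r.seconds))
            return "alert"            # the alerting packet itself is never tagged
        return "tagged" if self._tagged(p) else "ignored"


def replay(rule: Rule, packets: List[Packet]) -> List[str]:
    """Verdict for each packet in order."""
    t = Tagger(rule)
    return [t.process(p) for p in packets]


def involves_host(p: Packet) -> bool:
    return "10.1.1.1" in (p.src, p.dst)


# Constructed traffic: one telnet connection from 10.1.1.1, a second host
# connecting to 10.1.1.1's telnet port, and a late packet on the first flow.
TRAFFIC = [
    Packet(0.0, "10.1.1.1", 40000, "192.0.2.7", 23, syn=True),
    Packet(1.0, "192.0.2.7", 23, "10.1.1.1", 40000),
    Packet(2.0, "10.1.1.1", 40000, "192.0.2.7", 23),
    Packet(3.0, "198.51.100.4", 5555, "10.1.1.1", 23),
    Packet(700.0, "10.1.1.1", 40000, "192.0.2.7", 23),
]

# alert tcp any any <> 10.1.1.1 any (tag:host,600,seconds,src;)
NAIVE = Rule(involves_host, "host", 600)
# the same rule with flowbits:isnotset,tagged; flowbits:set,tagged;
FIXED = Rule(involves_host, "host", 600, isnotset="tagged", setbit="tagged")
# alert tcp any any -> any 23 (flags:S,12; tag:session,10,seconds;)
TELNET = Rule(lambda p: p.dport == 23 and p.syn, "session", 10)

if __name__ == "__main__":
    for name, rule in (("naive", NAIVE), ("flowbits", FIXED), ("telnet", TELNET)):
        print(name, replay(rule, TRAFFIC))
```

Note one consequence the model makes explicit: because the flowbit is set per connection, the fixed rule fires again for a new connection involving 10.1.1.1 (the fourth packet) and starts a second tag, while a flow whose bit is already set is never re-tagged once its tag expires.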