Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] Web Traffic Rule

from [Michael Wisniewski] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] Web Traffic Rule
Date: Thu, 14 Feb 2008 09:02:35 -0600 
Jamie,

You are correct, I need to log traffic to external servers.

I'm going to check out urlsnarf because it looks like that might do
what I need it to do.

I know everybody is against me (and others) using snort to do
this...but can I pretty please have a rule that will log web traffic
and the URL path the users go to?  :-)

Thanks!

On Thu, Feb 14, 2008 at 2:13 AM, Jamie Riden <jamie.riden@gmail.com> wrote:

Sounds like he needs to log traffic to *external* web servers.

 Ideally, force everyone through squid or some other proxy, but
 urlsnarf does look pretty handy in this case. You might want to
 correlate against your DNS logs as well (if you have them) - DNS
 entries can change between the incident and when you get to look at
 them.

 cheers,
  Jamie


 On 14/02/2008, Zakai Kinan <titanyen2000@yahoo.com> wrote:
 > the web server log does not work for you?
 >
 >
 >  ZK
 >
 >
 >
 >
 >  --- Michael Wisniewski <wiz561@gmail.com> wrote:
 >
 >  > Hi!
 >  >
 >  > I need to monitor internet traffic with who goes to
 >  > which URL and
 >  > path. I've done a search here, and people say to use
 >  > 'squid'. However,
 >  > I already setup snort and would like to do other
 >  > things with it in the
 >  > future.
 >  >
 >  > If anybody can suggest a rule that I can use to
 >  > accomplish this,
 >  > please let me know.  I've tried this rule...
 >  >
 >  > alert tcp any any -> any 80 (msg:"general web
 >  > traffic";content:"GET";sid:900001; rev:1;)
 >  >
 >  > And it works, but it logs the whole payload, and I'm
 >  > just interested
 >  > in the IP and the path the user went to.
 >  >
 >  > Thanks...

 --
 Jamie Riden / jamesr@europe.com / jamie@honeynet.org.uk
 UK Honeynet Project: http://www.ukhoneynet.org/



 -------------------------------------------------------------------------
 This SF.net email is sponsored by: Microsoft
 Defy all challenges. Microsoft(R) Visual Studio 2008.
 http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
 _______________________________________________
 Snort-sigs mailing list
 Snort-sigs@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/snort-sigs



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] testing snort signature with uri content, MD B Zaman L
Next by Date:  Re: [Snort-sigs] testing snort signature with uri content, Matthew Watchinski
Previous by Thread:  Re: [Snort-sigs] Web Traffic Rule, Jamie Riden
Next by Thread:  Re: [Snort-sigs] Web Traffic Rule, Jason Haar
Indexes:  [Date] [Thread] [Top] [All Lists]