[Snort-sigs] Web Traffic Rule

Jamie Riden jamie.riden at ...2420...
Thu Feb 14 03:13:38 EST 2008


Sounds like he needs to log traffic to *external* web servers.

Ideally, force everyone through squid or some other proxy, but
urlsnarf does look pretty handy in this case. You might want to
correlate against your DNS logs as well (if you have them) - DNS
entries can change between the incident and when you get to look at
them.

cheers,
 Jamie

On 14/02/2008, Zakai Kinan <titanyen2000 at ...144...> wrote:
> the web server log does not work for you?
>
>
>  ZK
>
>
>
>
>  --- Michael Wisniewski <wiz561 at ...2420...> wrote:
>
>  > Hi!
>  >
>  > I need to monitor internet traffic with who goes to
>  > which URL and
>  > path. I've done a search here, and people say to use
>  > 'squid'. However,
>  > I already set up snort and would like to do other
>  > things with it in the
>  > future.
>  >
>  > If anybody can suggest a rule that I can use to
>  > accomplish this,
>  > please let me know.  I've tried this rule...
>  >
>  > alert tcp any any -> any 80 (msg:"general web traffic";content:"GET";sid:900001; rev:1;)
>  >
>  > And it works, but it logs the whole payload, and I'm
>  > just interested
>  > in the IP and the path the user went to.
>  >
>  > Thanks...

-- 
Jamie Riden / jamesr at ...3216... / jamie at ...3294...
UK Honeynet Project: http://www.ukhoneynet.org/
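The thread's two practical points are (a) keep only the client IP, method, host and path from each HTTP request rather than the whole payload, and (b) correlate the host name against your own DNS logs, because the name may resolve differently by the time you investigate. The following is an added example written for this page; it is not code from the thread, from Snort or from urlsnarf. It parses constructed sample request payloads, extracts just the request line and Host header, and looks up what the same client saw that name resolve to at the time of the request in a constructed DNS query log (the `DNS_LOG` tuples and the log-line format are assumptions).

```python
"""Log 'who went to which URL' from HTTP request payloads and correlate
the host name with a DNS query log. All sample data below is constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass
class WebRequest:
    src_ip: str
    method: str
    host: str
    path: str


def parse_http_request(src_ip: str, payload: bytes) -> Optional[WebRequest]:
    """Keep only the request line and Host header; drop everything else.

    Returns None for payloads that are not an HTTP request (e.g. TLS
    records on port 80, or a mid-stream chunk of an upload)."""
    try:
        text = payload.decode("ascii", errors="strict")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts

    host = ""
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    # Proxy-style absolute-form targets carry the host in the request line
    # and take precedence over the Host header.
    if target.startswith("http://"):
        rest = target[len("http://"):]
        host, _, tail = rest.partition("/")
        target = "/" + tail
    if not host:
        return None
    host = host.partition(":")[0]  # strip an explicit port such as :8080
    return WebRequest(src_ip, method, host, target)


# Constructed DNS query log: (epoch_seconds, client_ip, queried_name, answer_ip).
# The second entry models the record changing after the first visit.
DNS_LOG: Tuple[Tuple[int, str, str, str], ...] = (
    (1000, "10.0.0.5", "www.example.com", "192.0.2.10"),
    (1200, "10.0.0.5", "www.example.com", "192.0.2.20"),
)


def resolve_at(dns_log: Iterable[Tuple[int, str, str, str]],
               client_ip: str, name: str, when: int) -> Optional[str]:
    """Most recent answer this client received for `name` at or before `when`.

    Using the client's own lookup, not a fresh resolution, is what keeps the
    record accurate when the DNS entry changes after the incident."""
    best = None
    for ts, cip, qname, answer in dns_log:
        if cip == client_ip and qname.lower() == name.lower() and ts <= when:
            if best is None or ts > best[0]:
                best = (ts, answer)
    return best[1] if best else None


def log_line(req: WebRequest, when: int, dns_log) -> str:
    """One compact record per request: time, client, method, URL, resolved IP."""
    resolved = resolve_at(dns_log, req.src_ip, req.host, when) or "unresolved"
    return f"{when} {req.src_ip} {req.method} http://{req.host}{req.path} ({resolved})"


if __name__ == "__main__":
    # Constructed sample payload; in practice this is the TCP payload of the
    # first client-to-server segment of a port-80 connection.
    sample = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: constructed\r\n\r\n")
    req = parse_http_request("10.0.0.5", sample)
    if req is not None:
        print(log_line(req, 1100, DNS_LOG))
```

The parser deliberately stops at the end of the header block, so request bodies (form posts, uploads) never reach the log, which addresses the original complaint that the Snort rule captured the whole payload.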