[Snort-sigs] Web Traffic Rule

Michael Wisniewski wiz561 at ...2420...
Thu Feb 14 10:02:35 EST 2008


Jamie,

You are correct; I need to log traffic to external servers.

I'm going to check out urlsnarf because it looks like that might do
what I need it to do.

I know everybody is against me (and others) using snort to do
this...but can I pretty please have a rule that will log web traffic
and the URL path the users go to?  :-)

Thanks!

On Thu, Feb 14, 2008 at 2:13 AM, Jamie Riden <jamie.riden at ...2420...> wrote:
> Sounds like he needs to log traffic to *external* web servers.
>
>  Ideally, force everyone through squid or some other proxy, but
>  urlsnarf does look pretty handy in this case. You might want to
>  correlate against your DNS logs as well (if you have them) - DNS
>  entries can change between the incident and when you get to look at
>  them.
>
>  cheers,
>   Jamie
>
>
>  On 14/02/2008, Zakai Kinan <titanyen2000 at ...144...> wrote:
>  > the web server log does not work for you?
>  >
>  >
>  >  ZK
>  >
>  >
>  >
>  >
>  >  --- Michael Wisniewski <wiz561 at ...2420...> wrote:
>  >
>  >  > Hi!
>  >  >
>  >  > I need to monitor internet traffic with who goes to which URL and
>  >  > path. I've done a search here, and people say to use 'squid'.
>  >  > However, I already set up snort and would like to do other
>  >  > things with it in the future.
>  >  >
>  >  > If anybody can suggest a rule that I can use to
>  >  > accomplish this,
>  >  > please let me know.  I've tried this rule...
>  >  >
>  >  > alert tcp any any -> any 80 (msg:"general web traffic"; content:"GET"; sid:900001; rev:1;)
>  >  >
>  >  > And it works, but it logs the whole payload, and I'm just interested
>  >  > in the IP and the path the user went to.
>  >  >
>  >  > Thanks...
>
>  --
>  Jamie Riden / jamesr at ...3216... / jamie at ...3294...
>  UK Honeynet Project: http://www.ukhoneynet.org/
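The record the original question asks for (source IP, host and path, not the whole payload) is what a tool like urlsnarf produces from the start of each HTTP request. The following is an added example written for this page, not code from the thread, from Snort or from urlsnarf; the packet tuples are constructed, and falling back to the destination IP when a request carries no Host header is the example's own choice.

```python
import re

# Constructed sample "packets": (src_ip, dst_ip, dst_port, start of the TCP payload).
# Made-up values for illustration only, not captured traffic.
SAMPLE_PACKETS = [
    ("10.0.0.5", "203.0.113.10", 80,
     b"GET /news/index.html?id=7 HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n"),
    ("10.0.0.6", "203.0.113.11", 80,
     b"POST /login HTTP/1.1\r\nHost: portal.example.net\r\nContent-Length: 0\r\n\r\nuser=a"),
    ("10.0.0.7", "203.0.113.12", 80,
     b"\x16\x03\x01\x00\x2a\x01\x00"),          # not HTTP at all (binary on port 80)
    ("10.0.0.8", "203.0.113.13", 80,
     b"GET /nohost.html HTTP/1.0\r\n\r\n"),     # HTTP/1.0 request without a Host header
]

# Request line: METHOD SP request-target SP HTTP/1.x CRLF, at the very start of the stream.
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")


def parse_request(src_ip, dst_ip, payload):
    """Return {src, method, host, path} for an HTTP request, or None if the
    payload is not the beginning of an HTTP request."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None
    method = m.group(1).decode("ascii")
    target = m.group(2).decode("ascii", "replace")
    # Only the header block is inspected; everything after the blank line (the
    # body) is never touched, so form data or uploads do not end up in the log.
    header_block = payload.split(b"\r\n\r\n", 1)[0]
    host = dst_ip  # assumption of this example: no Host header -> log the server IP
    for line in header_block.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            break
    # Proxy-style requests already carry an absolute URL; keep it as-is.
    url = target if target.startswith("http://") else f"http://{host}{target}"
    return {"src": src_ip, "method": method, "host": host, "url": url}


def url_log(packets, port=80):
    """One compact line per HTTP request seen on the given port."""
    records = []
    for src, dst, dport, payload in packets:
        if dport != port:
            continue
        rec = parse_request(src, dst, payload)
        if rec is not None:
            records.append(f"{rec['src']} {rec['method']} {rec['url']}")
    return records
```

Feeding the constructed packets through url_log() yields three lines (the TLS-looking payload is skipped), and the POST body never appears in the output.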