[Snort-users] sniffing http sessions

Paul Doom elektrosatan at ...659...
Wed Oct 18 17:59:09 EDT 2000


> Is there some way of processing the output of snort in order to
> reconstruct a (sniffed) http session through a www browser?

Check out dsniff's webspy module. (Part of Dug Song's dsniff package:
http://www.monkey.org/~dugsong/dsniff/)

It grabs web traffic from the wire and feeds URLs into Netscape Navigator.
Real slick, and real amusing.

Just one of many cool features of the dsniff package, including mailsnarf
(SMTP -> mbox), filesnarf (NFS -> file), and urlsnarf (HTTP -> CLF log).

Finally, there is dsniff itself, which sniffs passwords for: FTP, Telnet,
SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, NFS,
YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting
Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, 
Oracle SQL*Net, Sybase and Microsoft SQL, parsing them into an easy to
read format. Yea, you can do it by hand, but it sure isn't as fun as
watching the usernames and passwords spill to the screen, ready to go.

Dsniff is a great package to use when you want to demo how insecure a
network is. Show someone a Snort dump of an SMTP message and they
go "Hmmm... I don't really understand."  Show them all the mail they
received today neatly displayed in your mail reader's list window,
and they go "Ah!"

The flip side is that you must never let the wrong people (HR and bad
managers) find out about it. When they ask if you can perform such
acts, give them a Snort traffic dump with only the hex payload displayed.
(Cut out the ASCII.)

-Paul

-- 
/Paul M. Hirsch              /
/elektrosatan at ...659.../
/GPGPGPkeyID: 0xD11A250E     /
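The credential and URL parsing the message describes, as an added example that is not part of the original post and not dsniff's own code. It takes already-reassembled, client-to-server TCP payloads (constructed in-line here, so it runs without a capture), identifies the protocol by destination port (an assumption; dsniff does more than port matching), pulls USER/PASS pairs from FTP and POP3, decodes HTTP Basic Authorization headers, and prints them in a block loosely modelled on dsniff's output, plus urlsnarf-style Common Log Format lines for each HTTP request. The fixed timestamp in the CLF lines is a placeholder because the constructed streams carry no capture time.

```python
"""Minimal dsniff/urlsnarf-style extractor over reassembled TCP payloads.
Added example, not dsniff code. All sample traffic below is constructed."""
import base64
import re

# Assumption: destination port identifies the protocol.
PORT_PROTO = {21: "ftp", 110: "pop", 80: "http"}

USERPASS_RE = re.compile(rb"^(USER|PASS)[ \t]+(.*?)\r?$", re.M | re.I)
BASIC_RE = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)", re.M | re.I)
REQ_RE = re.compile(rb"^([A-Z]+)[ \t]+(\S+)[ \t]+HTTP/(\d\.\d)", re.M)
HOST_RE = re.compile(rb"^Host:[ \t]*(\S+)", re.M | re.I)

# Constructed sample streams: ((src ip, src port), (dst ip, dst port), payload).
SAMPLE_STREAMS = [
    (("10.0.0.5", 40001), ("10.0.0.9", 21),
     b"USER alice\r\nPASS s3cret\r\nSYST\r\n"),
    (("10.0.0.5", 40002), ("10.0.0.10", 110),
     b"USER bob@example.org\r\nPASS hunter2\r\nSTAT\r\n"),
    (("10.0.0.5", 40003), ("10.0.0.11", 80),
     b"GET /admin/ HTTP/1.0\r\nHost: intranet\r\nAuthorization: Basic "
     + base64.b64encode(b"carol:pa55word") + b"\r\n\r\n"),
    (("10.0.0.5", 40004), ("10.0.0.11", 80),
     b"GET /index.html HTTP/1.0\r\nHost: intranet\r\n\r\n"),
]


def parse_userpass(payload):
    """FTP/POP3: return (user, password) from the first USER/PASS pair, else None."""
    user = password = None
    for cmd, arg in USERPASS_RE.findall(payload):
        if cmd.upper() == b"USER" and user is None:
            user = arg.decode("latin-1")
        elif cmd.upper() == b"PASS" and user is not None and password is None:
            password = arg.decode("latin-1")
    return (user, password) if user is not None and password is not None else None


def parse_http_basic(payload):
    """HTTP: decode an Authorization: Basic header into (user, password), else None."""
    m = BASIC_RE.search(payload)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed token
        return None
    user, sep, password = decoded.partition(b":")
    if not sep:
        return None
    return user.decode("latin-1"), password.decode("latin-1")


def parse_http_request(payload):
    """Return (method, path, version, host) for the first request line, else None."""
    m = REQ_RE.search(payload)
    if not m:
        return None
    h = HOST_RE.search(payload)
    host = h.group(1).decode("latin-1") if h else "-"
    return m.group(1).decode(), m.group(2).decode("latin-1"), m.group(3).decode(), host


def extract_credentials(streams):
    """Walk the streams and collect every credential the parsers recognise."""
    found = []
    for (sip, sport), (dip, dport), payload in streams:
        proto = PORT_PROTO.get(dport)
        if proto in ("ftp", "pop"):
            cred = parse_userpass(payload)
        elif proto == "http":
            cred = parse_http_basic(payload)
        else:
            cred = None
        if cred:
            found.append({"proto": proto, "src": f"{sip}.{sport}",
                          "dst": f"{dip}.{dport}", "user": cred[0], "pass": cred[1]})
    return found


def format_dsniff(rec):
    """One record in a block loosely modelled on dsniff's output."""
    return (f"-----------------\ntcp {rec['src']} -> {rec['dst']} ({rec['proto']})\n"
            f"USER {rec['user']}\nPASS {rec['pass']}\n")


def urlsnarf_lines(streams, when="18/Oct/2000:17:59:09 -0400"):
    """urlsnarf-style CLF line per HTTP request; `when` is a placeholder timestamp."""
    out = []
    for (sip, _), (_, dport), payload in streams:
        if PORT_PROTO.get(dport) != "http":
            continue
        req = parse_http_request(payload)
        if req is None:
            continue
        method, path, version, host = req
        out.append(f'{sip} - - [{when}] "{method} http://{host}{path} HTTP/{version}" - -')
    return out


if __name__ == "__main__":
    for rec in extract_credentials(SAMPLE_STREAMS):
        print(format_dsniff(rec), end="")
    print("\n".join(urlsnarf_lines(SAMPLE_STREAMS)))
```

Feeding the recorded streams to a sniffer is the only part missing: on a real box the payloads would come from the pcap reassembly a tool like dsniff does itself, and the same parsers would see exactly these cleartext strings on the wire, which is the whole point of the demo in the message.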