[Snort-users] sniffing http sessions

Martin Roesch roesch at ...421...
Wed Oct 25 01:43:03 EDT 2000

Dsniff does a really good job, as desribed below, probably better than Snort
for this particular application.  If you want to collect web traffic on a
network with Snort, use session rules like this:

# incoming
log tcp any any -> $HOME_NET 80 (session: printable;)

# outgoing
log tcp $HOME_NET any -> any 80 (session: printable;)

You can grab mail traffic with the following:

log tcp any any -> $HOME_NET 25 (session: printable;)
log tcp any any -> $HOME_NET 110 (session: printable;)
log tcp any any -> $HOME_NET 143 (session: printable;)

This will see and record all mail traffic on a network.  Someday we'll
probably add application layer decoding to nicely format everything for
various protocols, but for now this gives you the basic data you're looking


Paul Doom wrote:
> > Is there some way of  processing the output of snort in order to
> > reconstruct a (sniffed) http
> > session through a www browser ?
> Check out dsniff's webspy module. (Part of Dug Song's dsniff package:
> http://www.monkey.org/~dugsong/dsniff/)
> It grabs web traffic from the wire and feeds URLs into Netscape Navigator.
> Real slick, and real amusing.
> Just one of many cool features of the dsniff package, including mailsnarf
> (SMTP -> mbox), filesnarf (NFS -> file), and urlsnarf (HTTP -> CLF log).
> Finally, there is dsniff itself, which sniffs passwords for: FTP, Telnet,
> YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting
> Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB,
> Oracle SQL*Net, Sybase and Microsoft SQL, parsing them into an easy to
> read format. Yea, you can do it by hand, but it sure isn't as fun as
> watching the usernames and passwords spill to the screen, ready to go.
> Dsniff is a great package to use when you want to demo how insecure a
> network is. Show someone a Snort dump of an SMTP message and they
> go "Hmmm... I don't really understand."  Show them all the mail they
> received today neatly displayed in your mail reader's list window,
> and they go "Ah!"
> The flip side is that you must never let the wrong people (HR and bad
> managers) find out about it. When they ask if you can perform such
> acts, give them a Snort traffic dump with only the hex payload displayed.
> (Cut out the ASCII.)
> -Paul
> --
> /Paul M. Hirsch              /
> /elektrosatan at ...659.../
> /GPGPGPkeyID: 0xD11A250E     /
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

Martin Roesch
roesch at ...421...

More information about the Snort-users mailing list