[Snort-users] sniffing http sessions
roesch at ...421...
Wed Oct 25 01:43:03 EDT 2000
Dsniff does a really good job, as described below, probably better than Snort
for this particular application. If you want to collect web traffic on a
network with Snort, use session rules like this:
log tcp any any -> $HOME_NET 80 (session: printable;)
log tcp $HOME_NET any -> any 80 (session: printable;)
You can grab mail traffic with the following:
log tcp any any -> $HOME_NET 25 (session: printable;)
log tcp any any -> $HOME_NET 110 (session: printable;)
log tcp any any -> $HOME_NET 143 (session: printable;)
This will see and record all mail traffic on a network. Someday we'll
probably add application layer decoding to nicely format everything for
various protocols, but for now this gives you the basic data you're looking
Paul Doom wrote:
> > Is there some way of processing the output of snort in order to
> > reconstruct a (sniffed) http
> > session through a www browser ?
> Check out dsniff's webspy module. (Part of Dug Song's dsniff package:
> It grabs web traffic from the wire and feeds URLs into Netscape Navigator.
> Real slick, and real amusing.
> Just one of many cool features of the dsniff package, including mailsnarf
> (SMTP -> mbox), filesnarf (NFS -> file), and urlsnarf (HTTP -> CLF log).
> Finally, there is dsniff itself, which sniffs passwords for: FTP, Telnet,
> SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, NFS,
> YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting
> Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB,
> Oracle SQL*Net, Sybase and Microsoft SQL, parsing them into an easy to
> read format. Yea, you can do it by hand, but it sure isn't as fun as
> watching the usernames and passwords spill to the screen, ready to go.
> Dsniff is a great package to use when you want to demo how insecure a
> network is. Show someone a Snort dump of an SMTP message and they
> go "Hmmm... I don't really understand." Show them all the mail they
> received today neatly displayed in your mail reader's list window,
> and they go "Ah!"
> The flip side is that you must never let the wrong people (HR and bad
> managers) find out about it. When they ask if you can perform such
> acts, give them a Snort traffic dump with only the hex payload displayed.
> (Cut out the ASCII.)
> /Paul M. Hirsch /
> /elektrosatan at ...659.../
> /GPGPGPkeyID: 0xD11A250E /
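As an added illustration (not code from the Snort project or from either poster), the script below parses session rules of the shape shown in the thread, lists which destination ports a rule set will log, and approximates what the `session: printable` modifier keeps from a captured stream. The rule-header grammar and the printable filter are assumptions drawn from the rules quoted above; Snort's own source is authoritative for the exact behaviour.

```python
"""Parse Snort 1.x-style session rules and approximate 'session: printable'.

Added example; not code from the Snort project or the mailing-list posts.
Assumes the header syntax used in the thread:
    action proto src_addr src_port -> dst_addr dst_port (option: value; ...)
"""
import re
from dataclasses import dataclass, field

# One regex for the rule header plus the parenthesised option list.
RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


def parse_rule(text: str) -> Rule:
    """Split one rule line into header fields and an option dict."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    opts = {}
    for item in m.group("opts").split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        opts[key.strip()] = value.strip()
    return Rule(m.group("action"), m.group("proto"), m.group("src"), m.group("sport"),
                m.group("dir"), m.group("dst"), m.group("dport"), opts)


def session_ports(rules):
    """Sorted destination ports whose sessions a 'log ... (session: ...)' rule records."""
    ports = set()
    for r in rules:
        if r.action == "log" and "session" in r.options and r.dport.isdigit():
            ports.add(int(r.dport))
    return sorted(ports)


def printable(data: bytes) -> str:
    """Approximation (assumption) of the 'printable' filter: keep only ASCII
    text a user would see or type; drop control and high bytes."""
    return "".join(chr(b) for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))


# The five rules quoted in the thread.
RULES_FROM_POST = [
    "log tcp any any -> $HOME_NET 80 (session: printable;)",
    "log tcp $HOME_NET any -> any 80 (session: printable;)",
    "log tcp any any -> $HOME_NET 25 (session: printable;)",
    "log tcp any any -> $HOME_NET 110 (session: printable;)",
    "log tcp any any -> $HOME_NET 143 (session: printable;)",
]

# Constructed sample stream: a short HTTP request followed by binary bytes.
SAMPLE_SESSION = b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n\x00\x01\xffbinary"


def logged_ports_from_post():
    return session_ports(parse_rule(r) for r in RULES_FROM_POST)


if __name__ == "__main__":
    print("ports logged:", logged_ports_from_post())
    print(printable(SAMPLE_SESSION))
```

Running the script against the rules from the post yields ports 25, 80, 110 and 143, and the sample stream comes out with the HTTP text intact and the non-printable bytes dropped, which is the kind of output the session logger produces before any application-layer decoding is applied.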