[Snort-users] sniffing http sessions

Lance Spitzner lance at ...185...
Wed Oct 25 08:43:14 EDT 2000


The method Marty has described below is one of the methods
that the Honeynet Project uses to capture keystrokes from
the bad guys.

Extremely effective for cleartext protocols :)

lance

On Wed, 25 Oct 2000, Martin Roesch wrote:

> # incoming
> log tcp any any -> $HOME_NET 80 (session: printable;)
> 
> # outgoing
> log tcp $HOME_NET any -> any 80 (session: printable;)
> 
> You can grab mail traffic with the following:
> 
> log tcp any any -> $HOME_NET 25 (session: printable;)
> log tcp any any -> $HOME_NET 110 (session: printable;)
> log tcp any any -> $HOME_NET 143 (session: printable;)
> 
> This will see and record all mail traffic on a network.  Someday we'll
> probably add application layer decoding to nicely format everything for
> various protocols, but for now this gives you the basic data you're looking
> for.
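What a "printable" session log of a cleartext login looks like, and a check an analyst can run over such a transcript to flag credentials that crossed the wire in the clear. This is an added Python example, not code from the original post or from Snort itself; the record layout, the sample sessions and the pattern names are constructed for illustration.

```python
import re

# Constructed sample: (direction, payload) records for one TCP session, in
# the order the segments were seen. Not real traffic.
SAMPLE_POP3 = [
    ("client", b"USER alice\r\n"),
    ("server", b"+OK\r\n"),
    ("client", b"PASS s3cret\x00\x01\r\n"),  # stray non-printable bytes
    ("server", b"+OK Logged in.\r\n"),
]
SAMPLE_HTTP = [
    ("client", b"GET / HTTP/1.0\r\nAuthorization: Basic YWxpY2U6czNjcmV0\r\n\r\n"),
    ("server", b"HTTP/1.0 200 OK\r\n\r\n"),
]

def printable(payload: bytes) -> str:
    """Mimic the 'printable' session mode: keep only bytes a user would
    normally see or type (printable ASCII plus tab, LF and CR)."""
    return "".join(chr(b) for b in payload if 32 <= b < 127 or b in (9, 10, 13))

def session_transcript(records) -> str:
    """Rebuild the session as a log would show it, one line per segment,
    prefixed with its direction so requests and responses stay distinct."""
    lines = []
    for direction, payload in records:
        text = printable(payload).rstrip()
        if text:
            lines.append(f"{direction}> {text}")
    return "\n".join(lines)

# Login exchanges of the cleartext protocols the rules above log (hypothetical
# category names). Only the client direction is scanned.
CRED_PATTERNS = [
    ("pop3-pass", re.compile(r"^PASS\s+\S+", re.M)),
    ("http-basic", re.compile(r"^Authorization:\s*Basic\s+[A-Za-z0-9+/=]+", re.M | re.I)),
    ("smtp-auth-plain", re.compile(r"^AUTH PLAIN\s+[A-Za-z0-9+/=]+", re.M)),
]

def find_cleartext_credentials(records) -> list:
    """Return the categories of secrets sent in the clear by the client.
    The secret itself is not returned, so the alert does not leak it."""
    client_text = "".join(printable(p) for d, p in records if d == "client")
    return [name for name, pat in CRED_PATTERNS if pat.search(client_text)]
```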
