[Snort-users] Re:Extracting URLS from snort logs
sleepy at ...7582...
Tue Dec 31 20:52:03 EST 2002
Hi there :
I belive what you are looking for will be in the payload.
you might have to write it in C, perl should also work.
the information you will need will be in the rules files.
for example if you have a rule to trigger porn, it will be concerned with TCP data, going to dst port 80, and there will be in the rule something like off=80 this is the offset where the rule should be tested against in the packet where the IDS will start comparing the content. you could follow this and get the content and convert it to ascii from there, or
if you have a firewall , you could find the where the destination was through your firewall logs by matching the sequence number of the packet.
if you have any questions, just reply and I am sure there are alot better people who can help you if I cant.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users