[Snort-users] Help with a new rule to detect web traffic

JP Vossen vossenjp at ...8683...
Thu Feb 5 21:14:01 EST 2004


> From: "Chris Hoover" <revoohc at ...10743...>
> To: <snort-users at lists.sourceforge.net>
> Date: Tue, 03 Feb 2004 13:25:59 -0600
> Subject: [Snort-users] Help with a new rule to detect web traffic
>
> I need some help writing a new rule.  Where I work, we are running an
> internet proxy server (running squid).  However, we also have an open
> firewall allowing anyone who configures their browser to bypass the
> proxy to go anywhere they want (don't ask on this choice).
>
> Anyway, we are working on a plan to close this open hole to the internet.
> In order to get a scope on the problem, I need to get some sort of a
> count as to how many machines are bypassing the proxy.  Please help me
> get this rule written.


I don't think Snort is the correct tool for this.  I'd take a look at ntop,
iptraf, and especially nstreams.  Or, if you are dead set on using snort,
either use tcpdump or use snort in "sniffer/logger" mode instead of IDS mode.
Experiment a bit:

snort -v > some_file_on_a_disk_with_lots_of_space
tcpdump -n > some_file_on_a_disk_with_lots_of_space

Let it run for a week, then grep the file looking for whatever traffic you are
interested in:

grep 'pattern_for_traffic_of_interest' some_file_on_a_disk_with_lots_of_space

But really, nstreams is probably what you want.  I just Googled for it and was
mildly astonished to find the RPM I built for that over 2 years ago is on page
1 of the results...
	http://rpmfind.net/linux/RPM/contrib/libc6/i386/nstreams-1.0.1-2.i386.html

HTH,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
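Added here as an illustration of the capture-then-grep approach the reply describes, and not code from either poster: a small script that reads `tcpdump -n` style text and tallies, per internal client, the TCP SYNs sent straight to port 80/443 on hosts outside the LAN, which is the per-machine count the original question asks for. The LAN range (10.0.0.0/8), the proxy address (10.0.0.1) and its port (3128), and the sample capture lines are all constructed assumptions for the example.

```python
"""Count LAN hosts that open web connections directly, bypassing the proxy.

Parses text in the format produced by `tcpdump -n` (the capture method
suggested in the reply) and counts, per internal client, new TCP
connections (plain SYN) made directly to web ports on external hosts.
Connections to the proxy, and the proxy's own outbound fetches, are ignored.
"""
import ipaddress
import re
from collections import Counter

# A tcpdump -n TCP line looks like:
#   "<timestamp> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
TCP_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture: five TCP lines from clients, one server reply,
# one data segment, one packet from the proxy itself, and one ARP line.
SAMPLE_CAPTURE = [
    "13:25:59.100000 IP 10.0.0.5.49152 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0",
    "13:25:59.200000 IP 198.51.100.7.80 > 10.0.0.5.49152: Flags [S.], seq 9, ack 2, win 5840, length 0",
    "13:26:00.000000 IP 10.0.0.6.49153 > 10.0.0.1.3128: Flags [S], seq 1, win 65535, length 0",
    "13:26:01.000000 IP 10.0.0.5.49154 > 203.0.113.9.443: Flags [S], seq 1, win 65535, length 0",
    "13:26:02.000000 IP 10.0.0.7.49155 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0",
    "13:26:03.000000 IP 10.0.0.8.49156 > 198.51.100.7.80: Flags [P.], seq 1:100, ack 1, win 65535, length 99",
    "13:26:04.000000 IP 10.0.0.1.40000 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0",
    "13:26:05.000000 ARP, Request who-has 10.0.0.9 tell 10.0.0.1, length 28",
]


def bypassing_clients(lines, internal_net="10.0.0.0/8", proxy="10.0.0.1",
                      proxy_port=3128, web_ports=(80, 443)):
    """Return a Counter mapping client IP -> number of direct web connections.

    internal_net, proxy and proxy_port are assumed values for this example;
    set them to your own LAN range and Squid address.
    """
    net = ipaddress.ip_network(internal_net)
    counts = Counter()
    for line in lines:
        m = TCP_LINE.match(line)
        if not m:
            continue  # ARP, UDP, ICMP or otherwise non-TCP lines
        src, dst = m["src"], m["dst"]
        dport, flags = int(m["dport"]), m["flags"]
        if flags != "S":
            continue  # only a bare SYN marks a new client-initiated connection
        if ipaddress.ip_address(src) not in net or src == proxy:
            continue  # not one of our clients, or the proxy's own fetches
        if dst == proxy and dport == proxy_port:
            continue  # went through the proxy as intended
        if ipaddress.ip_address(dst) in net:
            continue  # internal web server, not an internet bypass
        if dport in web_ports:
            counts[src] += 1
    return counts


def main():
    counts = bypassing_clients(SAMPLE_CAPTURE)
    print(f"{len(counts)} machine(s) bypassing the proxy:")
    for client, n in counts.most_common():
        print(f"  {client}: {n} direct web connection(s)")


if __name__ == "__main__":
    main()
```

Feed it the week-long capture with something like `python3 count_bypass.py < capture.txt` after swapping `SAMPLE_CAPTURE` for `sys.stdin`; counting only bare SYNs keeps one busy browser from being counted once per packet, and excluding the proxy as a source keeps Squid's own fetches out of the tally.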