Snort mailing list archives
Re: Re: [Snort-announce] Snort 2.0 rc1 available
From: Bennett Todd <bet () rahul net>
Date: Thu, 27 Mar 2003 12:13:28 -0500
2003-03-27T02:34:48 Mahdi Kefayati:
One of the things I have been looking for in snort is logging the URI which has caused a rule to be trigered.
If I wanted to accomplish that, I'd try combining snort's pcap logging, with the urlsnarf program from Dug Song's dsniff. A quick peek at the man page of the urlsnarf I've got installed on my system reveals on -r option for reading a pcap file, so that might have to be hacked in. Another approach might be to just hit the pcap file with ngrep, and yank the URL out of that with a simple perl invocation. These all assume that the pcap file ends up containing the request uri, that would in turn depend on details of the rule; if the rule only fires on a later packet, e.g. in a method=post body, the header with the request URI will be long gone by the time the rule fires, and the only way to do such processing will be to keep full capture files of all traffic, and retroactively search them when a rule fires. -Bennett
Attachment:
_bin
Description:
Current thread:
- Re: [Snort-announce] Snort 2.0 rc1 available Mahdi Kefayati (Mar 27)
- Re: Re: [Snort-announce] Snort 2.0 rc1 available Bennett Todd (Mar 27)