Snort mailing list archives

Re: Re: [Snort-announce] Snort 2.0 rc1 available


From: Bennett Todd <bet () rahul net>
Date: Thu, 27 Mar 2003 12:13:28 -0500

2003-03-27T02:34:48 Mahdi Kefayati:
One of the things I have been looking for in snort is logging the
URI which has caused a rule to be triggered.

If I wanted to accomplish that, I'd try combining snort's pcap
logging, with the urlsnarf program from Dug Song's dsniff.

A quick peek at the man page of the urlsnarf I've got installed on
my system reveals no -r option for reading a pcap file, so that
might have to be hacked in.

Another approach might be to just hit the pcap file with ngrep, and
yank the URL out of that with a simple perl invocation.

These all assume that the pcap file ends up containing the request
uri, that would in turn depend on details of the rule; if the rule
only fires on a later packet, e.g. in a method=post body, the header
with the request URI will be long gone by the time the rule fires,
and the only way to do such processing will be to keep full capture
files of all traffic, and retroactively search them when a rule
fires.

-Bennett
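The ngrep-plus-perl extraction described above, done in Python as an added example that is not from this post, from Snort or from dsniff: a minimal parser for classic pcap files (Ethernet link type assumed) that pulls the request line out of IPv4/TCP payloads. The sample pcap is constructed inline; its third frame carries only a POST body, which is the caveat the post makes about rules that fire after the request header has gone by.

```python
import struct
LINKTYPE_ETHERNET = 1
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def pcap_frames(data):
    """Yield raw link-layer frames from a classic pcap file held in memory."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng not handled here)")
    off = 24  # skip the global header; each record has a 16-byte header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_payload(frame):
    """Return (src, dst, payload) for an IPv4/TCP frame, None otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:14 + struct.unpack("!H", frame[16:18])[0]]
    doff = (tcp[12] >> 4) * 4
    return ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])), tcp[doff:]

def request_uris(data):
    """(src, dst, method, uri) per packet carrying a request line; a body-only packet yields nothing."""
    found = []
    for frame in pcap_frames(data):
        hit = tcp_payload(frame)
        if hit is None or not hit[2].startswith(HTTP_METHODS):
            continue
        parts = hit[2].split(b"\r\n", 1)[0].split(b" ")
        if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
            found.append((hit[0], hit[1], parts[0].decode(), parts[1].decode("latin-1")))
    return found

def build_frame(src, dst, sport, payload):
    """Constructed Ethernet/IPv4/TCP frame to port 80 (checksums left zero; pcap use only)."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    """Constructed little-endian pcap: global header, then a record header per frame."""
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = build_pcap([  # constructed sample traffic, not a real capture
    build_frame("10.0.0.5", "10.0.0.80", 40001, b"GET /cgi-bin/test.cgi?x=1 HTTP/1.0\r\nHost: www\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.80", 40002, b"POST /upload HTTP/1.1\r\nHost: www\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.80", 40002, b"name=value&other=thing")])  # POST body only, no URI
```

Run `request_uris(open("capture.pcap", "rb").read())` on a Snort pcap log to list the URIs it holds; the body-only frame in the sample is skipped, which is why full-capture retention is needed when a rule fires on a later packet.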
