Snort mailing list archives

RE: Problem to sniff 80, 110, 25 and 21 ports.


From: "O'Flynn, Derek" <DOFlyn () lsuhsc edu>
Date: Wed, 29 Oct 2003 16:11:08 -0600

Download dsniff, check www.insecure.org top 75 security tools, there's a
link to it...

It'll grab any password out of the traffic.  You can do this also with
tcpdump/snort, but it's a bit more complex.

You could also try ngrep as well.  It's a handy tool as well.

Derek

-----Original Message-----
From: giochi [mailto:giochi () telvia it] 
Sent: Wednesday, October 29, 2003 3:33 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Problem to sniff 80, 110, 25 and 21 ports.

Hi again list,

thank you very much for yours intresting.

The fact is that: my boss wants to see (on his server) the http,pop3,smtp
and ftp user/pass of users.

I try many solutions for this:

- tcpdump tcp and port 80 or port 110 or port 21 or port 25 (as you suggest
me) It works, but if I grep for USER or PASS into the output file genereted
from tcpdump I can't see nothing.

- snort -i eth0 -l prova  (It works, but logs a lot of packets, and in one
day of work I can reach over 300Mb of size file)

- snort -i eth0 -l prova dst port 80 and port 25 and port 21 (It doesn't
works) I see this error:

Running in packet logging mode
Log directory = prova

Initializing Network Interface eth0
ERROR: OpenPcap() FSM compilation failed:
        PCAP command: %s

Fatal Error, Quitting..

Could we suggest me the right way for solve this things ?

Thank you very much.

Regards,
Fabrizio


-- 
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.3 (GNU/Linux)

mQGiBD6CJ8QRBACpDkW+4b3/LdE8YsT3FEM/MfH2k0NDxFKhedwYaGi5CzbU7KfM
1sD5KEwBONz2FQM+FIil2wuiVy0aLSnRmQHg6SMCFsGfjAG9Uc41hKpReTI/tG+s
39cX7q21oiE4n22yXpocqLFf0QFXQccHbQ2RzwTCiEPINUjcgXMszQsxXwCgqIDw
IAcSTMx1jdX0gVPMnngMgT8EAJOTRWAoGlb1TfZvLqqPzgWoeQATHV4TQ19QYYv4
McqTRPDVVBKFveRrcVvAF269tDH8PBh3B06KPinMq+yQoQSKWbhg7oT00m9jvkmZ
eU+XpAOpjvi0zFICFTDLag1iVp21NssUPc1XDUxfTpBzxoE+d9sFymCuLq1VhhFZ
jxiPA/0XEyWx1M8RjPxZfS/RRJWKG/ibtViNHpTG9ZGrZow9WWm/5NXdk0AS8bIH
3jHcNpqDJNKHaO4zm5CTkCPBgGkgf9PqeeffKrpUtj1VNXqb+zCSXKF43YwYDVxi
rX/6rNxpby0yQY+OJcJoke+NGCUfMyD2M7znS8bzzm6rWIvkArQ8RmFicml6aW8g
UmVnYWxsaSAoVW5peCBTeXN0ZW0gQWRtaW5pc3RyYXRvcikgPGZhYkB0ZWx2aWEu
aXQ+iFkEExECABkFAj6CJ8UECwcDAgMVAgMDFgIBAh4BAheAAAoJEHjh0f/fOEdn
VbEAn15x05/obw6ipPf4UHZXfu5sX4n3AJ0ZGR8apSUVqj15YuvJf3K+hZNU5A==
=jDBs
-----END PGP PUBLIC KEY BLOCK-----


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread: