IDS mailing list archives
RE: HTTP LOG files Labeling
From: <dai.morgan () orange-ftgroup com>
Date: Wed, 21 May 2008 11:35:03 +0100
Hi Wei WANG,

If you are just looking for anomalies in the URL then you could create a script to
- extract the URL
- pipe the URL to netcat
- point the traffic generated by netcat past a snort sensor (you'll still need a webserver (or a netcat to /dev/null??) to complete the 3-way handshake etc)
- you could use the source port as an index (= file line number) to correlate the snort events to the log records.

Eg

echo "GET /ariana/Images/Icones/sound.gif HTTP/1.0" | netcat -p $src_port <target_webserver> 80

If it works you'll also have the benefit of the http pre-processor to normalise Unicode etc.

If you try this please let me know how you get on, been meaning to try this myself for a while (road to hell.... etc).

Regards
Dai

PS There's probably a smarter way of pushing the traffic to snort without having to regenerate traffic.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of wangweifrequent () gmail com
Sent: 20 May 2008 16:06
To: focus-ids () securityfocus com
Subject: HTTP LOG files Labeling

Hi All,

We are working on anomaly detection of HTTP attacks. In fact, we have collected a large amount of HTTP logs (apache server), but we didn't use IDS to label the data during collection. Does anyone know how to label the HTTP logs?

For example, one http log line looks like:

burtul.xx.fr - - [10/May/2007:14:46:07 +0200] "GET /ariana/Images/Icones/sound.gif HTTP/1.0" 200 579 http://www-sop.inria.fr/ariana/fr/xx "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.7.13) Gecko/20060417"

Any suggestions are very appreciated.

Wei WANG
INRIA
2008-05-20
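The replay-and-correlate scheme Dai sketches, written out as an added example (not code from the thread): parse the Apache log, replay each request line from a source port derived from its line number, then map Snort alerts back to log lines by that port. The log and alert formats, the port base, and the sample data are assumptions; the sensor and a throwaway web server on the path are assumed to exist.

```python
import re
import socket

# Apache "combined" log line (assumed format); only the request line and line number are needed.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')
# Snort alert_fast line (assumed format); only the message and TCP source port are needed.
ALERT_RE = re.compile(r'\[\*\*\] \[[\d:]+\] (?P<msg>.+?) \[\*\*\].*\{TCP\} \S+:(?P<sport>\d+) -> \S+:\d+$')

BASE_PORT = 10000              # stay clear of privileged ports
MAX_LINES = 65536 - BASE_PORT  # one source port per log line, so one run can replay at most this many

def port_for_index(idx):
    """Log line number (1-based) -> TCP source port used to replay that line."""
    if not 1 <= idx <= MAX_LINES:
        raise ValueError("line index exceeds the port range; replay the log in chunks")
    return BASE_PORT + idx - 1

def index_for_port(port):
    """Inverse of port_for_index; the caller must check the index is one it replayed."""
    return port - BASE_PORT + 1

def parse_log(lines):
    """Return [(line_index, request_line)] for every line matching the log format; others are skipped."""
    out = []
    for idx, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m:
            out.append((idx, m.group('request')))
    return out

def replay(entries, target, dport=80):
    """Re-send each request from its index-derived source port so a sensor on the path sees it.
    Something must listen on target:dport to complete the handshake (a disposable web server).
    A port still in TIME_WAIT from a previous run will make the bind fail; wait or change BASE_PORT."""
    for idx, request in entries:
        with socket.create_connection((target, dport), source_address=('', port_for_index(idx))) as s:
            s.sendall((request + '\r\n\r\n').encode())
            s.recv(4096)  # drain the response so the HTTP/1.0 server closes the connection

def label(entries, alert_lines):
    """Map alerts back to log lines by source port: {line_index: [alert messages]}.
    Lines absent from the result raised no alert and can be treated as unlabeled/normal."""
    replayed = {idx for idx, _ in entries}
    labels = {}
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if m and index_for_port(int(m.group('sport'))) in replayed:
            labels.setdefault(index_for_port(int(m.group('sport'))), []).append(m.group('msg'))
    return labels

# Constructed sample data: line 1 is the log line quoted in the thread, the rest are made up.
SAMPLE_LOG = [
    'burtul.xx.fr - - [10/May/2007:14:46:07 +0200] "GET /ariana/Images/Icones/sound.gif HTTP/1.0" 200 579 http://www-sop.inria.fr/ariana/fr/xx "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.7.13) Gecko/20060417"',
    '10.0.0.5 - - [10/May/2007:14:47:11 +0200] "GET /search.php?q=hello HTTP/1.0" 200 1203 "-" "curl/7.16"',
    '10.0.0.6 - - [10/May/2007:14:48:02 +0200] "GET /index.html HTTP/1.0" 304 0 "-" "Mozilla/4.0"',
]
SAMPLE_ALERTS = [  # constructed; SID 1:1000001 is in the local-rules range, not a real Snort rule
    '05/21-11:35:03.123456  [**] [1:1000001:1] LOCAL constructed test rule [**] [Priority: 3] {TCP} 10.0.0.5:10001 -> 10.0.0.9:80',
    '05/21-11:35:04.000001  [**] [1:1000001:1] LOCAL constructed test rule [**] [Priority: 3] {TCP} 10.0.0.5:9999 -> 10.0.0.9:80',
]
```

Running `replay(parse_log(SAMPLE_LOG), "<sensor-side webserver>")` and then `label(...)` over the resulting Snort alert file yields the per-line labels; the second sample alert is ignored because port 9999 maps to no replayed line.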
Current thread:
- HTTP LOG files Labeling wangweifrequent (May 20)
- RE: HTTP LOG files Labeling dai.morgan (May 21)
- <Possible follow-ups>
- Re: HTTP LOG files Labeling abhicc285 (May 21)
- Re: HTTP LOG files Labeling wangweifrequent (May 21)
- Re: HTTP LOG files Labeling Stefano Zanero (May 21)
- Re: HTTP LOG files Labeling Christian Bockermann (May 22)
- Re: HTTP LOG files Labeling Stefano Zanero (May 22)
- Re: HTTP LOG files Labeling Stefano Zanero (May 21)
- Re: Re: HTTP LOG files Labeling wangweifrequent (May 22)
- Re: HTTP LOG files Labeling Stefano Zanero (May 22)
- Re: HTTP LOG files Labeling "Zow" Terry Brugger (May 23)
- Re: HTTP LOG files Labeling Stefano Zanero (May 22)