Snort mailing list archives
Re: Snort Reporting Actual HTTP Destination
From: Phil Wood <cpw () lanl gov>
Date: Tue, 30 Apr 2002 15:20:40 -0600
On Tue, Apr 30, 2002 at 01:15:40PM -0700, Mike Ahern wrote:
> Phil, Do you know if there is any way to extract the actual http content on some of the web based rule matches in snort??
Are you using stream4?
> I see a great deal of alerts where the destination IP is an internal web (MS) proxy, thus the destination IP doesn't actually reflect the true destination of the source.
I'm having trouble with the above sentence. I'll re-phrase and you tell me if it sounds right.

1. A packet with say "an http get request" comes from the Internet and arrives at the doorstep (port 80) of an incoming http proxy (after the 3 way handshake).

2. An internal client system establishes an http session with some server in the Internet which is intercepted by an outgoing http caching server managed by you. This proxy looks in its cache and supplies the requested url, or if not found (or reload is required), the proxy establishes a connection with the http server, downloads, caches, and forwards the requested page to the internal client.

We have both cases here. In case 1, the addresses reflect the true addresses of both parties. In case 2, the addresses are between the proxy and the Internet http server. In order for us to know who the internal client is, we have to check the logs on the caching server.
> Is there a way to either also echo the first portion of the http string (URL) to the alert file as part of the alert message, or perhaps do a lookup that URL to find the actual "real" destination for the packet that triggered the alert (substituting the destination address for this address), in instances where the destination IP address is a proxy server? Is anyone already doing this? Would we need to modify or write something to do this? If so, could you point to where in the source we ought to look to implement that functionality?
If there is some precursor information needed about a session which has been lost by the time a "match" triggers an alert, then you might consider using the tag feature with your proxy address in the rule and have it capture every connection to port 80 and log the session up to some number of bytes (determined ahead of time based on how much water must go under the bridge before the payload goes by). I haven't done this. So, you get to tread water on this one.
> We have some limited C programming abilities within our organization. I saw your name in the snort-devel mail list, and so I thought you could at least point me in the right direction. - Mike
-- Phil Wood, cpw () lanl gov
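As an added illustration of the tag approach Phil suggests (this rule is not from the original thread), a Snort rule that fires on each new client connection to the proxy's port 80 and then logs the first 2000 bytes of that session, so the request line and Host: header end up in the packet log next to the alert; the proxy address 10.0.0.5, the byte count and the sid are placeholders to adjust.

```snort
# Constructed example, not from the thread. Replace 10.0.0.5 with the proxy address.
# flags:S matches the client's SYN, so the alert fires once per connection;
# tag:session then keeps logging that session until 2000 bytes have been seen,
# which is the "how much water must go under the bridge" number to tune.
alert tcp $HOME_NET any -> 10.0.0.5 80 (msg:"Tag client session to web proxy"; flags:S; tag:session,2000,bytes; sid:1000001; rev:1;)
```

Tagged packets go to the packet log rather than the alert file, so the URL still has to be read from the logged payload, and tagging every port-80 session to a busy proxy costs disk and CPU in proportion to the byte count chosen.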