Snort mailing list archives

Re: Snort Reporting Actual HTTP Destination


From: Phil Wood <cpw () lanl gov>
Date: Tue, 30 Apr 2002 15:20:40 -0600

On Tue, Apr 30, 2002 at 01:15:40PM -0700, Mike Ahern wrote:
> Phil,
>
> Do you know if there is any way to extract the actual
> http content on some of the web based rule matches in
> snort??

Are you using stream4?


> I see a great deal of alerts where the destination IP
> is an internal web (MS) proxy, thus the destination IP
> doesn't actually reflect the true destination of the
> source.

I'm having trouble with the above sentence.  I'll re-phrase and you tell me if
it sounds right.

1. A packet with say "an http get request" comes from the Internet and
   arrives at the doorstep (port 80) of an incoming http proxy (after 
   the 3 way handshake).

2. An internal client system establishes an http session with some server in
   the Internet which is intercepted by an outgoing http caching server managed
   by you.  This proxy looks in its cache and supplies the requested url, or
   if not found (or reload is required), the proxy establishes a connection
   with the http server, downloads, caches, and forwards the requested page
   to the internal client.

We have both cases here.  In case 1, the addresses reflect the true addresses
of both parties.  In case 2, the addresses are between the proxy and the
Internet http server.  In order for us to know who the internal client is,
we have to check the logs on the caching server.


> Is there a way to either also echo the first portion
> of the http string (URL) to the alert file as part of
> the alert message, or perhaps do a lookup that URL to
> find the actual "real" destination for the packet that
> triggered the alert (substituting the destination
> address for this address), in instances where the
> destination IP address is a proxy server?
>
> Is anyone already doing this? Would we need to modify
> or write something to do this? If so, could you point
> to where in the source we ought to look to implement
> that functionality?

If there is some precursor information needed about a session which
has been lost by the time a "match" triggers an alert, then you might
consider using the tag feature with your proxy address in the rule and
have it capture every connection to port 80 and log the session up to
some number of bytes (determined ahead of time based on how much water
must go under the bridge before the payload goes by).  I haven't done
this.  So, you get to tread water on this one.


> We have some limited C programming abilities within
> our organization.
>
> I saw your name in the snort-devel mail list, and so I
> thought you could at least point me in the right
> direction.
>
>  - Mike

-- 
Phil Wood, cpw () lanl gov
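Mike's question, and Phil's two proxy cases above, come down to one point: when the packet's destination IP is a proxy, the HTTP payload still names the server the client actually wanted. A client talking to a forward proxy puts an absolute URI in the request line ("GET http://www.example.com/... HTTP/1.0") or uses CONNECT for tunnels; a request to a reverse proxy or virtual host carries it in the Host header. The following Python is an added example, not code from the thread or from the Snort project: it parses the request line and headers of a captured payload and appends the recovered destination to an alert line. The sample payloads and the alert string are constructed for the example; the alert format is an assumption, not Snort's.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

# First line of an HTTP request: METHOD SP target SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)\r?\n")


@dataclass
class RequestTarget:
    method: str
    host: Optional[str]   # server the client actually asked for, if recoverable
    port: int
    path: str
    via_proxy: bool       # request line held an absolute URI or a CONNECT authority


def _split_hostport(value: str, default_port: int):
    """'host:8080' -> ('host', 8080); 'host' -> ('host', default_port)."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host.strip("[]"), int(port)
    return value.strip("[]"), default_port


def parse_request(payload: bytes) -> Optional[RequestTarget]:
    """Return the real target of an HTTP request, or None when the payload is
    not the start of a request (e.g. a mid-stream packet with no request line;
    that is the case where session reassembly or tagging is needed)."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None
    method = m.group(1).decode("ascii")
    target = m.group(2).decode("ascii", "replace")

    # Collect headers up to the blank line; names are case-insensitive.
    headers: Dict[str, str] = {}
    for raw in payload[m.end():].split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line:
            break
        name, sep, value = line.partition(b":")
        if sep:
            key = name.strip().lower().decode("ascii", "replace")
            headers[key] = value.strip().decode("ascii", "replace")

    # Case A: CONNECT tunnel through a proxy ("CONNECT host:443 HTTP/1.1").
    if method == "CONNECT":
        host, port = _split_hostport(target, 443)
        return RequestTarget(method, host, port, "", True)

    # Case B: absolute URI, which is what a client sends to a forward proxy.
    if target.lower().startswith(("http://", "https://")):
        u = urlsplit(target)
        port = u.port or (443 if u.scheme == "https" else 80)
        path = (u.path or "/") + ("?" + u.query if u.query else "")
        return RequestTarget(method, u.hostname, port, path, True)

    # Case C: origin-form request; the Host header (HTTP/1.1) names the vhost.
    host_hdr = headers.get("host")
    if host_hdr:
        host, port = _split_hostport(host_hdr, 80)
        return RequestTarget(method, host, port, target, False)
    return RequestTarget(method, None, 80, target, False)   # HTTP/1.0, no Host


def annotate_alert(alert_msg: str, dst_ip: str, payload: bytes) -> str:
    """Append the recovered destination to an alert line; leave the alert
    untouched when the payload does not reveal one."""
    req = parse_request(payload)
    if req is None or req.host is None:
        return alert_msg
    proxy_note = ", via proxy" if req.via_proxy else ""
    return (f"{alert_msg} real_dst={req.host}:{req.port} "
            f"path={req.path or '-'} (pkt dst {dst_ip}{proxy_note})")


if __name__ == "__main__":
    # Constructed sample: a web rule fired on a packet whose dst is the proxy.
    sample = (b"GET http://www.example.com/cgi-bin/phf?Qalias=x HTTP/1.0\r\n"
              b"User-Agent: constructed-sample\r\n\r\n")
    print(annotate_alert("[**] WEB-CGI phf access [**]", "10.0.0.5", sample))
```

The three branches map onto the two cases in Phil's reply: the absolute-URI and CONNECT forms identify the Internet server behind an outgoing proxy, while the Host header identifies the virtual host behind an incoming one. A packet that returns None is the situation Phil describes, where the request line has already gone by; only reassembled session data (stream4 or a tagged session) will contain it.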

