Snort mailing list archives
Re:Extracting URLS from snort logs
From: "S." <sleepy () maximumunix org>
Date: Tue, 31 Dec 2002 20:36:47 -0800
Hi there: I believe what you are looking for will be in the payload. You might have to write it in C; Perl should also work. The information you will need will be in the rules files. For example, if you have a rule to trigger on porn, it will be concerned with TCP data going to dst port 80, and there will be something in the rule like off=80. This is the offset where the rule should be tested against in the packet, where the IDS will start comparing the content. You could follow this and get the content and convert it to ASCII from there, or, if you have a firewall, you could find where the destination was through your firewall logs by matching the sequence number of the packet. If you have any questions, just reply, and I am sure there are a lot better people who can help you if I can't.

Thanks,
Sleepy
http://www.maximumunix.org
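The payload-to-URL step the reply sketches, as an added example that is not from the original post or the Snort project: it rebuilds the payload from the hex columns of a snort -d style dump (a constructed sample record; the 16-bytes-per-line layout is an assumption), reads the HTTP request line and Host header to form the URL, and also pulls out the endpoints and TCP sequence number for the firewall-log correlation mentioned above. Python is used in place of the C or Perl the reply suggests.

```python
import re
from typing import Optional

# Constructed sample in the style of a snort -d payload dump (assumed: 16 hex bytes per line, then ASCII).
SAMPLE_ALERT = """\
12/31-20:36:47.123456 192.168.1.10:34567 -> 10.0.0.5:80
TCP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x2000  TcpLen: 20
47 45 54 20 2F 69 6D 67 2F 62 61 6E 6E 65 72 2E  GET /img/banner.
67 69 66 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F  gif HTTP/1.1..Ho
73 74 3A 20 77 77 77 2E 65 78 61 6D 70 6C 65 2E  st: www.example.
63 6F 6D 0D 0A 0D 0A                             com....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(r"\r\nHost: *([^\r\n]+)\r\n", re.IGNORECASE)

def payload_bytes(record: str) -> bytes:
    """Rebuild the raw payload from the hex columns of each dump line."""
    out = bytearray()
    for line in record.splitlines():
        # Slice the fixed-width hex field (16 * 3 chars) instead of splitting the
        # whole line, so ASCII text that looks like hex pairs is never decoded.
        tokens = line[:48].split()
        if tokens and all(HEX_PAIR.match(t) for t in tokens):
            out.extend(int(t, 16) for t in tokens)
    return bytes(out)

def extract_url(payload: bytes) -> Optional[str]:
    """Combine the HTTP request line and Host header into a URL; None if absent."""
    text = payload.decode("latin-1")  # byte-preserving, never raises on binary
    req = REQUEST_LINE.match(text)
    if not req:  # not HTTP, or the request line sits in an earlier TCP segment
        return None
    uri = req.group(2)
    if uri.startswith("http://"):  # proxy-style absolute URI already names the host
        return uri
    host = HOST_HEADER.search(text)
    return f"http://{host.group(1).strip()}{uri}" if host else None

def summarize_alert(record: str) -> dict:
    """Fields for correlating with a firewall log: endpoints, TCP seq, URL."""
    hdr = re.search(r"(\S+:\d+) -> (\S+:\d+)", record)
    seq = re.search(r"Seq: 0x([0-9A-Fa-f]+)", record)
    return {"src": hdr.group(1) if hdr else None,
            "dst": hdr.group(2) if hdr else None,
            "seq": int(seq.group(1), 16) if seq else None,
            "url": extract_url(payload_bytes(record))}
```

Alerts that fire on a later segment of a request will yield no URL, since the request line and Host header live in an earlier packet; in that case the sequence number is the field to correlate on.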