Snort mailing list archives
Re: Capture Email Content / Website Activity
From: stuff () trackingsolutions ca
Date: Sun, 27 Nov 2005 15:26:00 -0700
Is there then a way to create a snort box that sits between the router and the modem?

On November 27, 2005 02:40 pm, barryab63-ia () yahoo com wrote:
> If you're using a Linksys router and have your snort box plugged into one of its switch ports, then I doubt you're seeing all the http activity or email. You're only seeing activity going to/from the snort box and any broadcast traffic. I don't think you can set the Linksys router/switch up for a monitor port. Sounds like you'll need to get a switch that has the ability to have a monitor/mirror port, not all switches have this ability. You'll need a switch with management functions and then double check the specs to make sure it has the monitor/mirror port function.
>
> Barry
>
> stuff () trackingsolutions ca wrote:
>
>> There are several challenges here. I am developing a solution for a client to allow them to determine if their network is clean of inappropriate activity. They are running a Linksys router with built in switch. I suspect that this will limit the abilities to capture all the data. When I run "snort -dv" I am able to see all http activity but not outgoing emails from other machines. I can see the email was sent but that was it. Do I need to get a new switch to accomplish this job?
>>
>> Thanks
>>
>> On November 27, 2005 03:39 am, barryab63-ia () yahoo com wrote:
>>
>>> In order to see everything on the network, you need to have one of the following:
>>>
>>> 1. A true hub. But, you'll only see traffic that passes through the hub.
>>> 2. A switch that will let you configure a monitor port, have the port your snort box is connected to configured to monitor all the other ports. How you do this depends on the switch.
>>> 3. Use a network tap. Place the tap where it will pick up the traffic you want to see, possibly between your firewall and inside router/switch, that way you would see everything in and out of your network.
>>> 4. Run snort in in-line mode, place the snort box in a location similar to the network tap.
>>>
>>> You would really need to give more information on your network to get a more detailed answer. As to detecting web activity, snort does have some rules for detecting web traffic. But, it sounds from your question that it might be better to try to get this info from your firewall logs. Snort isn't really a very good web usage monitoring tool.
>>>
>>> Barry
>>>
>>> stuff () trackingsolutions ca wrote:
>>>
>>>> I am new to snort and am starting to test things out. I am able to capture email content from the machine running snort, but I would also like to capture email being sent on the entire network. Is there a way to do this? Also is there a way to capture visited websites for the entire network to a file stating date, time, URL, IP address?
>>>>
>>>> Thank you very much.

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
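The thread's core diagnosis is that a sensor on an ordinary switch port sees only its own traffic plus broadcasts, while a mirror port, tap or inline placement also shows unicast flows between other hosts. The following script is an added example (not code from the thread or from the Snort project) that turns that diagnosis into a check: it parses tcpdump-style "IP src.port > dst.port:" lines and reports whether the capture contains any third-party unicast traffic. The sample lines, the sensor address 192.168.1.10 and the subnet 192.168.1.0/24 are constructed assumptions.

```python
"""Added example (not from the thread): decide from a packet capture whether a
Snort/tcpdump sensor port actually sees other hosts' traffic.

On a plain switch port the sensor sees only frames addressed to itself plus
broadcast/multicast; on a mirror (SPAN) port, a tap or an inline box it also
sees third-party unicast flows. The sample lines below are constructed in
tcpdump's "IP src.port > dst.port:" style; they are not real captures. The
sensor address and subnet are assumptions."""
import ipaddress
import re
from collections import Counter

# Matches the IPv4 header tcpdump prints, e.g. "IP 192.168.1.20.51234 > 10.0.0.5.25:"
_IP_LINE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) for an IPv4 tcpdump line, else None."""
    m = _IP_LINE.search(line)
    if not m:
        return None  # ARP, IPv6 or non-packet output: ignored here
    return m.group(1), m.group(3), int(m.group(4))


def classify(src_ip, dst_ip, sensor_ip, local_net):
    """Bucket one packet by what a plain switch port would let the sensor see."""
    if sensor_ip in (src_ip, dst_ip):
        return "sensor"  # the sensor's own traffic: always visible
    dst = ipaddress.ip_address(dst_ip)
    if dst.is_multicast or dst_ip == "255.255.255.255" or dst == local_net.broadcast_address:
        return "broadcast"  # flooded to every port: visible anywhere
    return "third_party"  # unicast between other hosts: needs SPAN/tap/inline


def vantage_report(lines, sensor_ip, local_net_cidr):
    """Summarise a capture; sees_other_hosts is True only for a mirror/tap/inline vantage."""
    net = ipaddress.ip_network(local_net_cidr)
    counts = Counter()
    third_party_ports = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            counts["non_ip"] += 1
            continue
        src, dst, dport = parsed
        bucket = classify(src, dst, sensor_ip, net)
        counts[bucket] += 1
        if bucket == "third_party":
            third_party_ports[dport] += 1  # which protocols of other hosts are visible
    return {
        "counts": dict(counts),
        "third_party_ports": dict(third_party_ports),
        "sees_other_hosts": counts["third_party"] > 0,
    }


# Constructed sample: what a sensor on an ordinary switch port tends to see
# (its own HTTP session, an ARP request and a NetBIOS broadcast from another host).
SWITCH_PORT_SAMPLE = [
    "15:26:01.000001 IP 192.168.1.10.40000 > 93.184.216.34.80: Flags [S], length 0",
    "15:26:01.000002 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28",
    "15:26:01.000003 IP 192.168.1.20.137 > 192.168.1.255.137: NBT UDP PACKET(137)",
    "15:26:01.000004 IP 93.184.216.34.80 > 192.168.1.10.40000: Flags [S.], length 0",
]

# Constructed sample: the same network seen from a mirror port; it adds another
# host's outgoing SMTP and HTTP, which the switch-port sample never shows.
MIRROR_PORT_SAMPLE = SWITCH_PORT_SAMPLE + [
    "15:26:02.000001 IP 192.168.1.20.51234 > 10.0.0.5.25: Flags [P.], length 120",
    "15:26:02.000002 IP 192.168.1.30.51235 > 93.184.216.34.80: Flags [P.], length 300",
]

if __name__ == "__main__":
    for name, sample in (("switch port", SWITCH_PORT_SAMPLE), ("mirror port", MIRROR_PORT_SAMPLE)):
        print(name, vantage_report(sample, "192.168.1.10", "192.168.1.0/24"))
```

On real input you would feed the script the output of `tcpdump -n -i <iface>` captured for a few minutes; a report whose counts hold only `sensor`, `broadcast` and `non_ip` entries is the "plain switch port" symptom from the thread, and a non-empty `third_party_ports` map tells you which other hosts' protocols (25 for SMTP, 80 for HTTP) the vantage point actually exposes.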
Current thread:
- Capture Email Content / Website Activity stuff (Nov 27)
- Re: Capture Email Content / Website Activity barryab63-ia (Nov 27)
- Re: Capture Email Content / Website Activity stuff (Nov 27)
- Re: Capture Email Content / Website Activity Alex Butcher, ISC/ISYS (Nov 28)
- <Possible follow-ups>
- Re: Capture Email Content / Website Activity stuff (Nov 27)
- Re: Capture Email Content / Website Activity G Ramon Gomez (Nov 27)
- Re: Capture Email Content / Website Activity stuff (Nov 27)
- Re: Capture Email Content / Website Activity G Ramon Gomez (Nov 27)
- Re: Capture Email Content / Website Activity stuff (Nov 27)
- Re: Capture Email Content / Website Activity G Ramon Gomez (Nov 27)
- Re: Capture Email Content / Website Activity stuff (Nov 27)
- Re: Capture Email Content / Website Activity barryab63-ia (Nov 28)
- Re: Capture Email Content / Website Activity G Ramon Gomez (Nov 27)
- Re: Capture Email Content / Website Activity barryab63-ia (Nov 27)