IDS mailing list archives

RE: HTTP LOG files Labeling


From: <dai.morgan () orange-ftgroup com>
Date: Wed, 21 May 2008 11:35:03 +0100


Hi Wei WANG, 

If you are just looking for anomalies in the URL then you could create a
script to 
  - extract the URL 
  - pipe the URL to netcat 
  - point the traffic generated by netcat past a snort sensor (you'll still
need a webserver (or a netcat to /dev/null??) to complete the 3-way handshake
etc)
  - you could use the source port as an index(=file line number) to correlate
the snort events to the log records. 

Eg 

echo "GET /ariana/Images/Icones/sound.gif HTTP/1.0" | netcat -p $src_port <target_webserver> 80

If it works you'll also have the benefit of the http pre-processor to
normalise Unicode etc. 

If you try this please let me know how you get on, been meaning to try this
myself for a while (road to hell.... etc). 

Regards

Dai 

PS There's probably a smarter way of pushing the traffic to snort without
having to regenerate traffic. 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of wangweifrequent () gmail com
Sent: 20 May 2008 16:06
To: focus-ids () securityfocus com
Subject: HTTP LOG files Labeling

Hi All,

We are working on anomaly detection of HTTP attacks.

In fact, we have collected a large amount of HTTP logs (apache sever), but
we didn't use IDS to label the data during collection.

Does any one know how to label the HTTP logs?  for example: one http log line
like :

burtul.xx.fr - - [10/May/2007:14:46:07 +0200] "GET /ariana/Images/Icones/sound.gif HTTP/1.0" 200 579 http://www-sop.inria.fr/ariana/fr/xx "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.7.13) Gecko/20060417"

Any suggestions are very appreciated.

Wei WANG

INRIA
2008-05-20 

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=int
ro_sfw
to learn more.
------------------------------------------------------------------------



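The replay-and-correlate scheme Dai sketches, written out as an added example (not code from the thread): it parses Apache combined-format lines, derives a per-line source port, emits the netcat command that would replay each request past the Snort sensor, and joins Snort fast-format alert lines back to log lines using the source port as the key. The port range, the `nc -p` invocation (traditional netcat, -p sets the source port, as in Dai's command), the second log line and the alert line are constructed assumptions; the first log line is Wei's.

```python
import re

# Apache combined log format (the shape of Wei's sample line); we only need the request field.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Snort "fast" alert line; only the TCP endpoint part matters for the join.
ALERT_RE = re.compile(r'\{TCP\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)')
BASE_PORT = 10000    # assumed first replay source port
PORT_RANGE = 50000   # 10000..59999 -> at most 50000 log lines per replay batch

def line_to_port(line_no):
    """1-based log line number -> source port used when replaying that line."""
    if not 1 <= line_no <= PORT_RANGE:
        raise ValueError("batch too large for the port range; split the log")
    return BASE_PORT + line_no - 1

def port_to_line(port): return port - BASE_PORT + 1

def replay_commands(log_lines, target="target_webserver"):
    """Return [(line_no, shell command)] replaying each parsable request via netcat."""
    cmds = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue                                    # unparsable line: cannot be labelled
        req = m.group("request").replace("'", "'\\''")  # keep the request shell-safe
        cmds.append((n, f"echo '{req}' | nc -p {line_to_port(n)} {target} 80"))
    return cmds

def label_log(log_lines, alert_lines):
    """Map log line numbers to the Snort alerts raised by their replay (join key: source port)."""
    labels = {}
    for alert in alert_lines:
        m = ALERT_RE.search(alert)
        if not m or m.group("dport") != "80":
            continue
        n = port_to_line(int(m.group("sport")))
        if 1 <= n <= len(log_lines):                    # ignore ports outside this batch
            labels.setdefault(n, []).append(alert.strip())
    return labels
# Constructed sample data: first log line is Wei's, the rest is made up for the demo.
SAMPLE_LOG = [
    'burtul.xx.fr - - [10/May/2007:14:46:07 +0200] "GET /ariana/Images/Icones/sound.gif HTTP/1.0" 200 579 "http://www-sop.inria.fr/ariana/fr/xx" "Mozilla/5.0"',
    'h2.example - - [10/May/2007:14:46:09 +0200] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
]
SAMPLE_ALERTS = [
    '05/21-11:35:03.000001 [**] [1:9999999:1] CONSTRUCTED test rule [**] [Priority: 3] {TCP} 192.0.2.10:10001 -> 192.0.2.80:80',
]
```

Lines whose replay produced no alert simply get no entry in the returned dict, so a batch larger than the port range must be split and labelled batch by batch.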
