Snort mailing list archives
RE: Help with a new rule to detect web traffic
From: JP Vossen <vossenjp () netaxs com>
Date: Fri, 6 Feb 2004 00:13:01 -0500 (EST)
> From: "Chris Hoover" <revoohc () sermonaudio com>
> To: <snort-users () lists sourceforge net>
> Date: Tue, 03 Feb 2004 13:25:59 -0600
> Subject: [Snort-users] Help with a new rule to detect web traffic
>
> I need some help writing a new rule. Where I work, we are running an internet proxy server (running squid). However, we also have an open firewall allowing anyone who configures their browser to bypass the proxy to go anywhere they want (don't ask on this choice). Anyway, we are working on a plan to close this open hole to the internet. In order to get a scope on the problem, I need to get some sort of a count as to how many machines are bypassing the proxy. Please help me get this rule written.
I don't think Snort is the correct tool for this. I'd take a look at ntop, iptraf, and especially nstreams. Or, if you are dead set on using snort, either use tcpdump or use snort in "sniffer/logger" mode instead of IDS mode. Experiment a bit:

    snort -v > some_file_on_a_disk_with_lots_of_space
    tcpdump -n > some_file_on_a_disk_with_lots_of_space

Let it run for a week, then grep the file looking for whatever traffic you are interested in:

    grep snort -v > some_file_on_a_disk_with_lots_of_space

But really, nstreams is probably what you want. I just Googled for it and was mildly astonished to find the RPM I built for that over 2 years ago is on page 1 of the results...

http://rpmfind.net/linux/RPM/contrib/libc6/i386/nstreams-1.0.1-2.i386.html

HTH,
JP

------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|      jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|      http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days because it would crash. Now you have to reboot Windows 200x or XP every couple of days because of a patch. How is that better or more stable?
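A worked version of the "sniff for a week, then grep" approach JP describes, added here as an example and not code from this thread: it parses constructed `tcpdump -n` output and counts the distinct internal hosts that open TCP/80 or TCP/443 connections directly instead of going through the proxy. The 10.0.0.0/8 internal range, the proxy address 10.0.0.5 and the sample capture lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): count internal hosts that
# send TCP SYNs straight to external web ports, bypassing the squid proxy.
# Assumptions (hypothetical): internal clients live in 10.0.0.0/8, the proxy
# is 10.0.0.5, and the capture is text produced by `tcpdump -n`.

PROXY_IP="10.0.0.5"          # hypothetical proxy address
CAPTURE="bypass_sample.txt"

# Constructed sample of tcpdump -n lines (not a real capture).
cat > "$CAPTURE" <<'EOF'
12:00:01.000000 IP 10.0.1.10.51000 > 10.0.0.5.3128: Flags [S], seq 1, win 64240, length 0
12:00:02.000000 IP 10.0.1.11.51001 > 203.0.113.7.80: Flags [S], seq 2, win 64240, length 0
12:00:03.000000 IP 10.0.1.11.51002 > 203.0.113.8.80: Flags [S], seq 3, win 64240, length 0
12:00:04.000000 IP 10.0.1.12.51003 > 198.51.100.9.443: Flags [S], seq 4, win 64240, length 0
12:00:05.000000 IP 10.0.0.5.40000 > 203.0.113.7.80: Flags [S], seq 5, win 64240, length 0
12:00:06.000000 IP 203.0.113.7.80 > 10.0.1.11.51001: Flags [S.], seq 6, ack 3, win 65535, length 0
EOF

# list_bypassers FILE PROXY_IP
# Prints each distinct internal source address that sent a bare SYN ([S],
# not the [S.] SYN/ACK reply) to port 80 or 443, one per line, sorted.
list_bypassers() {
    awk -v proxy="$2" '
        $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            src = $3; dst = $5; sub(/:$/, "", dst)
            split(src, s, ".");  sip = s[1] "." s[2] "." s[3] "." s[4]
            m = split(dst, d, "."); dport = d[m]
            if (sip == proxy) next           # the proxy itself is allowed out
            if (sip !~ /^10\./) next         # only count internal clients
            if (dport == "80" || dport == "443") seen[sip] = 1
        }
        END { for (h in seen) print h }
    ' "$1" | sort
}

# count_bypassers FILE PROXY_IP -> number of distinct bypassing hosts
count_bypassers() { list_bypassers "$1" "$2" | wc -l | tr -d " "; }

list_bypassers "$CAPTURE" "$PROXY_IP"
echo "hosts bypassing proxy: $(count_bypassers "$CAPTURE" "$PROXY_IP")"
```

Client 10.0.1.10 talks to the proxy on 3128 and is not counted; the proxy's own outbound connection and the external SYN/ACK are ignored, leaving two bypassing hosts.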
Current thread:
- Help with a new rule to detect web traffic Chris Hoover (Feb 03)
- <Possible follow-ups>
- RE: Help with a new rule to detect web traffic JP Vossen (Feb 05)