Snort mailing list archives

RE: Help with a new rule to detect web traffic


From: JP Vossen <vossenjp () netaxs com>
Date: Fri, 6 Feb 2004 00:13:01 -0500 (EST)

From: "Chris Hoover" <revoohc () sermonaudio com>
To: <snort-users () lists sourceforge net>
Date: Tue, 03 Feb 2004 13:25:59 -0600
Subject: [Snort-users] Help with a new rule to detect web traffic

I need some help writing a new rule.  Where I work, we are running an
internet proxy server (running squid).  However, we also have an open
firewall, so anyone who configures their browser to bypass the
proxy can go anywhere they want (don't ask about this choice).

Anyway, we are working on a plan to close this open hole to the internet.
In order to get a scope on the problem, I need to get some sort of a
count as to how many machines are bypassing the proxy.  Please help me
get this rule written.


I don't think Snort is the correct tool for this.  I'd take a look at ntop,
iptraf, and especially nstreams.  Or, if you are dead set on using snort,
either use tcpdump or use snort in "sniffer/logger" mode instead of IDS mode.
Experiment a bit:

snort -v > some_file_on_a_disk_with_lots_of_space
tcpdump -n > some_file_on_a_disk_with_lots_of_space

Let it run for a week, then grep the file looking for whatever traffic you are
interested in:

grep 'whatever_you_are_interested_in' some_file_on_a_disk_with_lots_of_space

But really, nstreams is probably what you want.  I just Googled for it and was
mildly astonished to find the RPM I built for that over 2 years ago is on page
1 of the results...
        http://rpmfind.net/linux/RPM/contrib/libc6/i386/nstreams-1.0.1-2.i386.html

HTH,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
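As an added worked example (not code from the thread or from any of the tools
named in it), here is what the "capture for a week, then grep" approach looks
like once you want an actual per-host count rather than raw matches.  It assumes
modern `tcpdump -n` output format, that 10.0.0.0/8 is the internal range, that
the squid proxy listens on 10.0.0.1:3128, and that "web traffic" means SYNs to
port 80 or 443; the sample capture lines are constructed, not real data.  Only
outbound SYNs from internal hosts to non-internal addresses are counted, so
replies, internal web servers and traffic that correctly goes via the proxy are
all ignored.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n` output (hypothetical, not from the thread).
# Fields: time, "IP", src.port, ">", "dst.port:", "Flags", "[S],", ...
SAMPLE_TCPDUMP='12:00:01.000000 IP 10.0.0.5.49152 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
12:00:01.100000 IP 10.0.0.5.49153 > 10.0.0.1.3128: Flags [S], seq 2, win 65535, length 0
12:00:02.000000 IP 10.0.0.7.40000 > 198.51.100.3.443: Flags [S], seq 3, win 65535, length 0
12:00:02.500000 IP 10.0.0.5.49154 > 203.0.113.8.80: Flags [S], seq 4, win 65535, length 0
12:00:03.000000 IP 192.0.2.10.80 > 10.0.0.5.49152: Flags [S.], seq 5, ack 2, win 65535, length 0
12:00:04.000000 IP 10.0.0.9.50000 > 10.0.0.20.80: Flags [S], seq 6, win 65535, length 0
12:00:05.000000 IP 10.0.0.5.49152 > 192.0.2.10.80: Flags [.], ack 1, win 65535, length 0
12:00:06.000000 IP 10.0.0.11.50001 > 198.51.100.3.8080: Flags [S], seq 7, win 65535, length 0'

# Assumed site specifics: adjust to taste.
PROXY_HOST=10.0.0.1
PROXY_PORT=3128

# On the live box you would narrow the capture itself so the week-long file stays
# small; this BPF filter keeps only outbound web SYNs from the internal range:
#   tcpdump -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and (dst port 80 or dst port 443)
#               and src net 10.0.0.0/8 and not dst net 10.0.0.0/8' > capture.txt

# count_bypassers: read tcpdump -n text on stdin, print "host count" for every
# internal host that sent a SYN to port 80/443 on a non-internal address without
# going through the proxy.
count_bypassers() {
  awk -v proxy="$PROXY_HOST" -v proxy_port="$PROXY_PORT" '
    $2 == "IP" && $7 == "[S]," {
      src = $3; dst = $5; sub(/:$/, "", dst)
      n = split(src, s, "."); sport = s[n]; shost = s[1] "." s[2] "." s[3] "." s[4]
      n = split(dst, d, "."); dport = d[n]; dhost = d[1] "." d[2] "." d[3] "." d[4]
      if (shost !~ /^10\./) next                        # only our own hosts
      if (dhost == proxy && dport + 0 == proxy_port + 0) next  # via the proxy: fine
      if (dhost ~ /^10\./) next                         # internal servers are not "the internet"
      if (dport + 0 != 80 && dport + 0 != 443) next     # web traffic only (assumed ports)
      hits[shost]++
    }
    END { for (h in hits) print h, hits[h] }
  ' | sort
}

# bypassing_host_count: number of distinct machines bypassing the proxy,
# which is the figure the original question asks for.
bypassing_host_count() {
  count_bypassers | wc -l | tr -d ' '
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_TCPDUMP" | count_bypassers
printf 'hosts bypassing proxy: %s\n' "$(printf '%s\n' "$SAMPLE_TCPDUMP" | bypassing_host_count)"
```

On a real capture, `count_bypassers < capture.txt` gives the per-host list and
`bypassing_host_count < capture.txt` the single number.  Counting SYNs rather
than every packet keeps the numbers proportional to connections, not to page
size, and excluding the proxy's own port is what distinguishes bypassers from
well-behaved clients.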
