Snort mailing list archives

RE: OT: monitoring specific traffic


From: "Patrick Harper" <patrick () internetsecurityguru com>
Date: Mon, 16 May 2005 18:03:45 -0500

I have used tcpdump to build files that you can go through with a sniffer or
even use less to look at.  The thing you want to do to make sure you get
everything is use the -s0 option so it sets the capture size to 65535 bytes.

tcpdump -s0 -i ethX host <offending ip> and port 80 -w surfer.dmp or
something like that (I forget the exact syntax I used but that is pretty
close).  You can even play with the file with less while you are still
capturing, and that should only catch his web traffic unless he is using
https; you could take the "and port 80" off and just grab everything and
look at it in ethereal.

I have left this running for days at a time before, just make sure you have
the disk space and a stable system and you're good to go.

Hope that helps

Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com 
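
As an added example (not code from the thread or from either poster), the script below shows what the -s0 advice buys you. It builds a constructed pcap containing one HTTP GET, then pulls out the source and destination addresses, the request line and the Host header the original poster asked about. The same frame is written three times with different snaplens: with the 65535 bytes that -s0 gives, the Host header survives; with 96 bytes it is cut off mid-line; with the 68-byte default of tcpdump 3.x not even the request line is complete. The IP addresses, ports and request are assumptions for illustration. One syntax point on the command line above: tcpdump options such as -w must come before the filter expression, so the working form is tcpdump -s0 -i ethX -w surfer.dmp host <offending ip> and port 80.

```python
import socket
import struct

# Constructed sample traffic for this example (not a capture from the thread):
# one HTTP GET from the watched workstation 192.168.1.50 to a web server on port 80.
SRC_IP, DST_IP = "192.168.1.50", "203.0.113.10"
HTTP_REQUEST = (
    b"GET /news/index.html?id=42 HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"\r\n"
)


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Wrap payload in Ethernet/IPv4/TCP headers (checksums left at zero; a
    parser does not need them)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)            # dst MAC, src MAC, ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(frames, snaplen=65535):
    """Serialise (timestamp, frame) pairs as a classic pcap (link type 1, Ethernet).
    Each frame is cut at snaplen, which is exactly what tcpdump -s <snaplen> does."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for ts_sec, frame in frames:
        kept = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, 0, len(kept), len(frame)) + kept
    return out


def http_requests(pcap):
    """Return (src, dst, method, path, host) for every TCP segment whose payload
    begins with an HTTP request line. host is None when the Host header was not
    captured in full, i.e. the snaplen cut it off."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    found, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                         # not IPv4 carrying TCP
        tcp_off = 14 + (frame[14] & 0x0F) * 4
        if len(frame) < tcp_off + 20:
            continue                                         # TCP header itself truncated
        payload = frame[tcp_off + (frame[tcp_off + 12] >> 4) * 4:]
        eol = payload.find(b"\r\n")
        if eol < 0:
            continue                                         # no complete request line
        parts = payload[:eol].split(b" ")
        if len(parts) != 3 or parts[0] not in (b"GET", b"POST", b"HEAD"):
            continue
        host = None
        # Only CRLF-terminated header lines count; the unterminated tail is dropped
        # so a truncated "Host: www.exa" never shows up as a real hostname.
        for line in payload[eol + 2:].split(b"\r\n")[:-1]:
            if line == b"":
                break                                        # end of headers
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("ascii", "replace")
                break
        found.append((socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
                      parts[0].decode(), parts[1].decode(), host))
    return found


FRAME = build_frame(SRC_IP, DST_IP, 40123, 80, HTTP_REQUEST)

if __name__ == "__main__":
    # 65535 = what -s0 gives, 96 = header cut mid-line, 68 = tcpdump 3.x default
    for snaplen in (65535, 96, 68):
        print(snaplen, http_requests(build_pcap([(1116283425, FRAME)], snaplen)))
```

To run this over a real tcpdump -w file, read the file's bytes and pass them to http_requests; it handles only little-endian classic pcap on Ethernet, and, as the reply says, HTTPS sessions will yield no request lines at all, so for those only the host/port pairs in the capture are of any use.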


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich Adamson
Sent: Monday, May 16, 2005 5:45 PM
To: Snort Users Postings
Subject: [Snort-users] OT: monitoring specific traffic


A little off topic here, but thinking a fair number of folks on this
list may have knowledge on this....

Been asked to track the usage coming from a specific workstation and
heading to the internet. Manager is thinking the employee is surfing
as opposed to doing real work. He asked to have something set up to
monitor the workstation activity, which is 90% http traffic.

Other than a packet sniffer, what tool(s) are folks using to log data
such as the url string, host name, or the "GET " string?

The manager would like something that runs for a period of days, so
packet sniffers are not likely to help. Snort is running, but from
what I can tell, it's certainly possible to gen an alert but not one
with the target strings needed, etc.

Thoughts anyone?

Rich




-------------------------------------------------------
This SF.Net email is sponsored by Oracle Space Sweepstakes
Want to be the first software developer in space?
Enter now for the Oracle Space Sweepstakes!
http://ads.osdn.com/?ad_id=7412&alloc_id=16344&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



