Logging Application Data

Problem

You want to capture the application data carried in network traffic, for example MySQL, HTTP, or FTP payloads.

Solution

To see the actual application payload in ASCII, use the -C command-line option, which prints payloads as character data only (no hex). -C has no effect on its own: it must be combined with the -d option, which dumps the application layer, and in packet dump mode with -v:

C:\Snort\bin>snort -vdC

Discussion

There are times when you want to record every transaction of a specific application, whether for legal reasons, content checking, or usage monitoring. Another reason to log application data is to help developers find bugs in network applications. By default, Snort displays only the packet headers. To see the payload in ASCII, use the -C command-line option, which prints character data only (no hex). -C only takes effect together with -d, which dumps the application layer, and in packet dump mode you also need -v so that packets are printed to the console at all:

C:\Snort\bin>snort -vdC
Running in packet dump mode
Log directory = log

Initializing Network Interface \Device\NPF_{572FF0E6-9A1E-42B5-A2AF-A5A307B613EF}

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{572FF0E6-9A1E-42B5-A2AF-A5A307B613EF}

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.2.0-ODBC-MySQL-FlexRESP-WIN32 (Build 30)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike@datanerds.net, www.datanerds.net/~mike)
1.8 - 2.x WIN32 Port By Chris Reid (chris.reid@codecraftconsultants.com)

11/01-12:15:26.305595 192.168.100.70:4435 -> 216.239.51.147:80
TCP TTL:128 TOS:0x0 ID:50695 IpLen:20 DgmLen:323 DF
***AP*** Seq: 0x880283FF Ack: 0xD0CF219E Win: 0x4470 TcpLen: 20
GET / HTTP/1.1..Accept: */*..Accept-Language: en-us..Accept-Enco
ding: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 6
.0; Windows NT 5.0)..Host: www.google.com..Connection: Keep-Aliv
e..Cookie: PREF=ID=1c67539b15a71c3d:TM=1078849240:LM=1078849469:
TB=2:S=8BR7CQ3QdlExQhyo....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/01-12:15:26.341166 216.239.51.147:80 -> 192.168.100.70:4435
TCP TTL:52 TOS:0x10 ID:34185 IpLen:20 DgmLen:1400
***AP*** Seq: 0xD0CF219E Ack: 0x8802851A Win: 0x7AE4 TcpLen: 20
HTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html
..Content-Encoding: gzip..Server: GWS/2.1..Content-Length: 1192.
.Date: Thu, 01 Jul 2004 16:14:53 GMT...............Vmo.6..._.([b
..h.q.....X....t-.a..Z:ID$.&)+^....^...i.....{.w.....,. ..DA....
Z5.e.W..KaA..]+.H7.=...:.9.s........c/.,..D.Rf........kw<.Y.d=..
.....oR49NY.......#.....<........'.p.....&...'{.|...(......@;..5
W.?.dZ..r).I...D.U...S...80.ac.t&zU...9L.Y.....C...~2!..Wa..Y..
.l......4m..8.,...Q....1`lQ.YH...'$..0..d.H.$iF(...'^f..8.(/Y..
.2.~.S..<.yx..%..g.......Iks.)...u.h..{...T...&Rh...q...J.......
....!..)..$..?B..."........>.<{'K%....VL.%.......bE...3...kH}4.
....o.z..p..5..l
.a6kU....4...M.(.....F.....V.>.rvP.....3r^.W...Y..........m..V.a
..SM.)KVL..|i.hK..m7...N7..=~......&.t&..3Oj.Ld....+e.+.w....l..
.Z..]..w...k.e....}...`H[7...4+..2&[y<.W.}G..+..c.`..j....e.Y..J
.....n.m.AE..?.......A...^.)........{...^.(m.4w........_......N
(.....P?.%=....9.j.-..@m.r..2[.)....sz..~.bx.u...x.....K/..]A..
...4....u...woF....[=$q,.z~8.....]Q.29....F...G.^....D..EG..F..A
..._M.......^...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/01-12:15:26.373894 192.168.100.70:4435 -> 216.239.51.147:80
TCP TTL:128 TOS:0x0 ID:50697 IpLen:20 DgmLen:421 DF
***AP*** Seq: 0x8802851A Ack: 0xD0CF26EE Win: 0x3F20 TcpLen: 20
GET /images/logo.gif HTTP/1.1..Accept: */*..Referer: http://www.
google.com/..Accept-Language: en-us..Accept-Encoding: gzip, defl
ate..If-Modified-Since: Mon, 22 Mar 2004 23:04:23 GMT..User-Agen
t: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)..Host: www
.google.com..Connection: Keep-Alive..Cookie: PREF=ID=1c67539b15a
71c3d:TM=1078849240:LM=1078849469:TB=2:S=8BR7CQ3QdlExQhyo....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

You can use the -C and -d command-line options in any of Snort's modes: packet dump, packet logger, and NIDS. Although Snort inspects the payload, it neither prints nor logs it by default. Two things in the output above are worth noting. First, -C prints every non-printable byte as a period, so the CR/LF ending each HTTP header shows up as "..", and the gzip-compressed response body is unreadable; if you need the exact bytes, log in binary (tcpdump) format with -b instead and decode later. Second, the dump records everything the application sends, including the session cookie in both requests, so files produced this way should be protected like any other store of credentials.
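To show how the -vdC output can actually be consumed for content checking, here is an added example (not from the Snort Cookbook and not part of Snort) that parses the packet-dump layout above into records, pulls out HTTP request and response start lines with their headers, and redacts credential-bearing headers before the dump is stored. It assumes the Snort 2.x layout shown on this page: a timestamp/endpoint line, protocol lines, the payload wrapped at 64 columns with non-printable bytes printed as '.', and a '=+=+...' separator after each packet. The sample input is an excerpt of the dump above with the compressed response body cut short.

```python
"""Parse a Snort -vdC packet dump and extract HTTP start lines and headers.

Added example (not the Snort Cookbook's or Snort's own code). Assumes the
Snort 2.x packet-dump layout: header line, protocol lines, payload wrapped
at 64 columns with non-printable bytes shown as '.', '=+=+' separator.
"""
import re
from dataclasses import dataclass

# Constructed sample: the first two packets of the dump on this page, with
# the gzip response body cut short. Because -C prints CR and LF as '.',
# every HTTP header line ends in '..' and the header block ends in '....'.
SAMPLE = """\
11/01-12:15:26.305595 192.168.100.70:4435 -> 216.239.51.147:80
TCP TTL:128 TOS:0x0 ID:50695 IpLen:20 DgmLen:323 DF
***AP*** Seq: 0x880283FF Ack: 0xD0CF219E Win: 0x4470 TcpLen: 20
GET / HTTP/1.1..Accept: */*..Accept-Language: en-us..Accept-Enco
ding: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 6
.0; Windows NT 5.0)..Host: www.google.com..Connection: Keep-Aliv
e..Cookie: PREF=ID=1c67539b15a71c3d:TM=1078849240:LM=1078849469:
TB=2:S=8BR7CQ3QdlExQhyo....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/01-12:15:26.341166 216.239.51.147:80 -> 192.168.100.70:4435
TCP TTL:52 TOS:0x10 ID:34185 IpLen:20 DgmLen:1400
***AP*** Seq: 0xD0CF219E Ack: 0x8802851A Win: 0x7AE4 TcpLen: 20
HTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html
..Content-Encoding: gzip..Server: GWS/2.1..Content-Length: 1192.
.Date: Thu, 01 Jul 2004 16:14:53 GMT...............Vmo.6..._.([b
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)
# Protocol lines that follow the header: "TCP TTL:...", the TCP flag line,
# or "Len: N" for UDP. Everything else up to the separator is payload.
META_RE = re.compile(r"^(?:(?:TCP|UDP|ICMP) TTL:|[*12UAPRSF]{8} Seq:|Len: \d+)")
FLAGS_RE = re.compile(r"^([*12UAPRSF]{8}) Seq:")
REQUEST_RE = re.compile(r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]$")
RESPONSE_RE = re.compile(r"^HTTP/1\.[01] \d{3}\b")
SEPARATOR = "=+=+"


@dataclass
class Packet:
    timestamp: str
    src: str
    dst: str
    flags: str = ""    # TCP flag field such as "***AP***"; empty for UDP/ICMP
    payload: str = ""  # wrapped -C lines joined; '.' is any non-printable byte


def parse_dump(text):
    """Split -vdC output into Packet records; banner lines are ignored."""
    packets, cur, body = [], None, []
    for line in text.splitlines():
        if line.startswith(SEPARATOR):
            if cur is not None:
                cur.payload = "".join(body)
                packets.append(cur)
            cur, body = None, []
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = Packet(m["ts"], f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}")
            body = []
            continue
        if cur is None:
            continue
        if META_RE.match(line):
            f = FLAGS_RE.match(line)
            if f:
                cur.flags = f.group(1)
            continue
        body.append(line)  # 64-column wrap: concatenate without newlines
    return packets


def http_messages(packets):
    """Return (packet, start_line, headers) for each HTTP request/response.

    CRLF prints as '..', so the header block is split on '..' and ends at the
    first empty element (the '....' of CRLF CRLF). A literal '..' inside a
    header value would also split; that ambiguity is inherent to -C output.
    """
    found = []
    for p in packets:
        parts = p.payload.split("..")
        if not (REQUEST_RE.match(parts[0]) or RESPONSE_RE.match(parts[0])):
            continue
        headers = {}
        for h in parts[1:]:
            if h == "":
                break
            name, _, value = h.partition(": ")
            headers[name] = value
        found.append((p, parts[0], headers))
    return found


def redact(payload):
    """Mask credential-bearing header values before a dump is kept or shared."""
    return re.sub(r"(?i)((?:Cookie|Authorization|Proxy-Authorization): ).*?(?=\.\.|$)",
                  r"\1[REDACTED]", payload)


if __name__ == "__main__":
    pkts = parse_dump(SAMPLE)
    for p, start, hdrs in http_messages(pkts):
        print(p.timestamp, p.src, "->", p.dst, p.flags, "|", start,
              "| Host:", hdrs.get("Host"), "| Content-Encoding:", hdrs.get("Content-Encoding"))
    print(redact(pkts[0].payload))
```

Run it against a saved dump (snort -vdC > dump.txt) by replacing SAMPLE with the file contents. The Content-Encoding header it surfaces is the practical signal that the body which follows is not going to be readable in -C output; for that traffic a binary log taken with -b is the only way to recover the content.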

See Also

Recipe 1.16

Recipe 1.17

Recipe 1.18

Snort Cookbook (ISBN: 0596007914, Year: 2006, Pages: 167)
