Capturing Traffic from a Specific TCP Session

Problem

You want to capture all the traffic from a specific TCP session.

Solution

Use the session option in a rule.

session: modifier;

For example, to capture only printable characters:

session: printable;

 

Discussion

The printable modifier outputs all the printable text from a session. This is an incredibly useful option for a plain-text session such as FTP or Telnet. It allows you to view the content of an entire session. If the protocol is a little more complex, use the all modifier to output all the data from the session.

For example, the previous rule produces the following output in the log SESSION:

&& !"'#P 38400,38400#frodo:0'DISPLAYfrodo:0XTERMsimon^Mpassword^m

This shows all the Telnet sessions from the client to the server, with the username and password obvious in clear text. If you replace -> with <> to get both sides of the conversation, it becomes a little clearer.

alert tcp any any <> any 23 ( msg: "Telnet"; session: printable;)

This gives the following :

&& !"'# #'&&!" #'P 38400,38400#frodo:0'DISPLAYfrodo:0XTERMFedora Core 

release 2 (Tettnang)

Kernel 2.6.5-1.358 on an i686

login: ssiimmoonn^M

Password: password^M

Last login: Fri Jul 2 12:58:49 from 192.168.0.8

]0;simon@blackbox:~[simon@blackbox simon]$

which makes a little more sense, except for the doubled up letters when the letter is both sent from and returned to the Telnet client.

See Also

Snort Users Manual

Killing a Specific Session

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance

Index





Snort Cookbook
Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167
Similar book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net