[Dshield] HTTP logging using Netcat

Ed Truitt ed.truitt at etee2k.net
Mon May 6 23:37:32 GMT 2002


Well, this isn't how I would handle it.  While netcat will do what you want,
it will also do a lot of other things - some of which could be very bad (for
you).  I hope you are running netcat in a chroot jail, in a security context
which can do nothing other than what you want it to do, and that no one else
can get to the executable.

That said, there are other things out there that you can use.  For awhile, I
used the Squid web proxy for this purpose (actually, it was - and it - a
by-product of what I use Squid for, which is a proxy server for my home
network).  Just set it up to listen on Port 80, configure it so that no one
can use it to proxy to other sites, and you have a solution which isn't as
open-ended as netcat.

Af far as getting "that clever", you can either download Snort, untar it,
and read the rules files - or, you can get experience (for example, a
specific series of requests indicates Nimda, another specific request
indicates CR, etc.) by looking at 'em for awhile.  Or, you can download
Snort, install it, and see what else is floating around on your network.

HTH.

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."


----- Original Message -----
From: "Jos Geluk" <j-No-Spam-geluk at wanadoo.nl>
To: <list at dshield.org>
Sent: Monday, May 06, 2002 4:24 PM
Subject: [Dshield] HTTP logging using Netcat


> I would like to analyze the HTTP requests sent to the IP address of my
> firewall. To do so, I have the firewall route packets with target port
> 80 to a host in my internal network, which runs Netcat. Netcat does
> nothing but write the incoming requests to a logfile, which makes for
> amusing reading.
> Questions:
> 1. Is this a good idea, or is there any risk that I may overlook?
> 2. Rather than install an intrusion detection package, I would like to
> compare my log file to a list of attack signatures. Some of you people
> can tell a Nimda from a Code Red just from the GET requests, how do I
> get that clever?
>
> Thanks,
>
> Jos.
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
>




More information about the list mailing list