* [ulog2] Plugin ulogd_filter_HTTPSNIFF proposal
@ 2018-01-12 17:21 Jean Weisbuch
0 siblings, 0 replies; only message in thread
From: Jean Weisbuch @ 2018-01-12 17:21 UTC (permalink / raw)
To: netfilter-devel
I created a filter plugin for ulogd2 that does retrieve informations
from HTTP request, it is similar to ulogd_filter_PWSNIFF (on which the
code is based) which allows to monitor/log HTTP requests sent/recieved
by the system.
Other solutions based on PCAP allows to log HTTP queries but not along
with informations such as the UID that did sent the packet which can be
useful to which users are executing virus/hacked scripts.
Output of "ulogd --info ulogd_filter_HTTPSNIFF.so" :
Input keys:
Key: raw.pkt (raw data)
Output keys:
Key: httpsniff.host (string)
Key: httpsniff.uri (string)
Key: httpsniff.method (unsigned int 8)
The code is available at : https://github.com/jb-boin/ulogd_filter_HTTPSNIFF
It requires both https://bugzilla.netfilter.org/show_bug.cgi?id=1192 and
https://bugzilla.netfilter.org/show_bug.cgi?id=1193 to be fixed for it
to work correctly.
I included proposed patchs for those two bugs.
I have been using it with a MariaDB output for about 3 months on more
than 30 Debian Jessie hosts, ulogd2 compiled as packages using the
Debian Stretch 2.0.5-5 source package and i didnt hit any issue so far.
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2018-01-12 17:29 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-01-12 17:21 [ulog2] Plugin ulogd_filter_HTTPSNIFF proposal Jean Weisbuch
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.