Hi Wei WANG,

If you are just looking for anomalies in the URL then you could create a script to:

- extract the URL
- pipe the URL to netcat
- point the traffic generated by netcat past a snort sensor (you'll still need a webserver (or a netcat to /dev/null??) to complete the 3-way handshake etc)
- you could use the source port as an index (= file line number) to correlate the snort events to the log records.
Eg

  echo "GET /ariana/Images/Icones/sound.gif HTTP/1.0" | netcat -p $src_port <target_webserver> 80

If it works you'll also have the benefit of the http pre-processor to normalise Unicode etc.

If you try this please let me know how you get on, been meaning to try this myself for a while (road to hell.... etc).

Regards
Dai

PS There's probably a smarter way of pushing the traffic to snort without having to regenerate traffic.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 20 May 2008 16:06
To: [email protected]
Subject: HTTP LOG files Labeling

Hi All,

We are working on anomaly detection of HTTP attacks. In fact, we have collected a large amount of HTTP logs (apache server), but we didn't use IDS to label the data during collection. Does anyone know how to label the HTTP logs? For example, one http log line like:

burtul.xx.fr - - [10/May/2007:14:46:07 +0200] "GET /ariana/Images/Icones/sound.gif HTTP/1.0" 200 579 http://www-sop.inria.fr/ariana/fr/xx "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.7.13) Gecko/20060417"

Any suggestions are very appreciated.

Wei WANG
INRIA
2008-05-20

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
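The replay-and-correlate procedure Dai sketches above, written out as an added example that is not part of the thread (neither Dai's nor Wei's code). It parses Apache combined-log lines, rebuilds each logged request as the bytes to pipe into netcat with the client source port pinned to the log line number, and maps a Snort fast-format alert back to the originating log record through that port. Everything specific is an assumption: the port base 10000, the target 192.0.2.10, the Host header value, and the sample log lines and alert line are constructed (the first log line is modelled on the one in the question). The script does not send traffic itself; it emits the netcat commands so they can be inspected or fed to a shell on a test network.

```python
"""Added example: turn Apache combined-log lines into netcat replay commands
whose client source port encodes the log line number, then map a Snort
alert back to the originating log record. Not code from the thread."""
import re
import shlex

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# Tail of a Snort "fast" alert line: {TCP} src:port -> dst:port
ALERT_RE = re.compile(r'\{TCP\} \S+:(?P<sport>\d+) -> \S+:(?P<dport>\d+)')

PORT_BASE = 10000   # assumed: log line 1 is replayed from source port 10001
PORT_MAX = 65535    # TCP ports stop here, so one batch covers at most 55535 lines

# Constructed sample log; the first line is modelled on the one in the question,
# the second carries a percent-encoded path the http preprocessor would normalise.
SAMPLE_LOG = [
    'burtul.xx.fr - - [10/May/2007:14:46:07 +0200] "GET /ariana/Images/Icones/sound.gif HTTP/1.0" '
    '200 579 "http://www-sop.inria.fr/ariana/fr/xx" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.7.13) Gecko/20060417"',
    '10.0.0.5 - - [10/May/2007:14:46:09 +0200] "GET /ariana/Images/%49cones/sound.gif HTTP/1.0" '
    '200 579 "-" "curl/7.16"',
    'this line is not in combined format and is skipped',
]
# Constructed Snort fast-alert line for the replay of line 2 (source port 10002).
SAMPLE_ALERT = ('05/20-16:06:01.000000  [**] [1:0:0] constructed test alert [**] '
                '[Priority: 2] {TCP} 10.0.0.5:10002 -> 192.0.2.10:80')


def parse_line(line):
    """Return the combined-log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def port_for_index(index):
    """Source port for 1-based log line number `index`; refuses to wrap past 65535,
    so a larger log must be replayed in batches and tagged with a batch number."""
    port = PORT_BASE + index
    if not PORT_BASE < port <= PORT_MAX:
        raise ValueError("line %d is outside the usable port range" % index)
    return port


def index_for_port(port):
    """Inverse of port_for_index: recover the log line number from an alert's source port."""
    return port - PORT_BASE


def raw_request(entry, vhost):
    """Bytes to feed netcat: the logged request line plus a Host header (assumed
    value) and the blank line that ends the headers, so the server answers
    instead of waiting for more header lines."""
    return "%s\r\nHost: %s\r\nConnection: close\r\n\r\n" % (entry["request"], vhost)


def netcat_argv(index, target, target_port=80):
    """netcat invocation pinned to the line-indexed source port (-p), as in the reply."""
    return ["nc", "-p", str(port_for_index(index)), target, str(target_port)]


def build_replay_commands(lines, target, vhost):
    """One shell command per parseable log line; unparseable lines are skipped
    but still consume their line number, so the port index matches the file."""
    cmds = []
    for index, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None or not entry["request"]:
            continue
        cmds.append("printf %%s %s | %s" % (
            shlex.quote(raw_request(entry, vhost)), " ".join(netcat_argv(index, target))))
    return cmds


def correlate(alert_line, lines):
    """Map a Snort fast-alert line back to the log record that was replayed."""
    m = ALERT_RE.search(alert_line)
    if not m:
        return None
    index = index_for_port(int(m.group("sport")))
    return lines[index - 1] if 1 <= index <= len(lines) else None


if __name__ == "__main__":
    for cmd in build_replay_commands(SAMPLE_LOG, "192.0.2.10", "www-sop.inria.fr"):
        print(cmd)
    print("alert came from:", correlate(SAMPLE_ALERT, SAMPLE_LOG))
```

Two practical points the thread only hints at: the correlation only holds if Snort reports the client side of the connection as the source port, and a fixed `-p` port can fail to bind while the previous connection on that port sits in TIME_WAIT, so a replay loop should pace itself or check the exit status of each command rather than assume every line was sent.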
