url-sniff
Introduction
url-sniff sniffs HTTP 1.1 GET requests that pass through our server.

Screenshots
Requirements
  • Perl 5.x (use the latest stable release for your distro, for security reasons)
  • ngrep
Installation
  • Download script: url-sniff
  • Download example configuration: url-sniff.conf
  • Copy url-sniff to a location that is in your PATH, for example /usr/sbin.
  • chmod +x /path_to_script/url-sniff
  • Modify url-sniff.conf according to your needs and place it somewhere, for example in /etc.
Use
The configuration file may contain the following settings:
$iface = "eth0";
Interface to sniff on. If not set, the first interface is used.
$promisc = "1";
Enables ("1") or disables ("0") promiscuous mode on the interface. Default: disabled ("0").
$lookup = "1";
Enables ("1") or disables ("0") DNS lookups for source IPs.
$ports = "80,8080,3128";
Destination ports to which a GET request may be sent in order to be captured. Default: only GETs to port 80 are captured.
$srchost = "";
Regular expression matching the source IPs whose requests should be shown (specified here as a regexp).
For example: "192.168.2.1[67]\d$", "192.168.2.16$", "10.1.|192.168.1." etc.
If not set, requests from all clients are shown, unless discarded by other filters.
$dsthost = "";
Regular expression matching strings that the Host: header must contain for the request to be shown (specified here as a regexp).
For example: "google|yahoo", ".com$", "^yahoo.com$" etc.
If not set, all requests are shown, unless discarded by other filters.
$query = "";
Regular expression matching strings that the path and query part of the URL must contain for the request to be shown (specified here as a regexp).
For example: "yaguar|puma", "home", "little|big" etc.
If not set, all requests are shown, unless discarded by other filters.
$excl = "";
Regular expression that discards requests for files whose extensions match it.
For example: "\.jpg|\.css|\.jpeg|\.gif|\.js|\.ico|\.bmp|\.png" etc.
If not set, all requests are shown, unless discarded by other filters.
$ads = "";
Regular expression that discards requests whose path and query part of the URL matches it.
For example: "ads|advert|ad\.js|dot\.gif|banner" etc.
If not set, all requests are shown, unless discarded by other filters.
$ifcolors="1";
Enables colored output ("1"). Default is "0", colored output disabled. If output is redirected to a file, disable colors so the file is not cluttered with color codes.
%color_set = (
    'Settings' => 'BLU',   # color of used Settings; default BLU
    'Src'      => 'GRE',   # source IP/hostname color; default GRE
    'Dst'      => 'YEL',   # destination IP/hostname color; default YEL
    'Query'    => 'BBLU',  # query color; default BBLU
    'Neutral'  => 'BPIN',  # delimiters, settings names color; default BPIN
);
Codes for colors that can be used:
'RST' - reset (white), 'RED' - red, 'GRE' - green, 'YEL' - yellow, 'BLU' - blue, 'PIN' - pink,
'LBL' - light blue, 'BRED' - bold red, 'BGRE' - bold green, 'BYEL' - bold yellow,
'BBLU' - bold blue, 'BPIN' - bold pink, 'BLBL' - bold light blue
BRACKETS, SEMICOLONS, QUOTES ARE NECESSARY AND SHOULDN'T BE OMITTED.
If the default values are good enough for some parameters, simply leave them out of the configuration file.
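The filters above are applied together: a request is shown only if it passes every one that is set. The following script is an added example and is not part of url-sniff itself; it puts the documented settings into the same `$variable = "...";` form as url-sniff.conf and applies them to a handful of constructed GET request records, so you can see which requests survive the combined filter chain. The order in which url-sniff evaluates its filters is not stated on the page, so the order here (port, then srchost, dsthost, query, excl, ads) is an assumption; the sample requests and the anchored, escaped regexps are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example, not url-sniff's own code: demonstrates how the documented
# filter settings combine. Filter order and the request records are assumptions.
use strict;
use warnings;

# Settings written exactly as they would appear in url-sniff.conf.
# Dots are escaped and patterns anchored so "192.168.2.16" does not also
# match "192.168.2.160" (the unescaped, unanchored forms are looser).
our $ports   = "80,8080";
our $srchost = '^192\.168\.2\.1[67]$';              # only .16 and .17
our $dsthost = 'example\.com$';                     # Host: header must end in example.com
our $query   = '';                                  # empty: do not filter on path/query
our $excl    = '\.jpg$|\.css$|\.gif$|\.js$|\.png$'; # static files are dropped
our $ads     = 'ads|banner';                        # ad paths are dropped

# Constructed sample of what a sniffer would hand over per GET request.
my @requests = (
    { src => '192.168.2.16',  dport => 80,   host => 'www.example.com', path => '/index.html' },
    { src => '192.168.2.16',  dport => 80,   host => 'www.example.com', path => '/logo.png' },        # excl
    { src => '192.168.2.17',  dport => 8080, host => 'cdn.example.com', path => '/banner/top.html' }, # ads
    { src => '192.168.2.160', dport => 80,   host => 'www.example.com', path => '/admin' },           # srchost
    { src => '192.168.2.16',  dport => 443,  host => 'www.example.com', path => '/secure' },          # port
    { src => '192.168.2.17',  dport => 80,   host => 'www.example.org', path => '/' },                # dsthost
);

# Returns 1 if the request passes every configured filter, 0 otherwise.
# An empty setting means "filter not set" and is skipped, as the page describes.
sub keep_request {
    my ($r) = @_;
    my %port_ok = map { $_ => 1 } split /,/, $ports;
    return 0 unless $port_ok{ $r->{dport} };
    return 0 if $srchost ne '' && $r->{src}  !~ /$srchost/;
    return 0 if $dsthost ne '' && $r->{host} !~ /$dsthost/;
    return 0 if $query   ne '' && $r->{path} !~ /$query/;
    return 0 if $excl    ne '' && $r->{path} =~ /$excl/;
    return 0 if $ads     ne '' && $r->{path} =~ /$ads/;
    return 1;
}

for my $r (@requests) {
    printf "%-4s %s:%d -> %s%s\n",
        keep_request($r) ? 'SHOW' : 'DROP',
        $r->{src}, $r->{dport}, $r->{host}, $r->{path};
}
```

Only the first request is shown; each of the others is dropped by exactly one of the commented filters. When writing your own regexps, remember that `.` matches any character and that an unanchored pattern such as "10.1." also matches "10.10.x" or "110.1.x", so anchor and escape wherever the match must be exact.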

Now we can create configuration files for every need and use them by specifying them on the url-sniff command line.
url-sniff command line parameters:
server:~# url-sniff --help
Usage: url-sniff [--help] [--iface=<interface>] [--promisc] [--ports="<X,Y,Z>"] [--lookup] [--colors]
                 [--srchost="<regexp>"] [--dsthost="<regexp>"] [--excl="<regexp>"] [--ads="<regexp>"]
                 [--query="<regexp>"] [--config=<config-file>]
  --iface=<interface>        interface to listen on
  --promisc                  promiscuous mode; default disabled
  --excl="<regexp>"          regexp to exclude some extensions (.jpg,.gif etc); default none
  --ads="<regexp>"           regexp to exclude some queries/paths (ads|banner etc); default none
  --ports="<X,Y,Z>"          destination ports to sniff for GETs (80,3128,8080); default 80
  --dsthost="<host_regexp>"  match only these destination host names (google|yahoo etc); default all
  --srchost="<IP_regexp>"    match only these source IPs (192.168.|10. etc); default all
  --query="<regexp>"         match only queries/paths with these patterns (sex|car etc); default all
  --config=<filename>        path to configuration file (overwrites CL parameters); default none
  --colors                   enables colored output; default disabled
  --lookup                   enables dns lookups; default no
  --help                     prints this info
url-sniff 1.0 by snaj
server:~#
Well, I think it speaks for itself ;)
Examples:
url-sniff --iface=eth2
url-sniff --iface=eth3 --promisc --ports="80,8080" --dsthost="google|microsoft" --query=jaguar
url-sniff --config=/etc/url-sniff.conf
Contact
Mail me about bugs/advice/observations.

Pawel 'snaj' Pawilcz   ->  pawel_pawilcz (at) yahoo (dot) com   ->   PP5414-RIPE