
We have inherited an old Web application that needs to be extended with some logging capabilities for compliance purposes. Unfortunately, we can't change the application. The application receives XML POST requests. We need to capture several specific XML values and log them in a separate file. So this involves XML parsing and some custom code. We are thinking about putting a kind of proxy in front of the server. Are there proxies that allow custom request body processing without low-level programming? Or is an IDS better for this purpose?

test1839
  • Snort can watch and pump to a DB, I would suggest a custom app to do "the action" – Jacob Jan 31 '13 at 02:34
  • consider using `mod_security` - Information about its [audit log](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecAuditEngine). – fuero Jan 31 '13 at 02:38
  • @Jacob: I understand that Snort can match some values in requests and raise alerts. Is it able to capture data fields and log them? Does it take a custom plugin? – test1839 Jan 31 '13 at 02:45
  • @fuero: Unfortunately mod_security logs the whole request body, which greatly increases the log size. – test1839 Jan 31 '13 at 02:46
  • @test1839 Lemme check my Snort reference book, but yes you can match like that. Is the location of the data static, or will it be different in 2 packets? – Jacob Jan 31 '13 at 02:50
  • @Jacob: The XML structure is stable but value lengths may vary. – test1839 Jan 31 '13 at 02:58
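The proxy-with-custom-body-processing approach the question asks about, as an added example that is not part of the original post: a small Python reverse proxy that parses each XML POST body, writes only the configured fields to a separate audit log, and forwards the request unchanged to the legacy application. The upstream address, the element paths in `FIELDS` and the sample body are assumptions. If the application is reached over HTTPS, a proxy like this is where TLS would be terminated; the example speaks plain HTTP.

```python
"""Added example: reverse proxy that logs selected XML fields from POST bodies.

Not code from the original post. Assumptions: the protected application listens
on UPSTREAM, the element paths in FIELDS are a hypothetical schema, and the
proxy is reached over plain HTTP (a real deployment would terminate TLS here).
"""
import http.server
import json
import logging
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

UPSTREAM = "http://127.0.0.1:8080"      # assumed address of the legacy application
AUDIT_FILE = "xml-audit.log"            # the separate compliance log
MAX_BODY = 1 << 20                      # refuse bodies over 1 MiB before parsing

# name -> ElementTree path relative to the document root (hypothetical schema)
FIELDS = {
    "order_id": "./header/orderId",
    "customer": "./header/customerId",
    "amount": "./body/amount",
}

# Constructed sample request body used by the demo in main()
SAMPLE_BODY = (
    b'<?xml version="1.0"?><order><header><orderId>A-1001</orderId>'
    b'<customerId>C-7</customerId></header><body><amount>19.99</amount>'
    b'<note>first line\nsecond line</note></body></order>'
)

audit = logging.getLogger("xml-audit")


def extract_fields(body: bytes, fields: dict = FIELDS) -> dict:
    """Return {name: text or None} for each configured path.

    Raises ValueError on oversized or malformed input. The stdlib parser does
    not fetch external entities, but it has no limit on internal entity
    expansion; for untrusted callers use defusedxml.ElementTree.fromstring.
    """
    if len(body) > MAX_BODY:
        raise ValueError("body exceeds MAX_BODY")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    return {name: root.findtext(path) for name, path in fields.items()}


def format_log_line(record: dict, client: str) -> str:
    """One JSON object per line: json escapes newlines, so a captured value
    cannot forge a second log entry."""
    return json.dumps({"client": client, **record}, sort_keys=True)


class LoggingProxyHandler(http.server.BaseHTTPRequestHandler):
    """Logs the selected fields, then relays the request unchanged to UPSTREAM."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        if length > MAX_BODY:
            self.send_error(413)
            return
        body = self.rfile.read(length)
        client = self.client_address[0]
        try:
            audit.info(format_log_line(extract_fields(body), client))
        except ValueError as exc:
            audit.warning(json.dumps({"client": client, "error": str(exc)}))
        self._forward(body)

    def _forward(self, body: bytes):
        # Drop hop-by-hop and length headers; urllib sets them for the new request.
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in ("host", "content-length", "connection")}
        req = urllib.request.Request(UPSTREAM + self.path, data=body,
                                     headers=headers, method="POST")
        try:
            resp = urllib.request.urlopen(req, timeout=30)
        except urllib.error.HTTPError as err:
            resp = err                  # 4xx/5xx still carry a response to relay
        except urllib.error.URLError:
            self.send_error(502)
            return
        with resp:
            data = resp.read()
            self.send_response(resp.getcode())
            for k, v in resp.getheaders():
                if k.lower() not in ("transfer-encoding", "connection", "content-length"):
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)


if __name__ == "__main__":
    handler = logging.FileHandler(AUDIT_FILE)
    handler.setFormatter(logging.Formatter("%(asctime)s %(message)s"))
    audit.addHandler(handler)
    audit.setLevel(logging.INFO)
    # Demo on the constructed body, then serve: point clients at port 8000.
    print(format_log_line(extract_fields(SAMPLE_BODY), "203.0.113.5"))
    http.server.ThreadingHTTPServer(("127.0.0.1", 8000), LoggingProxyHandler).serve_forever()
```

Two details carry the security weight here: the body size is capped before any parser sees it, and each record is a single JSON line, so a value containing a newline or a quote cannot inject an extra entry into the compliance log. Elements that are absent from a request are logged as null rather than silently dropped, which keeps the log shape stable for whoever consumes it later.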

1 Answer


You have not specified what action you have to perform after logging, so for now I will skip that.

First, I would suggest setting Snort to log to a database (most likely MySQL). In fact, I would suggest sending binary logs to Barnyard to export to the DB, depending on your load to this application.

Anyhow, more of what you're interested in is how to actually log the data. Luckily, Snort has all kinds of ways to match against packets. What I would suggest is writing a rule to use the HTTP preprocessor. You can use a content match to find the service identifier.

For reasons I will explain in a second, we want to use a specific piece of information that always appears in the same general area in every packet. This is because we can optimize the rule by telling Snort where to look inside the packet for the match. You can use uricontent to match against the URI, but we can do better and specify exactly where in the packet the data will be with the depth and offset modifiers.

The depth mod on its own will set the search length from the start of the packet, but when you use the offset mod it will set the starting point for depth. E.g., if I say offset 10 depth 50 then Snort will check from bytes 10-50 of the payload only. The content match is only done within the payload, and you have to use other processors to check the header.

This should be enough to get the data you need, but you also have to remember the security of the Snort and DB instance if you are logging sensitive data.

A good resource on this is Snort IDS toolkit published by Syngress.

Jacob
  • 1. I forgot to mention that this is an SSL encrypted connection. Would Snort be able to deal with the encrypted traffic? – test1839 Jan 31 '13 at 13:37
  • 2. As for the action to perform, after each logging event we eventually need to send an update to another server (syslog or database update). Basically, I would need a possibility to run a custom script. – test1839 Jan 31 '13 at 13:45
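The content/offset/depth window the answer describes, as an added example that is neither the answer's own code nor Snort's: a constructed rule (the content literal, the element names and the local sid are assumptions) and a small emulation of the search window as the Snort manual documents it, where depth counts from the offset, so `offset:10; depth:50;` inspects bytes 10 through 59. Run against two constructed bodies with the same structure, it also shows the caveat raised in the comments: a fixed window finds the identifier only while nothing of variable length precedes it.

```python
"""Added example: the byte window a Snort content match inspects with offset/depth.

Not code from the original answer or from Snort; it reproduces the documented
semantics so the window can be checked against a sample HTTP POST body. The
rule and the request bodies are constructed for illustration.
"""
import re

# Constructed rule: match the service identifier near the start of the HTTP
# client body (http_client_body), skipping past the XML declaration.
# sid 1000001 is a local-range id, not one from any published ruleset.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ('
    'msg:"XML service ORD request"; flow:to_server,established; '
    'content:"<serviceId>ORD</serviceId>"; http_client_body; offset:10; depth:50; '
    'classtype:policy-violation; sid:1000001; rev:1;)'
)

# Constructed bodies: same structure, but the second has a longer leading
# element, which pushes the identifier outside the fixed window.
BODY_SHORT = (b'<?xml version="1.0"?><request><serviceId>ORD</serviceId>'
              b'<orderId>A-1001</orderId></request>')
BODY_LONG = (b'<?xml version="1.0"?><request><comment>' + b'x' * 40 + b'</comment>'
             b'<serviceId>ORD</serviceId><orderId>A-1001</orderId></request>')


def parse_content_options(rule: str):
    """Pull the content literal and its offset/depth out of a rule string.

    Handles a plain quoted literal only; Snort's |hex| escapes are not decoded.
    A missing offset defaults to 0 and a missing depth to 0 (no limit).
    """
    pattern = re.search(r'content:"([^"]*)"', rule).group(1).encode()
    offset = re.search(r"offset:(\d+);", rule)
    depth = re.search(r"depth:(\d+);", rule)
    return (pattern,
            int(offset.group(1)) if offset else 0,
            int(depth.group(1)) if depth else 0)


def search_window(payload_len: int, offset: int, depth: int):
    """[start, end) byte range searched. Depth counts from the offset, not from
    byte 0, so offset:10; depth:50 inspects bytes 10 through 59."""
    start = min(offset, payload_len)
    end = payload_len if depth == 0 else min(start + depth, payload_len)
    return start, end


def content_match(payload: bytes, pattern: bytes, offset: int = 0, depth: int = 0):
    """Return the match position, or None. The whole pattern must lie inside
    the window, which is exactly what bytes.find(sub, start, end) enforces."""
    start, end = search_window(len(payload), offset, depth)
    pos = payload.find(pattern, start, end)
    return None if pos == -1 else pos


def evaluate(rule: str, payload: bytes):
    """Apply the rule's content option to one client body."""
    pattern, offset, depth = parse_content_options(rule)
    return content_match(payload, pattern, offset, depth)


if __name__ == "__main__":
    pattern, offset, depth = parse_content_options(SAMPLE_RULE)
    print("window:", search_window(len(BODY_SHORT), offset, depth))
    print("short body:", evaluate(SAMPLE_RULE, BODY_SHORT))
    print("long body :", evaluate(SAMPLE_RULE, BODY_LONG))
    print("long body, no depth:", content_match(BODY_LONG, pattern, offset, 0))
```

The identifier sits at byte 30 of the short body and is found; in the long body it has moved to byte 89, outside the 10..59 window, and the rule is silent until depth is removed. That is the trade-off behind narrowing the window: it makes the rule cheaper and avoids matching the same string elsewhere in the body, but it only holds for a field whose position really is fixed, which is why the answer asks for one that "always appears in the same general area".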