Capturing Traffic from a Specific TCP Session

Problem

You want to capture all the traffic from a specific TCP session.

Solution

Use the session option in a rule.

session: modifier;

For example, to capture only printable characters:

session: printable;


Discussion

The printable modifier outputs all the printable text from a session. This is an incredibly useful option for a plain-text session such as FTP or Telnet. It allows you to view the content of an entire session. If the protocol is a little more complex, use the all modifier to output all the data from the session.

For example, the same rule written with the unidirectional -> operator (client to server only) produces the following output in the SESSION log file:

&& !"'#P 38400,38400#frodo:0'DISPLAYfrodo:0XTERMsimon^Mpassword^m

This shows the Telnet session from the client to the server, with the username and password obvious in clear text. If you replace -> with <> to capture both sides of the conversation, the output becomes a little clearer.

alert tcp any any <> any 23 ( msg: "Telnet"; session: printable;)

This gives the following:

&& !"'# #'&&!" #'P 38400,38400#frodo:0'DISPLAYfrodo:0XTERMFedora Core release 2 (Tettnang) Kernel 2.6.5-1.358 on an i686 login: ssiimmoonn^M Password: password^M Last login: Fri Jul 2 12:58:49 from 192.168.0.8 ]0;simon@blackbox:~[simon@blackbox simon]$

which makes a little more sense, apart from the doubled-up letters: each character the client types is echoed back by the server, so it appears once in each direction of the log.
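The following Python model, an added example rather than Snort's own code, replays a constructed Telnet exchange through the two rule directions compared above (-> for client-to-server only, <> for both directions) so you can see where the doubled letters come from and how to strip the server's echo when reviewing a session log. Which bytes Snort itself keeps for `printable` is an assumption here: the model keeps ASCII 0x20-0x7e, renders CR as ^M as in the listings above, keeps LF and TAB, and drops everything else, including Telnet option negotiation. The packet list and its credentials are constructed, not captured traffic.

```python
"""Toy model of Snort's `session: printable` logging (added example,
not Snort code). Keeps ASCII 0x20-0x7e, shows CR as ^M, keeps LF/TAB,
drops everything else. The sample session below is constructed."""
from typing import List, Tuple

# (direction, payload): "c2s" = client -> server, "s2c" = server -> client
Packet = Tuple[str, bytes]

# Constructed sample, not captured traffic: a Telnet login in which the
# server echoes each username keystroke but suppresses echo for the password.
SAMPLE_SESSION: List[Packet] = [
    ("c2s", b"\xff\xfb\x18\xff\xfb\x1f"),   # IAC WILL TTYPE, IAC WILL NAWS: not printable
    ("s2c", b"\xff\xfd\x18login: "),        # IAC DO TTYPE, then the login prompt
    ("c2s", b"s"), ("s2c", b"s"),           # each keystroke is echoed back
    ("c2s", b"i"), ("s2c", b"i"),
    ("c2s", b"m"), ("s2c", b"m"),
    ("c2s", b"\r\n"), ("s2c", b"\r\nPassword: "),
    ("c2s", b"hunter2\r\n"),                # password is typed with echo off
    ("s2c", b"\r\nLast login: Fri Jul  2 12:58:49\r\n$ "),
]


def printable(payload: bytes) -> str:
    """Keep the printable subset of one payload (rules in the module docstring)."""
    out = []
    for b in payload:
        if 0x20 <= b <= 0x7E:
            out.append(chr(b))
        elif b == 0x0D:
            out.append("^M")           # CR shown in caret notation
        elif b in (0x0A, 0x09):
            out.append(chr(b))         # LF and TAB kept as-is
        # any other byte (Telnet IAC sequences, binary data) is dropped
    return "".join(out)


def session_text(packets: List[Packet], bidirectional: bool) -> str:
    """Concatenate printable text in arrival order.

    bidirectional=False mirrors the -> rule: only client->server payloads
    are logged.  bidirectional=True mirrors the <> rule: both directions
    are interleaved, which is where echoed keystrokes appear twice.
    """
    return "".join(printable(p) for d, p in packets if bidirectional or d == "c2s")


def strip_echo(packets: List[Packet]) -> List[Packet]:
    """Drop a server packet that merely echoes the immediately preceding
    client packet byte-for-byte. This removes the doubled letters from a
    bidirectional log while keeping the server's own prompts and output."""
    kept: List[Packet] = []
    for i, (d, p) in enumerate(packets):
        if d == "s2c" and i > 0 and packets[i - 1] == ("c2s", p):
            continue
        kept.append((d, p))
    return kept


def count_echoes(packets: List[Packet]) -> int:
    """Number of server packets that were pure echoes of client input."""
    return len(packets) - len(strip_echo(packets))


if __name__ == "__main__":
    print("--- client to server only (->) ---")
    print(session_text(SAMPLE_SESSION, bidirectional=False))
    print("--- both directions (<>) ---")
    print(session_text(SAMPLE_SESSION, bidirectional=True))
    print("--- both directions, echoes removed ---")
    print(session_text(strip_echo(SAMPLE_SESSION), bidirectional=True))
```

The unidirectional output contains the typed username and password but none of the server's prompts, which is why it is hard to read; the bidirectional output adds the prompts but doubles every echoed keystroke, and `strip_echo` gives the readable middle ground when you are reviewing a log for cleartext credentials. The Telnet negotiation bytes at the start of the session disappear entirely, which matches the page's remark that `printable` suits plain-text protocols and that the `all` modifier is needed when the non-printable part of the exchange matters.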

See Also

Snort Users Manual

Killing a Specific Session
