ASA 5505 Monitor HTTP Traffic
02-16-2009 09:01 AM - edited 02-21-2020 03:17 AM
Hi,
Any suggestion about how to correctly monitor HTTP traffic from a certain host?
I just received a request to log, for a specific period of time, HTTP traffic from a host on the inside network to the Internet and to generate a sort of human-readable output format.
It can either be logged to syslog, FTP, etc.
I know how to use filters, but this request got me a little confused.
Any idea?
Labels: Other Network Security Topics

02-16-2009 02:03 PM
You need to inspect HTTP under your policy map for your ASA to log web addresses that are being accessed. After doing that, you would need to log to a syslog server, and then filter by the IP address that you want. If you have a lot of users, there's not a way that I know of that will allow you to pick just one address. (I don't think you can create an ACL to log against.) So, you could have a ton of traffic coming through that you'd have to filter through.
HTH,
John
02-19-2009 02:50 PM
Create a "capture" file, which is easily readable and exportable. I'm assuming you want to know what website IP addresses this inside host is going to?
Easy.
First, create an ACL to watch for traffic to the internet on port 80 from the inside host IP address. Let's call the ACL "http-snoop" and assume the inside IP address is 192.168.1.15, just for example.
HOST(config)# access-list http-snoop permit tcp host 192.168.1.15 any eq 80
Then, create a capture session - let's call it "watchingyou" - and apply it to the interfaces you want to capture on and reference the above ACL...
HOST(config)# capture watchingyou access-list http-snoop interface inside
Now, just let it run.
When you want to see what you've captured, just type:
HOST# show capture watchingyou
And you'll see line-by-line each outbound request from that host to the internet on port 80.
When you're done, "no" the capture line above then "no" the access-list. Also, if you do a "show capture" you'll see the remaining capture file and you can "no" that to erase it when you're done.
Hope that helps.
Jeremy Ault
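The two answers above point at two sources for the same information: ASA connection syslog filtered on the syslog server (John's approach) and the tcpdump-style one-liners that `show capture watchingyou` prints (Jeremy's approach). The Python script below is an added example, not code from either poster, that turns either source into the human-readable per-host report the original question asks for. Everything in it is constructed for the example: the inside hosts 192.168.1.15 and 192.168.1.20, the destination addresses and the timestamps are made up; the syslog lines assume `logging timestamp` is enabled and follow the standard ASA 302013 ("Built outbound TCP connection") message format; the capture lines follow the header-only format of `show capture`.

```python
import re
from collections import Counter, namedtuple

Conn = namedtuple("Conn", "time src dst dport")

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# One 'show capture' line: "   1: 09:01:12.345678 192.168.1.15.49152 > 203.0.113.10.80: S ..."
CAPTURE_RE = re.compile(
    r"^\s*\d+:\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    rf"(?P<src>{IP})\.(?P<sport>\d+)\s+>\s+"
    rf"(?P<dst>{IP})\.(?P<dport>\d+):\s+(?P<flags>\S+)"
)

# ASA syslog 302013: "Built outbound TCP connection N for outside:DST/DPORT (...) to inside:SRC/SPORT (...)"
SYSLOG_RE = re.compile(
    r"(?P<time>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d): %ASA-\d-302013: "
    r"Built outbound TCP connection \d+ "
    rf"for \S+:(?P<dst>{IP})/(?P<dport>\d+) \([^)]*\) "
    rf"to \S+:(?P<src>{IP})/(?P<sport>\d+)"
)

# Constructed sample of 'show capture watchingyou' output (made-up addresses and times).
SAMPLE_CAPTURE = """\
3 packets captured
   1: 09:01:12.345678 192.168.1.15.49152 > 203.0.113.10.80: S 1702485371:1702485371(0) win 65535 <mss 1460,nop,nop,sackOK>
   2: 09:01:12.456789 192.168.1.15.49152 > 203.0.113.10.80: . ack 2119436871 win 65535
   3: 09:01:15.000001 192.168.1.15.49153 > 198.51.100.7.80: S 3011201998:3011201998(0) win 65535 <mss 1460>
3 packets shown
"""

# Constructed sample syslog as a collector would receive it; the 192.168.1.20 line and the
# 302014 teardown line are noise the filter has to drop.
SAMPLE_SYSLOG = """\
<166>Feb 16 2009 09:01:12: %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.168.1.15/49152 (198.51.100.2/49152)
<166>Feb 16 2009 09:01:13: %ASA-6-302013: Built outbound TCP connection 4712 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.168.1.20/49200 (198.51.100.2/49200)
<166>Feb 16 2009 09:01:15: %ASA-6-302013: Built outbound TCP connection 4713 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.168.1.15/49153 (198.51.100.2/49153)
<166>Feb 16 2009 09:01:20: %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.10/80 to inside:192.168.1.15/49152 duration 0:00:08 bytes 5120 TCP FINs
"""


def connections_from_capture(text, host, dport=80):
    """One Conn per new TCP connection seen in 'show capture' output.
    The ACL matches every packet the host sends to port 80, so only the
    SYN (flags 'S') is kept; otherwise every ACK would become a line."""
    out = []
    for line in text.splitlines():
        m = CAPTURE_RE.match(line)
        if not m or m["src"] != host or int(m["dport"]) != dport:
            continue
        if m["flags"] != "S":
            continue
        out.append(Conn(m["time"], m["src"], m["dst"], int(m["dport"])))
    return out


def connections_from_syslog(text, host, dport=80):
    """Same view built from ASA 302013 messages, filtered to the inside host
    and destination port; this is the per-address filtering done on the syslog server."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.search(line)
        if not m or m["src"] != host or int(m["dport"]) != dport:
            continue
        out.append(Conn(m["time"], m["src"], m["dst"], int(m["dport"])))
    return out


def destination_counts(conns):
    """Number of connections per destination address, most frequent first."""
    return dict(Counter(c.dst for c in conns).most_common())


def report(conns):
    """Human-readable text: chronological connection list, then per-destination totals."""
    lines = [f"{c.time}  {c.src} -> {c.dst}:{c.dport}" for c in conns]
    lines.append("")
    lines.append("Destinations (connections):")
    for dst, n in destination_counts(conns).items():
        lines.append(f"  {dst:<15} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    host = "192.168.1.15"
    print("From show capture:")
    print(report(connections_from_capture(SAMPLE_CAPTURE, host)))
    print()
    print("From syslog:")
    print(report(connections_from_syslog(SAMPLE_SYSLOG, host)))
```

Two practical notes on feeding this script. The default `show capture` output is headers only, so the report can name destination addresses but not URLs; to recover Host headers or request lines you need the payload, either `show capture watchingyou dump` or the raw packets exported with `copy /pcap capture:watchingyou tftp://<server>/<file>` and opened in a packet analyser. Also, the ASA capture buffer is 512 KB by default and stops filling when full unless the capture is created with `circular-buffer` (or a larger `buffer`), so for a logging period of more than a few hours the syslog route is the one that keeps working.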
