Re: Pretty Cool
> % It would be nice to have an option to
> % tag the images with the source and
> % destination IP addresses, yeah I know
> % that would be a pain.
> It very deliberately doesn't do this.
> Feel free to add this yourself,
> but I won't accept such a patch into the
I actually have a need for this as well, but not for the Big Brother reasons you were probably thinking in your quote above. I spent some time trying to hack out just the parts of driftnet that I needed today but it hasn't been quite as easy as I had hoped.
I am interested in just grabbing the JPEG images off the wire, checking them for the JPEG buffer overflow vulnerability. If they are infected, log the source and destination address, and URL/image name if possible, but that can be obtained via other means. I actually can take a stock driftnet and use the "-a -m 1000 -d /myjpgs" params and pipe the output to a simple little Perl script that will check the JPEG file for the buffer overflow vulnerability and successfully detect infected JPEGs but it doesn't do me a lot of good without knowing where it came from and where it was going.
I would like to just get rid of the Perl part and strip out the JPEG grabber from driftnet and check for the vulnerability in memory and only write out the infected files along with the addresses (high utilization circuit). I know if I keep plucking at it I could hack out what I need but if anyone would be interested in helping I could use it.
You can find the simple details on how to check for the overflow here:
If anyone is interested in helping create a tool for this using driftnet (or something more appropriate) let me know. Here's a good place to post:
I know this wasn't the intended purpose for driftnet but it has most of the parts needed for this needed security app.
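An added example, not code from this post or from driftnet: a Python sketch of the in-memory check the poster wants in place of the Perl script, walking the JPEG header segments and tagging a hit with the source/destination addresses and image name. Since the link to the check details is missing, it assumes the overflow meant is the 2004 GDI+ JPEG bug, triggered by a COM (0xFFFE) segment whose two-byte length field is 0 or 1; the sample images and addresses are constructed.

```python
import struct

# JPEG marker codes; SOI, EOI, TEM and RSTn carry no 2-byte length field.
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))

def scan_jpeg(data: bytes):
    """Walk the header segments of a JPEG held in memory and return
    (suspicious, reason). Suspicious = a COM segment whose length field is
    0 or 1 (assumption: the malformed length the 2004 GDI+ JPEG bug used)."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return False, "not a JPEG (no SOI)"
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return False, "marker sync lost at offset %d" % pos
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            break
        marker, pos = data[pos], pos + 1
        if marker in STANDALONE:
            if marker == EOI:
                break
            continue
        if pos + 2 > len(data):
            return False, "truncated length field at offset %d" % pos
        seglen = struct.unpack(">H", data[pos:pos + 2])[0]
        if seglen < 2:
            # The length must cover its own two bytes; 0 or 1 underflows the
            # payload size (seglen - 2) in a naive decoder.
            if marker == COM:
                return True, "COM marker with length %d at offset %d" % (seglen, pos - 2)
            return False, "corrupt length %d on marker 0x%02X" % (seglen, marker)
        if marker == SOS:
            break  # entropy-coded data follows; all headers have been checked
        pos += seglen
    return False, "clean"

def check_capture(src: str, dst: str, name: str, data: bytes):
    """One log line (addresses + image name + reason) for a suspicious image, else None."""
    suspicious, reason = scan_jpeg(data)
    return "%s -> %s %s: %s" % (src, dst, name, reason) if suspicious else None

# Constructed samples, not real captures: a clean comment segment (length 7 =
# 2 length bytes + "hello") and the same image with the length field zeroed.
CLEAN = b"\xff\xd8\xff\xfe\x00\x07hello\xff\xd9"
BAD = b"\xff\xd8\xff\xfe\x00\x00hello\xff\xd9"
```

Only images that trip the check produce a log line, so the clean ones on a busy circuit never need to be written to disk.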