PAS-18: Extract interesting paths from Cookies



Issue Information

Issue Type: New Feature
Priority: Major
Status: Open
Reported By: Ben Tasker
Assigned To: Ben Tasker
Project: PCAP Analysis Script (PAS)
Resolution: Unresolved
Affects Version: 0.1
Target version: 0.1
Labels: Cookies

Created: 2015-11-26 18:18:17
Time Spent Working
Estimated: 60 minutes
Remaining: 45 minutes
Logged: 15 minutes


Description
PAS-3 introduced a mechanism for locating paths marked as "interesting" within HTTP request headers (including Referer).

However, as noted here - http://projects.bentasker.co.uk/jira_projects/browse/PAS-3.html#comment1298875 - it may also be possible to extract interesting information from cookie values.

The way in which the pattern matching is performed will need to be slightly different though, so should probably add an additional option for config.sh

Once paths are extracted, they should be added to interestingdomains-full.csv with the third column being "HTTP Cookie".

As in the LinkedIn example, it might be possible to extract a timestamp of the user visiting (or technically, leaving) that path, so should look at adding that as a 4th column



Activity



Repo: PCAPAnalyseandReport
Commit: 183a1728d007e4a666dffc76354c2a801091c0ec
Author: Ben Tasker <github@<Domain Hidden>>

Date: Fri Nov 27 00:01:34 2015 +0000
Commit Message: Implemented extraction of data from Google Analytics cookie. See PAS-18



Modified (-)(+)
-------
PCAP_Analysis.sh





The script will now pull paths out of any Google Analytics _utmz cookie that has been observed. Currently the results are added to _interestingdomains-full.csv along with a timestamp of when that cookie was apparently set (or perhaps updated).

Field 2 is set to "GA Cookie" for any it does manage to extract.
btasker changed timespent from '0 minutes' to '15 minutes'
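
The extraction described in the comment above, as an added example (it is not taken from PCAP_Analysis.sh or the commit). It assumes the classic Google Analytics `__utmz` value layout shown in the comments; the function names, the sample header and the three-field output row are constructed for illustration.

```shell
#!/bin/sh
# Added example: pull the referral source+path and timestamp out of __utmz.
# Assumed value layout (classic Google Analytics):
#   <domain hash>.<epoch>.<sessions>.<campaigns>.utmcsr=<src>|utmcmd=<medium>|utmcct=<path>

# Quote one CSV field; cookie text comes from captured traffic and may
# contain commas or double quotes.
csv_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# $1 = value of one Cookie request header.
# Prints one row per usable __utmz cookie: "<src><path>",GA Cookie,<epoch>
# (row layout is an assumption for this example, not the project's format).
# The body runs in a subshell so the IFS and globbing changes do not leak.
extract_utmz() (
    set -f                                  # never glob-expand cookie text
    IFS=';'
    for c in $1; do
        c=${c#"${c%%[! ]*}"}                # trim spaces left after ';'
        case $c in __utmz=*) ;; *) continue ;; esac
        v=${c#__utmz=}
        rest=${v#*.}                        # drop the domain hash
        epoch=${rest%%.*}                   # field 2: set/updated time
        case $epoch in ''|*[!0-9]*) continue ;; esac
        params=${v#*.*.*.*.}                # text after the fourth dot
        src='' path=''
        IFS='|'
        for kv in $params; do
            case $kv in
                utmcsr=*) src=${kv#utmcsr=} ;;
                utmcct=*) path=${kv#utmcct=} ;;
            esac
        done
        IFS=';'
        # Direct or organic visits have no utmcct, so there is no path to report.
        [ -n "$path" ] || continue
        printf '%s,GA Cookie,%s\n' "$(csv_quote "$src$path")" "$epoch"
    done
)

# Constructed sample header (not from a real capture).
extract_utmz '_ga=GA1.2.3.4; __utmz=23068709.1448582400.3.2.utmcsr=linkedin.com|utmccn=(referral)|utmcmd=referral|utmcct=/in/example-user; sid=abc'
```

Cookies whose numeric prefix is malformed are skipped rather than guessed at, so a truncated capture does not produce a row with a bogus timestamp.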

Work log


Ben Tasker
2015-11-27 00:03:24

Time Spent: 15 minutes
Log Entry: Implementing and testing