Archive for the 'Security' Category

TCPreplay

Wednesday, September 14th, 2005

Programs for more interactive TCP replaying:

  • Monkey see, monkey do
  • TCPopera
  • Tomahawk
  • TCPivo

Slow initial SSH connection and other weird behavior

Thursday, August 18th, 2005

Yes, it happened to us. Even though the network connection was fast, the initial connection was too slow. The culprit turned out to be a faulty DNS server of our provider—probably SSH does a reverse DNS lookup on connecting or something like this.

After running our server as a recursive DNS server and changing the entries in resolv.conf to localhost, the problem disappeared.

Parsing Bro’s connection logs and writing it into a database

Wednesday, August 17th, 2005
  1. Create a database table with the following fields:
    • sip address
    • sport
    • dip address
    • dport
    • sbytes
    • rbytes
    • conn length

create table conn(sip inet, sport int, dip inet, dport int, rbytes int, sbytes int, length float);

  2. Use a perl one-liner: perl -ne ' @a = split; print "INSERT INTO conn VALUES('"'"'$a[2]'"'"', $a[5], '"'"'$a[3]'"'"', $a[6], $a[8], $a[9],$a[1]);\n";'

BTW, the ? entries (Bro's marker for an unknown value) also need to be replaced with NULLs — do it with the =~ s/// operator.

  3. Combine all of them into one horrible thing: cat conn.log | perl -ne '@a = split; $a[8] =~ s/\?/NULL/; $a[9] =~ s/\?/NULL/; $a[1] =~ s/\?/NULL/; print "INSERT INTO conn VALUES('"'"'$a[2]'"'"', $a[5], '"'"'$a[3]'"'"', $a[6], $a[8], $a[9], $a[1]);\n";' | psql test test -h 127.0.0.1
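The same load done with bound parameters, as an added example in Python that is not from the original post: it reads conn.log lines using the same field positions as the $a[...] references above, turns ? into NULL, skips lines too short to be a connection record, and never splices log text into the SQL statement. The old-style conn.log column order and the use of sqlite (TEXT standing in for the Postgres inet type) are assumptions made for the demo.

```python
import sqlite3

# Assumed column order of an old-style Bro conn.log line (ts, duration, orig_h,
# resp_h, service, orig_p, resp_p, proto, orig_bytes, resp_bytes, state, ...);
# the indices match the $a[...] references in the perl one-liner.
FIELDS = {"sip": 2, "sport": 5, "dip": 3, "dport": 6,
          "rbytes": 8, "sbytes": 9, "length": 1}
COLUMNS = ("sip", "sport", "dip", "dport", "rbytes", "sbytes", "length")
# Bound parameters: the log text never becomes part of the SQL statement.
# (psycopg2 against Postgres would use %s placeholders instead of ?.)
INSERT = "INSERT INTO conn (%s) VALUES (%s)" % (", ".join(COLUMNS), ", ".join("?" * len(COLUMNS)))

def parse_conn_line(line):
    """Split one conn.log line; Bro's '?' (unknown) becomes None, i.e. SQL NULL.
    Returns None for lines too short to be a connection record."""
    a = line.split()
    if len(a) < 10:
        return None
    row = {col: (None if a[idx] == "?" else a[idx]) for col, idx in FIELDS.items()}
    for col in ("sport", "dport", "rbytes", "sbytes"):  # bind numbers, not strings
        if row[col] is not None:
            row[col] = int(row[col])
    if row["length"] is not None:
        row["length"] = float(row["length"])
    return row

def load_conn_log(lines, db):
    """Insert every parseable line; returns the number of rows loaded."""
    rows = [r for r in map(parse_conn_line, lines) if r is not None]
    db.executemany(INSERT, [tuple(r[c] for c in COLUMNS) for r in rows])
    db.commit()
    return len(rows)

# Constructed sample lines in the old conn.log layout, not from a real capture.
SAMPLE_LOG = """\
1124265600.123456 0.512 10.0.0.5 192.0.2.10 http 40123 80 tcp 412 1830 SF X
1124265601.000000 ? 10.0.0.7 192.0.2.20 other 51000 53 udp ? ? S0 X
truncated line
"""

def demo():
    db = sqlite3.connect(":memory:")
    # sqlite has no inet type, so TEXT stands in for Postgres inet here
    db.execute("create table conn(sip text, sport int, dip text, dport int, "
               "rbytes int, sbytes int, length real)")
    n = load_conn_log(SAMPLE_LOG.splitlines(), db)
    return n, db.execute("select dip, dport, rbytes, length from conn order by dport").fetchall()

if __name__ == "__main__":
    print(demo())
```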

Matching all outgoing (and only outgoing) traffic with tcpdump

Tuesday, August 16th, 2005

Task: match all outgoing traffic (not including local services, e.g. ports 80, 22, 25). Actually, it is not as simple as it could have been. Moreover, contrary to the manpage, my tcpdump does not seem to support "portrange". Hopefully one can do something like this instead: tcp[0:2] for the source port and tcp[2:2] for the destination port.

In the end the rule is as follows: tcpdump -n -i eth0 "(udp and ( ((dst host $MYIP) and (udp[2:2] >= 1024)) or ((src host $MYIP) and (udp[0:2] >= 1024)) )) or (tcp and ( ((dst host $MYIP) and (tcp[2:2] >= 1024)) or ((src host $MYIP) and (tcp[0:2] >= 1024)) ) and (not port (9030||9001)))"

Large files with Bro/Snort/…

Monday, August 15th, 2005

To overcome the large-file limit one needs to recompile both: 1. libpcap, 2. snort/bro/… itself.

Hope it works - haven’t tried it yet.

http://www.tcpdump.org/lists/workers/2003/11/msg00047.html
http://archives.neohapsis.com/archives/snort/2002-02/0395.html

Capturing local traffic for further analysis (long term)

Monday, August 15th, 2005

Add this line to cron.daily/cron.hourly/… (the output file name is built from the start time by command substitution):

tcpdump -np -i eth0 -s 0 -w /<path>/$(date +"%Y%m%d-%H%M%S").tcpdump "<filter>"