Tuesday, July 26, 2011

tcpdump and ngrep

Yesterday, I tweeted the following:
tcpdump -nnvvAi eth1 -s0 | grep "Doug Burks is teaching SANS SEC503 Intrusion Detection In-Depth in Portland"
So what does it all mean?

-nn This option disables name resolution for IP addresses and port numbers.  Some versions of tcpdump do this with a single "-n", but the double "-nn" option should work on all of them.
-vv This option enables Very Verbose output.  It wasn't strictly needed for the purposes of this command, but I'm in a habit of using it.
-A This option prints just the ASCII text in the packets.  This is useful when looking for strings like "Doug Burks is teaching SANS SEC503 Intrusion Detection In-Depth in Portland" or "c99shell".
-i This option allows you to specify the Interface (in this case eth1).  eth1 on my Security Onion box at home is connected to a Dualcomm Switch Tap that monitors all ingress/egress of my home network.  Doesn't everybody do full packet capture at home?
-s0 This option sets the snaplen.  By default, tcpdump only captures 68 bytes and would therefore not see the entire payload of the HTTP connection.  Setting snaplen to 0 forces tcpdump to capture the entire packet regardless of its size.
grep Since we had tcpdump output in ASCII, we can easily use the standard grep command to look for interesting text strings.

I was waiting on someone to ask the question "Why not use ngrep instead?".  tcpdump's advantage is that it is more universally available than ngrep.  If you're doing Incident Response on a Unix box of some kind, chances are that it already has tcpdump installed and you can use that to look for suspicious traffic as defined above.

Most Unix boxes do not have ngrep installed by default.  But let's assume that you've got a dedicated IDS platform such as Security Onion which just so happens to include ngrep by default.  Here's the ngrep version of the command:
ngrep -d eth1 -s0 "Doug Burks is teaching SANS SEC503 Intrusion Detection In-Depth in Portland"
Here we use the "-d eth1" option to force ngrep to listen on device eth1 and the "-s0" option to force ngrep to look at the entire packet.  Note that, unlike tcpdump's default snaplen of 68 bytes, ngrep defaults to 65536, so this option isn't strictly needed here, but is included for completeness.  After specifying these options, we simply tell ngrep what string to look for.
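The snaplen point above is the one most worth seeing in practice: with the old 68-byte default, 14 bytes of Ethernet, 20 of IPv4 and 20 of TCP header leave only 14 bytes of HTTP payload, so the string never reaches grep even though the packet went by.  The script below is an added example, not code from the post or from Security Onion; it builds a constructed pcap (two HTTP requests between a private address and an RFC 5737 documentation address) truncated to a given snaplen, then does offline what "tcpdump -A | grep" and ngrep do on the wire: parse each record down to the TCP payload and report which records contain the string.  All addresses, ports and the helper names are assumptions made for the example.

```python
import struct

# Constructed sample values (not from the original post): the string the post
# greps for, plus two HTTP requests between RFC 1918 / RFC 5737 addresses.
NEEDLE = b"Doug Burks is teaching SANS SEC503 Intrusion Detection In-Depth in Portland"
SRC_IP, DST_IP = bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5])


def build_frame(payload):
    """Build a minimal Ethernet/IPv4/TCP frame around payload (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0x4000, 64, 6, 0, SRC_IP, DST_IP)
    return eth + ip + tcp + payload


SAMPLE_FRAMES = [
    build_frame(b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    build_frame(b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: " + NEEDLE + b"\r\n\r\n"),
]


def build_pcap(frames, snaplen):
    """Serialise frames as a classic libpcap file (link type 1 = Ethernet),
    truncating each record to snaplen the way a capture run with -s <snaplen>
    would; snaplen 0 means keep whole packets, mirroring tcpdump's -s0."""
    limit = snaplen if snaplen else 65535
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, limit, 1)
    for frame in frames:
        incl = min(len(frame), limit)
        out += struct.pack("<IIII", 0, 0, incl, len(frame)) + frame[:incl]
    return out


def iter_records(pcap):
    """Yield (captured_bytes, original_length) for each record in a pcap blob."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, orig = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl], orig
        off += incl


def tcp_payload(frame):
    """Return (src, dst, payload) for an IPv4/TCP frame, or None if the frame is
    not TCP or was cut off before the TCP header ended."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    data_off = (frame[tcp_off + 12] >> 4) * 4
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    src = ".".join(map(str, frame[26:30])) + f":{sport}"
    dst = ".".join(map(str, frame[30:34])) + f":{dport}"
    return src, dst, frame[tcp_off + data_off:]


def grep_payloads(pcap, needle):
    """Like piping tcpdump -A into grep: list (record index, src, dst) for every
    TCP record whose *captured* payload contains needle."""
    hits = []
    for idx, (frame, _orig) in enumerate(iter_records(pcap)):
        parsed = tcp_payload(frame)
        if parsed and needle in parsed[2]:
            hits.append((idx, parsed[0], parsed[1]))
    return hits


def count_truncated(pcap):
    """Number of records whose captured length is shorter than the wire length."""
    return sum(1 for frame, orig in iter_records(pcap) if len(frame) < orig)


if __name__ == "__main__":
    for snaplen in (68, 0):
        pcap = build_pcap(SAMPLE_FRAMES, snaplen)
        print(f"snaplen {snaplen or 'whole packet'}: "
              f"{count_truncated(pcap)} truncated, hits={grep_payloads(pcap, NEEDLE)}")
```

Run it and the 68-byte capture reports both records truncated and no hits, while the whole-packet capture finds the string in the second request.  The same check applies to any real pcap you are handed during an incident: if captured lengths are shorter than wire lengths, a negative grep result says nothing about what was actually on the wire.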

Doug Burks is teaching SANS SEC503 Intrusion Detection In-Depth in Portland Oregon 8/22 - 8/27.  Sign up today!
http://www.sans.org/portland-2011-cs-2/description.php?tid=4866

Monday, July 25, 2011

Doug Burks is teaching SANS SEC503 Intrusion Detection In-Depth in Portland 8/22 - 8/27

Doug Burks is teaching SANS SEC503 Intrusion Detection In-Depth in Portland Oregon 8/22 - 8/27.  For more information about the class, please see:
http://www.sans.org/portland-2011-cs-2/description.php?tid=4866


Enter Discount Code COINS10 at the time of registration to save $356 on Tuition!

Thursday, July 14, 2011

Security Onion 20110714 now available

Security Onion 20110714 is now available!  This release completes the PulledPork reconfiguration to ignore a new Emerging Threats BLOCK category released on 7/8/2011.

Existing Security Onion users can perform an in-place upgrade to version 20110714 using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Monday, July 11, 2011

Security Onion 20110709 now available

Security Onion 20110709 is now available!  This release configures PulledPork to ignore a new Emerging Threats BLOCK category released on 7/8/2011.

Existing Security Onion users can perform an in-place upgrade to version 20110709 using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"