Comments on Security Onion: tcpdump and ngrep
Blog author: Doug Burks (http://www.blogger.com/profile/09074300658047188367)
Comment feed last updated 2014-08-26

----------------------------------------------------------------------
Anonymous, 2011-08-16 19:25 (-04:00)

I saw this over at Pauldotcom.com and thought it was pretty interesting. To work on the Mac I had to use:

    sudo tcpdump -nnAi en0 -s0 | grep "apple.com"

from my admin account. There was more information about how to packet capture on Apple support pages:

http://support.apple.com/kb/HT3994?viewlocale=en_US

Thanks!

----------------------------------------------------------------------
Steve Holden, 2011-08-17 14:36 (-04:00)

I noticed when I dropped the -vv option I got time stamps back. Is there a way to get time stamps while using verbose mode?

----------------------------------------------------------------------
Doug Burks, 2011-08-17 15:19 (-04:00)

Hi Steve,

I'm not sure that I understand your question. Here's what the tcpdump man page says:
"By default, all output lines are preceded by a timestamp."

There are also some "t" options to control timestamp behavior:

    -t      Don't print a timestamp on each dump line.

    -tt     Print an unformatted timestamp on each dump line.

    -ttt    Print a delta (micro-second resolution) between current and previous line on each dump line.

    -tttt   Print a timestamp in default format proceeded by date on each dump line.

    -ttttt  Print a delta (micro-second resolution) between current and first line on each dump line.

Please let me know whether or not that helps.

Thanks,
Doug Burks

----------------------------------------------------------------------
Steve Holden, 2011-08-17 15:51 (-04:00)

Doug,

Maybe this is just a Mac OS X issue ... when I do:

    sudo tcpdump -nnAi en0 -s0 | grep "apple.com"

and then in my browser try to go to "hot.apple.com", I see the DNS captures with timestamp info at the beginning of the output.

But when I do:

    sudo tcpdump -nnvvAi en0 -s0 | grep "apple.com"

I don't get any timestamp at the front; I just get the IP address of my host. The data in the verbose mode is much better IMHO, so having -vv seems like a good thing.

Steve

----------------------------------------------------------------------
Doug Burks, 2011-08-17 16:30 (-04:00)

I don't think it's a Mac OS X issue. tcpdump on Mac OS X seems to have the same timestamp behavior as tcpdump on other platforms.

Perhaps you are experiencing the results of browser and/or DNS caching. Try this...

In your first terminal window, execute the following:

    sudo tcpdump -nnAi en0 -s0 | grep "apple.com"

In a second terminal window, execute the following:

    sudo tcpdump -nnvvAi en0 -s0 | grep "apple.com"

In a third terminal window, execute the following:

    nslookup newtest.apple.com

Both of the first two terminal windows should then show the DNS lookup for newtest.apple.com, and both should have the timestamps.

Hope that helps!

Thanks,
Doug Burks

----------------------------------------------------------------------
Steve Holden, 2011-08-17 17:09 (-04:00)

I'll give your suggestion a look next time I'm at my Mac.

BTW ... I did get this to work on Windows 7 with Windump/WinPCap/PowerShell:

    windump -nnvvAi 1 -s0 | select-string "apple.com"

Steve

----------------------------------------------------------------------
Anonymous, 2011-08-30 22:32 (-04:00)

Though I think the discussion of -s 0 is beneficial, I thought it worth pointing out that for recent versions of tcpdump the default snaplen is now 65535. Of course, old versions abound, so -s 0 is important to know.

Keep up the great work on Security Onion, Doug.

----------------------------------------------------------------------
Doug Burks, 2011-09-02 09:24 (-04:00)

Hi Anonymous,

Thanks for your comment. I did include this extra discussion of the -s option when I posted this article on PaulDotCom:
http://pauldotcom.com/2011/08/finding-evil-some-basics-you-m.html

----------------------------------------------------------------------
Anonymous, 2012-02-28 17:27 (-05:00)

Great post.

Related to:

    tcpdump -nnAi eth1 -s0 | grep "evil"

Can you provide examples of "evil"? That is, what are some things we should be looking for?

----------------------------------------------------------------------
Doug Burks, 2012-02-28 19:33 (-05:00)

Part of defending your network is knowing what's considered "normal" and what's considered "evil" for YOUR network. I don't know anything about your network, so I can't define "evil" for you. You might look at the Snort and Emerging Threats IDS rule sets for some ideas. Hope that helps!

----------------------------------------------------------------------
Anonymous (Joe), 2012-02-29 17:08 (-05:00)

Thanks for the response! I'm currently taking the SANS 502 class (OnDemand), and a few generic items were mentioned, such as monitoring for an IP header value other than 5, or the frag bit set but a packet size smaller than 500 bytes. So I was wondering if there is a 'checklist' of generic items to monitor for, such as the above mentioned.

Joe

----------------------------------------------------------------------
Marty Brandon, 2012-12-28 06:32 (-05:00)

Very useful information I needed to debug my web application.

Thanks,

Marty Brandon