Network
Last updated
Run zeek against a pcap and create Zeek log files in the current directory. Some of the following log files may be created, depending on the pcap content and the Zeek configuration:
conn.log
dns.log
files.log
http.log
irc.log
packet_filter.log
ssl.log
weird.log
Carve all Zeek-supported file types from a pcap:
Display X.509 issuer subjects:
View Zeek logs without wrapping lines:
Rules will need to be added to a .conf file that is processed when ModSecurity starts up. On the SEC511 VM, this path is /etc/modsecurity. A new file for custom rules should generally be created rather than overwriting a file provided by the Core Rule Set (CRS).
Basic Rule Structure:
We will replace VARIABLE, OPERATOR, and ACTION with appropriate options provided by ModSecurity.
The default action we will use simply causes log information to be generated and a user defined message to be supplied. For example:
Detect an HTTP user agent containing the string 'sqlmap':
Detect an HTTP user agent NOT containing the string 'sqlmap':
Match any HTTP user agents that begin with the string 'Mozilla/5':
Match an argument named 'ip' that is set to an IPv4 address or, more loosely, to any string consisting only of numbers and periods:
Detect the Host header not being equal to the string www.sec511.org:
Match the Host header being set to any IP address within 10.5.11.0-10.5.11.255 (10.5.11.0/24):
Detect the OPTIONS method being used:
Detect HTTP responses that lack a Content-Type header:
Detect HTTP requests without a User-Agent:
Detect HTTP requests with more than one parameter named password:
Detect HTTP requests without a Host header:
Detect HTTP requests without a Host header. Add the HTTP User Agent to the information provided in the error.log:
error.log - example:
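The rules described in this section, written out as an added example rather than the page's own rule file or anything from the ModSecurity or CRS projects. The rule ids 1001-1012 and the file name sec511-custom.conf are assumptions made here; /etc/modsecurity is the path the page gives for the SEC511 VM. Each rule only logs with a message and passes, which is the default action the section describes.

```shell
#!/bin/sh
# Added example, not the page's own rule file.  Rule ids and the file name are
# assumptions; the directory is the one the page names for the SEC511 VM.

RULES_FILE=${RULES_FILE:-/etc/modsecurity/sec511-custom.conf}

# Write the custom rules to the given path (a new file, leaving CRS files alone).
write_custom_rules() {
    cat > "$1" <<'EOF'
# Every rule only logs and passes.  t:none stops inherited transformations
# from altering the value before the operator sees it.

# 1. User-Agent contains 'sqlmap'
SecRule REQUEST_HEADERS:User-Agent "@contains sqlmap" \
    "id:1001,phase:1,t:none,log,pass,msg:'User-Agent contains sqlmap'"

# 2. User-Agent does NOT contain 'sqlmap' (operator negated with !)
SecRule REQUEST_HEADERS:User-Agent "!@contains sqlmap" \
    "id:1002,phase:1,t:none,log,pass,msg:'User-Agent lacks sqlmap'"

# 3. User-Agent begins with 'Mozilla/5'
SecRule REQUEST_HEADERS:User-Agent "@beginsWith Mozilla/5" \
    "id:1003,phase:1,t:none,log,pass,msg:'Mozilla/5 User-Agent'"

# 4. Argument 'ip' is an IPv4 address or any run of digits and periods
SecRule ARGS:ip "@rx ^[0-9.]+$" \
    "id:1004,phase:2,t:none,log,pass,msg:'ip argument looks like an address'"

# 5. Host header is not exactly www.sec511.org
SecRule REQUEST_HEADERS:Host "!@streq www.sec511.org" \
    "id:1005,phase:1,t:none,log,pass,msg:'Unexpected Host header'"

# 6. Host header is an address in 10.5.11.0/24.  A Host value carrying a
#    :port suffix does not parse as an address, so it will not match here.
SecRule REQUEST_HEADERS:Host "@ipMatch 10.5.11.0/24" \
    "id:1006,phase:1,t:none,log,pass,msg:'Host header is a 10.5.11.x address'"

# 7. OPTIONS method
SecRule REQUEST_METHOD "@streq OPTIONS" \
    "id:1007,phase:1,t:none,log,pass,msg:'OPTIONS request'"

# 8. Response without a Content-Type header.  & counts occurrences of the
#    variable; response headers are only available from phase 3 onward.
SecRule &RESPONSE_HEADERS:Content-Type "@eq 0" \
    "id:1008,phase:3,log,pass,msg:'Response lacks Content-Type'"

# 9. Request without a User-Agent
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:1009,phase:1,log,pass,msg:'Request lacks User-Agent'"

# 10. More than one parameter named password (phase 2 so body parameters count)
SecRule &ARGS:password "@gt 1" \
    "id:1010,phase:2,log,pass,msg:'Multiple password parameters'"

# 11. Request without a Host header
SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "id:1011,phase:1,log,pass,msg:'Request lacks Host header'"

# 12. Same as 11, with logdata adding the User-Agent to the error.log entry
SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "id:1012,phase:1,log,pass,msg:'Request lacks Host header',logdata:'UA=%{REQUEST_HEADERS.User-Agent}'"
EOF
}

# Duplicate rule ids make ModSecurity refuse to load the configuration;
# print any id that appears more than once in the file.
modsec_duplicate_ids() {
    grep -o 'id:[0-9][0-9]*' "$1" | sort | uniq -d
}

# Usage: sh modsec-rules.sh install   (then reload the web server)
if [ "${1:-}" = "install" ]; then
    write_custom_rules "$RULES_FILE"
    dups=$(modsec_duplicate_ids "$RULES_FILE")
    [ -z "$dups" ] || { echo "duplicate rule ids: $dups" >&2; exit 1; }
fi
```

Rule 12 is the one whose error.log entry carries the User-Agent: `logdata` appends its value to the logged message, so the header shows up next to the msg text without a second rule.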
ngrep brings the basic power of grep to network traffic. We need ngrep because PCAP files are binary. Although piping the output of strings to grep can work, grep is still not PCAP-aware in the way ngrep is. Rather than simply showing, for example, a line within the PCAP that includes a string match, ngrep knows which packet contains the string and reports high-level packet details such as source and destination IP addresses, port numbers, and TCP flags.
Source: ngrep man page
Quietly search /pcaps/angler-java.pcap for user agents via the string 'User-Agent':
Search /pcaps/angler-java.pcap for 'User-Agent' in TCP segments destined for port 80:
Note: In the above command line, "tcp and dst port 80" is an example of a BPF (Berkeley Packet Filter) expression. Review the pcap-filter man page for the full syntax.
Search /pcaps/styx.pcap for 'User-Agent' in TCP segments destined for traffic other than port 80:
Search /pcaps/angler-java.pcap for 'User-Agent' in TCP segments destined for port 80, with the output honoring any linefeeds encountered and wrapping text:
Note: To make the output of some traffic, most notably HTTP, easier to read, the -W switch can be set to byline.
Search /pcaps/angler-java.pcap for traffic with the ACK, FIN, and PUSH flags set:
Note: When using BPF expressions, a search string, even if blank "" as above, is expected. Otherwise ngrep will treat the BPF expression itself as the regex search pattern.
Sniff on the eth0 interface and look for the string 'HoneyToken' (without the quotes) being passed in clear text:
Note: When using ngrep to bind to an interface, superuser privileges will generally be required.
Sniff on the eth0 interface and look for the string 'HoneyToken' (without the quotes) being passed in clear text. When found, kill the connection by sending a spoofed TCP RST:
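The ngrep tasks in this section, written out as an added example (my commands, not the page's own or ngrep's documentation). It assumes ngrep is installed and that the pcaps live at the paths the page uses, /pcaps/angler-java.pcap and /pcaps/styx.pcap. The tcp_flag_mask helper builds the tcp[13] flag test that the "ACK, FIN, and PUSH set" search needs, and it generalises to any combination of flags.

```shell
#!/bin/sh
# Added example, not from the original page.  Assumes ngrep is installed and
# the pcap paths below (taken from the page) exist.

ANGLER=/pcaps/angler-java.pcap
STYX=/pcaps/styx.pcap

# Quiet (-q) search of a pcap (-I) for a regex, with no BPF filter.
ua_any()        { ngrep -q -I "$ANGLER" 'User-Agent'; }

# Same search, restricted by a BPF expression to TCP segments sent to port 80.
ua_port80()     { ngrep -q -I "$ANGLER" 'User-Agent' 'tcp and dst port 80'; }

# TCP segments sent to any port other than 80.
ua_not_port80() { ngrep -q -I "$STYX" 'User-Agent' 'tcp and not dst port 80'; }

# -W byline honours line feeds in the payload, which makes HTTP readable.
ua_byline()     { ngrep -q -W byline -I "$ANGLER" 'User-Agent' 'tcp and dst port 80'; }

# Build the bit mask for the named flags.  Byte 13 of the TCP header holds the
# flag bits: FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20.
tcp_flag_mask() {
    mask=0
    for f in "$@"; do
        case "$f" in
            FIN) bit=1 ;;  SYN) bit=2 ;;  RST) bit=4 ;;
            PSH|PUSH) bit=8 ;;  ACK) bit=16 ;;  URG) bit=32 ;;
            *) echo "unknown TCP flag: $f" >&2; return 1 ;;
        esac
        mask=$((mask | bit))
    done
    printf '0x%02x\n' "$mask"
}

# BPF expression that is true only when every named flag is set.
tcp_flags_all_set() {
    m=$(tcp_flag_mask "$@") || return 1
    printf 'tcp[13] & %s == %s\n' "$m" "$m"
}

# Packets with ACK, FIN and PUSH all set.  The empty '' is the regex: when a
# BPF expression is given, a pattern (even an empty one) must come first.
ack_fin_push()  { ngrep -q -I "$ANGLER" '' "$(tcp_flags_all_set ACK FIN PUSH)"; }

# Live capture on eth0 (-d) needs root.  -K 1 sends one spoofed RST per match
# to tear the connection down.
sniff_token()   { sudo ngrep -q -d eth0 'HoneyToken'; }
kill_token()    { sudo ngrep -q -d eth0 -K 1 'HoneyToken'; }

# Usage: sh ngrep-tasks.sh ua_port80
if [ $# -gt 0 ]; then "$@"; fi
```

`tcp_flags_all_set ACK FIN PUSH` prints `tcp[13] & 0x19 == 0x19`; the same expression works unchanged in tcpdump, since both tools hand it to libpcap.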
tcpdump man page:
Read a pcap file:
Read a pcap, don't resolve names (layer 3 addresses or layer 4 ports):
Read a pcap, show TCP SYN packets, don't resolve names:
Read a pcap, show TCP SYN packets not sent to port 80, don't resolve names:
Read /pcaps/angler-java.pcap without name resolution and show traffic with the ACK, FIN, and PUSH flags set:
tshark man page:
Read a pcap file:
Read a pcap, don't resolve names (layer 3 addresses or layer 4 ports):
Read a pcap, use the display filter "http.request.method==GET":
Read a pcap, show TCP SYN packets not sent to port 80, don't resolve names:
Print TCP conversations in a pcap:
Print HTTP User-Agents in a pcap:
Print X.509 certificates in a pcap:
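The tcpdump and tshark tasks from the two sections above, written out as one added example (my commands, not the page's own or either project's documentation). It assumes tcpdump and tshark are installed and uses the page's /pcaps/angler-java.pcap as the default input. The pcap_kind helper is mine as well: it reads the capture's magic number so you know whether a file is classic pcap or pcapng before handing it to a tool.

```shell
#!/bin/sh
# Added example, not from the original page.  Assumes tcpdump and tshark are
# installed; PCAP defaults to the path the page uses.

PCAP=${PCAP:-/pcaps/angler-java.pcap}

# Read the first four bytes (magic number) and name the capture format.
# tcpdump linked against an old libpcap cannot read pcapng, while tshark reads
# both, so this is worth checking when a "read a pcap" command fails.
pcap_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1) echo "pcap, little-endian, microsecond timestamps" ;;
        a1b2c3d4) echo "pcap, big-endian, microsecond timestamps" ;;
        4d3cb2a1) echo "pcap, little-endian, nanosecond timestamps" ;;
        a1b23c4d) echo "pcap, big-endian, nanosecond timestamps" ;;
        0a0d0d0a) echo "pcapng" ;;
        *)        echo "unknown"; return 1 ;;
    esac
}

# --- tcpdump ---------------------------------------------------------------
td_read()         { tcpdump -r "$PCAP"; }
# -n skips host-name lookups (layer 3); the second n also skips port names (layer 4)
td_read_nn()      { tcpdump -nn -r "$PCAP"; }
# SYN flag set; use '== tcp-syn' instead of '!= 0' to keep only SYN-without-ACK
td_syn()          { tcpdump -nn -r "$PCAP" 'tcp[tcpflags] & tcp-syn != 0'; }
td_syn_not80()    { tcpdump -nn -r "$PCAP" 'tcp[tcpflags] & tcp-syn != 0 and not dst port 80'; }
td_ack_fin_push() { tcpdump -nn -r "$PCAP" 'tcp[tcpflags] & (tcp-fin|tcp-push|tcp-ack) == (tcp-fin|tcp-push|tcp-ack)'; }

# --- tshark ----------------------------------------------------------------
ts_read()         { tshark -r "$PCAP"; }
# -n disables every kind of name resolution (addresses and ports)
ts_read_n()       { tshark -n -r "$PCAP"; }
# -Y applies a Wireshark display filter (a different language from BPF)
ts_get()          { tshark -r "$PCAP" -Y 'http.request.method == "GET"'; }
ts_syn_not80()    { tshark -n -r "$PCAP" -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.dstport != 80'; }
# -q suppresses per-packet output so only the statistics table prints
ts_tcp_convs()    { tshark -n -r "$PCAP" -q -z conv,tcp; }
ts_user_agents()  { tshark -n -r "$PCAP" -Y http.user_agent -T fields -e http.user_agent | sort | uniq -c | sort -rn; }
# Handshake type 11 is Certificate; -O limits the verbose tree to the tls layer.
# Wireshark releases before 3.0 name the protocol ssl rather than tls.
ts_certs()        { tshark -n -r "$PCAP" -Y 'tls.handshake.type == 11' -O tls; }

# Usage: sh capture-tasks.sh td_syn        (set PCAP=/path/to/file to override)
if [ $# -gt 0 ]; then "$@"; fi
```

The tcpdump filters are BPF and the tshark ones are display filters; the same "SYN not to port 80" question is therefore spelled two different ways above, and mixing the syntaxes is the usual reason one of these commands matches nothing.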