# Network

## The Zeek Network Security Monitor

Run Zeek against a pcap to create Zeek log files in the current directory. Depending on the pcap content and the Zeek configuration, some of the following log files may be created:

* conn.log
* dns.log
* files.log
* http.log
* irc.log
* packet_filter.log
* ssl.log
* weird.log

```bash
zeek -r /pcaps/Hancitor-Ficker-Cobalt-Strike.pcap
```

Carve all Zeek-supported file types from a pcap:

```bash
sudo zeek -r /pcaps/Hancitor-Ficker-Cobalt-Strike.pcap /usr/local/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
```

Display X.509 certificate subjects:

```bash
zeek -C -r /pcaps/normal/https/alexa-top-500.pcap
cat x509.log | zeek-cut certificate.subject
```

View Zeek logs without wrapping lines:

```bash
zeek -r /pcaps/tbot.pcap
```

```bash
less -S http.log 
```
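
As an added example (not from the original page or from Zeek itself), the following shell functions emulate the `zeek-cut` step above with POSIX awk, using a constructed x509.log with invented values so it runs without Zeek installed:

```shell
# Added example (not from the original page): a minimal zeek-cut work-alike built on
# POSIX awk, exercised against a constructed x509.log so it runs offline.

# sample_x509_log: emit a constructed Zeek x509.log in Zeek's TSV layout. The #fields
# line names the columns and "-" marks an unset value; every value is invented.
sample_x509_log() {
    printf '%s\n' '#separator \x09'
    printf '#unset_field\t-\n#path\tx509\n'
    printf '#fields\tts\tid\tcertificate.version\tcertificate.subject\tcertificate.issuer\n'
    printf '#types\ttime\tstring\tcount\tstring\tstring\n'
    printf '1449000001.000000\tF1abc\t3\tCN=www.example.org,O=Example\tCN=Example CA,O=Example\n'
    printf '1449000002.000000\tF2def\t3\tCN=mail.example.net,O=Example\tCN=Example CA,O=Example\n'
    printf '1449000003.000000\tF3ghi\t3\tCN=www.example.org,O=Example\tCN=Other CA,O=Other\n'
    printf '#close\t2015-12-01-00-00-04\n'
}

# zeek_cut FIELD...: print the named columns of the Zeek log on stdin, tab-separated,
# in the order requested. Header lines are used to locate columns but never printed;
# a field that does not exist in the log prints as "-", like an unset value.
zeek_cut() {
    awk -F '\t' -v want="$*" '
        BEGIN { n = split(want, names, " ") }
        /^#fields/ {
            # "#fields" itself is token 1, so data column k is header token k+1
            for (i = 2; i <= NF; i++) pos[$i] = i - 1
            next
        }
        /^#/ { next }   # other header lines: #separator, #types, #close, ...
        {
            out = ""
            for (j = 1; j <= n; j++) {
                col = pos[names[j]]
                out = out (j > 1 ? "\t" : "") (col ? $col : "-")
            }
            print out
        }'
}

# Usage: count distinct certificate subjects, the way the page pipes x509.log
# through zeek-cut (2 distinct subjects across 3 certificates in the sample).
sample_x509_log | zeek_cut certificate.subject | sort | uniq -c | sort -rn
```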

## ModSecurity Rules

Rules need to be added to a .conf file that ModSecurity processes when it starts up. On the SEC511 VM, this path is /etc/modsecurity. A new file for custom rules should generally be created rather than overwriting a file provided by the Core Rule Set (CRS).

Basic Rule Structure:

```bash
SecRule VARIABLE "OPERATOR" "ACTION"
```

We will replace VARIABLE, OPERATOR, and ACTION with the appropriate options that ModSecurity provides.

The default action we will use simply causes log information to be generated and a user-defined message to be supplied. Note that ModSecurity 2.7 and later also requires every rule to carry a unique `id` action (as in the `password` example below); a rule without one is rejected at startup. For example:

```bash
"log,auditlog,msg:'alert message'"
```

Detect an HTTP user agent containing the string 'sqlmap':

```bash
SecRule REQUEST_HEADERS:User-Agent "@contains sqlmap" "log,auditlog,msg:'alert message'"
```

Detect an HTTP user agent NOT containing the string 'sqlmap':

```bash
SecRule REQUEST_HEADERS:User-Agent "!@contains sqlmap" "log,auditlog,msg:'alert message'"
```

Match any HTTP user agents that begin with the string 'Mozilla/5':

```bash
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5" "log,auditlog,msg:'alert message'"
```

Match an argument named 'ip' being set to an IPv4 address, or more precisely to any string consisting only of digits and periods:

```bash
SecRule ARGS:ip "^[\d.]+$" "log,auditlog,msg:'alert message'"
```

Detect the Host header not being equal to the string [www.sec511.org](http://www.sec511.org):

```bash
SecRule REQUEST_HEADERS:Host "!@streq www.sec511.org" "log,auditlog,msg:'alert message'"
```

Match the Host header being set to any IP address within 10.5.11.0/24 (10.5.11.0-255):

```bash
SecRule REQUEST_HEADERS:Host "@ipMatch 10.5.11.0/24" "log,auditlog,msg:'alert message'"
```

Detect the OPTIONS method being used (the request method is exposed through the REQUEST_METHOD variable, not as a request header):

```bash
SecRule REQUEST_METHOD "@streq OPTIONS" "log,auditlog,msg:'alert message'"
```

Detect HTTP responses that lack a Content-Type header (this rule must run in phase 3, once the response headers are available; in the default request phase they are not yet populated):

```bash
SecRule &RESPONSE_HEADERS:Content-Type "@eq 0" "phase:3,log,auditlog,msg:'alert message'"
```

Detect HTTP requests without a User-Agent:

```bash
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "log,auditlog,msg:'alert message'"
```

Detect HTTP requests with more than one parameter named password:

```bash
SecRule &ARGS:password "@gt 1" "id:'999999',log,auditlog,msg:'alert message'"
```

Detect HTTP requests without a Host header:

```bash
SecRule &REQUEST_HEADERS:Host "@eq 0" "log,auditlog,msg:'alert message'"
```

Detect HTTP requests without a Host header. Add the HTTP User Agent to the information provided in the error.log:

```bash
SecRule &REQUEST_HEADERS:Host "@eq 0" "log,auditlog,msg:'alert message',logdata:%{REQUEST_HEADERS.User-Agent}"
```

Example error.log entry:

```bash
[Sun Dec 13 20:06:18 2015] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\bor\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\\'\"]) ?[=<>]+" at ARGS:name. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "427"] [id "959071"] [rev "2.2.0"] [msg "SQL Injection Attack"] [data "or 1="] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/scanners/pilots.php"] [unique_id "Vm3S7X8AAQEAAB@2CLQAAAAD"]
```
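
As an added example (not from the original page or from ModSecurity), the shell functions below pull the bracketed `[key "value"]` pairs out of error.log lines in the layout shown above, so alerts can be counted by rule id and summarised per client; the sample log lines are constructed and every value in them is invented:

```shell
# Added example (not from the original page): parse ModSecurity error.log lines of the
# form shown above into fields for triage. Sample lines are constructed, values invented.
sample_modsec_log() {
    printf '%s\n' \
'[Sun Dec 13 20:06:18 2015] [error] [client 127.0.0.1] ModSecurity: Warning. String match "sqlmap" at REQUEST_HEADERS:User-Agent. [file "/etc/modsecurity/custom.conf"] [line "3"] [id "999001"] [msg "sqlmap user agent"] [data "sqlmap/1.0"] [hostname "localhost"] [uri "/login.php"] [unique_id "AAAA0001"]' \
'[Sun Dec 13 20:06:19 2015] [error] [client 10.5.11.7] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/custom.conf"] [line "9"] [id "999002"] [msg "missing Host header"] [hostname "localhost"] [uri "/index.php"] [unique_id "AAAA0002"]' \
'[Sun Dec 13 20:06:20 2015] [error] [client 127.0.0.1] ModSecurity: Warning. String match "sqlmap" at REQUEST_HEADERS:User-Agent. [file "/etc/modsecurity/custom.conf"] [line "3"] [id "999001"] [msg "sqlmap user agent"] [data "sqlmap/1.0"] [hostname "localhost"] [uri "/admin.php"] [unique_id "AAAA0003"]'
}

# modsec_field KEY: print the value of [KEY "value"] for each line on stdin; lines
# without KEY print nothing. The greedy .* selects the last KEY on a line, which only
# matters for keys that repeat, such as [tag "..."].
modsec_field() {
    sed -n "s/.*\[$1 \"\([^\"]*\)\"].*/\1/p"
}

# modsec_client: the unquoted [client A.B.C.D] field from each line on stdin
modsec_client() {
    sed -n 's/.*\[client \([^]]*\)].*/\1/p'
}

# modsec_summary: one "client<TAB>id<TAB>uri<TAB>msg" record per alert line on stdin
modsec_summary() {
    while IFS= read -r line; do
        printf '%s\t%s\t%s\t%s\n' \
            "$(printf '%s\n' "$line" | modsec_client)" \
            "$(printf '%s\n' "$line" | modsec_field id)" \
            "$(printf '%s\n' "$line" | modsec_field uri)" \
            "$(printf '%s\n' "$line" | modsec_field msg)"
    done
}

# Usage: which rule ids fire most often, then the per-alert summary
sample_modsec_log | modsec_field id | sort | uniq -c | sort -rn
sample_modsec_log | modsec_summary
```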

## ngrep

ngrep brings the basic power of grep to network traffic. We need ngrep because a PCAP is a binary structure: although piping the output of strings to grep can work, grep is still not PCAP-aware in the way ngrep is. Rather than simply showing a line within the PCAP that includes a string match, ngrep understands which packet contains the string and indicates high-level packet details such as source and destination IP addresses, port numbers, and TCP flags.

Source: ngrep man page

```bash
man ngrep
```

Quietly search /pcaps/angler-java.pcap for user agents via the string 'User-Agent':

```bash
ngrep -qI /pcaps/angler-java.pcap "User-Agent"
```

Search /pcaps/angler-java.pcap for 'User-Agent' in TCP segments destined for port 80:

```bash
ngrep -qI /pcaps/angler-java.pcap "User-Agent" "tcp and dst port 80"
```

Note: In the above command line, "tcp and dst port 80" is an example of a BPF (Berkeley Packet Filter) expression. Review the pcap-filter man page for additional information.

Search /pcaps/styx.pcap for 'User-Agent' in TCP segments destined for ports other than 80:

```bash
ngrep -q -I /pcaps/styx.pcap "User-Agent" "tcp and not dst port 80"
```

Search /pcaps/angler-java.pcap for 'User-Agent' in TCP segments destined for port 80. Have the output honor any linefeeds encountered and wrap text.

```bash
ngrep -q -W byline -I /pcaps/angler-java.pcap "User-Agent" "tcp and dst port 80"
```

Note: To make the output of some traffic, most notably HTTP, easier to read, the -W switch can be set to byline.

Search /pcaps/angler-java.pcap for traffic with the ACK, FIN and PUSH flags set:

```bash
ngrep -q -I /pcaps/angler-java.pcap "" "tcp[tcpflags]==(tcp-ack|tcp-fin|tcp-push)"
```

Note: When using BPF expressions, a search string, even if blank "" as above, is expected. Otherwise ngrep will treat the BPF expression itself as the regex search pattern.

Sniff on the eth0 interface and look for the string HoneyToken (without the quotes) being passed in clear text:

```bash
sudo ngrep -q -d eth0 "HoneyToken"
```

Note: When using ngrep to bind to an interface, superuser privileges will generally be required.

Sniff on the eth0 interface and look for the string HoneyToken (without the quotes) being passed in clear text. When found, kill the connection by sending a spoofed TCP RST:

```bash
sudo ngrep -q -d eth0 "HoneyToken" -K1
```

## tcpdump

tcpdump man page:

```bash
man tcpdump
```

Read a pcap file:

```bash
tcpdump -r /pcaps/zeus-gameover-loader.pcap
```

Read a pcap without resolving layer 3 (host) or layer 4 (port) names:

```bash
tcpdump -nr /pcaps/zeus-gameover-loader.pcap
```

Read a pcap, show TCP SYN packets, don't resolve names:

```bash
tcpdump -r /pcaps/zeus-gameover-loader.pcap -n "tcp[tcpflags]==tcp-syn"
```

Read a pcap, show TCP SYN packets not sent to port 80, don't resolve names:

```bash
tcpdump -r /pcaps/zeus-gameover-loader.pcap -n "tcp[tcpflags]==tcp-syn and not tcp dst port 80"
```

Read a pcap without name resolution, /pcaps/angler-java.pcap, and show traffic with the ACK, FIN and PUSH flags set:

```bash
tcpdump -r /pcaps/angler-java.pcap -n "tcp[tcpflags]==(tcp-ack|tcp-fin|tcp-push)"
```

## TShark

tshark man page:

```bash
man tshark
```

Read a pcap file:

```bash
tshark -r /pcaps/zeus-gameover-loader.pcap
```

Read a pcap without resolving layer 3 (host) or layer 4 (port) names:

```bash
tshark -nr /pcaps/zeus-gameover-loader.pcap
```

Read a pcap, use the display filter "http.request.method==GET":

```bash
tshark -r /pcaps/zeus-gameover-loader.pcap -Y "http.request.method==GET"
```

Read a pcap, show TCP SYN packets not sent to port 80, don't resolve names:

```bash
tshark -r /pcaps/zeus-gameover-loader.pcap -n -Y "not tcp.port==80 and tcp.flags == 0x0002"
```
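
The tcpdump and ngrep examples above write TCP flag filters as BPF (`tcp[tcpflags]==(tcp-ack|tcp-fin|tcp-push)`) while tshark compares the numeric field value (`tcp.flags == 0x0002`). As an added example, not from the page or from any of these tools, the following shell functions produce both forms from a list of flag names so the two notations can be checked against each other:

```shell
# Added example (not from the original page): translate TCP flag names into the BPF
# expression tcpdump/ngrep accept and the equivalent tshark display filter.

# tcp_flag_value NAME: bit value of one TCP flag, by tcpdump keyword ("tcp-" optional)
tcp_flag_value() {
    case "${1#tcp-}" in
        fin) echo 1 ;;        # 0x01
        syn) echo 2 ;;        # 0x02
        rst) echo 4 ;;        # 0x04
        push|psh) echo 8 ;;   # 0x08
        ack) echo 16 ;;       # 0x10
        urg) echo 32 ;;       # 0x20
        *) echo "tcp_flag_value: unknown flag '$1'" >&2; return 1 ;;
    esac
}

# tcp_flag_filters NAME...: print two lines, the BPF form then the tshark form. Both
# are exact comparisons of the whole flags field, so a packet that also carries
# ECE/CWR matches neither; use "tcp[tcpflags] & (...) != 0" or "tcp.flags & 0x.."
# when "any of these flags" is what is meant.
tcp_flag_filters() {
    mask=0
    bpf=""
    for f in "$@"; do
        v=$(tcp_flag_value "$f") || return 1
        mask=$((mask | v))
        name=${f#tcp-}
        case "$name" in psh) name=push ;; esac
        bpf="${bpf:+$bpf|}tcp-$name"
    done
    printf 'tcp[tcpflags]==(%s)\n' "$bpf"
    printf 'tcp.flags == 0x%04x\n' "$mask"
}

# Usage: the ACK+FIN+PUSH filter used with ngrep and tcpdump above, in both notations
tcp_flag_filters ack fin push
```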

Print TCP conversations in a pcap:

```bash
tshark -n -r /pcaps/virut-worm.pcap -q -z conv,tcp
```

Print HTTP User-Agents in a pcap:

```bash
tshark -nr /pcaps/normal/http/normal-user-agent.pcap -Y "http.user_agent" -Tfields -e http.user_agent
```

Print X.509 certificates in a pcap:

```bash
tshark -r /pcaps/normal/https/alexa-top-500.pcap -T fields -Y "ssl.handshake.certificate" -e ssl.handshake.certificate
```

