Here we have a post from Doug Burks (yes, the guy from Security Onion)
How do I find evil on my network?
For the purposes of this example, "evil" could be any text string that
would indicate an attack or successful compromise. If you already
have an IDS deployed on your network, this is a simple matter of
writing an IDS rule to look for "evil". But what if you don't already
have an IDS?
Almost every operating system has some form of tcpdump available, so
here's one option:
tcpdump -nnAi eth1 -s0 | grep "evil"
What does it all mean?
-nnThis option disables name resolution for IP addresses AND port numbers. Some versions of tcpdump do this with a single "n", but the double "nn" option should work on all of them.
AThis option prints just the ASCII text (no hex) in the packets. This is useful when looking for strings like "evil".
iThis option allows you to specify the Interface (in this case eth1). eth1 on my Security Onion box at home is connected to a SPAN port that monitors all ingress/egress of my home network. Doesn't everybody do full packet capture at home?
-s0This option sets the snaplen. Modern versions of tcpdump default to a snaplen of 65535 bytes. However, many people are still using older versions of tcpdump that default to a snaplen of 68 bytes and would therefore not see the entire packet. Setting snaplen to 0 forces tcpdump to capture the entire packet regardless of its size.
grepSince we had tcpdump output in ASCII, we can easily use the standard grep command to look for interesting text strings. We might want to include some context around the "evil", so we might want to do something like:
grep -C10 "evil"This will include the 10 lines before "evil" and the 10 lines after.
Another option would be ngrep. Most Linux distros do not have ngrep
installed by default. But let's assume that you've installed it on
your Linux box or you have a distro such as Security Onion which just
so happens to include ngrep by default. Here's the ngrep version of
ngrep -d eth1 -s0 "evil"
Here we use the "-d eth1" option to force ngrep to listen on device
eth1 and the "-s0" option to force ngrep to look at the entire packet.
ngrep defaults to a snaplen of 65536, so this option isn't strictly
needed here, but is included for completeness. After specifying these
options, we simply tell ngrep what string to look for.
If you'd like to learn more about packet analysis, tcpdump, Snort, and
Intrusion Detection in general, Doug Burks is teaching SANS SEC503 in
Portland 8/22 - 8/27. We're extending a 10% discount to PaulDotCom
listeners. For more information, please click here.