Here we have a post from Doug Burks (yes, the guy from Security Onion):
How do I find evil on my network?


Sometimes... it is obvious.

For the purposes of this example, “evil” could be any text string that
would indicate an attack or successful compromise. If you already
have an IDS deployed on your network, this is a simple matter of
writing an IDS rule to look for “evil”. But what if you don’t already
have an IDS?
Almost every operating system has some form of tcpdump available, so
here’s one option:

tcpdump -nnAi eth1 -s0 | grep "evil"

What does it all mean?

-nn

This option disables name resolution for IP addresses AND port
numbers. Some versions of tcpdump do this with a single “n”, but the
double “nn” option should work on all of them.

-A

This option prints just the ASCII text (no hex) in the packets. This
is useful when looking for strings like “evil”.

-i

This option allows you to specify the interface (in this case eth1).
eth1 on my Security Onion box at home is connected to a SPAN port that
monitors all ingress/egress of my home network. Doesn’t everybody do
full packet capture at home?

-s0

This option sets the snaplen. Modern versions of tcpdump default to a
snaplen of 65535 bytes. However, many people are still using older
versions of tcpdump that default to a snaplen of 68 bytes and would
therefore not see the entire packet. Setting snaplen to 0 forces
tcpdump to capture the entire packet regardless of its size.

grep

Since we had tcpdump output in ASCII, we can easily use the standard
grep command to look for interesting text strings. We might want to
include some context around the “evil”, so we might want to do
something like:

grep -C10 "evil"

This will include the 10 lines before “evil” and the 10 lines after.
Another option would be ngrep. Most Linux distros do not have ngrep
installed by default. But let’s assume that you’ve installed it on
your Linux box or you have a distro such as Security Onion which just
so happens to include ngrep by default. Here’s the ngrep version of
the command:

ngrep -d eth1 -s0 "evil"

Here we use the "-d eth1" option to force ngrep to listen on device
eth1 and the "-s0" option to force ngrep to look at the entire packet.
ngrep defaults to a snaplen of 65536, so this option isn't strictly
needed here, but is included for completeness. After specifying these
options, we simply tell ngrep what string to look for.
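The tcpdump | grep pipeline above and the ngrep command both need a live interface and root, so here is an added, stand-alone example (not from Doug Burks' post and not Security Onion code) that reproduces the same payload string-matching offline in Python. It builds a few synthetic Ethernet/IPv4/TCP frames, writes them in libpcap format (the on-disk format tcpdump -w produces), renders each TCP payload roughly the way tcpdump -A does (printable bytes as-is, everything else as "."), and then searches the resulting text stream with grep -C style context. The hosts, ports, payloads and the helper names (build_packet, build_pcap, iter_tcp_payloads, ascii_dump, render, find_evil) are all constructed for this example.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic; big-endian on disk when packed with "!"
LINKTYPE_ETHERNET = 1


def build_packet(src, dst, sport, dport, payload):
    """Wrap `payload` in a minimal Ethernet/IPv4/TCP frame (constructed; checksums left at 0)."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4,  # data offset = 5 words
                      0x18, 8192, 0, 0) + payload                  # flags PSH|ACK, window 8192
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Serialize frames as a libpcap file, the format `tcpdump -w` writes (snaplen 65535)."""
    out = [struct.pack("!IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for n, frame in enumerate(frames):
        out.append(struct.pack("!IIII", 1_700_000_000 + n, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_tcp_payloads(pcap):
    """Yield (flow header, TCP payload) for each IPv4/TCP frame; other frames are skipped."""
    if pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = "!"
    elif pcap[:4] == b"\xd4\xc3\xb2\xa1":        # little-endian file, e.g. written on x86
        endian = "<"
    else:
        raise ValueError("not a classic pcap file")
    off = 24                                       # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                               # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        ip = frame[14:14 + total_len]
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_offset = (tcp[12] >> 4) * 4
        yield f"IP {src}.{sport} > {dst}.{dport}", tcp[data_offset:]


def ascii_dump(payload):
    """Approximate `tcpdump -A`: printable bytes as-is, CR before LF dropped, others as '.'."""
    out = []
    for i, b in enumerate(payload):
        if b == 0x0D:
            if not (i + 1 < len(payload) and payload[i + 1] == 0x0A):
                out.append(".")
        elif 0x21 <= b <= 0x7E or b in (0x09, 0x0A, 0x20):
            out.append(chr(b))
        else:
            out.append(".")
    return "".join(out)


def render(pcap):
    """The text stream `tcpdump -nnA` hands to grep: a flow line per packet, then its ASCII payload."""
    lines = []
    for header, payload in iter_tcp_payloads(pcap):
        lines.append(header)
        lines.extend(ascii_dump(payload).split("\n"))
    return lines


def find_evil(pcap, needle, context=2, ignore_case=False):
    """Emulate `grep -C<context> needle`: one context window (list of lines) per matching line."""
    lines = render(pcap)
    hits = []
    for i, line in enumerate(lines):
        hay, pat = (line.lower(), needle.lower()) if ignore_case else (line, needle)
        if pat in hay:
            hits.append(lines[max(0, i - context):i + context + 1])
    return hits


# Constructed sample traffic (not a real capture): a benign exchange, a request carrying
# "evil" next to non-printable bytes, and a request with the string in upper case.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "203.0.113.10", 51234, 80,
                 b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_packet("203.0.113.10", "10.0.0.5", 80, 51234,
                 b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>hello</p>"),
    build_packet("10.0.0.5", "203.0.113.20", 51235, 80,
                 b"GET /\x00\x01evil HTTP/1.1\r\n"),
    build_packet("10.0.0.7", "203.0.113.30", 40000, 80,
                 b"POST /upload HTTP/1.1\r\n\r\nEVIL"),
])

if __name__ == "__main__":
    for window in find_evil(SAMPLE_PCAP, "evil", context=2):
        print("\n".join(window))
        print("--")
```

Against a real capture file the equivalent one-liner is tcpdump -nnA -r capture.pcap | grep -C2 "evil" (-r reads from a file instead of an interface). Two things the example makes visible that matter for detection: the match is a plain substring, so it is case-sensitive unless you pass -i to grep (the "EVIL" packet is only found with ignore_case=True), and it will also fire inside unrelated words, so a short needle produces false positives that the surrounding context lines help you triage.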
If you’d like to learn more about packet analysis, tcpdump, Snort, and
Intrusion Detection in general, Doug Burks is teaching SANS SEC503 in
Portland 8/22 – 8/27. We’re extending a 10% discount to PaulDotCom
listeners. For more information, please click here.
