Here we have a post from Doug Burks (yes, the guy from Security Onion)
How do I find evil on my network?

For the purposes of this example, "evil" could be any text string that
would indicate an attack or successful compromise. If you already
have an IDS deployed on your network, this is a simple matter of
writing an IDS rule to look for "evil". But what if you don't already
have an IDS?
Almost every operating system has some form of tcpdump available, so
here's one option:
tcpdump -nnAi eth1 -s0 | grep "evil"
What does it all mean?

-nn   Disables name resolution for both IP addresses and port numbers, so tcpdump never stalls on DNS lookups while you are watching. Some versions of tcpdump do this with a single "-n", but the double "-nn" option works on all of them.

-A    Prints the contents of each packet (minus the link-layer header) as ASCII text, with no hex dump and non-printable bytes shown as dots. This is what makes the output greppable for strings like "evil".

-i    Specifies the interface to listen on (in this case eth1). eth1 on my Security Onion box at home is connected to a SPAN port that monitors all ingress/egress of my home network. Doesn't everybody do full packet capture at home?

-s0   Sets the snaplen. Modern versions of tcpdump (4.0 and later) default to capturing the whole packet, but many people are still using older versions that default to a snaplen of 68 bytes and would therefore see only the headers and the first few bytes of payload, never the "evil" further in. Setting the snaplen to 0 tells tcpdump to use its maximum, so the entire packet is captured regardless of version.

grep  Since tcpdump is emitting ASCII, the standard grep command can look for interesting text strings. Two practical notes: tcpdump block-buffers stdout when it is writing to a pipe, so add "-l" (line-buffered output) to the tcpdump options if you want matches to appear as they happen rather than in bursts; and grep is matching one line of one packet at a time, so a string that is split across two packets, or carried inside an encrypted session, will not match. For the more common case you probably want some context around the "evil", which grep provides:

tcpdump -nnAli eth1 -s0 | grep -C10 "evil"

This prints the 10 lines before and the 10 lines after each match, which is usually enough to see the surrounding request or response.
Another option would be ngrep. Most Linux distros do not have ngrep
installed by default. But let's assume that you've installed it on
your Linux box or you have a distro such as Security Onion which just
so happens to include ngrep by default. Here's the ngrep version of
the command:
ngrep -d eth1 -s0 "evil"
Here we use the "-d eth1" option to force ngrep to listen on device
eth1 and the "-s0" option to force ngrep to look at the entire packet.
ngrep defaults to a snaplen of 65536, so this option isn't strictly
needed here, but is included for completeness. After specifying these
options, we simply tell ngrep what string to look for. The pattern is
treated as a regular expression; "-i" makes the match case-insensitive,
and "-q" suppresses the hash marks ngrep otherwise prints for every
non-matching packet. Like the tcpdump pipeline, ngrep matches within a
single packet, so it too will miss a string that spans two packets.
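Both of the commands above search the payload of each packet on its own. The script below is an added example (not from Doug's post and not part of tcpdump, ngrep or Security Onion) that does the same job offline: it reads a pcap, pulls the TCP payload out of every frame, renders it the way "tcpdump -A" does (printable bytes as-is, everything else as a dot) and searches it with a regex. It then goes one step further than the page's commands and searches each one-directional flow after reassembling it by sequence number, which is the difference between "grep sees it" and "grep misses it" when a string straddles a packet boundary. The sample pcap, the addresses 10.0.0.5 and 192.0.2.10, and the payloads are all constructed inline; the frames carry zero checksums because nothing here validates them.

```python
"""Offline equivalent of `tcpdump -nnA -s0 | grep evil` (added example, not
from the original post): parse a classic pcap, extract each TCP payload,
render it as tcpdump -A would, and search it per packet and per stream."""
import re
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _tcp_frame(src, sport, dst, dport, seq, payload):
    """Build an Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload


def write_pcap(frames):
    """Serialize frames as a little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield raw frames from a little-endian pcap; other magic values are rejected."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (flow, seq, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    if frame[23] != IPPROTO_TCP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    tcp_off = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    flow = "%s:%d > %s:%d" % (socket.inet_ntoa(frame[26:30]), sport,
                              socket.inet_ntoa(frame[30:34]), dport)
    return flow, seq, frame[tcp_off + data_off:14 + total_len]


def ascii_lines(payload):
    """Mimic tcpdump -A: printable bytes as-is, everything else as '.', split into lines."""
    text = "".join(chr(b) if 32 <= b < 127 or b in (9, 10, 13) else "." for b in payload)
    return text.splitlines()


def grep_packets(pcap_bytes, pattern):
    """Per-packet search, which is what `tcpdump -A | grep` sees. Returns (packet_no, flow, line)."""
    rx = re.compile(pattern)
    hits = []
    for n, frame in enumerate(read_pcap(pcap_bytes)):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        flow, _, payload = parsed
        hits.extend((n, flow, line) for line in ascii_lines(payload) if rx.search(line))
    return hits


def grep_streams(pcap_bytes, pattern):
    """Reassemble each one-directional flow by sequence number, then search it. Returns (flow, line)."""
    rx = re.compile(pattern)
    streams = {}
    for frame in read_pcap(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed is not None:
            flow, seq, payload = parsed
            streams.setdefault(flow, []).append((seq, payload))
    hits = []
    for flow, segments in streams.items():
        data = b"".join(p for _, p in sorted(segments))
        hits.extend((flow, line) for line in ascii_lines(data) if rx.search(line))
    return hits


# Constructed sample traffic (not a real capture): one HTTP reply carrying
# "evil" inside a single packet, and one request where "evil" is split
# across two packets so a per-packet grep cannot see it.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
REQ_PART1 = b"POST /upload HTTP/1.1\r\n\r\nname=ev"
SAMPLE_PCAP = write_pcap([
    _tcp_frame(CLIENT, 40001, SERVER, 80, 1, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    _tcp_frame(SERVER, 80, CLIENT, 40001, 1, b"HTTP/1.1 200 OK\r\n\r\n<html>evil</html>\r\n"),
    _tcp_frame(CLIENT, 40002, SERVER, 80, 500, REQ_PART1),
    _tcp_frame(CLIENT, 40002, SERVER, 80, 500 + len(REQ_PART1), b"il&x=1\r\n"),
])

if __name__ == "__main__":
    for hit in grep_packets(SAMPLE_PCAP, "evil"):
        print("per-packet:", hit)
    for hit in grep_streams(SAMPLE_PCAP, "evil"):
        print("per-stream:", hit)
```

Run it and the per-packet pass reports only the HTTP reply, while the per-stream pass also finds "name=evil&x=1" in the reassembled POST. Point read_pcap at a file captured with "tcpdump -s0 -w" to use it on real traffic; the per-packet result is what the grep and ngrep one-liners would have shown, and the difference between the two passes is the evasion cost of not having an IDS that reassembles streams.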
If you'd like to learn more about packet analysis, tcpdump, Snort, and
Intrusion Detection in general, Doug Burks is teaching SANS SEC503 in
Portland 8/22 - 8/27. We're extending a 10% discount to PaulDotCom
listeners. For more information, please click here.


