Monday, September 17, 2012
Wednesday, April 27, 2011
Cisco IOS capture lazy dog
# Create a circular capture buffer (size is in KB, max-size is the per-packet byte limit)
monitor capture buffer buffer1 size 512 max-size 512 circular
# Create a capture point on the CEF switching path of FastEthernet 0/1/3, both directions
monitor capture point ip cef capture1 FastEthernet 0/1/3 both
# Associate the capture point with the buffer 'buffer1'
monitor capture point associate capture1 buffer1
# Start the capture
monitor capture point start capture1
# Dump the buffer contents
show monitor capture buffer buffer1 dump
# Stop the capture
monitor capture point stop capture1
Tuesday, April 12, 2011
dns blacklist bash script
#!/bin/bash
LISTS="sbl-xbl.spamhaus.org zen.spamhaus.org bl.spamcop.net dnsbl.njabl.org b.barracudacentral.org dnsbl.sorbs.net pbl.spamhaus.org"
HOSTS="1.2.3.4 127.0.0.1"
for list in $LISTS
do
  for host in $HOSTS
  do
    # DNSBLs are queried with the IPv4 octets reversed: 4.3.2.1.<list>
    W=$( echo "${host}" | cut -d. -f1 )
    X=$( echo "${host}" | cut -d. -f2 )
    Y=$( echo "${host}" | cut -d. -f3 )
    Z=$( echo "${host}" | cut -d. -f4 )
    result=$( dig +short "$Z.$Y.$X.$W.$list" )
    # Any answer (typically a 127.0.0.x address) means the host is listed
    if [ "$result" != "" ]; then
      echo "$host listed in $list"
    fi
  done
done
Wednesday, December 8, 2010
Passive OS fingerprint, smartphone detection
I recently started a service that allows smartphone users to connect to one of my networks over PPTP to hide their origins. To ensure users are not trying to use the service on computers, I figured some passive OS fingerprinting would be in place.
p0f -i ppp0
p0f - passive os fingerprinting utility, version 2.0.8
(C) M. Zalewski, W. Stearns
p0f: listening (SYN) on 'ppp0', 262 sigs (14 generic, cksum 0F1F5CA2), rule: 'all'.
# iPhone 3GS, iOS 4.1
10.100.200.100:52900 - UNKNOWN [65535:64:1:64:M1404,N,W2,N,N,T,S,E:P:?:?] (up: 121 hrs)
-> 1.2.3.4:80 (link: unknown-1444).
# Android 2.2, HTC Desire
10.100.200.100:48885 - UNKNOWN [S44:64:1:60:M1356,S,T,N,W1:.:?:?] (NAT!) (up: 3 hrs)
-> 1.2.3.4:80 (link: unknown-1396)
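To turn captures like the ones above into a repeatable check, here is an added example (not from the post, and not p0f's own code) that parses the p0f 2.x SYN signature fields and exact-matches them against a small allow-list built from the two phone signatures shown. The allow-list, the third desktop-style sample line and the labels are constructed assumptions.

```python
import re

# p0f 2.x prints the SYN signature between square brackets as
#   wwww:ttl:D:ss:OOO...:QQ:OS:details
# (window, initial TTL, DF bit, SYN size, TCP options, quirks, OS guess, details).
LINE_RE = re.compile(r"^(?P<src>[\d.]+):\d+\s+-\s+.*?\[(?P<sig>[^\]]+)\]")

# Constructed allow-list built from the two captures in the post; keys are
# (window, ttl, df, size, options). It is not an official p0f signature table.
SMARTPHONE_SIGS = {
    ("65535", 64, 1, 64, ("M1404", "N", "W2", "N", "N", "T", "S", "E")): "iOS 4.1 (iPhone 3GS)",
    ("S44", 64, 1, 60, ("M1356", "S", "T", "N", "W1")): "Android 2.2 (HTC Desire)",
}

def parse_p0f_line(line):
    """Return the parsed SYN signature of a p0f 2.x line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.group("sig").split(":")
    if len(fields) < 6:
        return None
    window, ttl, df, size, opts, quirks = fields[:6]
    return {"src": m.group("src"), "window": window, "ttl": int(ttl),
            "df": int(df), "size": int(size), "options": tuple(opts.split(",")),
            "quirks": quirks, "nat": "(NAT!)" in line}  # p0f's own NAT flag

def classify(sig):
    """Exact-match the signature against the allow-list, else flag it for review."""
    key = (sig["window"], sig["ttl"], sig["df"], sig["size"], sig["options"])
    label = SMARTPHONE_SIGS.get(key)
    if label is None:
        return "review: not a known smartphone signature"
    return label + (" behind NAT" if sig["nat"] else "")

def scan(lines):
    """Classify every SYN line; returns a list of (source IP, verdict)."""
    out = []
    for line in lines:
        sig = parse_p0f_line(line)
        if sig is not None:
            out.append((sig["src"], classify(sig)))
    return out

# Constructed sample: the two lines from the post plus a Linux-desktop-style SYN.
SAMPLE = [
    "10.100.200.100:52900 - UNKNOWN [65535:64:1:64:M1404,N,W2,N,N,T,S,E:P:?:?] (up: 121 hrs)",
    "10.100.200.100:48885 - UNKNOWN [S44:64:1:60:M1356,S,T,N,W1:.:?:?] (NAT!) (up: 3 hrs)",
    "10.100.200.101:40100 - UNKNOWN [S4:64:1:60:M1460,S,T,N,W7:.:?:?] (up: 2 hrs)",
]
```

Unmatched signatures are flagged for review rather than rejected outright, because the MSS and TTL fields vary with the access path and a new phone OS release will not be in the list yet.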
Thursday, March 25, 2010
syslog-ng by example
1) Make sure the UDP listener is on (syslog-ng should be bound to port 514):
netstat -anop|grep 514
2) If not, add udp(); as a source in syslog-ng.conf:
# udp source
source s_udp {
udp();
};
3) Create a destination (the file the matched entries are written to):
destination d_name { file("/var/log/file.log"); };
4) Create a filter (here: only auth/authpriv messages from one host):
filter f_name {
host("192.168.123.123")
and facility(auth,authpriv);
};
5) Create the log statement that ties the source, the filter and the destination together:
log {
source(s_udp);
filter(f_name);
destination(d_name);
};
Configure remote logging on the client servers as well; if needed, run tcpdump on the syslog-ng server to verify that log entries actually come in.