Monday, September 17, 2012

Wednesday, April 27, 2011

Cisco IOS capture lazy dog

# create a buffer
monitor capture buffer buffer1 size 512 max-size 512 circular

# create a capture point
monitor capture point ip cef capture1 FastEthernet 0/1/3 both

# associate capture with the buffer 'buffer1'
monitor capture point associate capture1 buffer1

# Start monitor the capture
monitor capture point start capture1

# Show the buffer
show monitor capture buffer buffer1 dump

# Stop the capture
monitor capture point stop capture1

Tuesday, April 12, 2011

dns blacklist bash script

LISTS="sbl-xbl.spamhaus.org zen.spamhaus.org bl.spamcop.net dnsbl.njabl.org b.barracudacentral.org dnsbl.sorbs.net pbl.spamhaus.org"
HOSTS="1.2.3.4 127.0.0.1"

for list in $LISTS
do
for host in $HOSTS
do
W=$( echo ${host} | cut -d. -f1 )
X=$( echo ${host} | cut -d. -f2 )
Y=$( echo ${host} | cut -d. -f3 )
Z=$( echo ${host} | cut -d. -f4 )
result=`dig +short $Z.$Y.$X.$W.$list`
if [ "$result" != "" ]; then
echo "$host listed in $list"
fi
done
done

Wednesday, December 8, 2010

Passive OS fingerprint, smartphone detection

I recently started a service that allows smartphone users to connect to one of my networks over PPTP to hide their origins. To ensure users are not trying to use the service on computers, I figured some passive OS fingerprinting would be in place.

p0f -i ppp0
p0f - passive os fingerprinting utility, version 2.0.8
(C) M. Zalewski , W. Stearns
p0f: listening (SYN) on 'ppp0', 262 sigs (14 generic, cksum 0F1F5CA2), rule: 'all'.

# Iphone 3GS, iOS 4.1
10.100.200.100:52900 - UNKNOWN [65535:64:1:64:M1404,N,W2,N,N,T,S,E:P:?:?] (up: 121 hrs)
-> 1.2.3.4:80 (link: unknown-1444).

# android 2.2, HTC Desire
10.100.200.100:48885 - UNKNOWN [S44:64:1:60:M1356,S,T,N,W1:.:?:?] (NAT!) (up: 3 hrs)
-> 1.2.3.4:80 (link: unknown-1396)

Thursday, March 25, 2010

syslog-ng by example

1) make sure udp listener is on
netstat -anop|grep 514

2) If not, add udp(); as source to syslog-ng.conf

# udp source
source s_udp {
udp();
};

3) create a destination
destination d_name { file("/var/log/file.log"); };

4) create a filter
filter f_name {
host("192.168.123.123")
and facility(auth,authpriv);
};

5) Create the logging for the filter to the destination
log {
source(s_udp);
filter(f_name);
destination(d_name);
};

Do add the remote logging on the servers, if needed tcpdump on the syslog-ng server to verify that log entries come in.