Don't flame me for the lack of creativity with this page. Let's call it
a rough draft for now.
Example script to tail a growing pcap (tcpdump) file:
Script: here
Problem to be solved: I had a tcpdump command writing to a pcap file.
I wanted to extract very specific information out of the file and
keep it running in tail mode. I couldn't find any examples of how
to do this, so I figured it out through a little trial and error. The
NetPacket modules are very handy and also let you decode ICMP, TCP, and
UDP traffic.
Example script to parse nmap XML output:
Ever wondered what to do with the XML output of an Nmap scan? Me too,
until I realized that you can easily parse it with a Perl module named
Nmap::Parser. You can do all sorts of really good stuff with this module.
The module allows you to call Nmap directly with the options you specify and
start parsing the XML output. It also allows you to specify a callback function
that is called as soon as a condition occurs during the scan. This could be useful
if you have a scan that takes a long time to run, but want to kick off other
scanning activities the moment it detects an open port on a machine.
The URL for the module is:
http://search.cpan.org/~apersaud/Nmap-Parser/Parser.pm
I have a simple script that takes an XML filename on the command line and
prints a list of all machines with TCP 139 and 445 open. It also calculates
the total number of open hosts and total number of open TCP ports at the same
time. Here is the example script: parse-nmap-xml.pl
I have already used this parser to roll a custom scanning program that needed
exact conditions from an Nmap scan to occur. I found it was much easier to
call Nmap directly without dealing with output files and ugly grep syntax.
Let me know if you write something cool with this module.
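The task the parse-nmap-xml.pl script above performs (list every host with TCP 139 and 445 open, then count open hosts and open TCP ports), as an added example that is not the page's script: it is written in Python with the standard library's xml.etree instead of Perl's Nmap::Parser, and it reads a constructed nmap -oX sample embedded inline. How "open host" is counted is an assumption, stated in the code.

```python
import xml.etree.ElementTree as ET
# Constructed sample of nmap -oX output, trimmed to the elements this script reads.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 80,139,445 -oX - 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="139"><state state="open"/></port>
    <port protocol="tcp" portid="445"><state state="open"/></port>
    <port protocol="tcp" portid="80"><state state="closed"/></port></ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="445"><state state="open"/></port>
    <port protocol="udp" portid="137"><state state="open"/></port></ports></host>
  <host><status state="down"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>"""

def open_tcp_ports(host):
    """Open TCP port numbers of one <host>; UDP ports and non-open states are skipped."""
    ports = set()
    for port in host.iterfind("ports/port"):
        state = port.find("state")
        if port.get("protocol") == "tcp" and state is not None and state.get("state") == "open":
            ports.add(int(port.get("portid")))
    return ports

def ipv4_addr(host):
    """First IPv4 <address> of a host (nmap can also emit a MAC <address> entry)."""
    for addr in host.iterfind("address"):
        if addr.get("addrtype") == "ipv4":
            return addr.get("addr")
    return None

def summarize(xml_text, wanted=(139, 445)):
    """Return (hosts with every `wanted` TCP port open, open-host count, open-TCP-port count)."""
    # Assumption: an "open host" has at least one open TCP port, and the port total
    # counts every open TCP port on up hosts, not only the wanted ones.
    root = ET.fromstring(xml_text)
    matches, open_hosts, open_tcp_total = [], 0, 0
    for host in root.iterfind("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no <ports> data
        ports = open_tcp_ports(host)
        if ports:
            open_hosts += 1
            open_tcp_total += len(ports)
        if set(wanted) <= ports:
            matches.append(ipv4_addr(host))
    return matches, open_hosts, open_tcp_total

if __name__ == "__main__":
    print(summarize(SAMPLE_NMAP_XML))  # (['192.0.2.10'], 2, 3)
```

To run it against a real scan, read the file produced by nmap -oX and pass its contents to summarize().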
Tools for the Snort Back Orifice pre-processor buffer overflow:
I have developed a standalone tool that can identify exploit attempts
against this vulnerability. This tool is necessary because all of the
traffic exploiting the vulnerability is encrypted with the Back Orifice
encryption (which the tool decrypts). Note that the tool uses some functions
from Snort (the fixed version!).
You can run this tool in two modes: sniffing the network (which requires
root privileges) or reading in a previously saved pcap file (which doesn't
require root).
I've been fairly careful to avoid security problems in this code, but you
never know. If you want to be paranoid, or just don't trust my code, sniff
your network with tcpdump and the filter: "udp and udp[4:2] >= 1032 and not
port 31337". (udp[4:2] is the UDP length field, header included, so this
matches datagrams carrying at least 1024 bytes of payload.) Then you can
post-process the pcap file with my tool looking for exploit attempts.
The compilation instructions are in the header of the file.
Code here: ident-snort-bo-exploit.c
Example alert: alert.txt
Here is a pcap file that will trigger the tool.
You can use tcpreplay to
replay it. If you want to edit the source/destination IP addresses,
use the excellent tool Netdude.
Here is a Snort signature to detect the attack:
alert udp any !31337 <> any !31337 ( \
msg: "BLEEDING-EDGE EXPLOIT Snort Back Orifice pre-processor buffer overflow attempt"; \
dsize: >1024; \
content:"|ce 63 d1 d2 16 e7 13 cf|"; \
offset: 0; \
depth: 8; \
threshold: type limit, track by_dst, count 1, seconds 60; \
classtype: attempted-admin; \
sid: 3000001; \
rev:1; \
)