
Sans 503 March 5-10, 2012

Day 1 TCP/IP for Intrusion Detection

Instructor: Mike Poor

IDS: Snort, OSSEC, Tipping Point

Since an IDS can produce an unmanageable amount of information, focus it on attacks against critical assets that are likely to succeed, rather than on everything it could alert on.

Snort rule sets can be obtained from snort.org or http://www.emergingthreats.net/

Terminology: TCP has control bits (RFC 793), not flags. The flags are in the IP header: the reserved bit (the "evil bit" of RFC 3514), DF (don't fragment) and MF (more fragments).

VM image accounts: user sans / password training; root / packetrix

tcpdump Output in Hex (1.10)

tcpdump -s0 -x    # -s0: capture the whole packet (no snaplen truncation); -x: print the packet in hex, starting at the IP header (-xx includes the link-layer header)

Sample Hexadecimal Output (1.11)

Offsets count from 0

Templates are not a visual map, but a logical map to the packet

Day 2

Examining the Frame Header (2.23)

Converting a hex field by hand with bc (ibase=16 switches input to hex; hex digits A-F must be typed in uppercase):

bc -l
ibase=16
0089
137

0x0089 = 137, which as a port number is the NetBIOS name service.

In the Ethernet frame header the destination MAC (bytes 0-5) comes before the source MAC (bytes 6-11), the reverse of the IP header, where the source address precedes the destination.

Computing Fragmentation Offset (2.32)

IP header length (IHL, the low nibble of IP byte 0) and TCP header length (data offset, the high nibble of TCP byte 12) are counted in 32-bit words: multiply by 4 to get bytes.

The IP fragment offset (the low 13 bits of IP bytes 6-7) is counted in 8-byte units: multiply by 8 to get the byte position of this fragment's data in the original datagram.
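A worked example of walking a frame by byte offset as the Day 1 and Day 2 notes describe: header lengths times 4, fragment offset times 8, destination MAC before source MAC, and the TCP control-bit byte that the Day 6 filter reads as tcp[13]. This is an added example, not course material or the author's notes; the two frames and the tcpdump -x text are constructed by hand for it, and the addresses are RFC 5737 documentation addresses.

```python
"""Walk an Ethernet/IPv4/TCP frame by byte offset (offsets count from 0).

Added example, not course material. The frames and the tcpdump -x text
below are constructed by hand; addresses are RFC 5737 documentation ranges.
"""
import struct

# Constructed frame 1: Ethernet II / IPv4 (IHL=5, DF set) / TCP SYN-ACK from port 80.
SYN_ACK_FRAME = bytes.fromhex(
    "001122334455"                      # Ethernet bytes 0-5: DESTINATION MAC comes first
    "66778899aabb"                      # Ethernet bytes 6-11: source MAC
    "0800"                              # EtherType: IPv4
    "4500 0028 1234 4000 4006 0000"     # IP: ver/IHL, TOS, len 40, ID, flags/frag (DF), TTL, proto 6, cksum
    "c000020a"                          # src 192.0.2.10
    "c6336414"                          # dst 198.51.100.20
    "0050 9c40 00000001 00000002"       # TCP: sport 80, dport 40000, seq, ack
    "50 12 ffff 0000 0000"              # data offset 5 words, control bits 0x12, window, cksum, urg
)

# Constructed frame 2: IPv4 fragment with MF set and fragment-offset field 185, 8 bytes of UDP data.
FRAG_FRAME = bytes.fromhex(
    "001122334455 66778899aabb 0800"
    "4500 001c 1234 20b9 4011 0000"     # len 28, flags/frag 0x20b9 = MF + offset 185, proto 17
    "c000020a c6336414"
    "deadbeef cafef00d"
)

# Constructed 'tcpdump -x' text for frame 1. -x starts at the IP header (use -xx to get the
# link-layer header too); -X adds an ASCII column that this parser does not handle.
SAMPLE_HEXDUMP = """\
\t0x0000:  4500 0028 1234 4000 4006 0000 c000 020a
\t0x0010:  c633 6414 0050 9c40 0000 0001 0000 0002
\t0x0020:  5012 ffff 0000 0000
"""

ETH_LEN = 14  # 6 dst + 6 src + 2 type
CONTROL_BITS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]  # bit 0 upward


def hexdump_to_bytes(text):
    """Turn tcpdump -x/-xx output back into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        if ":" in line:
            out += bytes.fromhex(line.partition(":")[2].replace(" ", ""))
    return bytes(out)


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    # Destination precedes source here; the IP header has them the other way round.
    dst, src, etype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    return {"dst_mac": _mac(dst), "src_mac": _mac(src), "ethertype": etype,
            "payload": frame[ETH_LEN:]}


def parse_ipv4(packet):
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _cksum) = struct.unpack("!BBHHHBBH", packet[:12])
    header_len = (ver_ihl & 0x0F) * 4          # IHL is in 32-bit words: multiply by 4
    flags = flags_frag >> 13                    # top three bits: reserved ("evil"), DF, MF
    frag_field = flags_frag & 0x1FFF            # low 13 bits, in 8-byte units
    return {"version": ver_ihl >> 4, "header_len": header_len, "total_len": total_len,
            "id": ident, "evil": bool(flags & 4), "df": bool(flags & 2), "mf": bool(flags & 1),
            "frag_offset_field": frag_field,
            "frag_offset_bytes": frag_field * 8,    # fragment offset: multiply by 8
            "ttl": ttl, "proto": proto,
            "src": ".".join(map(str, packet[12:16])), "dst": ".".join(map(str, packet[16:20])),
            "payload": packet[header_len:total_len]}


def parse_tcp(segment):
    sport, dport, seq, ack, off_res, ctrl, window = struct.unpack("!HHIIBBH", segment[:16])
    header_len = (off_res >> 4) * 4             # data offset is in 32-bit words: multiply by 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "header_len": header_len,
            "control_byte": ctrl,               # the byte a BPF filter reads as tcp[13]
            "control_bits": [n for i, n in enumerate(CONTROL_BITS) if ctrl & (1 << i)],
            "payload": segment[header_len:]}


def is_syn_ack(segment, exact=True):
    """'tcp[13] = 0x12' is the exact form; the looser 'tcp[13] & 0x12 = 0x12'
    also accepts a SYN-ACK that carries the ECN ECE bit."""
    ctrl = parse_tcp(segment)["control_byte"]
    return ctrl == 0x12 if exact else (ctrl & 0x12) == 0x12


if __name__ == "__main__":
    eth = parse_ethernet(SYN_ACK_FRAME)
    ip = parse_ipv4(eth["payload"])
    tcp = parse_tcp(ip["payload"])
    print(f"{eth['src_mac']} -> {eth['dst_mac']}, IP header {ip['header_len']} B, "
          f"TCP header {tcp['header_len']} B, data at frame offset "
          f"{ETH_LEN + ip['header_len'] + tcp['header_len']}, bits {tcp['control_bits']}")
    frag = parse_ipv4(parse_ethernet(FRAG_FRAME)["payload"])
    print(f"fragment: MF={frag['mf']} field {frag['frag_offset_field']} = byte {frag['frag_offset_bytes']}")
    print("hexdump round-trips:", hexdump_to_bytes(SAMPLE_HEXDUMP) == SYN_ACK_FRAME[ETH_LEN:])
```

Running it prints the 20-byte IP and TCP headers, a data offset of 54 into the frame, the fragment at byte 1480 of its datagram, and a successful round trip of the hex dump. Feed real `tcpdump -xx -s0` output to hexdump_to_bytes and the same functions apply; with plain `-x` start at parse_ipv4.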

Day 5

Scapy

root@packetrix:/home/sans/Exercises/bootcamp_handson/snort# cat /root/.scapy_history
ls()                          # list every layer type scapy knows
ls(IP)                        # fields of the IP layer with their defaults
ls(TCP)
i=IP(dst="127.0.0.1")
ls(i)                         # ls() on an instance shows the values actually set
t=TCP(dport=31337)
ls(t)
t.sport=80                    # fields can be changed after construction
ls(t)
p="this is evil payload"      # a str becomes the Raw payload layer
send(i/t/p)                   # stack layers with "/"; send() is layer 3, the kernel adds Ethernet
ip.show()                     # NameError: the variable is i, not ip (previous error)
i.show()                      # show() prints every field, unset ones at their defaults
help(sr)                      # send/receive, returns (answered, unanswered)
help(sendp)                   # layer-2 send: you supply the Ether() header yourself
help(send)
help(srp)                     # layer-2 send/receive
help(sr)
help(srp1)                    # the ...1 variants return only the first answer
help(sr1)
t.show()
t=TCP(dport[111,80,2049])     # typo, missing "=": NameError on dport
t=TCP(dport=[111,80,2049])    # a list in a field means one packet per value
send(i/t/p)                   # sends 3 packets
t=TCP(dport=(80,200))         # a (start,stop) tuple is an inclusive range: 121 packets
send(i/t/p)
sr(IP(dst=["127.0.0.1","127.0.0.2"])/TCP(dport = (80,90), flags="S"))   # 2 hosts x 11 ports = 22 SYNs
# Ctrl-C to stop waiting for answers (scapy does not see loopback replies on Linux, so sr() to 127.0.0.1 never completes)
sr(IP(dst="127.0.0.1/24")/TCP(dport = (80,90), flags="S"))              # a CIDR expands too: 256 hosts x 11 ports
send(IP(dst="127.0.0.1/24")/TCP(dport = (80,90), flags="S"))
help wireshark                # SyntaxError: help is a function
help(wireshark)
wireshark(i,t,p)              # wrong: three separate arguments
wireshark(i/t/p)              # hands the built packet to Wireshark
help(snif)                    # typo
help(sniff)
help(sendp)
help(rdpcap)                  # read a pcap file into a packet list

Day 6

GNU Core Utilities (the standard Unix command-line tools; Windows ports exist, e.g. GnuWin32) - http://www.gnu.org/software/coreutils/

Unix Power Tools - http://proquest.safaribooksonline.com/book/operating-systems-and-server-administration/unix/0596003307/firstchapter

Snort Cookbook - http://proquest.safaribooksonline.com/0596007914/snortckbk-CHP-1-SECT-3?reader=html&imagepage=#X2ludGVybmFsX0ZsYXNoUmVhZGVyP3htbGlkPTA1OTYwMDc5MTQvc25vcnRja2JrLUNIUC0xLVNFQ1QtMTQ=

Count source IPs (the clients) in a pcap for traffic to port 443. With -q tcpdump prints one terse line per packet, "time IP src.sport > dst.dport: ...", so the third space-separated field is src.sport and its first four dot-separated fields are the IPv4 address. sort before uniq -c: uniq only merges adjacent duplicate lines.

tcpdump -nnqr .pcap 'dst port 443' | cut -f 3 -d " " | cut -f 1-4 -d "." | sort | uniq -c | sort -rn

Which ports accepted connections: a SYN-ACK (tcp[13] = 0x12, SYN and ACK set and nothing else) is sent by the listening side, so the source port of those packets (the fifth dot-separated field of src.sport) is the service port. The exact match misses SYN-ACKs with ECN's ECE bit set; 'tcp[13] & 0x12 = 0x12' catches those too.

tcpdump -nnqr .pcap 'tcp[13] = 0x12' | cut -f 3 -d " " | cut -f 5 -d "." | sort | uniq -c | sort -rn

grep with trailing context, 5 lines after each match (-B for lines before, -C for both):

grep -A 5

Mike Poor

  • mike@inguardians.com (work)
  • mikepoor@mac.com (personal)
  • twitter – @mike_poor (private)
  • 1 240 338 4882 Cell Phone

tcpdump tip: a crude "follow the stream" with tcpdump. -w- writes the matching packets in pcap form to stdout, and strings then pulls the printable payload out of them. Nothing is reassembled, so retransmitted or out-of-order segments appear as captured.

tcpdump -nn -r challenge.pcap 'host 200.184.43.197 and tcp port 1716' -w- |strings

Same idea for everything sent to one host (pcap on stdout, so pipe it into strings or another reader such as tcpdump -r -):

tcpdump -nn -r challenge.pcap 'dst host 192.168.1.254' -w-

SiLK shows a discrepancy between what the syslog server logged and what the honeypot saw; the difference is traffic the honeypot owner blocked.

rwfilter reads SiLK flow files, not raw pcap (convert first, e.g. with rwp2yaf2silk), and its options take two dashes. --fields=1-8 in rwcut is sIP, dIP, sPort, dPort, protocol, packets, bytes, flags.

rwfilter challenge.pcap --saddress=192.168.1.254 --pass=stdout |rwcut --fields=1-8
Last modified: 2012/05/03 20:11