I'm trying to run snort in windows, but instead of using -i eth0, can i use remote (rpcap). I'm using windows 7 in vmware
Here is the command i run
c:\Snort\bin>snort -c c:\Snort\etc\snort.conf -l c:\Snort\log --daq pcap --daq-mode inline -i rpcap://[xx.xxx.xxx.xx]:2002/\Device\NPF_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}
I run on ERROR:pcap does not support inline
run command snort --daq-list; the result is
Available DAQ modules:
pcap(v3): readback live multi unpriv
Please help, how can i connect and collect data to my remote machine.
Many thanks!
Your problem is that you are trying to operate in inline mode and read a pcap, which doesn't make sense. You would do one or the other. Notes:
The argument "--daq pcap" isn't required for you because pcap is the default, but this won't cause any problems, just a note.
The argument "--daq-mode inline" should be completely removed from the command. You are playing a pcap so the device isn't inspecting traffic inline, it doesn't make any sense to use this here.
Using the -i option is for specifying the interface to listen on. You don't want to specify a pcap file here. Since you are replaying a pcap you need to change this argument to "-r". snort help for this option: -r <tf> Read and process tcpdump file <tf>
Your command should be as follows:
c:\Snort\bin>snort -c c:\Snort\etc\snort.conf -l c:\Snort\log -r rpcap://[xx.xxx.xxx.xx]:2002/\Device\NPF_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}
Related
I am trying to make a program that automatically lists all of the connections to my computer from outside of the router. The end goal of this script is that I would like to be able to have a clean list of the external IP addresses of every server/website I am connecting to. I am also trying to use this as a way to learn more about how networks, websites, and servers work so I am sorry for any mistakes I make with terminology and general knowledge!
My tcpdump bash script:
while :
do
# get myip and assign it to a variable
myip="$(ifconfig wlp2s0 | grep -E -o -m 1 "inet................" | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")"
# tcpdump on my ip for all packets going to or from my ip address. the ipaddress of the packets is placed in IP Address.txt
sudo tcpdump -c 1 -nn host "$myip" | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" >> IPaddress.txt
done
I thought that tcpdump would be the tool for this however I confess that I do not know how tcpdump works. This script is a bash file that I am running through ubuntu. How would I use tcpdump to collect the IP address of every website that I am connecting to? I read the tcpdump documentation and believe it can help me achieve my goal however if there are better tools out there I would love to hear it! Currently, this code only displays internal IP addresses. ;(
I'd lean more towards using ss or netstat.
ss --all --ipv4
Would show all IPv4 connections.
The same works for IPv6 of course; and you could add one of many arguments to get more detailed information if you want, such as --processes, --extended, or --info.
There's also a few more arguments to control the output format, making it more suitable for parsing:
ss --all --ipv4 --processes --no-header --oneline
Suggest to follow ss command .
Learn about ss command here.
Is there any possibility to capture packets by tcpdump from all devices in MacOS?
In Linux I would use 'sudo tcpdump -i any'. In my MacOS when I execute 'sudo tcpdump -D', I don't see "any" pseudo-device.
Per #ChristopherMaynard:
tcpdump docs specify any as working on linux: On Linux systems with 2.2 or later kernels, an interface argument of ``any'' can be used to capture packets from all interfaces. However, it is not actually OS-specific.
tcpdump accepts the any interface on macos in my testing, so in answer to your question, the analog of any on linux is any on macos:
bash-5.0 $ sudo tcpdump -i any
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
09:43:57.789302 IP6 dsldevice7.attlocal.net.domain > 2600:1700:a700:7340:6dad:2758:c536:f29f.56483: 4283 1/0/0 SOA (85)
09:43:57.789324 IP6 2600:1700:a700:7341:6dad:2759:c536:f29f > dsldevice7.attlocal.net: ICMP6, destination unreachable, unreachable port, 2600:1700:a700:7340:6ded:2759:c536:f29f udp port 56423, length 141
...
tcpdump should have the same options (manpage)
on both macos and linux, apart from those detailed below. If you have an older version of tcpdump (my version is 4.9.3/Apple version 83.200.3), you can update it with brew install tcpdump.
Macos/Linux Tcpdump Differences
You should still look at the manpages when in doubt, but this is a summary of differences:
Linux
-Q direction : Choose send/receive direction (in/out/inout)
Macos
-k : Control display of packet metadata
-Q : Specify a filter expression based on packet metadata
-P : Save to pcapng
Note: Unlike Linux or *BSD, Macos does not support -Q direction.
In the provisioning part of vagrant guide, there is a command wget -qO- 127.0.0.1 to check if apache is installed property.
Can anyone explain the command more in detail? I dont understand what the -qO- option does. Also, what is the meaning of wget to 127.0.0.1?
Thanks!
The dash after the O instructs output to go to standard output.
The q option means the command should be "quiet" and not write to standard output.
The two options together mean the instruction can be used nicely in a pipeline.
As far as added 127.0.0.1 as the source of the wget, that is there to make sure you have a local webserver running. Running wget on the commandline is faster than bringing up a browser.
I am working in Hosted Chef environment in windows.We have a UI from where we run Chef Scripts.When there are no parameters to be passed we just select the script to be executed and run the batch file with knife commands in the background execute the scripts.
Now I need to pass parameters dynamically to the recipes.I have tried adding attributes in the attribute file.It is working fine.But each time, I need to download and change the attributes and upload the recipes to chef server and run it using batch file which is quite tedious and time consuming.
Is there any other way to fulfil this requirement ?
Thanks for your help.
You can use environment variables in your recipe code, but that is often very brittle. You can also read a local file either via the -j option mentioned above or by just opening and reading the file yourself in your recipe code. There is no direct way to pass parameters to recipes, and it generally indicates you are doing something non-convergent.
You can add attributes to the chef-client call directly. That kills the "when there are no parameters to be passed", but it does allow you to get attributes in at run-time. There are two ways to do this. Either you pass in a file with the -j option (which might work nicely with your GUI), or you can hack it. This hack works with linux, not sure how you'd do it with windows, but I'm sure there is a similar option.
echo '{ "myjson": "here" }' | chef-client -j /dev/stdin
Or if you are using winrm to run chef-client something like this:
knife winrm -m ipaddress 'echo "{ \"param\":\"test\"}" | chef-client -c c:/ chef/client.rb -j /dev/sdin' -m -x Administrator -P '######'
That assumes you have a linux machine on the other end. Otherwise, I'm not sure how to read stdin as if it were a file. -j /dev/stdin probably won't work for windows clients.
What's the best approach to update an /etc/rc.conf configuration file programmatically?
Specifically, on an arch linux machine, I want to be able to programmatically update
DAEMONS=(syslog-ng network sshd ntpd netfs crond)
to
DAEMONS=(syslog-ng network sshd ntpd netfs crond postgresql)
after postgresql is successfully installed via pacman.
I presume I can write a function that does something like:
line="DAEMONS=(syslog-ng network sshd ntpd netfs crond)"
sed -i "/${line}/ s/)/ postgresql)/" /etc/rc.conf
specifically to handle this postgresql scenario.
However, going one step further, is there a more generic way (using a library if there's one you can recommend) that programmatically includes my service (such as memcached, or like a task server like zeromq etc) in the DAEMONS parameter in my /etc/rc.conf file?
I wouldn't know about a generic way (there seems to be very few tools which do any parsing and modification of shell code), but one way to update a simple array like this one could be to actually read it, change it, then write back the whole line - Something like this:
source /etc/rc.conf
DAEMONS+=(postgresql)
sed -i -e s/'^DAEMONS=.*'/"DAEMONS=(${DAEMONS[#]})"/ /etc/rc.conf