Well, I did learn something yesterday and a few days back, from reading Mr. Bejtlich's article in (IN)SECURE Magazine (Issue 4, Oct 2005) and also from a conversation with my friend geek00l. From the article I learnt what to see, what to look for and how to properly use the trace files that we have by using open source tools, most of them (I think all of them) available on FreeBSD and perhaps other OSes as well, such as argus, tcpdstat and tcpflow (now radump can be used). And my friend geek00l showed me how to trace passive FTP traffic (a good example, btw) with argus (ragrep, ra, radump) and even showed that detecting IPv6 passive FTP traffic is simpler than IPv4. I told you he is good.

So perhaps in my next postings I can show that from this:

16:12:14.510121 IP 192.168.8.1.2265 > 192.168.8.130.http: S 3484844009:3484844009(0) win 65535 <mss 1460,nop,nop,sackOK>
16:12:14.510121 IP 192.168.8.130.http > 192.168.8.1.2265: S 3687266312:3687266312(0) ack 3484844010 win 65535 <mss 1460,sackOK,eol>
16:12:14.510121 IP 192.168.8.1.2265 > 192.168.8.130.http: . ack 1 win 65535
16:12:14.511997 IP 192.168.8.1.2265 > 192.168.8.130.http: P 1:41(40) ack 1 win 65535
16:12:14.520966 IP 192.168.8.130.http > 192.168.8.1.2265: . 1:1461(1460) ack 41 win 65535
16:12:14.521462 IP 192.168.8.130.http > 192.168.8.1.2265: P 1461:1840(379) ack 41 win 65535
16:12:14.521486 IP 192.168.8.1.2265 > 192.168.8.130.http: . ack 1840 win 65535

we get this (statistical data):

StartTime: Tue Apr 17 16:12:14 2007
EndTime: Tue Apr 17 16:12:24 2007
TotalTime: 10.93 seconds
TotalCapSize: 0.86MB CapLen: 512 bytes
# of packets: 2694 (1.17MB)
AvgRate: 974.33Kbps stddev:1162.70K

### IP flow (unique src/dst pair) Information ###
# of flows: 2 (avg. 1347.00 pkts/flow)
Top 10 big flow size (bytes/total in %):
75.0% 25.0%

### IP address Information ###
# of IPv4 addresses: 2
Top 10 bandwidth usage (bytes/total in %):
100.0% 100.0%
### Packet Size Distribution (including MAC headers) ###
<<<<
[ 32- 63]: 720
[ 64- 127]: 28
[ 128- 255]: 7
[ 256- 511]: 833
[ 512- 1023]: 820
[ 1024- 2047]: 286

protocol packets bytes bytes/pkt
------------------------------------------------
[0] total 2694 (100.00%) 1230404 (100.00%) 456.72
[1] ip 2694 (100.00%) 1230404 (100.00%) 456.72
[2] tcp 2662 ( 98.81%) 1228043 ( 99.81%) 461.32
[3] http(s) 1234 ( 45.81%) 914754 ( 74.35%) 741.29
[3] http(c) 1150 ( 42.69%) 297133 ( 24.15%) 258.38
[3] squid 12 ( 0.45%) 696 ( 0.06%) 58.00
[3] other 266 ( 9.87%) 15460 ( 1.26%) 58.12
[2] udp 12 ( 0.45%) 1085 ( 0.09%) 90.42
[3] dns 3 ( 0.11%) 338 ( 0.03%) 112.67
[3] other 9 ( 0.33%) 747 ( 0.06%) 83.00
[2] icmp 20 ( 0.74%) 1276 ( 0.10%) 63.80

And from there, look at the session data:

StartTime Flgs Type SrcAddr Sport Dir DstAddr Dport SrcPkt DstPkt SrcBytes DstBytes State

17 Apr 07 16:12:14 tcp 192.168.8.1.2265 -> 192.168.8.130.80 6 5 372 2117 FIN
17 Apr 07 16:12:14 tcp 192.168.8.1.2267 -> 192.168.8.130.80 6 5 478 2174 FIN

and see what actually happened (I'm using tcpflow instead of radump; basically ragrep and radump are faster). I have some minor problems with argus 3, and I can hear geek00l laughing his head off.

192.168.008.001.02320-192.168.008.130.00080: GET /iissamples/ HTTP/1.1
Connection: Keep-Alive
Host: ayoimonitoring
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

192.168.008.130.00080-192.168.008.001.02320: HTTP/1.1 404 Not Found
Date: Tue, 17 Apr 2007 08:12:20 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4 with Suhosin-Patch
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

And we might even see what alerts were triggered, or use the alerts to investigate using the session and full content data as above.

[**] [1:993:11] WEB-IIS iisadmin access [**]
[Classification: Web Application Attack] [Priority: 1]
04/17-16:12:20.595945 192.168.8.1:2320 -> 192.168.8.130:80
TCP TTL:128 TOS:0x0 ID:12258 IpLen:20 DgmLen:329 DF
***AP*** Seq: 0x6E6D2495 Ack: 0xC519A20F Win: 0xFDE9 TcpLen: 20

[**] [1:1402:7] WEB-IIS iissamples access [**]
[Classification: Web Application Attack] [Priority: 1]
04/17-16:12:20.598448 192.168.8.1:2320 -> 192.168.8.130:80
TCP TTL:128 TOS:0x0 ID:12259 IpLen:20 DgmLen:331 DF
***AP*** Seq: 0x6E6D25B6 Ack: 0xC519A427 Win: 0xFBD1 TcpLen: 20
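As an added example (my own illustration, not code from the post or from argus), here is a small Python script that folds the tcpdump full-content lines at the top of this post into argus-style session records (initiator, packet and payload-byte counts per direction, and a REQ/CON/FIN/RST state), which is the step ra performs between full content and session data. It assumes the classic tcpdump TCP line format shown above; because the post only shows the first seven packets of the 2265 connection, the record ends in CON rather than the FIN that ra reports for the complete session.

```python
import re
from collections import OrderedDict

# Constructed sample input: the tcpdump lines from the post (one HTTP session).
TRACE = """\
16:12:14.510121 IP 192.168.8.1.2265 > 192.168.8.130.http: S 3484844009:3484844009(0) win 65535 <mss 1460,nop,nop,sackOK>
16:12:14.510121 IP 192.168.8.130.http > 192.168.8.1.2265: S 3687266312:3687266312(0) ack 3484844010 win 65535 <mss 1460,sackOK,eol>
16:12:14.510121 IP 192.168.8.1.2265 > 192.168.8.130.http: . ack 1 win 65535
16:12:14.511997 IP 192.168.8.1.2265 > 192.168.8.130.http: P 1:41(40) ack 1 win 65535
16:12:14.520966 IP 192.168.8.130.http > 192.168.8.1.2265: . 1:1461(1460) ack 41 win 65535
16:12:14.521462 IP 192.168.8.130.http > 192.168.8.1.2265: P 1461:1840(379) ack 41 win 65535
16:12:14.521486 IP 192.168.8.1.2265 > 192.168.8.130.http: . ack 1840 win 65535
"""

# One tcpdump TCP line: timestamp, endpoints, flag letters, optional seq range with payload length.
LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)"
                  r"(?: \d+:\d+\((?P<len>\d+)\))?")

def sessions(trace):
    """Fold packet lines into bidirectional session records keyed by endpoint pair."""
    flows = OrderedDict()
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # non-TCP or unparsable line: skip rather than miscount
        src, dst, flags = m["src"], m["dst"], m["flags"]
        key = tuple(sorted((src, dst)))
        rec = flows.setdefault(key, {"start": m["ts"], "src": src, "dst": dst,
                                     "spkts": 0, "dpkts": 0, "sbytes": 0, "dbytes": 0,
                                     "state": "REQ" if "S" in flags else "CON"})
        # The endpoint seen first is treated as the initiator (argus' SrcAddr).
        side = "s" if src == rec["src"] else "d"
        rec[side + "pkts"] += 1
        rec[side + "bytes"] += int(m["len"] or 0)   # payload bytes only, not headers
        if "R" in flags:
            rec["state"] = "RST"
        elif "F" in flags:
            rec["state"] = "FIN"
        elif "S" in flags and side == "d" and rec["state"] == "REQ":
            rec["state"] = "CON"    # SYN/ACK answered the SYN: connection established
    return list(flows.values())

def format_session(rec):
    """Render a record in roughly the column order of argus' ra output."""
    return "%s tcp %s -> %s %d %d %d %d %s" % (
        rec["start"], rec["src"], rec["dst"], rec["spkts"], rec["dpkts"],
        rec["sbytes"], rec["dbytes"], rec["state"])

if __name__ == "__main__":
    for rec in sessions(TRACE):
        print(format_session(rec))
```

Note that the byte columns count TCP payload, whereas ra's SrcBytes/DstBytes (372 and 2117 above) include link, IP and TCP headers, which is why the two do not match exactly.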
