TCP/UDP Logfile Analysis: Overview of the Scripts

TCP/UDP Logfile Analysis SOP
Stephen Northcutt
Updated: 10/08/96

This is a high-level overview of the scripts that can be used
to parse logfiles. The scripts are located on gumby in
/usr/local/bin.

The primary driver script is now viceget.sh, which brings down
the three data files. viceget.sh is called by cron a little after
midnight.

INAPPROPRIATE USE:

Default method: getit.sh will bring down the current snif file and
run keyword.sh on it for you.

- pornsites.sh reads a LOGGER file to scan for cases of local
hosts making connections to a primarily sexually explicit site.
Data is appended to the file porn.dat in the directory from which
you run the program. usage porn.sh logfile

- keyword.sh reads a SNIF file to scan for keywords that
indicate inappropriate use. Data scrolls down your screen.
Usage keyword.sh snif.datafile OR, if you don't have scrollback,
keyword.sh snif.datafile > some.tmp.file
NOTE: infodisc.sh, politics.sh, violence.sh, and querytrack.sh
are subject-matter-oriented first cousins of keyword.sh.

- skeyword.pl reads a SNIF file to scan for keywords that
indicate inappropriate use. Information is printed by
originating subnet. Usage keyword.pl snif.datafile
NOTE: the purpose of this program is to begin to transfer
responsibility for handling this information to line
management and to employees themselves.

- stringhunter.pl reads one or more SNIF files to scan for a
keyword and produce formatted output. This tool
is valuable for parsing a lot of data.
Usage stringhunter.pl string snif.file.descriptor

- iphunter.pl reads one or more SNIF files to scan for a
numeric IP host and produce formatted output. This tool
allows the analyst to focus on the activities of a
particular AIS for a day/month ...
Usage iphunter.pl ipaddr snif.file.descriptor

INTRUSION DETECTION:

- inpattern.pl reads a LOGGER file to scan for
a given incoming pattern. For instance, to search
for ftp servers: inpattern.pl logfile ftp. It will take
either alpha or numeric (inpattern.pl logfile 25) patterns.

- outpattern.pl reads a LOGGER file to scan for
a given outgoing pattern. For instance, to search
for ftp servers: outpattern.pl logfile ftp. It will take
either alpha or numeric (inpattern.pl logfile 25) patterns.

- ipspoof.pl reads a LOGGER file to scan for the
case of src/dest host both being in 128.38. NOTE: requires a
file extracted with the "-n" option. usage ipspoof.pl logfile

- inftp.sh reads a LOGGER file to scan for incoming ftp
connections. These are sorted, uniq'd and counted.
NOTE: results are written to /tmp/inftp.unq
usage inftp.sh logfile

- innumericport.pl reads a LOGGER file to scan for incoming
numeric TCP ports, i.e. ports with no entry in /etc/services.
The logic therefore requires a well thought out /etc/services
file: if everything in the world is annotated, this program will
not detect anything; if nothing is annotated, the program will
overwhelm you with information (or at least data). The stock
/etc/services file will probably serve as a decent reference
for a good balance.
usage innumericport.pl file_pattern

*INTRUSION DETECTION TOOLS FOR TIMES OF UTTER CLUELESSNESS
*The following tools are rather brute force, but they do
*manipulate data, so when I don't know what I am looking for
*I can turn to these guys. They are also good tools for learning
*the ebbs and flows of our traffic.

- incoming.sh reads a LOGGER file to scan for incoming
connections and then sorts them by type and number of
connections. This script depends on incoming.pl.

- incoming.extract.pl reads a SNIF file to scan for incoming
connections, reduces the data and prints it.
usage incoming.extract.pl snif_filedes

KEEP TRACK OF THINGS:

- nonnswcnet.pl reads a LOGGER file to scan for the
case of neither src nor dest host being nswc (either words or numbers).
usage nonnswcnet.pl logfile

- nonreghosts.pl reads a LOGGER file to scan for the
case of a local host where name lookup failed. NOTE: requires a
file NOT extracted with the "-n" option. usage nonreghosts.pl logfile
NOTE: nonreghosts.sh does the same task, but reduces the output
considerably.

- nonreghosts.sh reads a LOGGER file to scan for the
case of a local host where name lookup failed. The output
will be the number of accesses from a host and its IP address.
usage nonreghosts.sh logfile

- tcplogstats.pl reads one or more LOGGER files to determine
certain base statistics: service, #accesses, percent of total.
usage tcplogstats.pl logfile or group of logfiles
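Neither the innumericport.pl nor the tcplogstats.pl source appears on this page; as an added illustration (not Northcutt's code), the Python below implements both ideas over a constructed LOGGER sample in an assumed "src_ip src_port dst_ip dst_port" layout, with 128.38.0.0/16 taken as the local network and a constructed stand-in for /etc/services deciding which ports count as annotated.

```python
import ipaddress
from collections import Counter

# Constructed sample in an ASSUMED LOGGER layout "src_ip src_port dst_ip dst_port";
# the real 1996 LOGGER format is not shown on the page.
LOGGER_SAMPLE = """\
192.0.2.10 40123 128.38.1.5 25
192.0.2.10 40124 128.38.1.5 21
198.51.100.7 51000 128.38.2.9 31337
198.51.100.7 51001 128.38.2.9 31337
203.0.113.4 3300 128.38.1.5 80
128.38.1.5 25 192.0.2.10 40123
"""
# Constructed stand-in for /etc/services: only ports listed here count as annotated.
SERVICES_SAMPLE = """\
ftp   21/tcp
smtp  25/tcp
http  80/tcp
"""
LOCAL_NET = ipaddress.ip_network("128.38.0.0/16")  # the page's own local prefix

def load_services(text):
    """Map TCP port -> service name, ignoring comments as /etc/services allows."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[1].endswith("/tcp"):
            names[int(fields[1].split("/")[0])] = fields[0]
    return names

def incoming_ports(logger_text):
    """Destination ports of connections from outside into LOCAL_NET (outgoing lines skipped)."""
    for line in logger_text.splitlines():
        src, _sport, dst, dport = line.split()
        if ipaddress.ip_address(dst) in LOCAL_NET and ipaddress.ip_address(src) not in LOCAL_NET:
            yield int(dport)

def numeric_ports(logger_text, services_text):
    """innumericport.pl idea: incoming hits on ports /etc/services does not annotate."""
    names = load_services(services_text)
    return dict(Counter(p for p in incoming_ports(logger_text) if p not in names))

def service_stats(logger_text, services_text):
    """tcplogstats.pl idea: (service, #accesses, percent of total), busiest first."""
    names = load_services(services_text)
    hits = Counter(names.get(p, str(p)) for p in incoming_ports(logger_text))
    total = sum(hits.values())
    return [(svc, n, round(100.0 * n / total, 1)) for svc, n in hits.most_common()]
```

Annotating 31337/tcp in the services stand-in makes it vanish from numeric_ports() while it still shows up in service_stats(), which is exactly the /etc/services balance the note above describes.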