Friday, March 28, 2008

Sancp: Pcap Index

We have been discussing pcap indexing in #snort-gui lately; an index lets us retrieve the network data for a record quickly instead of scanning the whole capture. I first learned about this feature while using Time Machine, which will be integrated with Bro-IDS; I especially like their Time Machine framework, which is illustrated here.

Sancp 1.6.2 beta has quite a few new features, and one of them is exactly what the discussion above was about: a pcap index. We are looking forward to the pcap index so that we can retrieve pcap data by index rather than carving it out manually with tcpdump or other tools. Hopefully a future Sguil release will support this so we can just right-click and obtain the pcap from a sancp record.

I was not sure how to do it with sancp when I took my first look at 1.6.2 beta; after an email exchange with my friend John, I finally worked out how. Here's the simple howto -

shell>mkdir sancp-output

shell>echo "default index log" > sancp-pcapindex.conf

shell>echo "format index delimiter=| sancp_id output_filename start_pos stop_pos src_ip_dotted dst_ip_dotted ip_proto src_port dst_port" >> sancp-pcapindex.conf

shell>sancp -i eth0 -c sancp-pcapindex.conf -d sancp-output

The index file is created in sancp-output alongside the pcap data. Each line of the index is one record with the fields in the order given by the format line above; it looks like this -

5177639571328195257|sancp-output/pcap.eth1.1205513154|24|114|192.168.1.101|121.35.19.76|6|51570|80
5177639571328196206|sancp-output/pcap.eth1.1205513154|114|204|192.168.1.101|86.1.191.36|6|50397|13322
5177639571328204971|sancp-output/pcap.eth1.1205513154|204|294|192.168.1.101|219.77.117.51|6|35860|6881
5177639571328205574|sancp-output/pcap.eth1.1205513154|294|384|192.168.1.101|219.90.206.228|6|53729|55265
5177639571328206646|sancp-output/pcap.eth1.1205513154|384|474|192.168.1.101|76.122.33.223|6|45014|22100
5177639571328208237|sancp-output/pcap.eth1.1205513154|474|1984|220.140.112.45|192.168.1.101|6|20315|60025
Output truncated ...

To extract the pcap for a given index record, you can use getpcapfromsancpindex.pl, which is also written by Jlcurry. Download it first -

shell>wget http://metre.net/file/getpcapfromsancpindex.pl

Now you can grep the index for the record you want and extract the corresponding packet data by executing -

shell>fgrep "5177639571328208237|sancp-output/pcap.eth1.1205513154|474|1984|220.140.112.45|192.168.1.101|6|20315|60025" sancp-output/index | ./getpcapfromsancpindex.pl 220-140-112-45

Let's examine the file -

shell>file 220-140-112-45
220-140-112-45: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)

Read it with tcpdump -

shell>tcpdump -ttttnnr 220-140-112-45
reading from file 220-140-112-45, link-type EN10MB (Ethernet)
2008-03-15 00:45:54.396653 IP 220.140.112.45.20315 > 192.168.1.101.60025: . 4279573104:4279574532(1428) ack 1270973978 win 65535
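The extraction step above, as an added example in Python (this is not sancp's own code and not Jlcurry's getpcapfromsancpindex.pl): it parses an index line laid out as the "format index" line in the config, copies the 24-byte libpcap global header from the source capture and appends the byte range start_pos..stop_pos, so the result is a valid pcap that file and tcpdump can read. It assumes start_pos/stop_pos are byte offsets into the pcap file (the listing's first record starts at 24, just after the global header); the capture and index line in the block are constructed for the example.

```python
"""Extract one connection's packets from a sancp capture via its index record.
Added example, not sancp's own code nor Jlcurry's getpcapfromsancpindex.pl.
Field order follows the 'format index' line above; start_pos/stop_pos are
assumed to be byte offsets into the pcap file (the listing's first record
starts at 24, right after the libpcap global header)."""
import struct

PCAP_GLOBAL_HDR_LEN = 24  # libpcap file header
PCAP_REC_HDR_LEN = 16     # per-packet header: ts_sec, ts_usec, incl_len, orig_len
INDEX_FIELDS = ("sancp_id", "output_filename", "start_pos", "stop_pos",
                "src_ip_dotted", "dst_ip_dotted", "ip_proto", "src_port", "dst_port")

def parse_index_line(line):
    """Split one '|'-delimited index record into a dict; numeric fields become ints."""
    values = line.strip().split("|")
    if len(values) != len(INDEX_FIELDS):
        raise ValueError("malformed index line: %r" % line)
    rec = dict(zip(INDEX_FIELDS, values))
    for key in ("start_pos", "stop_pos", "ip_proto", "src_port", "dst_port"):
        rec[key] = int(rec[key])
    return rec

def extract_pcap(pcap_bytes, rec):
    """Return a stand-alone pcap: source global header + bytes [start_pos, stop_pos)."""
    start, stop = rec["start_pos"], rec["stop_pos"]
    if start < PCAP_GLOBAL_HDR_LEN or stop <= start or stop > len(pcap_bytes):
        raise ValueError("index offsets fall outside the capture")
    return pcap_bytes[:PCAP_GLOBAL_HDR_LEN] + pcap_bytes[start:stop]

def count_packets(pcap_bytes):
    """Walk the per-packet headers; raise if a record runs past end of file."""
    pos, n = PCAP_GLOBAL_HDR_LEN, 0
    while pos + PCAP_REC_HDR_LEN <= len(pcap_bytes):
        incl_len = struct.unpack_from("<I", pcap_bytes, pos + 8)[0]
        pos += PCAP_REC_HDR_LEN + incl_len
        n += 1
    if pos != len(pcap_bytes):
        raise ValueError("truncated packet record")
    return n

def _record(payload, ts_sec):
    return struct.pack("<IIII", ts_sec, 0, len(payload), len(payload)) + payload

# Constructed sample capture: little-endian magic, v2.4, snaplen 65535, Ethernet.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _record(b"A" * 74, 1205513154)      # occupies bytes 24..114
               + _record(b"B" * 1494, 1205513155))   # occupies bytes 114..1624
# Constructed index line for the second record (id and addresses are made up).
SAMPLE_INDEX = ("5177639571328208237|sancp-output/pcap.eth1.1205513154|114|1624|"
                "220.140.112.45|192.168.1.101|6|20315|60025")
```

Writing extract_pcap(open(rec["output_filename"], "rb").read(), rec) to a new file gives the same kind of single-connection capture that the Perl script produces above.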

John (Jlcurry) has put up his own notes on how to use getpcapfromsancpindex.pl here -

http://metre.net/getpcapfromsancpindex.html

You can also read my interview with John about Sancp here.

Enjoy (;])
