Friday, May 25, 2007

rsync copy

It is annoying when I want to know the progress of a file copy and can't see it with the cp command. Hence I prefer to use rsync for this purpose, while most people usually use rsync for backups.

shell>rsync --progress -v ./dirty.pcap i-Pcaps/

dirty.pcap
520535973 100% 7.79MB/s 0:01:03 (xfer#1, to-check=0/1)

sent 520599601 bytes received 42 bytes 8071312.29 bytes/sec
total size is 520535973 speedup is 1.00

Not only can you see the progress, but also the elapsed time and the transfer rate. Don't you think it is lovely?

Enjoy ;]

Wednesday, May 23, 2007

Nepenthes: Disable Modules

I have been mentioning nepenthes (a low-interaction honeypot that collects malware), and apparently it is pretty easy to turn nepenthes modules (emulated vulnerable services) on or off. I don't want my nepenthes to listen on port 80 as I need port 80 for another application. Finding out which module owns port 80 is not obvious, though, so I grep the configuration files for it -

shell>grep '"80"' /etc/nepenthes/*.conf
/etc/nepenthes/log-surfnet.conf: "80",
/etc/nepenthes/vuln-asn1.conf: iisport "80";

The port is set by the vuln-asn1 module (iisport), so I just comment out that module in the nepenthes core configuration file, /etc/nepenthes/nepenthes.conf -

// "vulnasn1.so", "vuln-asn1.conf", ""

Pretty quick, isn't it? Restart nepenthes afterwards and confirm with netstat -an that nothing is listening on port 80 any more. I note it down here for my poor memory.

Peace ;]

Monday, May 21, 2007

At last .....

I can't resist posting this even though it has nothing to do with computer security, but hey, it is one of the best strategy games ever and I loved it when I was young. I'm wondering whether the release of this game will suck my time away.



I bet most of you won't forget this tactical game, which requires a lot of offensive and defensive thinking to turn a game around. Hopefully Blizzard will make it successful again. It's been about 10 years now ..... since 1997.

Rock & Roll ....

Enjoy (;])

Saturday, May 19, 2007

Argus 3.0: Cisco Netflow

Cisco NetFlow was originally invented to speed up routing with its flow cache, but these days it has proven useful in many other areas. One of my fields of interest is examining network flow data to track malicious events, but you are free to do any kind of interesting research with NetFlow data in hand.

Cisco has improved and added new features to its IOS; I have found a few new NetFlow features that look pretty interesting and let you capture more useful information. The most commonly used NetFlow version is 5. I would like to try out version 9 (shiny? If any of you use version 9, I would like to hear from you), however argus doesn't recognise NetFlow version 9 yet, thus I stick with the solid NetFlow version 5. So here I start exporting Cisco NetFlow data to the argus collector. Logged in to the Cisco router, I run the following commands -

ios#config t
ios(config)#ip flow-capture packet-length
ios(config)#ip flow-capture ttl
ios(config)#ip flow-capture icmp
ios(config)#ip flow-capture ip-id

I export NetFlow version 5 records to my argus collector (192.168.0.55) on UDP port 9996, using GigabitEthernet 0/0 as the source interface of the export packets. Note that the extra fields enabled with ip flow-capture above are only carried by the version 9 export format; with version 5 they are visible in the router's own flow cache (show ip cache verbose flow) but not in the exported records.

ios(config)#ip flow-export source GigabitEthernet0/0
ios(config)#ip flow-export version 5
ios(config)#ip flow-export destination 192.168.0.55 9996
ios(config)#ip flow-top-talkers
ios(config)#interface GigabitEthernet 0/0

Enable it on interface GigabitEthernet 0/0 for both ingress and egress flows -

ios(config-if)#ip route-cache flow
ios(config-if)#ip flow ingress
ios(config-if)#ip flow egress
Ctrl+z

Save it so it survives a reboot -

ios#copy run start

Once I have done the Cisco router configuration, I log in to my argus collector and run the following -

shell>rasplit -CS 9996 -M time 60m -n \
-w /nsm/argus/log/Net-DMZ/%Y/%m/%d/argus_%H:%M:%S

rasplit is one of the argus client tools; it splits the stream of records into consecutive files based on different criteria. The options -CS 9996 tell it to receive on port 9996 and to treat the input as Cisco NetFlow format, and -n turns off name lookups. The interesting part is that it splits the data hourly (-M time 60m) and writes each hour to its respective directory, derived from the strftime pattern given to -w.

To read the NetFlow data, just change to the directory /nsm/argus/log/Net-DMZ/2007/05/19 (for today) and read the files with ra or racluster.

All for now, have fun with the flow!

Cheers (;])

Tuesday, May 15, 2007

Graphing with rrdtool

RRDtool is widely used today for network-based graphing. If you want to learn how to use rrdtool to create graphs, here are some very good tutorials that I have found -

http://www.cuddletech.com/articles/rrd/rrdintro.pdf


http://merlin.com.ua/doc/rrd/tutorial/


http://www.study-area.org/tips/rrdtool/rrdtool.html

Or you can find all the tutorials available on the RRDtool website -

http://oss.oetiker.ch/rrdtool/tut/index.en.html


Cheers ;]

Saturday, May 12, 2007

SpyBye

Thanks to Adli, who told me about SpyBye (a malware-hunting proxy) developed by Niels Provos (the Honeyd guy), which you can find here -

http://www.spybye.org/


Getting it installed is pretty straightforward. I ran it for the first time (I always run a command line tool with -h first, habit sometimes kills :P) -

shell>./spybye -h
./spybye: invalid option -- h
./spybye: [-P] [-p port] [-g good] [-b bad]
-P disable private IP check; allows the proxy to fetch 127/8
-g good_patterns a file or url containing the good patterns
-b bad_patterns a file or url containing the danger patterns
for documentation of all options consult the man page

Starting it up -

shell>/usr/local/stow/spybye-0.2/bin $ ./spybye

SpyBye 0.2 starting up ...
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days. ***
LibClamAV Warning: *** Please update it IMMEDIATELY! ***
LibClamAV Warning: **************************************************
Loaded 108322 signatures
Virus scanning enabled
Report sharing enabled.
Making connection to www.monkey.org:80 for /~provos/good_patterns
Received 529 bytes from http://www.monkey.org/~provos/good_patterns
Added 30 good patterns
Making connection to www.monkey.org:80 for /~provos/bad_patterns
Received 3332 bytes from http://www.monkey.org/~provos/bad_patterns
Added 205 bad patterns
Starting web server on port 8080
Configure your browser to use this server as proxy.

I configured my browser manually to point to the local proxy (you can do it easily with SwitchProxy on Firefox) and started browsing the milw0rm site -

Making connection to 213.150.45.196:80
Received request for http://spybye.org/results/?url=http://www.milw0rm.com
Received request for http://spybye.org/styles/css
Caching 37418 bytes for http://www.milw0rm.com (unknown)
Virus scanned 37418 bytes; result: clean
Received request for http://spybye.org/results/?url=http://www.milw0rm.com
Received request for http://www.milw0rm.com/milw0rm.css (http://www.milw0rm.com/) from 127.0.0.1
Making connection to 213.150.45.196:80
Received request for http://spybye.org/styles/css
Caching 2348 bytes for http://www.milw0rm.com/milw0rm.css (harmless)
Virus scanned 2348 bytes; result: clean
Received request for http://www.milw0rm.com/images/dot.gif (http://www.milw0rm.com/) from 127.0.0.1
Making connection to 213.150.45.196:80
Received request for http://www.milw0rm.com/images/milw0rm-wi.jpg (http://www.milw0rm.com/) from 127.0.0.1
Making connection to 213.150.45.196:80
Received request for http://ypn-js.overture.com/partner/js/ypn.js (http://www.milw0rm.com/) from 127.0.0.1
Making connection to 72.30.33.29:80
Caching 804 bytes for http://www.milw0rm.com/images/dot.gif (harmless)
Virus scanned 804 bytes; result: clean
Caching 7038 bytes for http://ypn-js.overture.com/partner/js/ypn.js (unknown)
Received request for http://spybye.org/results/?url=http://www.milw0rm.com
Received request for http://spybye.org/styles/css
Virus scanned 7038 bytes; result: clean
Received request for http://ypn-js.overture.com/d/search/p/ypn/jsads/?Partner=9308575640&adwd=468&adht=60&ctxtUrl=http%3A//spybye.org/%3Furl%3Dwww.milw0rm.com&bg=000000&bc=000000&cc=141414&lc=00c000&tc=FFFFFF&uc=00c000&du=1&cb=1177662499468 (http://www.milw0rm.com/) from 127.0.0.1
Making connection to 72.30.33.29:80
Caching 2713 bytes for http://ypn-js.overture.com/d/search/p/ypn/jsads/?Partner=9308575640&adwd=468&adht=60&ctxtUrl=http%3A//spybye.org/%3Furl%3Dwww.milw0rm.com&bg=000000&bc=000000&cc=141414&lc=00c000&tc=FFFFFF&uc=00c000&du=1&cb=1177662499468 (unknown)
Virus scanned 2713 bytes; result: clean
Expiring dns entry for ypn-js.overture.com
Received request for http://spybye.org/results/?url=http://www.milw0rm.com
Received request for http://spybye.org/styles/css
Caching 44225 bytes for http://www.milw0rm.com/images/milw0rm-wi.jpg (harmless)
Virus scanned 44225 bytes; result: clean

Interestingly, it is reported as clean. Relying on ClamAV alone is not a perfect solution, but it is the only open source antivirus software available; I have many malware samples collected from my nepenthes honeypot that it does not seem to recognise as malware. Anyway SpyBye is a pretty interesting piece of software and you should use it if you suspect that your site contains malware. It can be used as a quick examination tool.

If you are interested in what Niels has done, including his contributions, check out -

http://www.citi.umich.edu/u/provos/

Enjoy ;]

raWPacket Sig and .....


The site is not online yet but hopefully soon. I'm currently working with a few guys to get the site up and running; its purpose is to create a signature repository for "not so popular or well known" network security tools such as tcpxtract, pads and fl0p (these are the current three in my mind), and to provide signature updates for them. Hopefully this kind of effort can increase the momentum of these tools' usage.

When the site goes live, anyone is free to contribute signatures and we won't take over signature ownership from you; credit is guaranteed.

If you have some in-house signatures that you have written previously and they are not bound by any legal restriction, I do wish you would share them with the community. All the signatures will be included in the raWPacket LiveCD so that any analyst can easily access them and perform the analysis directly.

It seems I'm trying to deliver a full suite of utilities (LiveCD, books) for network security analysts, and yes I am. I promise I will build a CD/DVD that contains pcap data from OpenPacket once it goes live too, so that anyone is free to learn from the network data with the tools in the LiveCD and the Network Security Analyst Handbook as the reference that comes along.

More to come but I'm tired now .....

Enjoy ;]

Friday, May 11, 2007

Network Forensic Chart

I came across the chart below when reading this article -

http://www.sandstorm.net/support/netintercept/downloads/ni-ieee.pdf


The chart illustrates what kind of information and data you can obtain from network-centric logs (pcap). The breakdown shows clearly all the forms of data that can be extracted when performing network forensics; this gives a very clear view to people who want to learn more about network forensics. It doesn't fully reflect the real world (data can be transferred via ICMP and so on), but it does deliver the idea.

The chart says it all .....

What are the open source tools that can be used to perform network forensics?
- tcpXtract
- tcpflow
- chaosreader
- dataecho

Others that I can't think of now .....

Cheers ;]

Hacker Halted?

Again my friend sent me another interesting link regarding an event for the cyber security industry in Malaysia. I think I should keep track of the news in The Star Tech from now on.

http://star-techcentral.com/tech/story.asp?file=/2007/5/1/technology/20070501101945&sec=technology

Malaysia needs more ethical hackers?
Unless you are talking about selling CEH training .....

But a capable IT security professional should also know how a hacker thinks
This is totally insane!!!!! Hacking is not something that can be learned through a training course unless it is delivered to someone who already has prior experience. Another questionable point is that lots of CEH trainers are not from the hacker community or background; many of them just started learning about hacking from the course, passed the exam and got the licence to be a CEH instructor. Thus they themselves are not hackers and don't even know how hackers think; all they know is the CEH training material.

"When a professional is certified as an ethical hacker, it shows he knows what he's doing and that would definitely give an employer more assurance (of the professional's skills),"
Is this for real? I still recall what was happening at the previous Hacker Halted conference in Malaysia. He or she may give the employer trouble too .....

According to EC-Council, IT security professionals should have practical experience with hacking but this should not involve illegal acts, of course.
Practical experience doesn't mean playing with all the Windows hacking tools either. Better to play with your toys or dolls then, and you won't end up in jail.

People often misunderstand the meaning of the phrase "ethical hacking," said Sanjay Bavasi, president of the EC-Council. "In this context, it does not refer to the ethics of a person but to the processes and methods used in a hack," he said.
The context is cool enough as it creates a pretty high level of confusion: the processes and methods used in the hacks determine the person rather than the contrary, and this can be taught!

"Since the concept is new, ECCouncil is often criticised for promoting 'legalised' hacking, but ethical hacking is necessary in security,"
This is nothing new.

For more information, you can check out the KL event at -

http://www.hackerhalted.com/

And if you are interested in their CTF event -
The hacking competition is open to all Malaysians and students of any nationality studying in Malaysia during the course of the competition. All entrants must register, receive acceptance of their registration from the organising committee and pay the registration fee of US$5000.

WOW, 5000 US dollars, and you must sign an agreement to participate in the game. I thought this was a joke (affordable for students?????). I'd rather use that money for the down payment when I buy a house.

Coincidentally their logo looks similar to the HITB logo, which uses a box as its symbol.

Seriously, I don't see any interesting hackers on the speakers list. I don't think the intention behind this conference is to create awareness or motivate IT security professionals to overcome potential threats or invasions of their systems, but more on .....

Hacker Halted, sorry, but there's no way to stop the hackers .....

Peace ;]

Saturday, May 05, 2007

Spammer: Love

It seems the spammer would like to show some love to me!!!!!

Beloved .....

Cheers ;]

Friday, May 04, 2007

linguistics

It is pretty enjoyable reading the articles written by Don Parker. I just came across this article he wrote recently and I think people who want to be network security analysts should read it.

http://www.securityfocus.com/columnists/443/

Don has pointed out that passing an exam and writing a practical paper by doing real work are two different things. That's definitely true, as the exam itself won't test the full set of skills required to be an efficient network security analyst. I have met a lot of people who collect certifications for the sake of employment and better pay. They forget that the real meat of living in the security industry should be passion, curiosity and continuously pursuing the necessary knowledge. Remember, security evolves over time.

I myself don't hold any GIAC certification, thus I don't have much comment on that; what I would like to emphasise here is the knowledge that must be acquired by a network security analyst. To be a decent network security analyst (I am still learning to be one), you must understand network protocols very well, especially the widely used ones such as TCP, UDP and ICMP. Other than that, you must be armed with at least one or two scripting languages to simplify your tasks as well as to deal with tricky incidents. Understanding technologies such as firewalls and intrusion detection/prevention systems is important too, but you may notice that if you don't have strong networking knowledge, you will have a hard time understanding those technologies.

I won't discuss further all the knowledge needed to be a network security analyst; that will be written in the Network Security Analyst: RoadMap section of my book, so hopefully my knowledge sharing will help the wannabes.

So what do you speak? I guess I speak hex most of the time.

Enjoy ;]

Wednesday, May 02, 2007

OpenBSD 4.1 Released

It's OpenBSD joy again: version 4.1 has just been released and you can check out all the details here -

http://www.openbsd.org/41.html

I plan to upgrade my box to 4.1 by following the guide -

http://www.openbsd.org/41.html#upgrade

Various new packages such as OpenOffice are available. It's time to test out all the new features when possible!

Cheers :]

Saturday, April 28, 2007

Deleting zer0 size files & Renaming files with '-' prefix

I didn't notice that my research honeypot's partition was full while it was collecting malware, hence it generated a lot of malware files of size 0 as there was no room for them. Since I have all of them collected under /var/nepenthes/binaries, I just execute the command below to delete all the files of size 0 -

shell>cd /var/nepenthes/binaries

shell>find . -type f -size 0 -exec rm -f -- '{}' \; -print

Then I list all the files again (-print only prints a name after the rm for it succeeded) -

shell>ls -la
total 808
drwxr-xr-x 2 root wheel 3584 May 4 19:49 .
drwxr-xr-x 7 root wheel 512 Jan 28 22:46 ..
-rw-r--r-- 1 root wheel 48808 Jan 29 20:31 06b6cd8fc0333df6a96a66910f0a285d
-rw-r--r-- 1 root wheel 8192 Jan 29 23:43 314b889b16b11886656c901656ffa847
-rw-r--r-- 1 root wheel 8192 Feb 1 20:05 579ab2f7e55c8ddc074603b82bb73ee4
-rw-r--r-- 1 root wheel 64464 May 4 19:49 6df903d10f7ad3ad688d90dba9380d3c
-rw-r--r-- 1 root wheel 58325 Jan 29 17:28 703a8118b285f85622db82e7350c16da
-rw-r--r-- 1 root wheel 40884 May 4 19:46 706e697ed520cc32027a525a645be1dd
-rw-r--r-- 1 root wheel 8192 Feb 1 05:54 a2628d55e482fac6448801187c0ce836
-rw-r--r-- 1 root wheel 158720 Jan 29 19:42 a4ed429c882f382b994b0860c5a9ced2
-rw-r--r-- 1 root wheel 8192 Feb 2 11:52 bc6595eff1398227ab0d4aa13acc20f4

I think I will need to write a script to automate the process by moving all the files under this directory to another partition when the /var partition is full, or else I will need to do it manually, which wastes my time.

Sometimes it is fun to poke at shell commands, especially for a tricky one: to rename all the files in the directory that have a '-' prefix so that the '-' is dropped, you can try the command below. Parameter expansion strips only the leading '-', so a name with further dashes such as -a-b becomes a-b (cut -d '-' would truncate it to a), and the '--' stops mv from treating the old name as an option.

shell>for f in ./-*; do [ -e "$f" ] && mv -- "$f" "${f#./-}"; done


I was asked how to do this and I think the command crafted above should do the job. Have fun.
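As an added example, not from the original post, here are the two clean-ups above as shell functions. The script runs against a scratch directory created with mktemp and filled with constructed file names (the md5-style names are made up, not real samples), so it is safe to execute anywhere.

```sh
#!/bin/sh
# Added example, not part of the original post: the zero-size purge and the
# '-' prefix rename as reusable functions, run against a constructed scratch
# directory so the script is safe to execute anywhere.
set -eu

# purge_empty DIR: remove every regular file of size 0 under DIR and print
# the names removed (-print only fires when the preceding -exec succeeded).
purge_empty() {
    find "$1" -type f -size 0 -exec rm -f -- '{}' \; -print
}

# strip_dash_prefix DIR: rename DIR/-name to DIR/name.
# ${base#-} drops exactly one leading '-', so '-a-b' becomes 'a-b' (the
# cut -d '-' approach would truncate it to 'a'); '--' stops mv from reading
# the old name as an option.
strip_dash_prefix() {
    dir=$1
    for f in "$dir"/-*; do
        [ -e "$f" ] || continue          # no match: the glob stays literal
        base=${f##*/}                    # '-a-b'
        new=${base#-}                    # 'a-b'
        [ -n "$new" ] || continue        # a file named just '-' has no new name
        mv -- "$f" "$dir/$new"
    done
}

# count_files DIR: number of regular files under DIR
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Constructed fixture mimicking /var/nepenthes/binaries after the disk filled
# up: one real sample, one zero-size sample, two names with a leading '-'.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'MZ' > "$WORK/06b6cd8fc0333df6a96a66910f0a285d"
: >           "$WORK/314b889b16b11886656c901656ffa847"
printf 'MZ' > "$WORK/-dash-named-sample"
: >           "$WORK/-empty-and-dashed"

purge_empty "$WORK"          # prints the two zero-size names
strip_dash_prefix "$WORK"    # -dash-named-sample -> dash-named-sample
ls -la "$WORK"
```

The order matters: purging first means a zero-size file that also starts with '-' is simply deleted rather than renamed and then deleted.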

Peace ;]

Friday, April 27, 2007

TCPdump: Privilege Dropping & Passive OS Fingerprinting

I never really noticed this until today. I think OpenBSD has done a lot of modifications to tcpdump; privilege dropping is just one of the features. You can check out all the OpenBSD change logs to date here -

http://www.openbsd.org/plus41.html

In fact you can navigate the changes from release to release, searching for the tcpdump keyword, and you will find what was improved and fixed.

Another interesting feature is passive operating system fingerprinting, which is built into pf and tcpdump (for both IPv4 and IPv6); you can turn it on with the -o option in tcpdump -

shell>tcpdump -o -nni em0
01:57:33.265112 211.75.232.180.54452 > 1.2.3.4.25: S (src OS: unknown) 1591369098:1591369098(0) win 5840 (DF)
01:57:38.819585 89.1.209.9.4723 > 1.2.3.4.25: S (src OS: Windows XP SP1, Windows 2000 SP4) 2701955957:2701955957(0) win 65535 (DF)
01:57:41.343984 89.1.209.9.2506 > 1.2.3.4.25: S (src OS: Windows XP SP1, Windows 2000 SP4) 360732020:360732020(0) win 65535 (DF)
01:57:44.057512 201.244.249.179.3015 > 1.2.3.4.25: S (src OS: Windows XP SP1, Windows 2000 SP4) 645056554:645056554(0) win 65535 (DF)
01:57:44.342456 89.1.209.9.2506 > 1.2.3.4.25: S (src OS: Windows XP SP1, Windows 2000 SP4) 360732020:360732020(0) win 65535 (DF)
01:57:44.438020 89.1.209.9.1479 > 1.2.3.4.25: S (src OS: Windows XP SP1, Windows 2000 SP4) 416546610:416546610(0) win 65535 (DF)
01:58:03.762505 202.74.217.6.1713 > 1.2.3.4.25: S (src OS: Windows 2000 RFC1323, Windows XP RFC1323) 478012651:478012651(0) win 65535 (DF)

It makes use of the p0f fingerprint database (/etc/pf.os, the same file pf uses) but only fingerprints TCP packets with the SYN flag set; p0f itself is more powerful as it also works on packets with other flags. Anyway tcpdump can give you a quick glance at the remote operating system that is probing you. Bear in mind that the guess is only as good as the fingerprint file: "unknown" (the first host above) just means no signature matched, and a host that crafts its own SYNs can claim to be anything, since the fingerprint is derived from window size and TCP options chosen by the sender.
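As an added example, not from the original post, here is a small shell filter that reduces a stream of tcpdump -o lines to one line per source address and OS guess with a SYN count, so hosts sharing a fingerprint stand out. SAMPLE is constructed from the output shown above; nothing else is assumed.

```sh
#!/bin/sh
# Added example, not part of the original post: reduce a stream of OpenBSD
# "tcpdump -o" lines to one line per source address and OS guess, with the
# number of SYNs seen. SAMPLE is constructed from the output shown above.

SAMPLE='01:57:33.265112 211.75.232.180.54452 > 1.2.3.4.25: S (src OS: unknown) 1591369098:1591369098(0) win 5840 (DF)
01:57:38.819585 89.1.209.9.4723 > 1.2.3.4.25: S (src OS: Windows XP SP1, Windows 2000 SP4) 2701955957:2701955957(0) win 65535 (DF)
01:57:41.343984 89.1.209.9.2506 > 1.2.3.4.25: S (src OS: Windows XP SP1, Windows 2000 SP4) 360732020:360732020(0) win 65535 (DF)
01:57:44.057512 201.244.249.179.3015 > 1.2.3.4.25: S (src OS: Windows XP SP1, Windows 2000 SP4) 645056554:645056554(0) win 65535 (DF)
01:57:44.342456 89.1.209.9.2506 > 1.2.3.4.25: S (src OS: Windows XP SP1, Windows 2000 SP4) 360732020:360732020(0) win 65535 (DF)
01:57:44.438020 89.1.209.9.1479 > 1.2.3.4.25: S (src OS: Windows XP SP1, Windows 2000 SP4) 416546610:416546610(0) win 65535 (DF)
01:58:03.762505 202.74.217.6.1713 > 1.2.3.4.25: S (src OS: Windows 2000 RFC1323, Windows XP RFC1323) 478012651:478012651(0) win 65535 (DF)'

# syn_os_summary: read tcpdump -o lines on stdin and print "COUNT SRCIP|OS"
# for every SYN carrying a "(src OS: ...)" tag. The sed expression peels the
# port off the source address and keeps the text inside the parentheses;
# lines without the tag (non-SYN packets, or -o not given) are dropped.
syn_os_summary() {
    sed -n 's/^[^ ]* \([0-9.]*\)\.[0-9]* > [^ ]*: S (src OS: \([^)]*\)).*/\1|\2/p' \
        | sort | uniq -c | sed 's/^ *//'
}

# syn_count_for "SRCIP|OS": pull one count out of a summary read on stdin
# (prints nothing if the pair never appeared).
syn_count_for() {
    grep -F -- " $1" | awk '{ print $1 }'
}

printf '%s\n' "$SAMPLE" | syn_os_summary
```

Feed it live with tcpdump -o -nnl ... | syn_os_summary once the functions are sourced; with the sample above, 89.1.209.9 shows up as four SYNs to port 25 with the same Windows fingerprint.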

Kudos to the OpenBSD team. By the way, I bet you all can't wait for this -

http://www.openbsd.org/41.html

Peace ;]

Thursday, April 26, 2007

Open Source Compatible Handheld Device

I haven't bought any handheld device (mobile phones not counted). Interestingly, my friend sent me this link, and I am starting to think maybe I need one of these toys -

http://www.handhelds.org/moin/moin.cgi/SupportedHandheldSummary

If you know of any reference regarding handheld devices that are OSS compatible, please do let me know. Thanks.

Cheers ;]

Saturday, April 21, 2007

NetSecAnalyst: The Handbook

Yeah, there are people asking me about the progress of my book - Network Security Analyst: The Handbook.

My initial idea was to have all my blog posts on the usage of network security tools included and packaged into the book, but I realise that this won't make it a good book for network security analysts. I have had more thoughts about the book lately, hence I can't ship it sooner. There are four primary sections of the book which I think are very important for network security analyst wannabes -

Network Security Analyst: The RoadMap
What are the foundations and technical knowledge that should be acquired to become a good network security analyst? I hope The RoadMap can answer questions like that; until now I haven't seen any book discussing this topic.

Network Security Analyst: The WorkFlows
What are the methodologies and mechanisms used by network security analysts to handle their tasks? The routine daily tasks, the automated and manual process of performing analysis, situation handling and so forth.

This is more about how to think or work like a network security analyst. I will try to standardise the common workflows, but you are free to extend them your own way.

Network Security Analyst: The Tools
What are the tools commonly used by network security analysts and how do they use them? I believe this part should demonstrate NSM-based tool usage; one should understand this is not the real meat of the network security analyst, it is more of a helper section showing various examples of using network security tools. This section will be updated regularly as I import it from my blog and rework it to be more organised and readable. I suggest you read this book to get yourself ready when it comes to using most network security tools -

http://www.awprofessional.com/bookstore/product.asp?isbn=0321246772&rl=1

I truly believe that learning to use the tools alone won't make you a good analyst; the right thing to do is to study how to interpret the results generated by the tools. This is not often emphasised, but I think most analysts will agree with me.

Network Security Analyst: The Case Study
How does a network security analyst handle (intrusion/extrusion) incidents in the real world?

This will load up a few incident scenarios and show how a network security analyst starts the analysis process: examination, escalation and confirmation through to decision making. This will make a good round-up of what has been studied in the previous three sections, applying it to real world scenarios. One site that I suggest you look at is -

http://www.honeynet.org/misc/chall.html

There are many challenges offered by the honeynet community; knowledge sharing is always interesting.

I think this is the final layout for my handbook; hopefully I won't dream up any new ideas for the book again -

Sec 1 - Net Sec Analyst: The RoadMap
Sec 2 - Net Sec Analyst: The Workflows
Sec 3 - Net Sec Analyst: The Tools
Sec 4 - Net Sec Analyst: The Case Study

All the sections are correlated. Everyone is welcome to give me suggestions and input; what do you think? I don't have the skill to write, but no one can stop me from writing anyway.

P/S: ayoi will be one of the contributors to the book. I would love to spare some time to develop a Network Security Analyst LiveCD (we call it the raWPacket LiveCD) using FreeSBIE and ship it together with the release of the book, but time is always a constraint. However I'm glad that I have chfl4gs with me now developing the LiveCD. Stay tuned!!!!!

Btw, I'm looking for a non-paid editor (this is a free ebook) as my English is not good. If you would like to help, please let me know.

Peace (;])

Argus: Passive FTP Data Channel Extraction

When dealing with passive FTP instead of active FTP, I used to examine the network traffic manually to reconstruct the data channels, because passive FTP uses dynamically chosen ephemeral ports (usually > 1024) at both the client and server end, unlike active FTP where a fixed port (20) is used on the server side. The server announces each data port on the control channel: in reply to PASV it sends 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2), where the data port is p1*256 + p2, and in reply to EPSV (the form required over IPv6) it sends 229 Entering Extended Passive Mode (|||port|). After looking into how passive FTP actually works (over both IPv4 and IPv6, and across FTP server implementations), I decided to write a bash shell script to extract all the passive FTP data channels for an FTP flow from argus data. If you have read my paper on using argus for botnet detection, this shell script again makes use of the argus client tool ragrep to extract the necessary flows and their associated data channels. Here's the interesting result when I execute my script, argus-PASVFTP.sh.

IPv4 Illustration
shell>./argus-PASVFTP.sh
Input your argus data file, specify absolute path!
/home/geek00l/i-Pcaps/ipv4-ftp.arg
SrcAddr|Sport|DstAddr|Dport
192.168.0.24|49971|210.171.226.46|21
192.168.0.24|35839|210.171.226.46|21
Please specify source and destination IP and source PORT to locate associated passive ftp data channel .....
1. Source IP
192.168.0.24
2. Destination IP
210.171.226.46
3. Source Port
49971

Passive FTP Data Channel
61703
64897

Gotcha, here are the FTP data channel ports announced by the FTP server for the client to connect to - 61703 and 64897.

IPv6 Illustration
shell>./argus-PASVFTP.sh
Input your argus data file, specify absolute path!
/home/geek00l/i-Pcaps/ipv6.test.1.arg
SrcAddr|Sport|DstAddr|Dport
2001:5c0:925d:0:204:5aff:fe79:43a7|57339|2001:6c8:6:4::7|21
Please specify source and destination IP and source PORT to locate associated passive ftp data channel .....
1. Source IP
2001:5c0:925d:0:204:5aff:fe79:43a7
2. Destination IP
2001:6c8:6:4::7
3. Source Port
57339

Passive FTP Data Channel
64534
60801
60199

It works on FTP over IPv6 too; the data channel ports are 64534, 60801 and 60199.

You can now run the argus client tool ra with a filter on those ports to locate all the passive FTP data flows. Though I have only tested this script on FreeBSD and Gentoo Linux, it should work flawlessly on other *nix platforms as long as you have bash and the argus clients installed. Again, this demonstrates an interesting use of the argus client tools. One caveat: ragrep can only find the 227/229 replies if argus was capturing application data from the control channel (the -U option), otherwise the announcements are not in the flow records to grep for.
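As an added example (this is not the author's argus-PASVFTP.sh, which is not reproduced here), the core of the job is turning the server's PASV/EPSV replies into port numbers, and that part works on any text that holds the control channel, whether it came from ragrep, tcpflow or a copy-paste. The two control-channel transcripts below are constructed so that they announce the same ports the post found; the server banner, user name and file names in them are made up.

```sh
#!/bin/sh
# Added example, not the author's argus-PASVFTP.sh: turn the server's PASV /
# EPSV replies from an FTP control channel (port 21) into the ephemeral data
# ports the client will connect to, and build a BPF filter from them.
#
#   PASV reply (RFC 959, IPv4):  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
#                                data port = p1 * 256 + p2
#   EPSV reply (RFC 2428, IPv6): 229 Entering Extended Passive Mode (|||port|)
#
# Both transcripts are constructed; they announce the ports found in the post.
CONTROL_V4='220 FTP server ready.
USER anonymous
331 Anonymous login ok, send your email address as password
PASS guest@example.invalid
230 Anonymous access granted
PASV
227 Entering Passive Mode (210,171,226,46,241,7).
LIST
150 Opening ASCII mode data connection for file list
226 Transfer complete.
PASV
227 Entering Passive Mode (210,171,226,46,253,129).
RETR README
150 Opening BINARY mode data connection for README
226 Transfer complete.'

CONTROL_V6='EPSV
229 Entering Extended Passive Mode (|||64534|)
LIST
EPSV
229 Entering Extended Passive Mode (|||60801|)
EPSV
229 Entering Extended Passive Mode (|||60199|)'

# pasv_data_ports: read control-channel text on stdin, print one data port
# per 227 or 229 reply in the order announced. Anything after ')' or '|'
# is dropped, so CRLF-terminated lines and trailing '.' are fine.
pasv_data_ports() {
    while IFS= read -r line; do
        case $line in
            227\ *)
                tuple=${line#*'('}               # h1,h2,h3,h4,p1,p2)...
                tuple=${tuple%%')'*}             # h1,h2,h3,h4,p1,p2
                set -- $(printf '%s' "$tuple" | tr ',' ' ')
                [ $# -eq 6 ] || continue         # malformed reply: skip it
                echo $(( $5 * 256 + $6 ))
                ;;
            229\ *)
                port=${line#*'(|||'}             # port|)...
                port=${port%%'|'*}               # port
                case $port in
                    ''|*[!0-9]*) continue ;;     # malformed reply: skip it
                esac
                echo "$port"
                ;;
        esac
    done
}

# pasv_filter: "port A or port B ..." for the announced ports, ready to be
# handed to ra or tcpdump to pull out the data channels.
pasv_filter() {
    pasv_data_ports | awk '{ f = (NR == 1) ? ("port " $1) : (f " or port " $1) } END { print f }'
}

printf '%s\n' "$CONTROL_V4" | pasv_data_ports
printf '%s\n' "$CONTROL_V6" | pasv_filter
```

The 227 arithmetic is the part people get wrong by hand: the last two numbers of the tuple are the high and low byte of the port, so (241,7) is 241*256 + 7 = 61703, not 2417. Malformed replies are skipped rather than turned into a bogus port, which matters when the input is a grep over noisy captures.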

Thanks to Richard for the IPv6 pcap file he sent me, or else I wouldn't have been able to examine FTP over IPv6.

I plan to include this script in the LiveCD that we (chfl4gs and I) are actively developing; if any of you are interested in having fun with the script, feel free to let me know.

Enjoy (;])

linux.byexamples.com

Yes, I advocate open source. I support anyone who really wants to push open source stuff. But I'm not doing enough, as I am not involved in the open source development or coding side. But do you really need to be an almighty programmer in order to be involved in the open source movement? I bet not; there are many ways to promote open source. I believe every little piece of support and effort is important, whether you are testing software, submitting bugs, writing documentation or so on.

My friend surface took a different approach: he decided to promote open source usage by example, and now the site seems to be growing and has many tips and tricks that are very useful. You can check it out at -

http://linux.byexamples.com/

I was surprised when I saw this site too -

http://www.byexamples.com/

Well done, surface! May the force be with you!!!!!

Cheers ;]

Thursday, April 19, 2007

Argus: Practical BotNet Detection

I use argus for my daily tasks. Like I mentioned, the argus client tools are easy to use but hard to master, and they can be tricky to work with sometimes. However I believe experience makes you wiser when dealing with complex tools. I really appreciate Hanashi's work on BIRT for sguil report generation; as Hanashi is working on sancp session data, I'm looking more into argus flow data. Here's a very short paper I have written on using the argus client tools (ragrep and radump) to perform botnet detection.

http://www.rawpacket.org/anonymous/argusR/Argus-PracticalBotNetDetection.pdf


The reason I don't post this in the blog is that it may look cluttered. I welcome any feedback and ideas about this short paper.

Enjoy ;]