Extracting information from PCAP - linux

the logs are formatted below. there is also brackets around each **.
03/16-08:30:05.350000 ** [1:491:8] INFO FTP Bad login ** [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.21.101:21 -> 192.168.202.102:4061
what I am trying to do is:
extract all destination IPs
extract source IP/destination IP/port pairs
view all events associated with source IP and get a count of all destinations from the identified source IP
I have just exctracted all IPs and ports:
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\:[0-9]\{3,10\}' alert.pcap | sort | uniq

The listing you showed at top appears to be from snort or suricata alert file. And using grep on a pcap file is unlikely to give you what you want.
The right tool for extracting the things you want is probably tshark (the command line version of wireshark).
Extract the destination IPs:
tshark -r file.pcap -T fields -e ip.dst
Extract TCP source, destination IPs and ports:
tshark -r file.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -Y tcp
Same for UDP:
tshark -r file.pcap -T fields -e ip.src -e udp.srcport -e ip.dst -e udp.dstport -Y udp
Pipe any of the above to sort -u to get unique addresses/tuples.
Another option is to produce an all-inclusive listing in a format suitable for loading into a spreadsheet and use spreadsheet functions to slice and dice as you see fit. One such command line would produce a comma-separated-value format:
tshark -r file.pcap -E separator=, -T fields -e ip.proto -e ip.src -e tcp.srcport -e udp.srcport -e ip.dst -e tcp.dstport -e udp.dstport -Y "udp or tcp"
The ip.proto column here is 6 for TCP or 17 for UDP. Only the respective src/dst port columns will be populated for each IP sub-protocol.

Related

How can i extract only the destination ports from a TCPDUMP file

i currently have a script in bash that extract the destination IPs and ports only from the Host IP ( me )
I need to sort the destination Ports in a separate File.
the command i use now for making the capture:
tcpdump -G 15 -W 1 -w myscript15s -i enp0s3 -nnvvS src 10.0.2.15 and dst portrange '1-65535'
Does anyone what command can i use to put in a separate document only the destination ports?
I found you can only sort IPs but maybe i didn't search throughly enough :(
Packet capture script
Packet capture output
// Script for making the capture
#!/bin/bash
clear
echo "Select your capture option: "
read capture
echo "You selected $catpure"
echo
if [ $capture == "Option1" ];
then
echo
tcpdump -G 15 -W 1 -w myscript15s -i enp0s3 -nnvvS src 10.0.2.15 and dst portrange '1-65535'
tcpdump -ttttnnr myscript15s
cp myscript15s captura
elif [ $capture == "Option2" ]
then
echo
tcpdump -G 600 -W 1 -w myscript600s -i enp0s3 -nnvvS src 10.0.2.15 and dst portrange '1-65535'
else
echo "Incorect option .."
fi
echo
echo "The end"
echo
/// output - placed only first 2 lines to get the ideea
2018-06-26 15:42:21.261263 IP 10.0.2.15.54178 > 10.18.0.22.53:19272 [1au] A? detectportal.firefox.com.(53)
2018-06-26 15:42:21.261418 IP 10.0.2.15.51118 > 10.18.0.22.53:31437+ [1au] AAAA? detectportal.firefox.com.(53)
One way that could achieve this would be using tshark to read the capture while applying display filters, sorting as needed then writing the output to a file:
tshark -r your_capture_file.pcap -T fields -e udp.dstport -e tcp.dstport | sort | uniq > results.txt
If you wish to also include the protocol name in your results you can add it in the filter as well:
tshark -r your_capture_file.pcap -T fields -e _ws.col.Protocol -e udp.dstport -e tcp.dstport | sort | uniq > results.txt
Note that using the above method will take care of everything in a single command however the output resulted will contain blank UDP port columns for TCP traffic and blank TCP port columns for UDP traffic which may pose an issue.
In order to avoid this, you can simply run the command twice, once per protocol:
TCP
tshark -r your_capture_file.pcap -T fields -e tcp.dstport | sort | uniq > results.txt
UDP
tshark -r your_capture_file.pcap -T fields -e udp.dstport | sort | uniq >> results.txt
Take note that the second run should use the >> operator instead of the > one to append data to the results file.

Block list of ip addresses linux

I'm running Kali on a computer that has port forwarding so I can access it while away from my desk. Upon looking at /var/log/auth.log I find a number of IP addresses that have been trying to log in which I don't recognise. I've managed to extract all the IPs and put them in a file, and want to run a script to block them using iptables. So far, I've come up with this, but it's not working:
#!/bin/bash
NUMBEROFIPS=cat "ipaddresses.txt" | wc -l
for i in `seq 0 $NUMBEROFIPS`;
do
IP=awk 'NR==$i' ipaddresses.txt
iptables -A INPUT -s $IP -j DROP
done
What am I doing wrong?
I suggest:
#!/bin/bash
while IFS= read -r ip; do
iptables -A INPUT -s "$ip" -j DROP
done < ipaddresses.txt
or
xargs -I {} iptables -A INPUT -s {} -j DROP < ipaddresses.txt

Iptables remove specific rules by comment

I need to delete some rules with same comment.
For example I have rules with comment = "test it", so i can get list of them like this:
sudo iptables -t nat -L | grep 'test it'
But how can i delete all PREROUTING rules with comment 'test it'?
UPD:
As #hek2mgl said, i can do something like this:
sudo bash -c "iptables-save > iptables.backup"
sed -i '/PREROUTING.*--comment.* "test it"/d' iptables.backup
sudo iptables-restore < iptables.backup
sudo rm iptables.backup
But between save and restore could be changes in iptables, so after restore there will be problems =/
You can use the following command:
iptables-save | sed -r '/PREROUTING.*comment.*test it/s/-A/iptables -D/e'
iptables-save will return iptables commands that can be executed to return the current state of the firewall after a reboot or whatever.
Meaning it will contain lines like:
...
-A PREROUTING -p tcp -m tcp --dport 25 -j ACCEPT -m comment --comment "test it"
...
The sed command searches for lines containing PREROUTING.*comment.*test it (should be good enough) and prepends the term iptablesplus replaces -A by -D since -D deletes a rule. The result of the replacement operation get's then executed using the e command. The e command is a GNU extension to sed.
Note: If you want to print the command in addition to simply executing it you can use s/-A/iptables -D/pe.
Yet another way to Remove by comment:
NOWRULES=$(iptables --line-number -nL INPUT | grep comment_here | awk '{print $1}' | tac)
for rul in $NOWRULES; do /sbin/iptables -D INPUT $rul; sleep 0.1; done
The best way to remove comment-based rules from iptables is:
iptables-save | grep -v COMMENT | iptables-restore
it cleans all rules with matching comment. As for me, I use this method to add ruleset that needs to be completely removed later.
If you neeed only PREROUTING chain to be touched, add some prefix or suffix to your comment like preroute_COMMENT upon rule creation to make difference inside COMMENT identified ruleset

Adding my current IP to whitelist on iptables?

I'm pretty new to setting up game server but I want to block rcon to every ip except the ones that are whitelisted.
First I'm gonna use this trhough SSH:
iptables -A INPUT -p tcp --destination-port 27015 -j LOG --log-prefix "SRCDS-RCON " -m limit --limit 1/m --limit-burst 1
iptables -A INPUT -p tcp --destination-port 27015 -j DROP
After that I want that when a user runs a bash script or something similar, it detects the user IP and add it to the whitelist automatically.
How can I do this?
Assuming :
the bash script is run on the server
the users logs in using ssh
You could create an ipset :
First, add this rule in iptables :
iptables -A INPUT -i eth0 -m set --match-set whitelist src -p tcp --destination-port 27015 -j ACCEPT
Then create a set :
sudo ipset -N whilelist iphash
Finally, add a script like this, using SSH_CONNECTION environment variable :
#!/bin/bash
USER_IP=$(echo $SSH_CONNECTION | cut -f1 -d' ')
sudo ipset -A whitelist $USER_IP
You could even add those two lines at the end of /root/.bash_profile so it gets done automagically when someone connects as root.
However, this assumes your friends are connecting as root via ssh. Since this is not desirable, you could use a temporary directory to hold the ip addresses, and add a cron job to fill the ipset hash :
Create /etc/cron.d/check_ipset with :
* * * * * root /usr/local/bin/check_ipset
Create /usr/local/bin/check_ipset (and chmod 700) :
#!/bin/bash
for i in `cat /tmp/ipset_pending | sort -u`; do
ipset -A whitelist $i
done
cat /dev/null > /tmp/ipset_pending
Add this to every user's .bash_profile :
...
echo $SSH_CONNECTION | cut -f1 -d' ' >> /tmp/ipset_pending
...
Didn't test, so YMMV, but this should be close enough.

grep - exclude certain domains from url search

data_file.txt contains URLs, something like:
bunch of data http://good1.com/contact
lines of non-url data
bunch of data http://ok.ip.add.rss/page/1
lines of non-url data
bunch of data http://spammer.com/spammers/are/lame
lines of non-url data
bunch of data http://good2.com/page2
lines of non-url data
bunch of data http://good1.com/contact
Some are good URLs, some are spammer URLs. I'm trying to find all the spammer URLs.
I can find the good URLs with:
grep -n -o -P 'http://(good1.com|ok.ip.add.rss|good2.com).{0,80}' data_file.txt
I would like to reverse that, finding anything that is not good. I tried these variants:
grep -n -o -P 'http://*(^(good1.com|ok.ip.add.rss|good2.com)).{0,80}' data_file.txt
grep -n -o -P 'http://*^(good1.com|ok.ip.add.rss|good2.com).{0,80}' data_file.txt
grep -n -o -P 'http://*(^good1.com|^ok.ip.add.rss|^good2.com).{0,80}' data_file.txt
grep -n -o -P 'http://*(^good1.com\|^ok.ip.add.rss\|^good2.com).{0,80}' data_file.txt
grep -n -o -P 'http://*(^(good1.com|ok.ip.add.rss|good2.com)).{0,80}' data_file.txt
...but those didn't work. Any ideas?
I was able to do this with a double grep:
grep -n -o -P "http://.*?[^/'\\\\)<]*" data_file.txt | grep -v "http://good1.com\|http://good2.com\|http://ok.ip.add.rss"
I had various characters--besides slashes--following the domains, hence the [^/'\\\\)<]

Resources