How to read text file from Snort? - text

I have a worm that its signature is in .txt file. Now I wanna check it with Snort IDS. I read the the manual page of Snort, But I couldn't find anything. How can I do this?(Is there a command for detecting worms signature using Snort something like snort -r worm.txt -c /etc/snort/snort.conf ?)

Try to send this file with "nc" in your local machine (just an idea)
You will need two terminal and Snort must be listening in you network interface :
The first terminal
nc -l 1234 > filename.out
The first terminal
nc host.example.com 1234 < Worm.txt

Related

Output a linux command to a url/port or scocket instead of writing it to a file

I have a command which out outputs certain data which i store in a ext file using a '>>' command.Now Instead of doing that I want to have a socket or a port on any server which will catch the output of the command.Basically i want to output all my script data to a socket or url which ever is possible.
Any help in this direction is most welcomed.
You can use socat to listening on a port 12345 and echo any data sent to it like this:
socat -u TCP-LISTEN:12345,keepalive,reuseaddr,fork STDOUT
If you want to capture it to a file as well (file.log), you can use the same command with tee:
socat -u TCP-LISTEN:12345,keepalive,reuseaddr,fork STDOUT | tee file.log
You can run your program to output to bash's TCP virtual device:
./prog > /dev/tcp/localhost/12345
If you don't want to use bash magic then you can also use socat to send the data:
./prog | socat - TCP-CONNECT:localhost:12345
The above example assume you are running your program and "logger" on the same system but you can replace "localhost" with the hostname or address of the system you wish to send to (where the socat is listening).

linux print directly to network printer that IS NOT installed

I need to build a simple web based printer server that will print a file to any given printers IP address
Using lp or lpr how can I print a file directly to a network printer by IP address? NOTE: The printer will NOT be setup in CUPS locally as it needs to have the ability to print to any IP address thrown at it.
What I have tried:
lp -d 10.11.234.75 /path/to/file
lpr -P 10.11.234.75 /path/to/file
Both give this: 'The printer or class does not exist.'
Try this:
cat you_file.prn | netcat -w 1 printer_ip 9100
If using bash then:
cat /path/to/file > /dev/tcp/10.11.234.75/9100
What you want to do is probably not feasible. If the printers at the ends of these IP addresses are just random printers, then the server you're building would need to know which driver to use to be able to print to them. If you haven't installed them in any way beforehand then it's not going to work.
If you only want to talk to other Internet Printing Protocol (IPP) servers then it is possible, although not necessarily elegant. I don't know of any other Linux implementations of an IPP client than CUPS, and CUPS requires you to install printers in advance. This can be done very easily though (as explained here). It's the same code to add a normal printer (but you need to know which driver to use) as for an IPP server. Alternatively, you might be able to find another IPP implementation (or write one - it should be fairly simple just to send a document) which doesn't require installing printers.
Here's the code to add an IPP printer to CUPS:
lpadmin -E -p <printer-name> -v http://<ip_address>:631/<dir>/<printer> -L <location> -E
<printer-name> and <location> can be whatever you like, and you need the full network path to the printer.
To add a normal printer:
lpadmin -E -p <printer-name> -v <device-uri> -m <model> -L <location> -E
This is the same, except that you need to give a <model>, which is the driver for the printer. Scrap the first -E if you don't want encryption.
If you want to delete the printer afterwards, use this:
lpadmin -x <printer-name>
I found an old program called tcpsend.c to send a file to a printer at an IP address. Build with gcc -o tcpsend tcpsend.c
$ ./tcpsend
use: tcpsend [-t timeout] host port [files]
-t timeout - try connecting for timeout seconds
tcpsend.c source code
I had success using lp with a hostname and port.
echo foobar | lp -h 10.10.13.37:9100 -
Without specifying a port, i would get
lp: Error - No default destination
If printing a PDF, you can first convert it to PostScript using pdf2ps
pdf2ps file.pdf - | lp -h 10.10.13.37:9100 -
The argument - is used as an alias for standard input or output, letting us pipe the output of postscript straight into standard input of lp.

How to grep specific lines from nmap -O output?

I got many files named like 192.168.203.txt as the output of
sudo nmap -O --top-ports 192.168.203.* >>192.168.203.txt
The output looks like as below:
Nmap scan report for 192.168.203.29
Host is up (0.00067s latency).
PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
25/tcp closed smtp
80/tcp open http
110/tcp closed pop3
139/tcp filtered netbios-ssn
443/tcp closed https
445/tcp filtered microsoft-ds
3389/tcp filtered ms-wbt-server
Device type: general purpose
Running: Microsoft Windows 2008|7
OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_7
OS details: Microsoft Windows Server 2008 SP2, Microsoft Windows 7 or Windows Server 2008 SP1
Network Distance: 6 hops
I just want to grep the IP like 192.168.203.29 with http or ssh or other ports open sepetately. Maybe I will pipe all the result IP into a file named http_open_ip.txt.
I have tried grep ftp with commands:
cat *.txt|grep -B 3 "ftp"|grep -B3 "open"|grep "192.168."|awk '{print $5}'|sort -t . -k 3,3n -k 4,4n> ftp_open_ip.txt
Thus, I got a file ftp_open_ip.txt. But I found this command not work with other keywords like ssh stmp. What should I do ?
I am not exactly clear about what you want. Perhaps, you want to look in all the files and for all those IP which will have a http port open in one file, ssh port open in another file. So same IP may be present in multiple files.
Assuming that, below is an awk solution
awk 'BEGIN{http_open="http_open";ssh_open="ssh_open";ftp_open="ftp_open"}
/Nmap scan report for/{ip=$5}
/ftp/ && /open/{print "ftp open for " ip >> ftp_open}
/ssh/ && /open/{print "ssh open for " ip >> ssh_open }
/http/ && /open/{print "http open for " ip >> http_open}
' <filename>
It assumes that the file is containing data in same order shown in your example. So Nmap scan report for line has the IP in 5th field. Now after that, the rest is really simple. if ftp, ssh, http etc are found along with open status, we redirect the output in corresponding file.
Instead of all this challenging text processing, you should use Nmap's own features that make this kind of output processing easier. First, Nmap offers many output formats, and options to output to files. Start with this command:
sudo nmap -oA my-scan-%y%m%d -O --top-ports 192.168.203.0/24
The -oA my-scan-%y%m%d option will save the output of your scan in 3 different files:
$ ls
my-scan-20130520.gnmap my-scan-20130520.nmap my-scan-20130520.xml
For quick queries, the .gnmap file will be the easiest to use with awk or grep, but it doesn't have all the useful information that is included in the normal (.nmap) or XML formats. If you plan to make this script automated, or extend it in any way, your best bet will be to use the XML output.
Here are a couple commands that will do what you want with these output formats:
awk '/\/open\/tcp\/\/http\//{print $2}' my-scan-*.gnmap > http_open_ip.txt
xmlstarlet sel -t -m "//port[#protocol='tcp' and service/#name='ssh' and state/#state='open']/ancestor::host/address[#addrtype='ipv4']" -v '#addr' -n my-scan-*.xml > ssh_open_ip.txt

How to modify input stream of netcat?

I'm creating a TCP/IP interface to a serial device on a redhat linux machine. netcat in a bash script was used to accomplish this with out to much trouble.
nc -l $PORT < $TTYDEVICE > $TTYDEVICE
The problem is that the serial device uses carriage returns('\r') for line ends in its responses. I want to translate this to ("\r\n") so windows machines telneting in can view the response without any trouble. I'm trying to figure out how to go about this with a simple bash solution. I also have access to stty to configure the serial device, but there is no "\r" to "\r\n" translate on the input side(from what I can tell).
I did try to use tr on the input side of netcat, but it didn't work.
#cat $TTYDEVICE | tr '\r' '\r\n' | nc -l $PORT > $TTYDEVICE
Any ideas?
Your problem is that the client that connects to $PORT probably does not have a clue that it is working with a tty on the other side, so you will experience issues with tty-specific "features", such as ^C/^D/etc. and CRLF.
That is why
socat tcp-listen:1234 - | hexdump -C
telnet localhost 1234
[enter text]
will show CRLFs, while
ssh -t localhost "hexdump -C"
[enter text]
yields pure LFs. Subsequently, you would e.g. need
ssh -t whateverhost "screen $TTYDEVICE"
tl;dr: netcat won't do it.
This is overly difficult with standard tools, but pretty easy in perl (although perl is pretty much a standard tool these days):
perl -pe 's/\r/\r\n/g'
The version above will likely read the entire input into memory before doing any processing (it will read until it finds '\n', which will be the entire input if the input does not contain '\n'), so you might prefer:
perl -015 -pe '$\="\n"'
There are a number of versions of netcat (GNU and BSD) but you might want to try:
-C Send CRLF as line-ending

sending raw data through usb on linux

I'm printing some labels on a Zebra TLP-2844 printer, and have been doing it fine on Windows by sending the EPL instructions to the shared USB printer as follows:
type Label.prn > \my-pc\zebra
and it seems to work with serial ports too, with
type Label.prn > COM1
Now I'm trying to to the same on Linux, but it's getting really hard! My first guess was:
cat Label.prn | /dev/bus/usb/005/002
since my printer is on bus 005, device 002 (checked it with lsusb command) but it doesn't work at all, as I get the following:
bash: /dev/bus/usb/005/002: Permission denied
Any guesses?
The command you did
cat Label.prn | /dev/bus/usb/005/002
will try to run /dev/bus/usb/005/002, which is not executable, hence "permission denied".
The correct command would be, similar to windows
cat Label.prn > /dev/bus/usb/005/002
However, not sure if you actually can write anything to a printer like that in linux. If the printer is set up properly, you might also try:
lpr Label.prn
In case anyone else is trying to access raw USB printer ports; The "permission denied" problem is circumvented by adding your user to group "lp", like so:
$ sudo usermod -aG lp USERNAME
where USERNAME is your username.
Sorry by My english.
I tested here, my printer TLP2844 connect on USB, in my embedded arm9 board with linux.
I typed in command prompt:
printf "OD\r\nN\r\nD5\r\nS2\r\nZT\r\nQ128, 24\r\nq400\r\nA15,10,0,2,1,1,N,\"TESTE\"\r\nP1\r\nFE\r\n" > /dev/lp0
and... the TEST printed
You should change access mode for /dev/usb/lp0 device: sudo chmod a+w /dev/usb/lp0
And then you can print a label using copy command: cp test.zpl /dev/usb/lp0
Also you can create your own build system in Sublime Text for example:
{
"cmd": ["cp", "$file", "/dev/usb/lp0"],
"encoding": "utf8"
}
and send files to the printer by pressing Ctrl+B keys immediately after finishing edit the label.
Or you can try my tool to send zpl labels to the printer via TCP/IP:
https://github.com/kashamalasha/AutoIt_ZebraTester
It was written on AutoIt Script language, so you need to install AutoIt to build it. Unfortunately there is no description on English, only Russian, but I can write it very soon, if you will need it.

Resources