First off, I apologize for the lack of posts here lately. I’ve been trying to come up with something good to post, because I’m just not a fan of rehashing things other blogs post or commenting on news stories. Hopefully I’ll be able to contribute more soon.
Now down to the real post: NSM-Console 0.7 has been released. There are a lot of cool features in this release, but first, go download NSM-Console!
As always, you can check out the TODO and CHANGELOG from svn.
Now, let’s cover some of the newest features in this release:
Encode/Decode enhancements
The encode and decode methods have had a few enhancements added to them. Most notably, you can now specify a file to encode or decode instead of just a string, so you could do:
nsm> encode -f base64 testfile.txt
Encoding ascii --> base64...
Output ([]'s added to show beginning and end):
[TlNNLUNvbnNvbGUgaXMgYXdlc29tZSwgeW91IHNob3VsZCB1c2UgaXQgOikK]
Also, you can now give hex input in a variety of forms, because I kept seeing it delimited in different ways: \x-prefixed, space-separated, or not delimited at all. I’ve also added default hex and binary methods, so you don’t have to specify endianness; they default to little-endian.
IP->ASN mapping
As per Scholar’s suggestion, there is now both a module and a command for translating an IP into its ASN. You can either use the module to get a listing for each IP in the pcap, or use the command below to get the ASN for just one address:
nsm> ip2asn 203.223.154.86
Bulk mode; whois.cymru.com [2008-04-27 17:53:32 +0000]
17992 | 203.223.154.86 | AIMS-MY-DIA-AS AIMS Data Centre
Thanks to Team Cymru for their ASN servers.
‘Print’ command supports flags
The print command now supports printing TCP flags; it still uses Scholar’s pcapparser library.
New command: ‘iplist’
Generates a list of the IPs in a pcap file, sorted by the number of occurrences in the file; see below:
nsm> iplist
=== IP list for data.pcap ===
192.168.1.123 1507
64.233.179.109 260
192.168.1.136 141
204.245.162.17 126
216.178.38.133 102
208.67.217.230 92
209.225.0.103 88
.. etc etc
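For readers curious what a command like iplist has to do under the hood, here is a standalone sketch, added as an example and not NSM-Console’s own code: a minimal libpcap reader that counts every IPv4 source and destination address and sorts them by occurrence. The pcap bytes are constructed inline; it assumes the Ethernet link type and skips frames that are not IPv4.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample: a minimal libpcap file (LINKTYPE_ETHERNET = 1) holding
# three Ethernet/IPv4 frames. Only the IPv4 header fields we count are filled in.
def _frame(src: str, dst: str) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"              # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip

def _pcap(frames) -> bytes:
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    # per-packet header: ts_sec, ts_usec, incl_len, orig_len
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + body

SAMPLE_PCAP = _pcap([
    _frame("192.168.1.123", "64.233.179.109"),
    _frame("64.233.179.109", "192.168.1.123"),
    _frame("192.168.1.123", "208.67.217.230"),
])

def iplist(pcap: bytes) -> list:
    """Count every IPv4 source and destination address in a pcap, most frequent first."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        end = "<"                                  # little-endian file
    elif magic == 0xD4C3B2A1:
        end = ">"                                  # big-endian file
    else:
        raise ValueError("not a libpcap file (pcapng is not handled by this reader)")
    linktype, = struct.unpack_from(end + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    counts = Counter()
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                               # truncated frame or not IPv4
        counts[str(IPv4Address(frame[26:30]))] += 1   # IPv4 source address
        counts[str(IPv4Address(frame[30:34]))] += 1   # IPv4 destination address
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```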
Pipes now supported
One feature geek00l has been bugging me about is getting piping to work in the nsm shell. I’m happy to announce that pipes finally work; you might run into a few bugs (broken pipes with less), but for the most part they work, and output can now be piped into files and programs:
nsm> p -x 1-* | less
(display all the packets and hex output, piped into less)
nsm> iplist > iplist.txt
(output the list of ips into iplist.txt)
nsm> ip2asn 203.223.154.86 >> iplist.txt
(append the ip2asn output to iplist.txt)
Etc, etc, you get the idea. The ‘<’ input redirection hasn’t been implemented yet; perhaps it will be if it’s needed in the future.
New modules, bro-ids-connection and yahsnarf
Geek00l committed his bro-ids-connection module, which generates only connection information from a pcap. A yahsnarf module was also committed, which extracts Yahoo IM conversations from a pcap file. Thanks geek00l!
Automatic updating of NSM-Console
Users desiring to be on the bleeding edge of NSM-Console development (is there anyone that actually desires this? :P) can now use the “update” command from within NSM-Console to automatically update to the latest subversion commit. You can also use -v for verbose output; see below:
nsm> update -v
Updating NSM-Console from svn...
Fetching newest revision from svn...
etc, etc
There are still a few kinks to work out, but it should work pretty well.
Bugfixes
I fixed some bugs related to gzip’d pcap files, as well as some bugs in the encode and decode methods. I also introduced some bugs (hurray!) with pipes, but they’re still usable.
Like I always say, check out the full TODO and CHANGELOG for complete details, and send me any feedback you have.