:wq - blog » flowtime http://writequit.org/blog Tu fui, ego eris Mon, 22 Dec 2014 14:54:59 +0000 en-US hourly 1 http://wordpress.org/?v=4.1.5 NSM-Console version 0.5 release http://writequit.org/blog/2008/02/05/nsm-console-version-05-release/ http://writequit.org/blog/2008/02/05/nsm-console-version-05-release/#comments Tue, 05 Feb 2008 20:08:02 +0000 http://writequit.org/blog/?p=144 smallmonkeyThat’s right, no development release this time around. I’ve been trying to get version 0.5 all finished for the Hex 1.0.3 release, and I’m happy to present the newest NSM-Console release!

Firstly, you can download NSM-Console version 0.5 here:
http://writequit.org/projects/nsm-console/files/nsm-console-0.5.tar.gz

Mirror here:
https://secure.redsphereglobal.com/data/dakrone/files/nsm-console-0.5.tar.gz

Like always, let’s go over some of the new features in this release:

Alias command
You can now alias a command whatever else you would like to, the syntax is the same as regular bash alias syntax, for instance, here are my aliases from my ~/.nsmcrc:
alias ls = list
alias ll = list
alias serv = e cat /etc/services | grep

So as an example, if I wanted to look up a service port, now I just type “serv 5190” and see if /etc/services has an entry for that port. (I have a habit of hitting ‘ll’ or ‘ls’ all the time, so now at least they’re useful)

Additional modules: flowtime and harimau
I added a couple of modules, the first is flowtime, which is a packet timeliner that I wrote about in this post. The second is the Harimau module, which will query the Harimau watchlist for all the IPs in a pcap file and print out the matching entries. Thanks go to Spoonfork and the Security.org.my team for the awesome tool.
Note: flowtime won’t work out of the box in Hex unless you install Argus version 3 (not version 2, which is what Hex comes with) as well as symlink ‘ploticus’ to ‘pl’ somewhere in your path.

Checkip command
Speaking of the Harimau watchlist, it has also been integrated as an NSM-Console command. You can see an example here:
nsm> checkip 209.177.146.34
209.177.146.34,www.emergingthreats.net/rules/bleeding-botcc.rules,botcc,2008-02-05 00:03:10

Module improvements
The snort module now uses the ac-bnfa search algorithm, which should help on systems with lower amounts of RAM (*cough* like my own). In addition, the bro-ids module now actually generates many more helpful reports and actually performs intrusion detection instead of just generating flow content. Some modules have been added to categories to make them easier to toggle.

Other minor improvements
Toggle handles multiple module names, space separated
All NSM-Console errors finally go to STDERR instead of STDOUT
Help command is much more readable and supports argument to get help about a particular command.
~./nsmcrc is read extremely quietly now, so it doesn’t fill up the screen
Bugfixes.

You can read the entire changelog here.

As always, please please please let me know if you have any comments, criticisms or suggestions :) Feel free to email me or leave a comment below.

]]>
http://writequit.org/blog/2008/02/05/nsm-console-version-05-release/feed/ 3
Flowtime – Create a timeline for packet flow http://writequit.org/blog/2008/01/24/flowtime-create-a-timeline-for-packet-flow/ http://writequit.org/blog/2008/01/24/flowtime-create-a-timeline-for-packet-flow/#comments Thu, 24 Jan 2008 16:36:28 +0000 http://writequit.org/blog/?p=132 You can never have too many tools for pcap visualization :)

Flowtime is a script written in Ruby that produces a timeline of the network flows in a pcap file. Everything is better with a picture, so here’s a picture: (warning, this picture is 3000×2000 pixels, kind of large)

ink2

Each bar on the left is a IP address along with a port, the timeline on the bottom is the time it was capture (in seconds). The different colors represent different kinds of traffic, http is blue, ssl is red, yellow is other, etc. At the moment there isn’t any legend, but I already think it’s useful just to see patterns in the traffic over time.

Download Flowtime here.

Requirements to run Flowtime:

  • Argus (version 3 only)
  • Ploticus (you should have ‘pl’ in your path. You may have to symlink ‘ploticus’ to ‘pl’)
  • EasyTimeline (you should have ‘EasyTimeline’ in your path)

Yea, I know, lots of dependencies, I’m hoping to rewrite this into a MUCH better version in the future, consider this the prototype :)

Here’s how to run it:

flowtime [-w #] [-h #] [-g] [--help] <pcapfile> <ipaddr> <outfile_base>
-w specify the width, default: 2000
-h specify the height, default: 2000
-g automatically try generate a png (requires 'EasyTimeline' and 'pl' in path)
<pcapfile> the packet file to generate a graph of
<ipaddr> source address to generate a graph for, 'all' for all IPs
<outfile_base> basename for the output file

To generate a basic graph, just do something like ‘flowtime -g data.pcap all data-out‘. After running this (if everything works okay), you should have a few files in your directory, if you open data-out.png you should be able to see the data as a timeline. If there are errors instead of data-out.png, there will be a file called data-out.err.

I know this script has issues, isn’t very user-friendly and doesn’t always work, here’s what I’m hoping to improve for the next version:

  • Generate an image of the entire timeline, in addition to showing it in a window
  • The ability to zoom in to a particular range of time to show only that time
  • Export an image of the current view
  • Select a bar to get more information about that flow

I’m going to have to use a different framework though, I’m considering Tk, but I haven’t ever done anything with it before.

Questions? Concerns? Comments? Suggestions?

P.S. I already made an NSM-Console module for flowtime too ;)

]]>
http://writequit.org/blog/2008/01/24/flowtime-create-a-timeline-for-packet-flow/feed/ 4
NSM Console projected module list http://writequit.org/blog/2007/11/28/nsm-console-projected-module-list/ http://writequit.org/blog/2007/11/28/nsm-console-projected-module-list/#comments Wed, 28 Nov 2007 21:43:28 +0000 http://writequit.org/blog/?p=95 Here’s a list of all the planned modules and completed (struck-out) modules for nsm-console: (if a module is struck out, it’s because I’ve finished making a module for it, it isn’t necessarily in the tarball for download)

  • aimsnarf
  • ngrep (gif/jpg/pdf/exe/pe/ne/elf/3pg/torrent)
  • tcpxtract
  • tcpflow
  • chaosreader
  • bro-IDS
  • snort
  • tcpdstat
  • capinfos
  • tshark
  • argus
  • ragator
  • racount
  • rahosts
  • hash (md5 & sha256)
  • ra
  • honeysnap
  • p0f
  • pads
  • fl0p
  • iploc
  • foremost – thanks shadowbq!
  • flowgrep
  • tcptrace
  • tcpick
  • flowtime
  • flowtag
  • harimau
  • clamscan

Think of any other useful modules? Leave me a comment and let me know!

P.S. I’m also brainstorming for some pcap/real-time network visualization tools, stay tuned!

]]>
http://writequit.org/blog/2007/11/28/nsm-console-projected-module-list/feed/ 3