:wq - blog » iploc
http://writequit.org/blog
Tu fui, ego eris

NSM-Console version 0.3 release
http://writequit.org/blog/2008/01/08/nsm-console-version-03-release/
Wed, 09 Jan 2008 06:29:44 +0000

Yep, I’ve just been cranking out code lately, so I am proud to present the 0.3 release of nsm-console!

You can download NSM-Console here:

http://writequit.org/projects/nsm-console/files/nsm-console-0.3.tar.gz

This release was focused a bit more on usability, features and bugfixes rather than the addition of new modules, however, there were still a couple that were added. Since this release has some pretty big changes, let’s start by going over some of the notable ones:


- Logfile changes
I decided I wanted a way to track the exit status of each module command that was executed, so the logfile will now prepend each executed command with “[exit: #]” (# is the exit status of the command). I’m hoping this will help with module debugging.

- Output directory changes
The default output directory has been changed from “output” to “${PCAP_BASE}-output”; I’m hoping this provides a more meaningful output directory name. Note that when you perform analysis on a directory of files, one output directory will be created per pcap. If you want all the output in one folder, change the output directory setting so that it no longer contains ${PCAP_BASE}.

- Modules
The following modules were added, use “info <module>” to get more information about a module: iploc, fl0p, argus

- e command
“e” is now a shortcut for exec, who likes typing that all out anyway? :)

- eval command
The “eval” command allows an analyst to evaluate a line of ruby, this is extremely powerful to anyone that knows ruby. Note that all the variables and methods I’ve written for nsm-console are available for use with eval also. Here are two examples:

nsm> eval 9 * 6
=> 54

nsm> eval m = get_mod_by_name("aimsnarf"); puts m.get_commands
=> aimsnarf -r ${PCAP_FILE} > ${OUTPUT_DIR}/${OUTPUT_FILE}

- Better tab completion
I added things like “PCAP_FILE” and “OUTPUT_DIR” to the list of tab-completed words, there is a much larger list now. (If you really want a list you can use: “eval puts $tabstrings” to print them all out)

- encode/decode commands
Here are the two commands I think a lot of packet analysts are going to find extremely useful. They allow someone to easily translate from one encoding to a different encoding. Rather than explain with text, let me show you a screenshot:

[Screenshot: the encode and decode commands in use, with the list of supported formats]

Right now encode and decode support a handful of formats (see the screenshot for the list), but I’m hard at work on many more formats to encode and decode. Thanks go to Geek00l, who gave me the idea for this feature (especially how it would be useful in something like this). This should allow for quicker analysis, since inline encoding and decoding becomes much easier to perform. Take a look at the TODO file in the tarball and let me know if there is an encoding missing that should be available.
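As an added illustration that is not nsm-console’s own code, here is a small Ruby encode/decode dispatcher of the kind the commands above provide. Which formats the 0.3 release actually supports is only visible in the screenshot, so the set here (hex, base64, url, rot13, binary) is an assumption. The part worth keeping when you decode untrusted packet payloads is the strictness: malformed hex or base64 raises instead of silently returning partial bytes.

```ruby
# Added example, not code from nsm-console. Formats supported here are an
# assumption; the real command's list is in the release screenshot.
require 'base64'
require 'cgi'

module Codec
  FORMATS = %w[hex base64 url rot13 binary].freeze

  # Encode +data+ (a String of raw bytes) into +format+.
  def self.encode(format, data)
    case format
    when 'hex'    then data.unpack1('H*')
    when 'base64' then Base64.strict_encode64(data)
    when 'url'    then CGI.escape(data)
    when 'rot13'  then data.tr('A-Za-z', 'N-ZA-Mn-za-m')
    when 'binary' then data.unpack1('B*')
    else raise ArgumentError, "unknown format: #{format}"
    end
  end

  # Decode +text+ from +format+ back to raw bytes. Malformed input raises
  # ArgumentError rather than returning a truncated or padded result.
  def self.decode(format, text)
    case format
    when 'hex'
      clean = text.delete(" \n")
      unless clean =~ /\A(?:[0-9a-fA-F]{2})*\z/
        raise ArgumentError, 'hex: odd length or non-hex digit'
      end
      [clean].pack('H*')
    when 'base64'
      Base64.strict_decode64(text) # raises ArgumentError on bad padding/characters
    when 'url'    then CGI.unescape(text)
    when 'rot13'  then encode('rot13', text) # rot13 is its own inverse
    when 'binary'
      unless text.length % 8 == 0 && text =~ /\A[01]*\z/
        raise ArgumentError, 'binary: not a multiple of 8 bits, or non-binary digit'
      end
      [text].pack('B*')
    else raise ArgumentError, "unknown format: #{format}"
    end
  end

  # Peel several layers in order, outermost first: %w[url base64] handles a
  # payload that was base64-encoded and then URL-encoded for transport.
  def self.decode_chain(formats, text)
    formats.reduce(text) { |acc, f| decode(f, acc) }
  end
end

if __FILE__ == $0
  puts Codec.encode('hex', 'GET /')
  puts Codec.decode_chain(%w[url base64], 'YQ%3D%3D').inspect
end
```

decode_chain is the case that comes up most when pulling strings out of HTTP captures: the payload is rarely encoded just once, and running the layers in the wrong order is the usual mistake.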

- Licensing
NSM-Console is now released under the LGPL version 2.1 license; you can read the license agreement in the LICENSE file or online here.

- Bugfixes
Whitespace handling fixes, better handling of commands not found, category reading fix and many more :)

- Code cleanup and organization
Cleanup is always good.

See the CHANGELOG file for more detail about what has changed. The TODO file lists features that I am currently working on. If you aren’t sure what nsm-console is, I recommend you watch the screencast I recently created.

As always, I welcome any feedback, comments, criticism, support and patches.

Network traffic IP Location aggregator (iploc)
http://writequit.org/blog/2007/12/14/network-traffic-ip-location-aggregator-iploc/
Fri, 14 Dec 2007 20:17:47 +0000

Have you ever been looking through your pcap files (or live captures) and wondered where all the traffic was coming from (or going to)? I have! Well, I’ve written a small (< 150 lines) script to aggregate all of the packet source addresses into a neatly separated CSV (comma-separated values) file. Each line contains:

<ip address>,<country>,<city and state>,<latitude>,<longitude>,<packet count>

First off, get the script here.

It requires ruby-pcap and wget (like most of the Ruby scripts I write :P). For each unique IP address the script queries the hostip.info database and stores the result in a temp file. If the IP is already in the script’s list, it won’t query for the information again (to save time and bandwidth).

iploc can either run in live capture mode, or read from a pcap file. Here’s how you would run it live:

./iploc -i eth0 >> output.csv

iploc will run until it receives a CTRL-C, at which point it will aggregate the data and dump it to STDOUT. Alternatively, you can read from a pcap file like this:

./iploc -r ~/data.pcap >> output.csv

Here’s an example of what the CSV file looks like after being opened in Numbers (or Excel):

[Screenshot: iploc CSV output opened in a spreadsheet]

Since it’s a CSV file, it should be easy to parse for any other program. I’m planning on hopefully writing another program to take out the latitude/longitude and plot the points on a map (for a more visual representation).
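The per-IP counting, one-query-per-address cache and CSV output described above, written out as an added Ruby example that is not the iploc script itself. It stands in for ruby-pcap and the wget call with a constructed list of source addresses and constructed hostip.info replies, so it runs offline; the reply layout it parses (Country/City/Latitude/Longitude lines) is assumed from the hostip get_html.php API as it was at the time. One practical point it shows: the “city and state” field contains a comma, so the row has to be quoted, which is why the CSV library is used rather than a plain join.

```ruby
# Added example, not the iploc script. Input and hostip replies are constructed.
require 'csv'

# Parser for the assumed hostip.info "get_html.php?ip=...&position=true" text
# reply: one "Key: value" per line. Unknown addresses carry no Latitude/Longitude.
def parse_hostip(body)
  fields = {}
  body.each_line do |line|
    key, value = line.chomp.split(': ', 2)
    fields[key] = value if value
  end
  {
    country: fields.fetch('Country', 'Unknown'),
    city:    fields.fetch('City', 'Unknown'),
    lat:     fields['Latitude'],
    lon:     fields['Longitude'],
  }
end

# Caching lookup: the backend is hit at most once per unique IP, which is the
# "don't query again if the ip is already in the list" behaviour of the post.
class GeoLookup
  attr_reader :queries # number of real backend calls made

  # +backend+ is a callable taking an IP string and returning the reply body;
  # the real script used wget against the hostip.info web API.
  def initialize(backend)
    @backend = backend
    @cache = {}
    @queries = 0
  end

  def lookup(ip)
    @cache[ip] ||= begin
      @queries += 1
      parse_hostip(@backend.call(ip))
    end
  end
end

# +sources+ is an Enumerable of source-IP strings, which is what you would pull
# from each packet under ruby-pcap. Returns CSV text in the post's column order:
# ip,country,city and state,latitude,longitude,packet count (busiest first).
def aggregate_to_csv(sources, geo)
  counts = Hash.new(0)
  sources.each { |src| counts[src] += 1 }
  CSV.generate do |csv|
    counts.sort_by { |_, n| -n }.each do |ip, n|
      g = geo.lookup(ip)
      csv << [ip, g[:country], g[:city], g[:lat], g[:lon], n]
    end
  end
end

# Constructed replies in the assumed hostip format, for documentation-range IPs.
FAKE_HOSTIP = {
  '192.0.2.10'   => "Country: UNITED STATES (US)\nCity: Sugar Grove, IL\n" \
                    "Latitude: 41.7696\nLongitude: -88.4588\nIP: 192.0.2.10\n",
  '198.51.100.7' => "Country: (Unknown Country?) (XX)\nCity: (Unknown City?)\nIP: 198.51.100.7\n",
}.freeze

# Constructed packet source list: three packets from one host, one from another.
SAMPLE_SOURCES = %w[192.0.2.10 198.51.100.7 192.0.2.10 192.0.2.10].freeze

# Runs the sample through the aggregator; returns [csv_text, backend_queries].
def demo
  geo = GeoLookup.new(->(ip) { FAKE_HOSTIP.fetch(ip) })
  csv = aggregate_to_csv(SAMPLE_SOURCES, geo)
  [csv, geo.queries]
end

if __FILE__ == $0
  csv, hits = demo
  puts csv
  warn "#{hits} backend queries for #{SAMPLE_SOURCES.uniq.size} unique addresses"
end
```

Four packets from two hosts produce two backend queries, and the Sugar Grove row comes out as `"Sugar Grove, IL"` so a spreadsheet or a later parser does not split the city from the state.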

IPloc also supports BPF filters; just use it like you would tcpdump. For instance, if you only cared about HTTP data:

./iploc -i eth0 port 80 > output.csv

Questions? Leave me a comment below! Now go forth, and visualize your honeypot data! :)

P.S. Thanks to the hostip guys for having a really nice web api to get this data quickly.
