Don't flame me for the lack of creativity with this page. Let's call it a rough draft for now.


Example script to tail a growing pcap (tcpdump) file:

Script: here

Problem to be solved: I had a tcpdump command writing to a pcap file. I wanted to extract very specific information out of the file and keep it running in tail mode. I couldn't find any examples of how to do this, so I figured out through a little trial-and-error. The NetPacket modules are very handy and let you decode ICMP, TCP, and UDP traffic also.


Example script to parse nmap XML output:

Ever wondered what to do with the XML output of an NMAP scan? Me too.

Until I realized that you can easily parse it with a Perl module named NMAP::Parser. You can do all sorts of really good stuff with this module. The module allows you to call NMAP directly with the options you specify and start parsing the XML output. It allows you to specify a callback function that is called directly when an nmap condition occurs. This could be useful if you have a scan that takes a long time to run, but want to kick off other scanning activities when it immediately detects an open port on a machine.

The URL for the module is: http://search.cpan.org/~apersaud/Nmap-Parser/Parser.pm

I have a simple script that takes an XML filename on the command line and prints a list of all machines with TCP 139 and 445 open. It also calculates the total number of open hosts and total number of open TCP ports at the same time. Here is the example script: parse-nmap-xml.pl

I have already used this parser to roll a custom scanning program that needed exact conditions from an NMAP scan to occur. I found it was much easier to call NMAP directly without dealing with output files and ugly grep syntax. Let me know if you write something cool with this module.


Tools for the Snort Back Orifice pre-processor buffer overflow:

I have developed a standalone tool that can identify exploit attempts against this vulnerability. This tool is necessary because all of the traffic exploiting the vulnerability is encrypted with the Back Orifice encryption (which the tool decrypts). Note that the tool uses some functions from Snort (the fixed version!).

You can run this tool in two modes: sniffing the network (which requires root privileges) or reading in a previously saved pcap file (which doesn't require root).

I've been fairly careful to avoid security problems in this code, but you never know. If you want to be paranoid, or just don't trust my code, sniff your network with tcpdump and the filter: "udp and udp[4:2] >= 1032 and not port 31337". Then you can post process the pcap file with my tool looking for exploit attempts.

The compilation instructions are in the header of the file.
Code here: ident-snort-bo-exploit.c
Example alert: alert.txt

Here is a pcap file that will trigger the tool. You can use tcpreplay to play it again. If you want to edit the source/destination IP addresses, use the excellent tool Netdude.

Here is a Snort signature to detect the attack:

alert udp any !31337 <> any !31337 ( \
msg: "BLEEDING-EDGE EXPLOIT Snort Back Orifice pre-processor buffer overflow attempt"; \
dsize: >1024; \
content:"|ce 63 d1 d2 16 e7 13 cf|"; \
offset: 0; \
depth: 8; \
threshold: type limit, track by_dst, count 1, seconds 60; \
classtype: attempted-admin; \
sid: 3000001; \
rev:1; \
)