Sunday, August 11, 2013

IDS alert analysis

Today I was going through my IDS logs and found something suspicious.

The following are the steps I took to establish that the alerts were benign.

I looked at the alert payload, but nothing stood out. So I wanted to know how I had ended up talking to that IP, and grepped for it in my proxy logs. It was immediately clear that I had been downloading some ISO files from it.

Now to prove that the timing matched:

The first field in the proxy log is the Unix epoch time. I converted it (1374814496.635) with date -d @1374814496.635 +"%d-%m-%Y %T %z" to verify, which gives "26-07-2013 10:24:56 +0530".
The second field is the time the download took, in milliseconds: "1330675". Since epoch time counts seconds, I divided by 1000 to get approximately 1330 seconds and added that to the epoch time above, giving an end time of 1374815826, which translates to "26-07-2013 10:47:06 +0530".

This shows that the alerts fell well within the download window; the IDS was bound to trip on some byte pattern inside the ISO, which is obviously a false positive.  Case closed.
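The same check, scripted, as an added example that is not part of the original post: parse the proxy log's epoch and duration fields, compute the download window, and test whether each IDS alert timestamp falls inside it. The proxy log line and the alert timestamps are constructed (the first two fields reuse the values from the post).

```python
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))  # the +0530 offset seen in the post's date output

# Constructed proxy log line: field 1 is the epoch timestamp (seconds.ms), field 2 the
# elapsed download time in milliseconds, as in the post. The rest is filler.
PROXY_LINE = ("1374814496.635 1330675 10.0.0.5 TCP_MISS/200 734003200 GET "
              "http://mirror.example/ubuntu.iso - DIRECT/203.0.113.10 application/octet-stream")

def download_window(proxy_line):
    """Return (start, end) as UTC datetimes: start = field 1, end = start + field 2 ms."""
    fields = proxy_line.split()
    start = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
    end = start + timedelta(milliseconds=int(fields[1]))
    return start, end

def fmt_ist(dt):
    """Same layout as the post's date -d @... +"%d-%m-%Y %T %z", rendered in IST."""
    return dt.astimezone(IST).strftime("%d-%m-%Y %H:%M:%S %z")

def alerts_in_window(alert_epochs, proxy_line):
    """Map each IDS alert epoch to True when it lies inside the download window."""
    start, end = download_window(proxy_line)
    return {a: start <= datetime.fromtimestamp(a, tz=timezone.utc) <= end
            for a in alert_epochs}

if __name__ == "__main__":
    s, e = download_window(PROXY_LINE)
    # The post truncated 1330675 ms to 1330 s and got 10:47:06; keeping the
    # milliseconds gives 10:47:07, one second later.
    print("download ran", fmt_ist(s), "->", fmt_ist(e))
    # Constructed alert timestamps: one during the download, one well after it.
    for epoch, inside in alerts_in_window([1374815000, 1374816000], PROXY_LINE).items():
        when = fmt_ist(datetime.fromtimestamp(epoch, tz=timezone.utc))
        print(when, "inside the download" if inside else "OUTSIDE the download, look closer")
```

An alert that lands outside the window cannot be explained by the ISO transfer and deserves a second look.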

Monday, July 29, 2013

Error while loading shared libraries


On Ubuntu, when you get the error "error while loading shared libraries", first check whether the library it complains about is actually present on your system.

If it is, run the following command (the one shown in the image) and the error disappears. Note that the export only lasts for the current shell session.

export LD_LIBRARY_PATH=/usr/local/lib

Sunday, June 23, 2013

Synergy setup for my friend

This is the synergy client script which runs at the client end.

On the synergys (server) side, do the following:

synergys -a --config /etc/synergy.conf &

cat /etc/synergy.conf
section: screens

section: aliases

section: links
left = synergyc
right = synergys

section: options
screenSaverSync = false
keystroke(f12) = lockCursorToScreen(toggle)

Sunday, May 12, 2013

Edit a binary file in VI

Let us open a file in binary mode with the -b switch:

$ vi -b somefile.bin

Once inside the file, go to command mode and type :%!xxd. The % is a range meaning the whole buffer (every line), and !xxd filters that range through the xxd command, so the buffer is replaced by its hex dump.

Now navigate around and begin editing the HEX characters. When you are done, run :%!xxd -r to turn the hex dump back into binary before saving, otherwise you save the dump text instead of the file. Ahhhh, one picture is definitely worth a thousand words.

Sunday, April 21, 2013

View Unbilled usage in Airtel Internet

Log on to this website

After logging in you need to select your internet account: first click on "My account", then open the drop-down, then select your DSL connection.

Now select "My account".

On scrolling down we can see the unbilled usage.  If we need detailed usage, we can click on "Click here".

Friday, April 19, 2013

Startup script for gnome-terminal

Open the startup applications dialog in the GUI.

In that, click on ADD and then:

1. Give the startup script some name.
2. Give the command as shown:

gnome-terminal -x /bin/bash -c "ls"

3. Give whatever comment you want and save it.

Next time you log in with your credentials, a gnome-terminal will pop up out of nowhere and list all the files.  You can replace the ls command with whatever script you want :-D

One more thing: I did see the spawned shell get closed automatically as soon as the command finished. To prevent that we need to exec bash at the end, as shown.

$ gnome-terminal -e "bash -c \"echo foo; echo bar; exec bash\""

We can also start several sessions as tabs in one window with the following command:

gnome-terminal --tab --title="Listing" -e "bash -c \"ls; exec bash\"" --tab --title="cat example.txt" -e "bash -c \"cat example.txt; exec bash\""

Thursday, April 18, 2013

Chennai Property Tax

One of my acquaintances wanted to pay property tax online and approached me for help, thinking I could help; well, what do you know, after a bit of Google searching I was able to come up with this :-)

With this link you can enter the old data and get the new:

Zone Number:
Ward Number:
Bill No:
Sub No:

Sunday, April 14, 2013

Get page numbers of PDF files

This small script lists all PDF files in a folder along with the number of pages in each of them. The tool it calls (its path is cut off in the original) is nothing but the pdfid Python script, which counts the /Page keywords in the file.

PDFID=/path/to/pdfid.py   # placeholder: the original post's path was cut off; point this at the pdfid script
for f in *.pdf
do
    #echo "$f"
    # pdfid prints a line like " /Page   5"; cutting on the letter 'e' keeps the count after "/Page"
    pagenumber=$("$PDFID" "$f" | grep "Page" | cut -de -f2)
    echo "$f    $pagenumber"
done

1.pdf                 5
2.pdf                 6
3.pdf                 7
4.pdf                 8

Tuesday, February 19, 2013

Get a chunk of PCAP from a larger PCAP

One way of extracting the packets within a time constraint from a pcap:
#editcap -A "2013-02-19 05:19:00" -B "2013-02-19 05:21:00" Input.pcap output.pcap

Second method, using a read filter on the frame timestamp (the closing quote was missing in the original):

wireshark -r input.tcpdump -w output.tcpdump -R 'frame.time >= "Aug 15, 1990 00:00:00" && frame.time <= "Aug 15, 1990 00:01:00"'
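To show what editcap -A/-B is doing under the hood, here is an added example (not from the original post, and not Wireshark's code) that walks the pcap record headers and keeps only the records whose timestamp falls in the window. It handles the classic little-endian microsecond pcap format only; the sample capture is constructed in the script.

```python
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian, microsecond-resolution pcap

def build_pcap(packets):
    """Serialise (ts_sec, ts_usec, payload) tuples as a pcap file (used for constructed test data)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # version 2.4, linktype 1 = Ethernet
    recs = b"".join(struct.pack("<IIII", s, u, len(p), len(p)) + p for s, u, p in packets)
    return hdr + recs

def parse_local(text):
    """'YYYY-MM-DD HH:MM:SS' in local time -> epoch seconds, the way editcap reads -A/-B."""
    return time.mktime(time.strptime(text, "%Y-%m-%d %H:%M:%S"))

def slice_pcap(data, start, end):
    """Return (pcap bytes, count) keeping only records with start <= timestamp <= end (epoch seconds)."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x (little-endian microsecond pcap only)" % magic)
    out, kept, off = bytearray(data[:24]), 0, 24   # copy the global header unchanged
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        rec_end = off + 16 + incl_len
        if rec_end > len(data):
            raise ValueError("truncated record at offset %d" % off)  # never keep a partial packet silently
        if start <= ts_sec + ts_usec / 1e6 <= end:
            out += data[off:rec_end]
            kept += 1
        off = rec_end
    return bytes(out), kept

# Constructed capture: four tiny frames about a minute apart around 2013-02-19 05:19 to 05:21 UTC.
BASE = 1361251140  # 2013-02-19 05:19:00 UTC
SAMPLE = build_pcap([(BASE - 60, 0, b"\x00" * 14), (BASE + 10, 500000, b"\x01" * 14),
                     (BASE + 70, 0, b"\x02" * 14), (BASE + 130, 0, b"\x03" * 14)])

if __name__ == "__main__":
    sliced, n = slice_pcap(SAMPLE, BASE, BASE + 120)
    print("kept", n, "of 4 packets,", len(sliced), "bytes")
```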

Thursday, February 7, 2013

SSH client predefine your Source Port


I was actually searching for how to set my source port to a fixed value while SSHing to a server, and I found the way in this link.

This is all you need to do. ncat listens locally on port 2222 and, for each incoming connection, runs a second ncat that connects to SSH_SERVER_IP:22 with its source port forced to 443 (-p 443):

# ncat -l 2222 --sh-exec "ncat SSH_SERVER_IP 22 -p 443"

From another terminal you can see that port 2222 is listening on my system locally

# netstat -antulp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *               LISTEN      847/cupsd      
tcp        0      0  *               LISTEN      13219/ncat    

From another terminal I tried to ssh to my local machine on port 2222.

$ ssh bala@localhost -p 2222
bala@localhost's password:
Linux SSH_SERVER_IP 2.6.32-5

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

bala@SSH_SERVER_IP:~$ exit
Connection to localhost closed.

Before I closed the connection shown above, I ran this command from another terminal, which clearly shows that my source port is 443.

bala@bala-desktop:~$ ss | grep 22
ESTAB      0      0             SSH_SERVER_IP:22
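The same relay in plain sockets, as an added example that is not part of the original post and not ncat's code: a listener accepts a client, opens the upstream connection from a fixed source port (the -p 443 step), and pumps bytes both ways. The demo runs entirely on localhost with a fake upstream that simply echoes and reports the source port it saw, which is exactly what a server-side filter keyed on source port would match on; the port numbers are constructed, and an unprivileged port stands in for 443.

```python
import socket
import threading

def pump(src, dst):  # copy bytes src -> dst until EOF, then pass the EOF on
    while chunk := src.recv(4096):
        dst.sendall(chunk)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def relay_one(ln, target, source_port):
    """Accept one client on ln and relay it to target from a fixed source port (what ncat -p does)."""
    client, _ = ln.accept()
    ln.close()
    up = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    up.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    up.bind(("", source_port))  # the "-p 443" part: choose our own source port before connecting
    up.connect(target)
    back = threading.Thread(target=pump, args=(up, client))
    back.start()
    pump(client, up)
    back.join()
    client.close()
    up.close()

def demo(source_port=40443, listen_port=12222, upstream_port=12022):
    """Relay plus a fake upstream on localhost (constructed ports, no real SSH server).
    Returns (bytes echoed back to the client, source port the upstream observed)."""
    seen = {}
    def fake_upstream(ln):
        c, peer = ln.accept()
        seen["port"] = peer[1]   # the value a server-side source-port filter would match on
        c.sendall(c.recv(4096))  # echo one message, then hang up
        c.close()
    # socket.create_server binds with SO_REUSEADDR and listens, so both ports are ready before we connect
    workers = [threading.Thread(target=fake_upstream, args=(socket.create_server(("127.0.0.1", upstream_port)),)),
               threading.Thread(target=relay_one, args=(socket.create_server(("127.0.0.1", listen_port)),
                                                        ("127.0.0.1", upstream_port), source_port))]
    for w in workers:
        w.start()
    with socket.create_connection(("127.0.0.1", listen_port)) as cl:
        cl.sendall(b"SSH-2.0-probe\r\n")
        cl.shutdown(socket.SHUT_WR)
        data = b"".join(iter(lambda: cl.recv(4096), b""))
    for w in workers:
        w.join()
    return data, seen.get("port")
```

Binding a source port below 1024, as the post does with 443, needs root, which is why the demo uses 40443; the upstream side cannot tell the difference, which is the lesson for anyone relying on source-port allow rules.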