Monday, October 20, 2014

Changing Timezone in Wireshark


I don't think there is an outright method in wireshark to do it.  However you can set you TZ to some other value as described in this link

Get the list of TZ from here

Now start wireshark like so to start displaying Time in EST.  Note this works in GNU/Linux OS.  Not sure about other OS.

$ TZ='America/New_York' wireshark &

Friday, October 3, 2014

Ubuntu not discovering other OS on my friends computer

I got burned by Ubuntu not discovering other OS on my friends computer.  I found the answer in the link shown below.

All we need to do is include the following five lines under /boot/grub/grub.cfg #40 custom OS detections......

As always try to take backup before you screw up something real bad.

menuentry "Some Operating System (on /dev/sda1)" {
    insmod ntfs
    set root='(hd0,1)'
    chainloader +1

Saturday, August 2, 2014

PhotoRec looks promising for recovering files

Starting with GIT

Initializing giti init To initialize a Git repository
Checking the Status git status git status command to see what the current state of our project is
Adding git status
Git add octocat.txt
To check and add a file to git tracking mechanism.
Committing git commit -m “Add cute octocat story”
Adding All Changes git add '*.txt' Adding all *.txt files alone
Committing all git commit -m “Add all the octocat files” Now committing them.
History git log
Remote Repositories git remote add origin To push the changes of local repo to the server
Pushing Remotely git push -u origin master The -u is to remember origin and master, next time we can just do git push
Pulling Remotely git pull origin master
Difference git diff HEAD
Difference git add octocat/octodot.txt
Staged Difference git diff –staged
Resetting the Stage git reset ocotfamily/octodog.txt

git checkout – octodog.txt
Branching Out git branch clean_up

git checkout clean_up
Removing All The Things git rm '*.txt'

git commit -m “Remove all the cats”

git checkout master

git merge clean_up
Keeping things clean git branch -d clean_up Deleting the branch clean_up

git push

Monday, July 21, 2014

Strange words

flabbergast :surprise (someone) greatly; astonish.
Jibber Jabber: useless words, beating around the bush,

my chair my rules -> sella mea et praecepta mea(Latin)

Beaver - Rodent
wee-wee - a child's word for urine.
potty - a bowl used by small children as a toilet.
buck up - Be strong
intimidate - frighten or overawe (someone), especially in order to make them do what one wants.
obnoxious - extremely unpleasant.
caterwauling - (of a cat) make a shrill howling or wailing noise.
bitchy pills -
condescension - an attitude of patronizing superiority
subtle - making use of clever and indirect methods to achieve something.
defecate - discharge faeces from the body.
outright - wholly and completely.
cognitive - cognition - the mental action or process of acquiring knowledge and understanding through thought, experience, and the senses.
ipso facto - by that very fact or act.
subsume - include or absorb (something) in something else.
rankest - having a foul or offensive smell.
hogwash - nonsense.
preposterous - contrary to reason or common sense; utterly absurd or ridiculous.
pining - suffer a mental and physical decline, especially because of a broken heart.

Monday, June 16, 2014

Cesiumjs 3D Globe, 2.5D and 2D map

Here is the piece of html code which I have used download.

This is the video which I recorded after writing that piece of code.

Monday, June 9, 2014

Snort alert count on Google Earth


For a long time I wanted to know how could I plot the alerts which each snort sensor is generating on a Google Earth based on geographic location.  If this could be done I could see from which location on the globe am I getting lots of alerts from.


The solution to my problem was all in the power of KML file.


1. Have snort running on many places.
2. Have barnyard to log your alerts (Optional if you are using old version of snort).
3. The last three characters of your sensors should be named after the airport code. (For example: Chennai sensor name "SensorMAA").  If you are wondering how to get all airport codes stick around.
4. View the snort generated alerts using BASE (Since my mysql query will work only on the BASE generated mysql schema).
5. Be able to run my bash script on the server which runs your mysql server.
6. Of-course Google Earth.


Follow along there are a few steps.

1. Download the script and the support files as a zip from here.  The flow chart for creating the script is here.
2. Edit the file "GoogleEarth/Project/conf/mysql.cnf" to contain your IDS mysql credentials.
3. Run the file "GoogleEarth/Project/" like ./
4. Now Open the file "GoogleEarth/Project/Alerts.kml"
5. You could add to a cron job which runs every 5 minutes so that the bar height on Google Earth would get updated automatically.

If you think I am forgetting something you bet your correct, you can get all the airport codes from the file you downloaded. "GoogleEarth/Project/resource/airport_codes.csv"

Wednesday, May 7, 2014

Steps and Calories

Saturday, April 5, 2014

Network Forensics - PCAP analysis

How did it start ?

It all started in December of 2013 when I received an email via a mailing list that there is a Holiday challenge which they have created.   This is the link to the challenge.  This is the link to the solutions.

The reason for putting together a bash script was to make our life as network analyst a bit easier if an unknown PCAP is given to be analysed.  The script which I have created will give us a quick overview of what we can expect in the pcap.

Running the script
There are some prerequisite for running the script.
  1. Tcpdump should be installed and be in path.
  2. Tshark be installed and be in path.
  3. Snort be installed and be in path.
Running the script is as simple as[1] invoking the shellscript and passing the pcap file as the argument.  You can get the script by clicking here.

#./ sansholidayhack2013.pcap

Output file
There are two output files which will be created namely ip.csv and idsalert.txt

ip.csv - You can get the output file by clicking here.
1st column - List of all IP addresses in the PCAP.
2nd - List of all MAC gathered for the IP addresses in 1st column via ARP reply.
3rd - SYN connection attempted to various ports by 1st column.
4th - All listening TCP services of 1st column.
5th - All non-listening TCP services of 1st column.
6th - Open UDP ports (may give erroneous value).
7th - Domains resolved.
8th - HTTP useragent used by 1st column.

While opening the ip.csv, if you see that the rows are misaligned try these settings as shown in the screen shot. Remember to select Unicode (UTF-8), Comma and Text delimiter double quotes.

idsalert.txt - You can get the output file by clicking here.
This text file would show all the snort alerts generated for each IP considering it as its only HOME_NET. This is done as we don't know which is our HOME_NET to configure snort.