Wednesday, October 30, 2013
Sunday, August 11, 2013
IDS alert analysis
Today I was going through my IDS logs and found something suspicious.
The following are the steps I took to establish that the alerts were benign.
I looked inside the payload, and nothing was evident. So I wanted to know how I had ended up talking to the IP 130.239.18.142, and I grepped my proxy logs for that IP. In an instant I realized that I had been downloading some ISO files.
Now, to prove that the timing matches:
The first field in the proxy logs is the unix epoch time. I converted it (1374814496.635) using [date -d @1374814496.635 +"%d-%m-%Y %T %z"] to verify it: "26-07-2013 10:24:56 +0530"
The second field is the number of milliseconds the download took, "1330675". Since unix epoch time increments once per second, I had to get the seconds component by dividing that number by 1000, which gives approximately 1330, and add it to the epoch time above to get the total time of 1374815826, which translates to "26-07-2013 10:47:06 +0530".
This shows that the alerts fell well within the time of the download, and the IDS was bound to trip on whatever data happened to be inside the ISO file, which is obviously a false positive. Case closed.
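The same check done in code, as an added example that is not part of the original post: it reads a constructed squid-style proxy line carrying the post's timestamp, duration and destination IP, computes the download window the same way (start + duration_ms/1000), and reports which of a set of constructed alert timestamps fall inside it. The alert timestamps, the log fields other than the three quoted in the post, and the second destination IP are all invented for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed squid access.log line. The epoch time (field 1), duration in
# milliseconds (field 2) and destination IP are the values quoted in the post;
# every other field is made up for this example.
PROXY_LINE = (
    "1374814496.635 1330675 10.0.2.15 TCP_MISS/200 734003200 GET "
    "http://130.239.18.142/iso/example.iso - DIRECT/130.239.18.142 application/octet-stream"
)

# Constructed IDS alerts: (epoch seconds, destination IP, signature name).
# The post does not list its alert timestamps, so these are invented.
ALERTS = [
    (1374815000, "130.239.18.142", "constructed-signature-A"),
    (1374815800, "130.239.18.142", "constructed-signature-B"),
    (1374816200, "130.239.18.142", "constructed-signature-C"),
    (1374815100, "192.0.2.10", "constructed-signature-D"),  # unrelated destination
]

IST = timezone(timedelta(hours=5, minutes=30))  # the +0530 zone used in the post


def fmt(epoch):
    """Render an epoch timestamp the way `date -d @... +"%d-%m-%Y %T %z"` does, in IST."""
    return datetime.fromtimestamp(epoch, IST).strftime("%d-%m-%Y %H:%M:%S %z")


def download_window(line):
    """Return (dest_ip, start, end) for a squid access.log line.

    Field 1 is the request time in epoch seconds and field 2 is how long the
    request took in milliseconds, so the transfer ran from start to
    start + duration/1000. Field 9 is hierarchy/destination, e.g. DIRECT/1.2.3.4.
    """
    fields = line.split()
    start = float(fields[0])
    duration_s = int(fields[1]) / 1000
    dest_ip = fields[8].split("/", 1)[1]
    return dest_ip, start, start + duration_s


def classify(alerts, line):
    """Split the alerts aimed at the proxy line's destination into those that
    fired during the download (explained by it) and those that did not."""
    dest_ip, start, end = download_window(line)
    inside, outside = [], []
    for ts, ip, sig in alerts:
        if ip != dest_ip:
            continue  # a different destination cannot be explained by this download
        (inside if start <= ts <= end else outside).append((ts, sig))
    return inside, outside


if __name__ == "__main__":
    dest, start, end = download_window(PROXY_LINE)
    print(f"download from {dest}: {fmt(start)} -> {fmt(end)}")
    inside, outside = classify(ALERTS, PROXY_LINE)
    for ts, sig in inside:
        print(f"  benign (fired during download): {fmt(ts)} {sig}")
    for ts, sig in outside:
        print(f"  NOT explained by the download:  {fmt(ts)} {sig}")
```

The post's arithmetic drops the fractional parts and lands on 1374815826; keeping the fractions gives an end time about a second later, which is why anything that fires only at the edge of the window deserves a second look rather than an automatic "benign". Alerts to the same destination outside the window, or to other destinations, are not explained by the ISO download and still need their own investigation.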
Monday, July 29, 2013
Sunday, June 23, 2013
Synergy setup for my friend
This is the synergy client script which runs at the client end.
On the synergys (server) side, do the following:
synergys -a 127.0.0.1 --config /etc/synergy.conf &
cat /etc/synergy.conf
section: screens
    synergys:
    synergyc:
end
section: aliases
    synergyc:
        127.0.0.1
end
section: links
    synergys:
        left = synergyc
    synergyc:
        right = synergys
end
section: options
    screenSaverSync = false
    keystroke(f12) = lockCursorToScreen(toggle)
end
Sunday, May 12, 2013
Edit a binary file in VI
Let us edit a file in binary mode with the -b switch:
$ vi -b somefile.bin
Once inside the file, go to command mode and type the following. I am not sure what the % is for; however, !xxd runs the xxd command.
:%!xxd
Now navigate around and begin editing the hex characters. (The % is the range covering every line, so the whole buffer was piped through xxd; run :%!xxd -r to convert the hex dump back into binary before saving, otherwise the file is written out as hex text.) Ahhhh, one picture is definitely worth a thousand words.
Sunday, April 21, 2013
View Unbilled usage in Airtel Internet
Log on to this website https://ebpp.airtelworld.com/myaccount/
After logging in you need to select your internet account: first click on "My account", then the drop-down, then select your DSL connection.
Friday, April 19, 2013
Startup script for gnome-terminal
http://www.linuxquestions.org/questions/linux-general-1/run-command-in-new-gnome-terminal-185216/
Open the startup applications dialog from the GUI with:
gnome-session-properties
In it, click on ADD and then:
1. Give the startup script a name.
2. Give the command as shown:
gnome-terminal -x /bin/bash -c "ls"
3. Give whatever comment you want and save it.
Next time you log in with your credentials, a gnome-terminal will pop up out of nowhere and list all the files. You can replace the list command with whatever script you want :-D
One more thing: I did see the spawned shell getting closed automatically. To prevent that we need to exec bash at the end, as shown. Ref(http://stackoverflow.com/questions/3512055/avoid-gnome-terminal-close-after-script-execution)
$ gnome-terminal -e "bash -c \"echo foo; echo bar; exec bash\""
We can also start several sessions in multiple tabs with the following command:
gnome-terminal --tab --title="Listing" -e "bash -c \"ls; exec bash\"" --tab --title="cat example.txt" -e "bash -c \"cat example.txt; exec bash\""
Thursday, April 18, 2013
Chennai Property Tax
One of my acquaintances wanted to pay property tax online and approached me for help, thinking I could help; well, what do you know, after a bit of Google searching I was able to come up with this :-)
http://www.chennaicorporation.gov.in/online-civic-services/ptbillSearch.do?do=getOldLoad
With this link you can enter the old details and get the new ones:
Zone Number:
Ward Number:
Bill No:
Sub No:
Sunday, April 14, 2013
Get page numbers of PDF files
This small script would list all PDF files in a folder along with the number of pages in each one of them.
a.py is nothing but the pdfid python script.
#!/bin/bash
# List every PDF in the current folder with its page count as reported by pdfid.
# pdfid prints a line such as " /Page   5"; take the count from that line only,
# so that /Pages (the page-tree node) is not matched by accident.
for f in *.pdf
do
    pagenumber=$(/usr/bin/a.py "$f" | awk '$1 == "/Page" {print $2}')
    echo "$f $pagenumber"
done
1.pdf 5
2.pdf 6
3.pdf 7
4.pdf 8
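What pdfid is doing behind that one-line script, as an added example that is not pdfid's code or the original post's: a small name-token counter over a constructed PDF body. It tokenises names rather than grepping for the substring "Page", so /Page and /Pages are kept apart, and it resolves #xx hex escapes (pdfid does the same canonicalisation) so a page object written as /#50age is still counted. The SAMPLE_PDF bytes and the INTERESTING list are constructed for the example.

```python
import re
import sys
from collections import Counter
from pathlib import Path

# Constructed minimal PDF body (not a real file from the post). It holds three
# page objects, one of them spelled /#50age (the hex-escaped form of /Page),
# plus /Pages twice (catalog entry and page-tree node) and one /AA action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R 4 0 R 5 0 R] /Count 3 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /#50age /Parent 2 0 R >> endobj
5 0 obj << /Type /Page /Parent 2 0 R /AA << /O 6 0 R >> >> endobj
%%EOF
"""

# A PDF name starts with '/' and runs until whitespace or a delimiter character.
NAME_RE = re.compile(rb"/([^\s/<>\[\]()%{}]*)")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names worth reporting alongside /Page when triaging a PDF (constructed subset
# of the keywords pdfid tracks).
INTERESTING = (b"Page", b"JS", b"JavaScript", b"AA", b"OpenAction", b"Launch", b"EmbeddedFile")


def canonical(name):
    """Resolve #xx escapes so /#50age and /Page count as the same name."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), name)


def count_names(data):
    """Count every name token in the file, keyed by its canonical spelling."""
    return Counter(canonical(m.group(1)) for m in NAME_RE.finditer(data))


def summarize(data):
    """Return {name: count} for the interesting names, like pdfid's keyword table."""
    counts = count_names(data)
    return {n.decode(): counts.get(n, 0) for n in INTERESTING}


def report_dir(folder):
    """Print '<file> <page count>' per PDF, the same output as the shell loop above."""
    for path in sorted(Path(folder).glob("*.pdf")):
        print(path.name, summarize(path.read_bytes())["Page"])


if __name__ == "__main__":
    print(summarize(SAMPLE_PDF))
    if len(sys.argv) > 1:
        report_dir(sys.argv[1])
```

On the sample, a plain substring search for "/Page" returns 4 (it swallows both /Pages and misses the escaped one), while the tokeniser returns the 3 real page objects. Like pdfid, this counts keyword occurrences in the raw bytes; names inside compressed object streams are invisible to it, so a low count is a hint, not proof.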
Tuesday, February 19, 2013
Get a chunk of PCAP from a larger PCAP
One way of extracting the packets that fall within a time window from a pcap:
# editcap -A "2013-02-19 05:19:00" -B "2013-02-19 05:21:00" Input.pcap output.pcap
Second method:
wireshark -r input.tcpdump -w output.tcpdump -R 'frame.time >= "Aug 15, 1990 00:00:00" && frame.time <= "Aug 15, 1990 00:01:00"'
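The same slicing done by hand on the classic pcap format, as an added example that is not part of the original post and not editcap's code: it parses the 24-byte global header and each 16-byte record header, keeps the records whose timestamp lies in the window (both ends inclusive, as with editcap -A/-B), and writes them back under the original global header. Unlike editcap, which interprets -A/-B in local time, the window here is given in UTC explicitly. The capture is constructed in memory; only plain pcap (microsecond or nanosecond magic), not pcapng, is handled.

```python
import struct
from datetime import datetime, timezone

MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D  # pcap variant with nanosecond timestamps
GLOBAL_HDR_LEN = 24
REC_HDR_LEN = 16


def _layout(magic_bytes):
    """Return (struct endianness prefix, seconds per fractional unit) from the magic."""
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", magic_bytes)[0]
        if magic == MAGIC_USEC:
            return endian, 1e-6
        if magic == MAGIC_NSEC:
            return endian, 1e-9
    raise ValueError("not a pcap file (bad magic)")


def iter_records(data):
    """Yield (timestamp in seconds, raw record) for each packet record.
    The raw record is the 16-byte header plus captured bytes, so it can be
    copied to an output file unchanged. Truncated input raises ValueError."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated global header")
    endian, unit = _layout(data[:4])
    rec_hdr = struct.Struct(endian + "IIII")  # ts_sec, ts_frac, incl_len, orig_len
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if off + REC_HDR_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, _orig_len = rec_hdr.unpack_from(data, off)
        end = off + REC_HDR_LEN + incl_len
        if end > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        yield ts_sec + ts_frac * unit, data[off:end]
        off = end


def slice_pcap(data, start, end):
    """Keep packets with start <= timestamp <= end and return a new pcap
    that reuses the input's global header."""
    out = bytearray(data[:GLOBAL_HDR_LEN])
    for ts, rec in iter_records(data):
        if start <= ts <= end:
            out += rec
    return bytes(out)


def packet_times(data):
    return [ts for ts, _ in iter_records(data)]


def utc(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as UTC and return epoch seconds."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def build_sample_pcap(times, payload=b"\x00" * 60):
    """Constructed little-endian, microsecond pcap (linktype 1 = Ethernet) with
    one placeholder packet per timestamp; the payload bytes are dummies."""
    buf = bytearray(struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1))
    for t in times:
        sec = int(t)
        usec = int(round((t - sec) * 1e6))
        buf += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return bytes(buf)


# Constructed capture: five packets around the two-minute window in the post.
SAMPLE_TIMES = [utc(t) for t in ("2013-02-19 05:18:30", "2013-02-19 05:19:00",
                                  "2013-02-19 05:20:30", "2013-02-19 05:21:00",
                                  "2013-02-19 05:21:30")]
SAMPLE_PCAP = build_sample_pcap(SAMPLE_TIMES)

if __name__ == "__main__":
    chunk = slice_pcap(SAMPLE_PCAP, utc("2013-02-19 05:19:00"), utc("2013-02-19 05:21:00"))
    print(len(packet_times(SAMPLE_PCAP)), "packets in,", len(packet_times(chunk)), "packets kept")
```

To use it on a real file, read the bytes, call slice_pcap with the two epoch values and write the result out; because the records are copied byte for byte, the output opens in Wireshark exactly as the editcap output would.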
Thursday, February 7, 2013
SSH client predefine your Source Port
Hi
I was actually searching for how I can set my source port to some fixed value while SSHing to a server, and I found the way in this link:
http://www.linuxforums.org/forum/security/182001-how-do-i-specify-source-port-ssh-client.html
This is all that you would be required to do:
# ncat -l 2222 --sh-exec "ncat SSH_SERVER_IP 22 -p 443"
From another terminal you can see that port 2222 is listening on my system locally
# netstat -antulp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 847/cupsd
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 13219/ncat
From another terminal I tried to ssh to my local machine on port 2222.
$ ssh bala@localhost -p 2222
bala@localhost's password:
Linux SSH_SERVER_IP 2.6.32-5
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
bala@SSH_SERVER_IP:~$ exit
logout
Connection to localhost closed.
bala@bala-desktop:~$
Before I closed the connection shown above, I ran this command from another terminal, which clearly shows my source port to be 443.
bala@bala-desktop:~$ ss | grep 22
ESTAB 0 0 10.0.2.15:https SSH_SERVER_IP:22
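What the ncat pair is doing, as an added example that is not part of the original post and not ncat's code: a local listener accepts a client (the `ssh -p 2222` step) and opens the upstream connection from a fixed source port by calling bind() before connect(), which is all that `-p 443` does. The demo runs entirely on loopback: an echo server stands in for the SSH server and reports the peer port it saw. Port 40443 is used instead of 443 because binding a port below 1024 needs root; the server and listener ports are ephemeral. For anyone writing firewall rules, the point worth remembering is that a source port is chosen freely by the client, so a rule that trusts traffic because it comes from port 443 provides no protection at all.

```python
import socket
import threading


def connect_from_port(host, port, source_port):
    """Open a TCP connection to host:port from a fixed local source port,
    the equivalent of `ncat SSH_SERVER_IP 22 -p 443`."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # tolerate TIME_WAIT from a previous run
    s.bind(("", source_port))
    s.connect((host, port))
    return s


def pump(src, dst):
    """Copy bytes from src to dst until src closes, then shut dst's write side."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_once(listener, target, source_port):
    """Accept one client on listener and splice it to target, connecting out
    from source_port; this is `ncat -l 2222 --sh-exec "ncat ... -p 443"` for one client."""
    client, _ = listener.accept()
    upstream = connect_from_port(target[0], target[1], source_port)
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def demo(source_port=40443):
    """Loopback demonstration. A stand-in for the SSH server echoes what it
    receives and records the peer port it saw; returns (peer_port, echoed_bytes)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))  # ephemeral port stands in for port 22
    server.listen(1)
    seen = {}

    def serve():
        conn, addr = server.accept()
        seen["port"] = addr[1]  # the source port the "SSH server" observes
        conn.sendall(conn.recv(4096))
        conn.close()

    threading.Thread(target=serve, daemon=True).start()

    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # stands in for `ncat -l 2222`
    listener.listen(1)
    threading.Thread(target=relay_once,
                     args=(listener, server.getsockname(), source_port), daemon=True).start()

    client = socket.create_connection(listener.getsockname())  # stands in for `ssh -p 2222`
    client.sendall(b"SSH-2.0-demo\r\n")  # constructed banner, not a real handshake
    client.shutdown(socket.SHUT_WR)
    reply = b"".join(iter(lambda: client.recv(4096), b""))
    client.close()
    listener.close()
    server.close()
    return seen["port"], reply


if __name__ == "__main__":
    port, reply = demo()
    print("server saw source port", port, "and echoed", reply)
```

On the defending side, the `ss | grep 22` check in the post is the useful habit: an established session whose local port is a well-known service port but whose process is not that service is exactly the kind of mismatch a host-based inventory should flag.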