Ethereal
Results 1 to 10 of 10

Thread: Ethereal

  1. #1
    Senior Member
    Join Date
    May 2003
    Posts
    1,199

    Ethereal

    I am currently learning the ins and outs of ethereal, and was wondering if any of you guys had some experience with it. specifily Im trying to figure out which filters I should use to look for "out of the ordinary" traffic. I have found the filters for messaging programs and things like that, but im not too sure on which I should use if im looking for things like spyware, trojans, etc. From just looking at the packets I can tell that atleast one of our machines is infected, but the traffic was so blatently obvious that a monkey would have noticed it. Im trying to set a filter to look for the more "stealth" types of programs.

    any suggestions?
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Without coming up with some super long packet filter within Ethereal or by starting it using a similarly long BPF, (Berkley Packet Filter), statement both of which would have to be refined to fit your specific network's traffic patterns there isn't much you could be helped with.

    I would strongly recommend a Snort install on the same box you are using the Ethereal on and implement the Bleeding Snort Malware ruleset here or better yet, (more "rules"), implement this, which I have found in the last few days to be an elegant solution to spyware.... My Bleeding Snort Malware rules have gone all silent since I implemented it.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    check the manual!

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Jebu:

    Once again, please, enlighten us with you knowledge and experience:-

    What BPF filter would you use on XTC46's network to locate the unknown spyware? Please be precise.....

    Or STFU.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    Senior Member
    Join Date
    Dec 2004
    Posts
    137
    Hi. I have used ethereal to mostly troubleshoot tricky user login problems. My experience with it is limited.

    But, what I sometimes do is run it overnight and filter out all internal destinted traffic and look at what it caught the next morning. Usually some very usual broadcast traffic. I don't know if this helps or gives you some ideas.

    RY

  6. #6
    okYE. that waz like real lame.

  7. #7
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    thanks for the tips guys, im loading SNORT tomorrow. I have been using ethereal becasue i use it for wireless stuff also. I like the idea of filtering out inbound traffic. that would cut back alot of stuff. So far I like the program. Im also messing with airsnort, and Sniffer. ethereal seems to be the easiest to use for plain capturing.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  8. #8
    Senior Member
    Join Date
    Jan 2005
    Posts
    100
    Hello-

    Another tool you may wish to consider - depending on what you want to do, would be Hping. This tool is for packet crafting and manipulation. Per SANS: "It can be utilized for creating packets during audits to test firewalls and other network devices. It also functions as a network performance tester and a host availability checker. Hping allows you to modify the packet to fit your needs." It can handle manipulation on packet body and size, and fragmentation.

    Here's the link (just confirmed too): http://www.hping.org/download.html

    Tiger Shark - thanks for the info on the Bleeding Snort Malware ruleset didn't know about that. Woo-hoo! I can learn - and not just from pictures!

    Also a question back to the group - any experiences of TCPDump vs. Ethereal?

    TIA.
    \"An ant may well destroy a whole dam.\" - Chinese Proverb
    \"Not only can water float a craft, it can sink it also.\" - Chinese Proverb

    http://www.AntiOnline.com/sig.php?imageid=764

  9. #9
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Let me second the suggestion Tiger made recommending Bleeding Snort Malware rules on Snort. I have them deployed and they are great in helping detect spyware infected PCs.

    Also, I use a script to update the rules on a daily basis at night. It actually does many things:
    1) Kills Snort process
    2) Archives up the alert log file
    3) Downloads latest Bleeding Snort Malware rules
    4) Downloads other snort rules from snort.org (which wont be free for much longer)
    5) Restarts Snort

    May not be the most elegant script but it works. I'm of course, open to any suggestions on improving it if anyone sees anything.

    Here it is, in case you're interested....
    LOG_PATH=/var/log/snort

    # Date format: Year-month-day.Hour-Minute-Second
    DATE=`/bin/date "+%Y%m%d"`

    # Where to store the backup Tarball
    BACKUP_PATH=/var/log/snort

    #Unique Name for backup file
    BACKUP_FILE=snort-alerts.$DATE

    #Location of comon progs
    RM=/bin/rm
    #TAR=/bin/tar
    MV=/bin/mv
    LS=/bin/ls
    GREP=/bin/grep
    AWK=/bin/awk
    GZIP=/bin/gzip


    # main


    #**********
    # kill snort process
    killall snort
    #**********


    #**********
    # archives alert file

    # gzip alert file
    $GZIP $LOG_PATH/alert
    $MV $LOG_PATH/alert.gz $BACKUP_PATH/$BACKUP_FILE.gz

    # recreate alert file
    touch $LOG_PATH/alert
    #**********


    #**********
    # updates bleeding malware rules
    cd /root

    # remove existing files
    rm bleeding*

    # get new files
    wget www.bleedingsnort.com/bleeding-malware.rules
    wget www.bleedingsnort.com/bleeding-virus.rules
    wget www.bleedingsnort.com/bleeding-p2p.rules
    wget www.bleedingsnort.com/bleeding-exploit.rules

    # copy rules --update if newere
    cp -u -c *.rules /rules/snort/

    # fix permissions
    chmod +rwx /rules/snort/bleeding*
    #**********


    #**********
    # update all other rules
    # remove existing rules temp dir
    rm -f rules/* | rmdir rules

    # get new rules
    wget http://www.snort.org/dl/rules/snortr...CURRENT.tar.gz

    # unzip rules
    gzip -d snortrules-snapshot-CURRENT.tar.gz
    tar -xf snortrules-snapshot-CURRENT.tar

    # copy new rules into production
    cp rules/* /rules/snort
    #**********


    #**********
    # restart snort
    # restart snort process
    /usr/local/bin/snort -N -D -A fast -y -c /etc/snort/snort.conf -i eth1
    #**********

  10. #10
    Junior Member
    Join Date
    Mar 2005
    Posts
    8
    Originally posted here by KuiXing-2005
    Also a question back to the group - any experiences of TCPDump vs. Ethereal?

    TIA.
    I personally like Ethereal better. My experiences with TCPDump are mostly positive, but the "Follow the TCP Stream" for Ethereal is great. I think TCPDump has the same functionality, but reasons unbeknownst to me... Ethereal just seems to work better for my purposes... at work and at play.
    Omnipotent 0689, MCSE, CCNA
    -- Without Information Assurance, where would we be? --

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •