
Thread: Ethereal

  1. #1
    Senior Member (Join Date: May 2003, Posts: 1,199)

    Ethereal

    I am currently learning the ins and outs of Ethereal, and was wondering if any of you guys had some experience with it. Specifically, I'm trying to figure out which filters I should use to look for "out of the ordinary" traffic. I have found the filters for messaging programs and things like that, but I'm not too sure which I should use if I'm looking for things like spyware, trojans, etc. From just looking at the packets I can tell that at least one of our machines is infected, but the traffic was so blatantly obvious that a monkey would have noticed it. I'm trying to set a filter to look for the more "stealth" types of programs.

    Any suggestions?
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  2. #2
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    Without coming up with some super long packet filter within Ethereal, or by starting it using a similarly long BPF (Berkeley Packet Filter) statement, both of which would have to be refined to fit your specific network's traffic patterns, there isn't much you could be helped with.

    I would strongly recommend a Snort install on the same box you are using Ethereal on, and implement the Bleeding Snort Malware ruleset here or, better yet (more "rules"), implement this, which I have found in the last few days to be an elegant solution to spyware.... My Bleeding Snort Malware rules have gone all silent since I implemented it.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    check the manual!

  4. #4
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    Jebu:

    Once again, please enlighten us with your knowledge and experience:

    What BPF filter would you use on XTC46's network to locate the unknown spyware? Please be precise.....

    Or STFU.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member (Join Date: Dec 2004, Posts: 137)
    Hi. I have used Ethereal mostly to troubleshoot tricky user login problems. My experience with it is limited.

    But what I sometimes do is run it overnight, filter out all internally destined traffic, and look at what it caught the next morning. Usually some very usual broadcast traffic. I don't know if this helps or gives you some ideas.

    RY
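Taking RY's approach one step further: once internal-to-internal and inbound traffic are filtered out, the "stealth" programs XTC46 asked about tend to stand out not by volume but by regularity, because a beacon to its controller fires on a timer. The script below is an added example, not code from this thread. It assumes text output from `tcpdump -n -tt` (epoch timestamps, one SYN per outbound connection) and treats RFC 1918 addresses as "internal"; it groups outbound flows per internal host and destination port and reports how evenly spaced they are. The sample capture lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): rank outbound connections by regularity.
# Input: lines from `tcpdump -n -tt`, e.g.
#   1109512800.000000 IP 192.168.1.20.1034 > 203.0.113.7.443: Flags [S], ...
# Assumption: RFC 1918 space is "internal"; everything else is "external".

# beacon_candidates [MIN_COUNT]
# Prints: <internal src> <external dst:port> <count> <mean interval s> <max jitter s>
beacon_candidates() {
    awk -v min="${1:-3}" '
    # "1.2.3.4.443:" -> "1.2.3.4"
    function ip_of(s,   n, a) {
        sub(/:$/, "", s); n = split(s, a, ".")
        return a[1] "." a[2] "." a[3] "." a[4]
    }
    # "1.2.3.4.443:" -> "443" (empty when no port is present)
    function port_of(s,   n, a) {
        sub(/:$/, "", s); n = split(s, a, ".")
        return (n > 4) ? a[5] : ""
    }
    function internal(ip) {
        return ip ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/
    }
    $2 == "IP" && $4 == ">" {
        sip = ip_of($3); dip = ip_of($5)
        # keep only internal -> external; inbound and LAN-local traffic is noise here
        if (!internal(sip) || internal(dip)) next
        key = sip " " dip ":" port_of($5)
        cnt[key]++
        ts[key, cnt[key]] = $1 + 0
    }
    END {
        for (k in cnt) {
            if (cnt[k] < min) continue
            sum = 0
            for (i = 2; i <= cnt[k]; i++) sum += ts[k, i] - ts[k, i - 1]
            mean = sum / (cnt[k] - 1)
            # jitter: how far the worst interval strays from the mean;
            # near zero means a timer, which is what a beacon looks like
            jitter = 0
            for (i = 2; i <= cnt[k]; i++) {
                dev = ts[k, i] - ts[k, i - 1] - mean
                if (dev < 0) dev = -dev
                if (dev > jitter) jitter = dev
            }
            printf "%s %d %.1f %.1f\n", k, cnt[k], mean, jitter
        }
    }' | sort
}

# Constructed sample capture: 192.168.1.20 beacons to 203.0.113.7:443 every 60 s
# and browses 198.51.100.5:80 irregularly; plus LAN-local and inbound noise.
SAMPLE='1109512800.000000 IP 192.168.1.20.1034 > 203.0.113.7.443: Flags [S], seq 1, win 65535, length 0
1109512805.000000 IP 192.168.1.20.1040 > 198.51.100.5.80: Flags [S], seq 2, win 65535, length 0
1109512807.000000 IP 192.168.1.20.1041 > 198.51.100.5.80: Flags [S], seq 3, win 65535, length 0
1109512810.000000 IP 192.168.1.30.1050 > 192.168.1.1.445: Flags [S], seq 4, win 65535, length 0
1109512860.000000 IP 192.168.1.20.1052 > 203.0.113.7.443: Flags [S], seq 5, win 65535, length 0
1109512861.000000 IP 203.0.113.7.443 > 192.168.1.20.1052: Flags [S.], seq 6, ack 6, win 5840, length 0
1109512920.000000 IP 192.168.1.20.1061 > 203.0.113.7.443: Flags [S], seq 7, win 65535, length 0
1109512980.000000 IP 192.168.1.20.1070 > 203.0.113.7.443: Flags [S], seq 8, win 65535, length 0
1109513100.000000 IP 192.168.1.20.1080 > 198.51.100.5.80: Flags [S], seq 9, win 65535, length 0
1109513101.000000 IP 192.168.1.30.1090 > 198.51.100.5.80: Flags [S], seq 10, win 65535, length 0'

# Run the detector over the constructed sample with a minimum of 3 connections.
demo() {
    printf '%s\n' "$SAMPLE" | beacon_candidates 3
}

demo
```

On a live sensor the same function reads a BPF-prefiltered stream, e.g. `tcpdump -n -tt -i eth1 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and not dst net 192.168.0.0/16' | beacon_candidates 10`; the row with the smallest jitter relative to its mean interval is the first host to pull into the lab. Beacons that randomise their timer or ride inside normal web browsing will not show up this way, which is where a signature set such as the Bleeding Snort rules mentioned above earns its keep.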

  6. #6
    OK. That was like real lame.

  7. #7
    Senior Member (Join Date: May 2003, Posts: 1,199)
    Thanks for the tips guys, I'm loading Snort tomorrow. I have been using Ethereal because I use it for wireless stuff also. I like the idea of filtering out inbound traffic; that would cut back a lot of stuff. So far I like the program. I'm also messing with AirSnort and Sniffer. Ethereal seems to be the easiest to use for plain capturing.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  8. #8
    Senior Member (Join Date: Jan 2005, Posts: 100)
    Hello-

    Another tool you may wish to consider, depending on what you want to do, would be hping. This tool is for packet crafting and manipulation. Per SANS: "It can be utilized for creating packets during audits to test firewalls and other network devices. It also functions as a network performance tester and a host availability checker. Hping allows you to modify the packet to fit your needs." It can handle manipulation of packet body and size, and fragmentation.

    Here's the link (just confirmed too): http://www.hping.org/download.html

    Tiger Shark - thanks for the info on the Bleeding Snort Malware ruleset didn't know about that. Woo-hoo! I can learn - and not just from pictures!

    Also a question back to the group - any experiences of TCPDump vs. Ethereal?

    TIA.
    "An ant may well destroy a whole dam." - Chinese Proverb
    "Not only can water float a craft, it can sink it also." - Chinese Proverb


  9. #9
    Let me second the suggestion Tiger made, recommending the Bleeding Snort Malware rules on Snort. I have them deployed and they are great in helping detect spyware-infected PCs.

    Also, I use a script to update the rules on a daily basis at night. It actually does many things:
    1) Kills Snort process
    2) Archives up the alert log file
    3) Downloads latest Bleeding Snort Malware rules
    4) Downloads other Snort rules from snort.org (which won't be free for much longer)
    5) Restarts Snort

    May not be the most elegant script, but it works. I'm, of course, open to any suggestions on improving it if anyone sees anything.

    Here it is, in case you're interested....
    #!/bin/sh
    # Nightly Snort maintenance: archive the alert file, fetch fresh rules,
    # restart the sensor.

    LOG_PATH=/var/log/snort

    # Date format: Year-month-day (YYYYMMDD), one archive per night
    DATE=`/bin/date "+%Y%m%d"`

    # Where to store the backup tarball
    BACKUP_PATH=/var/log/snort

    # Unique name for backup file
    BACKUP_FILE=snort-alerts.$DATE

    # Location of common progs
    RM=/bin/rm
    #TAR=/bin/tar
    MV=/bin/mv
    LS=/bin/ls
    GREP=/bin/grep
    AWK=/bin/awk
    GZIP=/bin/gzip

    # Snort binary, config and the production rules directory
    SNORT=/usr/local/bin/snort
    SNORT_CONF=/etc/snort/snort.conf
    RULES_DIR=/rules/snort
    WORK_DIR=/root

    # Snort is started the same way on the normal path and on the error path
    start_snort() {
        $SNORT -N -D -A fast -y -c $SNORT_CONF -i eth1
    }

    # A failed download must not leave the sensor down: bring Snort back up
    # on the rules it already has, then stop.
    fail() {
        echo "$0: $1" >&2
        start_snort
        exit 1
    }

    # main

    #**********
    # kill snort process
    killall snort
    #**********


    #**********
    # archives alert file

    # gzip alert file (only if there is something to archive)
    if [ -s $LOG_PATH/alert ]; then
        $GZIP $LOG_PATH/alert
        $MV $LOG_PATH/alert.gz $BACKUP_PATH/$BACKUP_FILE.gz
    fi

    # recreate alert file
    touch $LOG_PATH/alert
    #**********


    #**********
    # updates bleeding malware rules
    cd $WORK_DIR || fail "cannot cd to $WORK_DIR"

    # remove existing files
    $RM -f bleeding*

    # get new files (plain HTTP, no signature check: the download is trusted as-is)
    for f in bleeding-malware.rules bleeding-virus.rules bleeding-p2p.rules bleeding-exploit.rules; do
        wget www.bleedingsnort.com/$f || fail "download of $f failed"
    done

    # copy rules -- update only if newer
    cp -u *.rules $RULES_DIR/

    # fix permissions: rules are read by snort, never executed, and should not
    # be writable by anyone else
    chmod 644 $RULES_DIR/bleeding*
    #**********


    #**********
    # update all other rules
    # remove existing rules temp dir and any old snapshot
    $RM -rf rules snortrules-snapshot-CURRENT.tar snortrules-snapshot-CURRENT.tar.gz

    # get new rules
    wget http://www.snort.org/dl/rules/snortr...CURRENT.tar.gz || fail "snort.org rules download failed"

    # unzip rules
    gzip -d snortrules-snapshot-CURRENT.tar.gz
    tar -xf snortrules-snapshot-CURRENT.tar

    # copy new rules into production
    cp rules/* $RULES_DIR
    #**********


    #**********
    # restart snort
    # test the config first so a broken rule is reported instead of a silently dead sensor
    $SNORT -T -c $SNORT_CONF -i eth1 || { echo "$0: config test failed, snort not started" >&2; exit 1; }
    # restart snort process
    start_snort
    #**********

  10. #10
    Originally posted here by KuiXing-2005
    Also a question back to the group - any experiences of TCPDump vs. Ethereal?

    TIA.
    I personally like Ethereal better. My experiences with TCPDump are mostly positive, but the "Follow the TCP Stream" feature in Ethereal is great. I think TCPDump has the same functionality, but for reasons unbeknownst to me... Ethereal just seems to work better for my purposes... at work and at play.
    Omnipotent 0689, MCSE, CCNA
    -- Without Information Assurance, where would we be? --
