不多说,直接上干货!
关于tcpdump二进制格式,这个基本概念不说。
支持tcpdump二进制格式的嗅探器工具,这里我说两个:tcpdump或者ethereal。
[root@datatest SecondWeek]# pwd
/root/data/DARPA1999/SecondWeek
[root@datatest SecondWeek]# ll
total
-rw-r--r--. root root Aug : inside.tcpdump
[root@datatest SecondWeek]# snort -dv -r inside.tcpdump
我这里,读取的是DARPA 1999数据集的第二周的内网inside.tcpdump二进制数据。
这里的 -r命令,我就不说啦。 就是将一个tcpdump格式的二进制文件读取打印到屏幕上的意思。
这里,我扩展下
[root@datatest SecondWeek]# snort -v
这个命令搭配的意思是,使得snort只输出IP、TCP、UDP和ICMP的包头信息。
[root@datatest SecondWeek]# snort -v -r inside.tcpdump
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::46.461764 207.25.71.141: -> 172.16.112.194:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen:
***A**S* Seq: 0x328B83B0 Ack: 0x48DA2A1F Win: 0x7FE0 TcpLen:
TCP Options () => MSS:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::46.461920 172.16.112.194: -> 207.25.71.141:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0x48DA2A1F Ack: 0x328B83B1 Win: 0x7D78 TcpLen: *** Caught Int-Signal
WARNING: No preprocessors configured for policy .
/-::46.869826 172.16.112.194: -> 207.25.71.141:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0x6F2E7AF7 Ack: 0xB057C6D7 Win: 0x7D78 TcpLen:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ ===============================================================================
Run time for packet processing was 0.228905 seconds
Snort processed packets.
Snort ran for days hours minutes seconds
Pkts/sec:
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena):
Bytes in mapped regions (hblkhd):
Total allocated space (uordblks):
Total free space (fordblks):
Topmost releasable block (keepcost):
===============================================================================
Packet I/O Totals:
Received:
Analyzed: (100.000%)
Dropped: ( 0.000%)
Filtered: ( 0.000%)
Outstanding: ( 0.000%)
Injected:
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: (100.000%)
VLAN: ( 0.000%)
IP4: ( 97.319%)
Frag: ( 0.000%)
ICMP: ( 0.000%)
UDP: ( 10.590%)
TCP: ( 86.729%)
IP6: ( 0.000%)
IP6 Ext: ( 0.000%)
IP6 Opts: ( 0.000%)
Frag6: ( 0.000%)
ICMP6: ( 0.000%)
UDP6: ( 0.000%)
TCP6: ( 0.000%)
Teredo: ( 0.000%)
ICMP-IP: ( 0.000%)
IP4/IP4: ( 0.000%)
IP4/IP6: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
GRE VLAN: ( 0.000%)
GRE IP4: ( 0.000%)
GRE IP6: ( 0.000%)
GRE IP6 Ext: ( 0.000%)
GRE PPTP: ( 0.000%)
GRE ARP: ( 0.000%)
GRE IPX: ( 0.000%)
GRE Loop: ( 0.000%)
MPLS: ( 0.000%)
ARP: ( 1.072%)
IPX: ( 0.000%)
Eth Loop: ( 1.340%)
Eth Disc: ( 0.000%)
IP4 Disc: ( 0.000%)
IP6 Disc: ( 0.000%)
TCP Disc: ( 0.000%)
UDP Disc: ( 0.000%)
ICMP Disc: ( 0.000%)
All Discard: ( 0.000%)
Other: ( 0.268%)
Bad Chk Sum: ( 0.000%)
Bad TTL: ( 0.000%)
S5 G : ( 0.000%)
S5 G : ( 0.000%)
Total:
===============================================================================
Snort exiting
[root@datatest SecondWeek]# snort -d
这个命令搭配的意思是,使得snort只包的数据信息。
[root@datatest SecondWeek]# snort -d -r inside.tcpdump
得到
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::58.188692 206.48.44.18: -> 172.16.112.100:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0x17AD29 Ack: 0x17AE81 Win: 0x2238 TcpLen: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::58.203130 172.16.112.100: -> 206.48.44.18:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***AP*** Seq: 0x17AE81 Ack: 0x17AD29 Win: 0x2238 TcpLen:
6D 4D 6F 6F hume Microso
ft FTP Service (
6F 6E 2E 2E 0D 0A Version 2.0)...
===============================================================================
Run time for packet processing was 0.232618 seconds
Snort processed packets.
Snort ran for days hours minutes seconds
Pkts/sec:
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena):
Bytes in mapped regions (hblkhd):
Total allocated space (uordblks):
Total free space (fordblks):
Topmost releasable block (keepcost):
===============================================================================
Packet I/O Totals:
Received:
Analyzed: (100.000%)
Dropped: ( 0.000%)
Filtered: ( 0.000%)
Outstanding: ( 0.000%)
Injected:
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: (100.000%)
VLAN: ( 0.000%)
IP4: ( 95.276%)
Frag: ( 0.000%)
ICMP: ( 0.000%)
UDP: ( 16.535%)
TCP: ( 78.740%)
IP6: ( 0.000%)
IP6 Ext: ( 0.000%)
IP6 Opts: ( 0.000%)
Frag6: ( 0.000%)
ICMP6: ( 0.000%)
UDP6: ( 0.000%)
TCP6: ( 0.000%)
Teredo: ( 0.000%)
ICMP-IP: ( 0.000%)
IP4/IP4: ( 0.000%)
IP4/IP6: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
GRE VLAN: ( 0.000%)
GRE IP4: ( 0.000%)
GRE IP6: ( 0.000%)
GRE IP6 Ext: ( 0.000%)
GRE PPTP: ( 0.000%)
GRE ARP: ( 0.000%)
GRE IPX: ( 0.000%)
GRE Loop: ( 0.000%)
MPLS: ( 0.000%)
ARP: ( 2.362%)
IPX: ( 0.000%)
Eth Loop: ( 1.969%)
Eth Disc: ( 0.000%)
IP4 Disc: ( 0.000%)
IP6 Disc: ( 0.000%)
TCP Disc: ( 0.000%)
UDP Disc: ( 0.000%)
ICMP Disc: ( 0.000%)
All Discard: ( 0.000%)
Other: ( 0.394%)
Bad Chk Sum: ( 0.000%)
Bad TTL: ( 0.000%)
S5 G : ( 0.000%)
S5 G : ( 0.000%)
Total:
===============================================================================
Snort exiting
[root@datatest SecondWeek]#
[root@datatest SecondWeek]# snort -dv
这个命令搭配的意思是,使得snort在输出IP、TCP、UDP和ICMP的包头信息的通俗,还显示包的数据信息。
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::42.867811 195.73.151.50: -> 172.16.114.168:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***AP*** Seq: 0xE888C943 Ack: 0x9A021B4D Win: 0x7D78 TcpLen:
4D 4C 6F 6D 3A 3C MAIL From:<avrap
6C 6D 2E 6F 6E 2E @lambda.orange.c
6F 6D 3E 0D 0A om>.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::42.868044 172.16.114.168: -> 195.73.151.50:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***AP*** Seq: 0x9A021B4D Ack: 0xE888C968 Win: 0x7FE0 TcpLen:
3C 6C 6D <avrap@lambd
2E 6F 6E 2E 6F 6D 3E 2E 2E 2E a.orange.com>...
6E 4F 6B 0D 0A Sender Ok.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ *** Caught Int-Signal
WARNING: No preprocessors configured for policy .
/-::42.875769 195.73.151.50: -> 172.16.114.168:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0xE888CD92 Ack: 0x9A021BCE Win: 0x7D78 TcpLen:
6F 6E 2C 3A 0D 0A of gain, we:..
6F 6C 6C 6F could also
6F 4E uses The of Net
6F 6B 6E 6C 6E work neural netw
6F 6B 0D 0A orks a..
6F 6E Cascade routines
6C 6C year available
6E via price and Th
0D 0A e bug.. i
6C 6E 6F s a lecture note
2E 0D 0A 0D 0A s. .... W
6E 6F 6F 6E 6F hen he to do not
6E 6F 6E have anyone wit
6F 6D 6F 6F 2C h tomorrow, but
0D 0A 6C the.. eli
2C 6B te, But I I kept
6D 6E The remainder a
6F 6E re to train trac
6B 0D 0A ks by.. t
6C 3B 6F 6E itle; on high te
6D 6C 6D mperature limit
6E 6F The depends of T
0D 0A 6E he.. next
2E 6C 2E 4A 2E . Telex. Jr.
4C 6F 6E 6F 6E 6C 6E London plays And
6C 3A 6C 0D re Tel: a while.
0A 6C 6C . still i
6E 2C 6F 6F 6F 6D n a, good automa
6C 6C 6F tically which do
6D 6C 6E 0D 0A their mailing..
6C File If
6F 6E 6F 6E 6B The ones don't k
6E 6F 6E 6F 6F now Introductory
6F 6F 0D 0A course of..
6F 6F proofs I had
2E a prefix the.
6C I believe the va
6C 6F 6D 0D 0A lue From..
6F 6F 6F host host port
6F 6C 6F 6C to global each
6B 6F 6E Speaker recognit
6F 6E 0D 0A ion.. spe
===============================================================================
Run time for packet processing was 0.521737 seconds
Snort processed packets.
Snort ran for days hours minutes seconds
Pkts/sec:
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena):
Bytes in mapped regions (hblkhd):
Total allocated space (uordblks):
Total free space (fordblks):
Topmost releasable block (keepcost):
===============================================================================
Packet I/O Totals:
Received:
Analyzed: (100.000%)
Dropped: ( 0.000%)
Filtered: ( 0.000%)
Outstanding: ( 0.000%)
Injected:
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: (100.000%)
VLAN: ( 0.000%)
IP4: ( 94.169%)
Frag: ( 0.000%)
ICMP: ( 0.000%)
UDP: ( 21.283%)
TCP: ( 72.886%)
IP6: ( 0.000%)
IP6 Ext: ( 0.000%)
IP4/IP6: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
GRE VLAN: ( 0.000%)
GRE IP4: ( 0.000%)
GRE IP6: ( 0.000%)
GRE IP6 Ext: ( 0.000%)
GRE PPTP: ( 0.000%)
GRE ARP: ( 0.000%)
GRE IPX: ( 0.000%)
GRE Loop: ( 0.000%)
MPLS: ( 0.000%)
ARP: ( 2.332%)
IPX: ( 0.000%)
Eth Loop: ( 2.915%)
Eth Disc: ( 0.000%)
IP4 Disc: ( 0.000%)
IP6 Disc: ( 0.000%)
TCP Disc: ( 0.000%)
UDP Disc: ( 0.000%)
ICMP Disc: ( 0.000%)
All Discard: ( 0.000%)
Other: ( 0.583%)
Bad Chk Sum: ( 0.000%)
Bad TTL: ( 0.000%)
S5 G : ( 0.000%)
S5 G : ( 0.000%)
Total:
===============================================================================
Snort exiting
[root@datatest SecondWeek]#
进一步,见