No preamble, straight to the substance.
I will not go over the basics of the tcpdump binary (pcap) format here.
Two sniffer tools that support the tcpdump binary format, for reference: tcpdump and ethereal.
[root@datatest SecondWeek]# pwd
/root/data/DARPA1999/SecondWeek
[root@datatest SecondWeek]# ll
total 391652
-rw-r--r--. 1 root root 401046958 Aug  9 12:40 inside.tcpdump
[root@datatest SecondWeek]# snort -dv -r inside.tcpdump
Here I am reading inside.tcpdump, the binary capture of the inside network from the second week of the DARPA 1999 dataset.
I will not dwell on the -r option: it makes snort read a tcpdump-format binary file instead of a live interface and print the packets to the screen.
Let me expand on the options a little.
[root@datatest SecondWeek]# snort -v
With this option, snort outputs only the IP, TCP, UDP and ICMP packet headers.
[root@datatest SecondWeek]# snort -v -r inside.tcpdump
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
WARNING: No preprocessors configured for policy 0.
03/08-21:01:46.461764 207.25.71.141:80 -> 172.16.112.194:1306
TCP TTL:63 TOS:0x0 ID:498 IpLen:20 DgmLen:44
***A**S* Seq: 0x328B83B0  Ack: 0x48DA2A1F  Win: 0x7FE0  TcpLen: 24
TCP Options (1) => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
WARNING: No preprocessors configured for policy 0.
03/08-21:01:46.461920 172.16.112.194:1306 -> 207.25.71.141:80
TCP TTL:64 TOS:0x0 ID:729 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x48DA2A1F  Ack: 0x328B83B1  Win: 0x7D78  TcpLen: 20
*** Caught Int-Signal
WARNING: No preprocessors configured for policy 0.
03/08-21:01:46.869826 172.16.112.194:1559 -> 207.25.71.141:80
TCP TTL:64 TOS:0x0 ID:776 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x6F2E7AF7  Ack: 0xB057C6D7  Win: 0x7D78  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
===============================================================================
Run time for packet processing was 0.228905 seconds
Snort processed 746 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:          746
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       925696
  Bytes in mapped regions (hblkhd):      12906496
  Total allocated space (uordblks):      669520
  Total free space (fordblks):           256176
  Topmost releasable block (keepcost):   185520
===============================================================================
Packet I/O Totals:
   Received:          746
   Analyzed:          746 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          746 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          726 ( 97.319%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:           79 ( 10.590%)
        TCP:          647 ( 86.729%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            8 (  1.072%)
        IPX:            0 (  0.000%)
   Eth Loop:           10 (  1.340%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            2 (  0.268%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:          746
===============================================================================
Snort exiting
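To make concrete what snort -r is reading and what snort -v prints from it, here is an added example (not code from the original post and not Snort's own code): a small reader for the tcpdump/pcap binary format that walks the global header and record headers, decodes Ethernet/IPv4/TCP, and renders each packet in the two-line style of the snort -v output above. The pcap bytes are constructed inline (the timestamp and zeroed MAC addresses are arbitrary constructed values) and model the first SYN/ACK packet shown above; the function and field names are the example's own, not Snort's.

```python
"""Minimal tcpdump/pcap reader producing snort -v style header summaries.

Added example, not code from the original post or from Snort itself.
The sample capture is constructed inline and models the first SYN/ACK
packet shown in the snort -v output of the post."""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1

# Positions in which snort prints TCP flags: 1 2 U A P R S F ('*' = clear)
FLAG_BITS = [("1", 0x80), ("2", 0x40), ("U", 0x20), ("A", 0x10),
             ("P", 0x08), ("R", 0x04), ("S", 0x02), ("F", 0x01)]


def build_sample_pcap():
    """Constructed sample: pcap global header + one Ethernet/IPv4/TCP record."""
    # IPv4 header: ver/IHL, TOS, total length 44, ID 498, flags/frag, TTL 63,
    # protocol 6 (TCP), checksum (0, not verified here), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 498, 0, 63, 6, 0,
                     bytes([207, 25, 71, 141]), bytes([172, 16, 112, 194]))
    # TCP header: sport 80, dport 1306, seq, ack, data offset 6 (24 bytes),
    # flags SYN|ACK, window 0x7FE0, checksum, urgent pointer, then MSS option
    tcp = struct.pack("!HHIIBBHHH", 80, 1306, 0x328B83B0, 0x48DA2A1F,
                      6 << 4, 0x12, 0x7FE0, 0, 0)
    tcp += bytes([2, 4]) + struct.pack("!H", 1460)
    eth = bytes(12) + struct.pack("!H", 0x0800)        # zeroed MACs, IPv4
    frame = eth + ip + tcp
    # Global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
    ghdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    # Record header: ts_sec, ts_usec (constructed), incl_len, orig_len
    rhdr = struct.pack("<IIII", 921099706, 461764, len(frame), len(frame))
    return ghdr + rhdr + frame


def parse_pcap(data):
    """Walk the record headers; returns a list of (ts_sec, ts_usec, frame)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"                  # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        end = ">"                  # byte-swapped: big-endian writer
    else:
        raise ValueError("not a pcap file (bad magic)")
    _, _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack_from(end + "IHHiIII", data, 0)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off, packets = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from(end + "IIII", data, off)
        off += 16
        # Never trust lengths read from the file: bound them before slicing
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or corrupt record")
        packets.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return packets


def flag_string(flags):
    """Render the TCP flag byte the way snort does, '*' where a bit is clear."""
    return "".join(ch if flags & bit else "*" for ch, bit in FLAG_BITS)


def summarize(frame):
    """Decode Ethernet/IPv4/TCP into the fields snort -v prints.
    Returns None for frames too short to decode (snaplen-truncated, garbage)."""
    if len(frame) < 14:
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:
        return {"proto": f"ethertype 0x{ethertype:04x}"}
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ver_ihl, tos, dgm_len, ip_id, _, ttl, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", ip, 0)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "tos": tos, "id": ip_id, "iplen": ihl, "dgmlen": dgm_len,
            "proto": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto))}
    if proto != 6:
        return info
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport, seq, ack, off_res, flags, win = struct.unpack_from("!HHIIBBH", tcp, 0)
    info.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
                 "tcplen": (off_res >> 4) * 4, "flags": flag_string(flags)})
    return info


def format_packet(info):
    """Two-line rendering of a TCP summary in the style of snort -v."""
    line1 = (f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']} "
             f"{info['proto']} TTL:{info['ttl']} TOS:0x{info['tos']:X} ID:{info['id']} "
             f"IpLen:{info['iplen']} DgmLen:{info['dgmlen']}")
    line2 = (f"{info['flags']} Seq: 0x{info['seq']:X}  Ack: 0x{info['ack']:X}  "
             f"Win: 0x{info['win']:X}  TcpLen: {info['tcplen']}")
    return line1 + "\n" + line2


if __name__ == "__main__":
    for ts_sec, ts_usec, frame in parse_pcap(build_sample_pcap()):
        info = summarize(frame)
        print(f"{ts_sec}.{ts_usec:06d}")
        print(format_packet(info) if info and info["proto"] == "TCP" else info)
```

Replacing build_sample_pcap() with the bytes of a real capture such as inside.tcpdump reproduces the header lines snort -v prints. The length checks in parse_pcap and summarize are the part worth copying: the lengths in a capture file are attacker-influenced input, and a reader that trusts them is the classic way a sniffer gets crashed by a crafted pcap.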
[root@datatest SecondWeek]# snort -d
With this option, snort dumps the packet's data (application-layer payload).
[root@datatest SecondWeek]# snort -d -r inside.tcpdump
This gives:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
WARNING: No preprocessors configured for policy 0.
03/08-21:00:58.188692 206.48.44.18:1054 -> 172.16.112.100:21
TCP TTL:126 TOS:0x0 ID:39424 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x17AD29  Ack: 0x17AE81  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
WARNING: No preprocessors configured for policy 0.
03/08-21:00:58.203130 172.16.112.100:21 -> 206.48.44.18:1054
TCP TTL:128 TOS:0x0 ID:38400 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0x17AE81  Ack: 0x17AD29  Win: 0x2238  TcpLen: 20
32 32 30 20 68 75 6D 65 20 4D 69 63 72 6F 73 6F  220 hume Microso
66 74 20 46 54 50 20 53 65 72 76 69 63 65 20 28  ft FTP Service (
56 65 72 73 69 6F 6E 20 32 2E 30 29 2E 0D 0A     Version 2.0)...
===============================================================================
Run time for packet processing was 0.232618 seconds
Snort processed 254 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:          254
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       925696
  Bytes in mapped regions (hblkhd):      13180928
  Total allocated space (uordblks):      669520
  Total free space (fordblks):           256176
  Topmost releasable block (keepcost):   185520
===============================================================================
Packet I/O Totals:
   Received:          254
   Analyzed:          254 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          254 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          242 ( 95.276%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:           42 ( 16.535%)
        TCP:          200 ( 78.740%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            6 (  2.362%)
        IPX:            0 (  0.000%)
   Eth Loop:            5 (  1.969%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            1 (  0.394%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:          254
===============================================================================
Snort exiting
[root@datatest SecondWeek]#
[root@datatest SecondWeek]# snort -dv
With this combination, snort prints the IP, TCP, UDP and ICMP packet headers and, at the same time, displays the packet payload data.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
WARNING: No preprocessors configured for policy 0.
03/08-21:01:42.867811 195.73.151.50:1028 -> 172.16.114.168:25
TCP TTL:63 TOS:0x0 ID:494 IpLen:20 DgmLen:77 DF
***AP*** Seq: 0xE888C943  Ack: 0x9A021B4D  Win: 0x7D78  TcpLen: 20
4D 41 49 4C 20 46 72 6F 6D 3A 3C 61 76 72 61 70  MAIL From:<avrap
40 6C 61 6D 62 64 61 2E 6F 72 61 6E 67 65 2E 63  @lambda.orange.c
6F 6D 3E 0D 0A                                   om>..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
WARNING: No preprocessors configured for policy 0.
03/08-21:01:42.868044 172.16.114.168:25 -> 195.73.151.50:1028
TCP TTL:64 TOS:0x0 ID:542 IpLen:20 DgmLen:84 DF
***AP*** Seq: 0x9A021B4D  Ack: 0xE888C968  Win: 0x7FE0  TcpLen: 20
32 35 30 20 3C 61 76 72 61 70 40 6C 61 6D 62 64  250 <avrap@lambd
61 2E 6F 72 61 6E 67 65 2E 63 6F 6D 3E 2E 2E 2E  a.orange.com>...
20 53 65 6E 64 65 72 20 4F 6B 0D 0A               Sender Ok..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
*** Caught Int-Signal
WARNING: No preprocessors configured for policy 0.
03/08-21:01:42.875769 195.73.151.50:1028 -> 172.16.114.168:25
TCP TTL:63 TOS:0x0 ID:498 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE888CD92  Ack: 0x9A021BCE  Win: 0x7D78  TcpLen: 20
6F 66 20 67 61 69 6E 2C 20 77 65 3A 0D 0A 20 20  of gain, we:..  
20 20 20 20 20 20 63 6F 75 6C 64 20 61 6C 73 6F        could also
20 75 73 65 73 20 54 68 65 20 6F 66 20 4E 65 74   uses The of Net
77 6F 72 6B 20 6E 65 75 72 61 6C 20 6E 65 74 77  work neural netw
6F 72 6B 73 20 61 0D 0A 20 20 20 20 20 20 20 20  orks a..        
43 61 73 63 61 64 65 20 72 6F 75 74 69 6E 65 73  Cascade routines
20 79 65 61 72 20 61 76 61 69 6C 61 62 6C 65 20   year available 
76 69 61 20 70 72 69 63 65 20 61 6E 64 20 54 68  via price and Th
65 20 62 75 67 0D 0A 20 20 20 20 20 20 20 20 69  e bug..        i
73 20 61 20 6C 65 63 74 75 72 65 20 6E 6F 74 65  s a lecture note
73 2E 20 0D 0A 0D 0A 20 20 20 20 20 20 20 20 57  s. ....        W
68 65 6E 20 68 65 20 74 6F 20 64 6F 20 6E 6F 74  hen he to do not
20 68 61 76 65 20 61 6E 79 6F 6E 65 20 77 69 74   have anyone wit
68 20 74 6F 6D 6F 72 72 6F 77 2C 20 62 75 74 20  h tomorrow, but 
74 68 65 0D 0A 20 20 20 20 20 20 20 20 65 6C 69  the..        eli
74 65 2C 20 42 75 74 20 49 20 49 20 6B 65 70 74  te, But I I kept
20 54 68 65 20 72 65 6D 61 69 6E 64 65 72 20 61   The remainder a
72 65 20 74 6F 20 74 72 61 69 6E 20 74 72 61 63  re to train trac
6B 73 20 62 79 0D 0A 20 20 20 20 20 20 20 20 74  ks by..        t
69 74 6C 65 3B 20 6F 6E 20 68 69 67 68 20 74 65  itle; on high te
6D 70 65 72 61 74 75 72 65 20 6C 69 6D 69 74 20  mperature limit 
54 68 65 20 64 65 70 65 6E 64 73 20 6F 66 20 54  The depends of T
68 65 0D 0A 20 20 20 20 20 20 20 20 6E 65 78 74  he..        next
2E 20 20 54 65 6C 65 78 2E 20 20 4A 72 2E 20 20  .  Telex.  Jr.  
4C 6F 6E 64 6F 6E 20 70 6C 61 79 73 20 41 6E 64  London plays And
72 65 20 54 65 6C 3A 20 61 20 77 68 69 6C 65 0D  re Tel: a while.
0A 20 20 20 20 20 20 20 20 73 74 69 6C 6C 20 69  .        still i
6E 20 61 2C 20 67 6F 6F 64 20 61 75 74 6F 6D 61  n a, good automa
74 69 63 61 6C 6C 79 20 77 68 69 63 68 20 64 6F  tically which do
20 74 68 65 69 72 20 6D 61 69 6C 69 6E 67 0D 0A   their mailing..
20 20 20 20 20 20 20 20 46 69 6C 65 20 49 66 20          File If 
54 68 65 20 6F 6E 65 73 20 64 6F 6E 27 74 20 6B  The ones don't k
6E 6F 77 20 49 6E 74 72 6F 64 75 63 74 6F 72 79  now Introductory
20 63 6F 75 72 73 65 20 6F 66 0D 0A 20 20 20 20   course of..    
20 20 20 20 70 72 6F 6F 66 73 20 49 20 68 61 64      proofs I had
20 61 20 70 72 65 66 69 78 20 74 68 65 2E 20 20   a prefix the.  
49 20 62 65 6C 69 65 76 65 20 74 68 65 20 76 61  I believe the va
6C 75 65 20 46 72 6F 6D 0D 0A 20 20 20 20 20 20  lue From..      
20 20 68 6F 73 74 20 68 6F 73 74 20 70 6F 72 74    host host port
20 74 6F 20 67 6C 6F 62 61 6C 20 65 61 63 68 20   to global each 
53 70 65 61 6B 65 72 20 72 65 63 6F 67 6E 69 74  Speaker recognit
69 6F 6E 0D 0A 20 20 20 20 20 20 20 20 73 70 65  ion..        spe
===============================================================================
Run time for packet processing was 0.521737 seconds
Snort processed 343 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:          343
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       925696
  Bytes in mapped regions (hblkhd):      13180928
  Total allocated space (uordblks):      669520
  Total free space (fordblks):           256176
  Topmost releasable block (keepcost):   185520
===============================================================================
Packet I/O Totals:
   Received:          343
   Analyzed:          343 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          343 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          323 ( 94.169%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:           73 ( 21.283%)
        TCP:          250 ( 72.886%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            8 (  2.332%)
        IPX:            0 (  0.000%)
   Eth Loop:           10 (  2.915%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            2 (  0.583%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:          343
===============================================================================
Snort exiting
[root@datatest SecondWeek]#
Further, see