
I have updated my PcapParser to support more options and have included a web interface. You can download the latest version here. The web interface uses a PHP extension, which you must install, that verifies the BPF syntax passed in as user input. I'm using PF_RING; if you are not, look at the README in the bpfcompile subdirectory for instructions. The Perl script now also requires Net::Pcap and Mail::Sendmail.
The updated version also has a configuration file that usually lives at /etc/pcapp/pcapp.conf.
All of the options can also be passed as command line options. Anything passed via command line overrides what is in the config file.
The pcap parser will work with or without the web interface. The conf file has to be modified to fit your environment.
If you are using the web interface you must also modify processpcap2_conf.php to supply the directories where your argus and pcap files are stored. These should be the same as the pcapdir and argusdir settings in your pcapp.conf file.
Sample command line usage...
In this example we are going to search all of our argus files to extract session data about our attacker, and then use that to determine which of our pcap files the traffic resides in. The traffic is then merged into a single pcap, and tcpflow, chaosreader, afterglow and honeysnap are run against that pcap. The files are then md5summed, and the output of these runs is put into a tar.bz file with a web index.
/usr/bin/parsep4.pl -ip="192.168.1.1" -netmask="32" -argusnum=0 -pcapnum=0 -dotcpflow=yes -domd5deep=yes -dochaosreader=yes -doafterglow=yes -dohoneysnap=yes
This is the same as above, except now we are using a BPF to see all TCP traffic that is not on port 80, 443, 20 or 21, and we are only looking through the last 1 argus file, i.e. today's traffic.
/usr/bin/parsep4.pl -bpf="tcp and not port 80 and not port 443 and not port 21 and not port 20" -argusnum=1 -pcapnum=0 -dotcpflow=yes -domd5deep=yes -dochaosreader=yes -doafterglow=yes -dohoneysnap=yes
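The two points above worth showing in code are that command-line options override the config file, and that the BPF string is user input that reaches a command line (via the web interface) and so must be checked before it gets there. The following is an added example, not code from the post or from PcapParser: it parses a constructed pcapp.conf-style file, merges it with -key=value arguments so the command line wins, runs a conservative character gate over the BPF filter, and builds the parsep4.pl invocation as an argument list rather than a shell string. The key=value layout of the config file, the option names and the sample values are assumptions; the real syntax check is compiling the filter with libpcap, as the post's PHP extension does.

```python
"""
Added example (not part of the original post or the PcapParser project):
merge a pcapp.conf-style key=value file with -key=value command-line
options so the command line wins, gate the user-supplied BPF string, and
build the parser invocation as an argv list (no shell involved). The
config layout, option names and sample values below are assumptions.
"""
import re

# Constructed sample config in the key=value layout this example assumes.
SAMPLE_CONF = """\
# pcapp.conf (constructed sample, not the project's real file)
pcapdir=/var/pcap
argusdir=/var/argus
argusnum=0
pcapnum=0
dotcpflow=yes
domd5deep=no
"""


def parse_conf(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed config line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value
    return conf


def parse_cli(argv):
    """Parse '-key=value' arguments in the style the post's examples use."""
    opts = {}
    for arg in argv:
        m = re.fullmatch(r"-([A-Za-z0-9]+)=(.*)", arg)
        if not m:
            raise ValueError(f"unrecognised argument: {arg!r}")
        key, value = m.group(1), m.group(2)
        # Strip one layer of surrounding quotes: "192.168.1.1" -> 192.168.1.1
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        opts[key] = value
    return opts


def merge_options(conf, cli):
    """Command-line values override config-file values, as the post states."""
    merged = dict(conf)
    merged.update(cli)
    return merged


# Conservative gate (an assumption of this example): BPF expressions need
# letters, digits, space, . : / ( ) [ ] and the operators ! & | < > = + * -.
# Shell-significant characters with no BPF meaning (; ` $ quotes, newlines)
# are rejected before the string goes anywhere. This is a gate, not a
# grammar check; compiling with libpcap is the real syntax test.
BPF_ALLOWED = re.compile(r"^[A-Za-z0-9 .:/()\[\]!&|<>=+*_-]*$")


def check_bpf(expr):
    """Return expr unchanged if it passes the gate, else raise ValueError."""
    if not BPF_ALLOWED.fullmatch(expr):
        raise ValueError("BPF filter contains characters outside the allowed set")
    if expr.count("(") != expr.count(")"):
        raise ValueError("unbalanced parentheses in BPF filter")
    return expr


def build_command(options, script="/usr/bin/parsep4.pl"):
    """Return an argv list; run it with subprocess.run(argv), never shell=True."""
    if "bpf" in options:
        check_bpf(options["bpf"])
    argv = [script]
    for key in sorted(options):
        argv.append(f"-{key}={options[key]}")
    return argv


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    cli = parse_cli(['-ip="192.168.1.1"', "-netmask=32", "-domd5deep=yes"])
    print(build_command(merge_options(conf, cli)))
```

Because the final command is a list handed straight to the interpreter, a filter such as `tcp and not port 80` is one argument and nothing in it is ever parsed by a shell; the gate additionally rejects strings that could only make sense to a shell, which is the cheap check to run before the libpcap compile the post's extension performs.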