daemonlogger, the packet capturing utility by Marty Roesch can also act as a soft tap (meaning a software tap as opposed to a physical tap). What this means is you can sniff traffic from one interface and replay those packets to another interface.
For example, say you have a packet capture box that is receiving packets from a tap on interface 1. You have an IDS sensor you want to generate traffic to and test a policy or a signature, or that you're doing an evaluation of.
You can use daemonlogger to sniff the traffic on interface 1 and send that traffic to another interface that is patched to the sensor.
Assuming you have eth1 patched to the tap and eth2 patched to the monitoring interface on the sensor:
Run the command:
daemonlogger -i eth1 -o eth2
and all the packets from eth1 will be streamed to eth2.
You can also replay a pcap in a similar manner. Just substitute -i with -R (note this is capital R; lower case r activates the ring buffer).
daemonlogger -R new_trojan.pcap -o eth2
You can use BPF's as well, the same way you would when capturing traffic.
If you put your Berkeley Packet Filters in a file you can load it using -f.
Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.
No comments:
Post a Comment