Friday, July 1, 2011

More Parsing for Beginners

If you're new to NetSec, you don't have to learn a ton about any one subject to get started doing your job. There are more resources out there than you could possibly ever use to quickly get enough knowledge to take care of the job at hand and then go back later and learn more. Say you have a directory of packet captures. You've been using tcpdump or Daemonlogger to get raw packets as an audit trail (or IDABench, an outdated but still useful favorite of mine). Your boss wants you to do a sanity check for some sort of PII, to validate some control. A search on doing iteration in bash will probably lead you to the for command, where you can feed ngrep with your packet captures, one by one...
Here's an example...

for i in $( ls | grep -v '\.gz$' ); do ngrep -q -I "$i" ' [0-9]{3}-[0-9]{2}-[0-9]{4} '; done

This is simply using the for command to run ls, filter out any of your captures that are gzipped (if you use bzip, you'll need to modify the grep), and populate a variable called $i with each remaining filename, then run ngrep against the capture named in that variable (-I reads packets from a file instead of the wire, -q keeps the output quiet) and look for numbers in the Social Security format. There are all kinds of regex sites with common searches you can use without having to become a regex guru first.
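As an added example (not from the original post), here is the same sanity check done in Python directly against the pcap files, so it runs without ngrep: it walks each capture's records, applies the same SSN pattern to the raw packet bytes, reads .gz captures instead of skipping them, and reports only the last four digits of each hit so the check itself does not spill PII into your terminal or logs. The layout assumed is the classic libpcap format (24-byte global header, 16-byte per-record header); the sample capture is constructed inline.

```python
"""Scan pcap files for SSN-shaped numbers, reporting only the last four digits of each hit."""
import gzip
import re
import struct
from pathlib import Path

# Same pattern as the ngrep one-liner: NNN-NN-NNNN bounded by spaces, applied to raw bytes.
SSN_RE = re.compile(rb" ([0-9]{3})-([0-9]{2})-([0-9]{4}) ")
# libpcap magic as read little-endian: usec / nsec variants from little- and big-endian writers.
ENDIAN_BY_MAGIC = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}

def iter_packets(data):
    """Yield the raw bytes of each record in a classic (non-pcapng) libpcap buffer."""
    endian = ENDIAN_BY_MAGIC.get(struct.unpack("<I", data[:4])[0]) if len(data) >= 24 else None
    if endian is None:
        raise ValueError("not a classic pcap file")
    offset = 24                               # skip the global header
    while offset + 16 <= len(data):           # record header: ts_sec, ts_usec, incl_len, orig_len
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len

def scan_pcap(data):
    """Return (packet_index, masked_match) for every SSN-shaped hit in one capture."""
    hits = []
    for index, packet in enumerate(iter_packets(data)):
        for m in SSN_RE.finditer(packet):
            hits.append((index, b"***-**-" + m.group(3)))   # never keep the full number
    return hits

def scan_directory(directory):
    """Scan every file in a directory: .gz captures are read via gzip instead of skipped."""
    report = {}
    for path in sorted(p for p in Path(directory).iterdir() if p.is_file()):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rb") as fh:
            try:
                report[path.name] = scan_pcap(fh.read())
            except ValueError:
                pass                                      # not a pcap (notes, logs); ignore
    return report

def build_sample_pcap(payloads, endian="<"):
    """Construct a minimal pcap (linktype 1, Ethernet) from fake payloads, for offline testing."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, payload in enumerate(payloads):
        frame = b"\x00" * 14 + payload                    # placeholder Ethernet header + payload
        out += struct.pack(endian + "IIII", 1309500000 + n, 0, len(frame), len(frame)) + frame
    return out
```

Point scan_directory at your capture directory and print the report; a file with an empty list had no hits, and a file missing from the report was not a pcap at all.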

Handle the job at hand, then backtrack and learn...
