Remember when using tcpdump to filter down your pcaps to a smaller segment of traffic, that if you
don’t specify the fields when you read the traffic, it won’t be in the new pcap. I know that sounds
obvious to the point of being silly, but it’s easier to forget than you think. If you need to see Ethernet
headers, use -e. If you need to see length, TTL, etc., use -v.
If you want both hex and ASCII displayed, use -X. And don’t forget to use -nn so you’re not flooding
your DNS (or tipping off your attacker you’re investigating) and to make sure you see the actual
port in use, not what nmap’s services file thinks it is…
Tuesday, March 31, 2020
Quick Tips
I'm going to start posting some quick tips for beginners in NetSec as I think of them..hope they're helpful, and if they seem over obvious, remember we're all at different points in our learning. Someone else may not encountered the information yet. That's why this is a mentoring site... =-)
jeff
jeff
Tuesday, March 17, 2020
Cleaning up Splunks .CSV export
Exported a bunch of IPs from Splunk that met a certain criteria.. best it could do was .csv, which gave me this… I needed the count too, temporarily...
10.61.2.66",1
”
10.61.3.253",1
”
10.61.6.74",1
”
10.61.9.102",1
”
10.61.9.141",1
”
10.62.11.161",1
”
….
Fortunately Linux has the built in tools to take this output and easily give me a list of IPs, one per line with no duplicates that I can then script to get the hostname..
eowyn02:~ jeffsoh$ awk ‘NR%2==1’ mad_clients.csv | cut -d ‘“’ -f1 | sort -u
10.16.110.121
10.165.64.189
10.165.70.155
10.17.100.7
10.184.192.251
10.184.192.252
10.184.193.112
10.184.193.166
10.184.193.171
10.184.193.172
10.184.193.219
10.184.193.37
10.184.193.43
10.184.194.17
10.184.21.18
10.184.21.90
10.184.22.188
10.184.22.229
The awk command shows every second line, so the line with the IP address and not the line with a double quote only.
The cut command sets the double quote character as the delimiter and shows the first field, so what is before the double quote, the IP address.
And then we sort and remove dups with the -u, the unique parameter to sort..
10.61.2.66",1
”
10.61.3.253",1
”
10.61.6.74",1
”
10.61.9.102",1
”
10.61.9.141",1
”
10.62.11.161",1
”
….
Fortunately Linux has the built in tools to take this output and easily give me a list of IPs, one per line with no duplicates that I can then script to get the hostname..
eowyn02:~ jeffsoh$ awk ‘NR%2==1’ mad_clients.csv | cut -d ‘“’ -f1 | sort -u
10.16.110.121
10.165.64.189
10.165.70.155
10.17.100.7
10.184.192.251
10.184.192.252
10.184.193.112
10.184.193.166
10.184.193.171
10.184.193.172
10.184.193.219
10.184.193.37
10.184.193.43
10.184.194.17
10.184.21.18
10.184.21.90
10.184.22.188
10.184.22.229
The awk command shows every second line, so the line with the IP address and not the line with a double quote only.
The cut command sets the double quote character as the delimiter and shows the first field, so what is before the double quote, the IP address.
And then we sort and remove dups with the -u, the unique parameter to sort..
Subscribe to:
Posts (Atom)