[Dshield] tethereal question + routing question

Anthony Rodgers Anthony_Rodgers at dnv.org
Thu Apr 6 19:47:01 GMT 2006


For future reference, take a look at netdisco <http://netdisco.org/> - 
I find it extremely useful for this sort of hunting.

Regards,
-- 
Anthony Rodgers
Business Systems Analyst
District of North Vancouver
Web: http://www.dnv.org
RSS Feed: http://www.dnv.org/rss.asp


On Apr 6, 2006, at 8:39 AM, Pete Cap wrote:

> Aaron,
>
> This is precisely what I ended up doing--gathering routing data from
> as many devices as I could find and drawing up a de facto map of the
> network, plus a lookup table so I could automatically determine where
> an IP was supposed to be.  This in turn is allowing me to know where
> to place my snort boxes to find the offending traffic.
>
> This trip is definitely one for the "lessons learned" book: How to do
> an intrusion analysis when the local admins do not really have maps or
> anything (e.g. you are going in completely blind).  Between the arp
> data and a little anomaly detection I was able to lay hands on the
> offending box and get the mitigation going.
>
> Thanks for your help :)
>
> Regards,
> Pete
>
> Aaron Lewis <aaron at adldatacomm.net> wrote:
>
> I'm sorry I left something out. Telnet or SSH to the switch. After you're in
> EXEC mode type 'show arp' and 'show mac-address-table'
>
> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org]On Behalf Of Pete Cap
> Sent: Wednesday, April 05, 2006 3:29 PM
> To: list at lists.dshield.org
> Subject: [Dshield] tethereal question + routing question
>
>
> List,
>
> I am currently doing on-site mitigation.  Trying to track down a couple of
> boxes and I'm running into some snags.  Could use some advice on the
> following.
>
> First, I have got a snort box doing full packet captures in a good spot,
> trying to find my bad guy AND get a feel for what traffic is zooming about.
> I figured I could just configure tethereal to output some basic fields
> (timestamp, source/destination IP/port/mac, etc.).  Unfortunately, instead
> of printing out blank fields, if data is missing for a field then tethereal
> will just print another field where that one is supposed to go.  For
> example, if the fields go "source ip,source port,destination ip,destination
> port" then you will have four fields for normal TCP/IP traffic.  For ICMP
> packets, though, you will only see a line with "source ip,destination ip."
> What I need is something like "source ip,,destination ip,".
>
> Second question...I'm trying to track down these IPs but the only MAC
> addresses I'm seeing are the interfaces for the premise router.  I think if
> I get the ARP tables then that should tell me what devices are hanging off
> that router, but isn't there a way to do that for all switches, remotely?  I
> seem to remember a whitepaper about that subject last year, for a cisco
> environment, but I can't find it.  Any other advice would be appreciated.
>
> Thanks,
>
> Pete
>
>
> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of your own 
> couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
>
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>
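Added example, not part of the thread above. The column-shifting problem Pete describes is what the `-T fields` mode of tshark (tethereal's current name) solves: every field named with `-e` gets its own column, and `-E separator=,` with `-E header=y` leaves the column empty when the packet has no such field, so an ICMP packet comes out as "source ip,,destination ip,". The Python below parses a sample constructed by the editor to look like that output, refuses any line whose column count is wrong (the collapse Pete saw) rather than silently shifting fields, and builds two views a responder wants from a capture: what each host is talking to, and which IPs each source MAC has used. The tshark flags are real; the sample rows, addresses and MACs are invented.

```python
import csv
import io
from collections import Counter

# tshark invocation that emits one column per requested field and leaves a
# column empty when the packet lacks that field (e.g. tcp.srcport on ICMP).
# Not executed here; SAMPLE below is a constructed stand-in for its output.
TSHARK_CMD = (
    "tshark -r capture.pcap -T fields -E header=y -E separator=, "
    "-e frame.time_epoch -e ip.proto -e eth.src -e ip.src -e tcp.srcport "
    "-e eth.dst -e ip.dst -e tcp.dstport"
)

# Column order must match the -e order in TSHARK_CMD.
FIELDS = ["frame.time_epoch", "ip.proto", "eth.src", "ip.src", "tcp.srcport",
          "eth.dst", "ip.dst", "tcp.dstport"]

# Constructed sample: two TCP packets, one ICMP echo (proto 1) and one UDP
# datagram (proto 17).  Note the empty port columns on the non-TCP rows.
SAMPLE = """\
frame.time_epoch,ip.proto,eth.src,ip.src,tcp.srcport,eth.dst,ip.dst,tcp.dstport
1144250000.100,6,00:11:22:33:44:55,10.1.5.20,3542,00:aa:bb:cc:dd:01,192.0.2.10,80
1144250000.250,1,00:11:22:33:44:66,10.1.5.21,,00:aa:bb:cc:dd:01,192.0.2.10,
1144250000.400,6,00:11:22:33:44:55,10.1.5.20,3543,00:aa:bb:cc:dd:01,192.0.2.10,445
1144250001.000,17,00:11:22:33:44:77,10.1.5.22,,00:aa:bb:cc:dd:01,10.1.5.1,
"""


def parse_fields(text):
    """Parse -T fields CSV into dicts keyed by field name.

    An empty column becomes None.  A line with the wrong number of columns
    (the positional collapse described in the post) raises ValueError
    instead of silently shifting the later fields left.
    """
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != FIELDS:
        raise ValueError("unexpected header: %r" % (reader.fieldnames,))
    rows = []
    for lineno, row in enumerate(reader, start=2):
        # DictReader stores None for columns a short line did not supply and
        # files surplus columns under the key None; both mean misalignment.
        if None in row or any(v is None for v in row.values()):
            raise ValueError("line %d has the wrong number of columns" % lineno)
        rows.append({name: (value or None) for name, value in row.items()})
    return rows


def is_well_formed(text):
    """True if every data line carries exactly len(FIELDS) columns."""
    try:
        parse_fields(text)
    except ValueError:
        return False
    return True


def destinations(rows):
    """Count (ip.proto, ip.dst, tcp.dstport) triples; '-' when there is no port."""
    counts = Counter()
    for r in rows:
        counts[(r["ip.proto"], r["ip.dst"], r["tcp.dstport"] or "-")] += 1
    return counts


def ips_per_source_mac(rows):
    """Map each source MAC to the set of source IPs it has been seen using."""
    seen = {}
    for r in rows:
        seen.setdefault(r["eth.src"], set()).add(r["ip.src"])
    return seen


if __name__ == "__main__":
    rows = parse_fields(SAMPLE)
    for key, n in destinations(rows).most_common():
        print(n, key)
    for mac, ips in ips_per_source_mac(rows).items():
        print(mac, sorted(ips))
```

If you add text-valued fields (DNS names, HTTP hosts) to the `-e` list, also pass `-E quote=d` so embedded commas are quoted; Python's csv module strips the quotes again. A source MAC that shows up with more than one source IP, or an IP that hops between MACs, is exactly the kind of mismatch against the "where an IP is supposed to be" table that is worth chasing first.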


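Added example, not part of the thread above. It is the lookup table Pete describes, built from `show arp` on the router and `show mac-address-table` on each switch as Aaron suggested. The parsers and the sample command output are constructed by the editor in Cisco IOS layout; switch names, ports, addresses and MACs are invented. It goes one step beyond the thread: a MAC learned on a port that carries only that MAC is the host's access port, while a port carrying several MACs is an uplink toward another switch, so the lookup ranks hits by how many MACs share the port and declines to name an edge port when it has only seen uplinks (meaning there is a switch you have not polled yet).

```python
import re
from collections import defaultdict

# Constructed `show arp` output from the premises router.  The Incomplete
# entry is included to show that it is skipped rather than mis-parsed.
ROUTER_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.5.1                -   00aa.bbcc.dd01  ARPA   Vlan5
Internet  10.1.5.20               3   0011.2233.4455  ARPA   Vlan5
Internet  10.1.5.21              12   0011.2233.4466  ARPA   Vlan5
Internet  10.1.5.22               7   0011.2233.4477  ARPA   Vlan5
Internet  10.1.5.99               0   Incomplete      ARPA
"""

# Constructed `show mac-address-table` output, one per switch.  Gi0/1 on
# both switches is an uplink, so it carries many MACs.
SWITCH_MAC_TABLES = {
    "sw-core": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
   5    0011.2233.4455    DYNAMIC     Gi0/1
   5    0011.2233.4466    DYNAMIC     Gi0/1
   5    0011.2233.4477    DYNAMIC     Gi0/1
   5    00aa.bbcc.dd01    DYNAMIC     Gi0/24
""",
    "sw-floor2": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
   5    0011.2233.4455    DYNAMIC     Fa0/7
   5    0011.2233.4466    DYNAMIC     Fa0/12
   5    0011.2233.4477    DYNAMIC     Gi0/1
   5    00aa.bbcc.dd01    DYNAMIC     Gi0/1
""",
}

ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-fA-F.]{14})\s+ARPA\s+\S+")
MAC_LINE = re.compile(r"^\s*(?:\d+|All)\s+([0-9a-fA-F.]{14})\s+\S+\s+(\S+)")


def normalize_mac(raw):
    """0011.2233.4455, 00-11-22-33-44-55 or 00:11:22:33:44:55 -> 00:11:22:33:44:55."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_show_arp(text):
    """IP -> MAC from `show arp`; Incomplete entries never match and are dropped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def parse_mac_table(text):
    """MAC -> set of ports from `show mac-address-table`; CPU entries dropped."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m and m.group(2) != "CPU":
            table[normalize_mac(m.group(1))].add(m.group(2))
    return table


def locate(ip, arp, switch_tables):
    """Return (mac, hits); hits are (switch, port, macs_on_port), fewest MACs first."""
    mac = arp.get(ip)
    if mac is None:
        return None, []
    hits = []
    for switch, text in switch_tables.items():
        table = parse_mac_table(text)
        macs_on_port = defaultdict(int)
        for ports in table.values():
            for port in ports:
                macs_on_port[port] += 1
        for port in table.get(mac, ()):
            hits.append((switch, port, macs_on_port[port]))
    hits.sort(key=lambda h: (h[2], h[0], h[1]))
    return mac, hits


def likely_edge_port(hits):
    """(switch, port) carrying only the target MAC, or None if every hit is an uplink."""
    if hits and hits[0][2] == 1:
        return hits[0][0], hits[0][1]
    return None


if __name__ == "__main__":
    arp = parse_show_arp(ROUTER_ARP)
    for ip in ("10.1.5.20", "10.1.5.22", "10.1.5.99"):
        mac, hits = locate(ip, arp, SWITCH_MAC_TABLES)
        print(ip, mac, hits, "->", likely_edge_port(hits))
```

Two caveats a responder should keep in mind: the MAC table only holds addresses the switch has seen recently (the aging timer is a few minutes by default), so a quiet host may be absent until you ping it from the router; and `show arp` is only authoritative for the router's own subnets, so repeat the collection on every layer-3 device before trusting a "not found".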

