Installing and using DDoS analysis tools (tcpdstat, ngrep, httpry)
http://www.krcert.or.kr

###################
# Installing the DDoS analysis tools
###################

tcpdstat : summarizes a captured trace (protocol mix, rates, packet sizes)
ngrep, httpry : inspect HTTP header information
argus : concurrent-connection information (monitoring tool)

** tcpdstat
http://sickbits.net/tcpdstat-fixing-a-compilation-bug-and-using-statistics/
http://staff.washington.edu/dittrich/talks/core02/tools/tools.html

yum -y install libpcap
cd /tmp
wget http://staff.washington.edu/dittrich/talks/core02/tools/tcpdstat-uw.tar
tar xf tcpdstat-uw.tar
cd tcpdstat-uw
vi net_read.c
------------------8<--------------------
int packet_length;               /* length of current packet */
------------------8<--------------------
make
make install
echo 'export PATH=$PATH:/usr/local/bin' >> ~/.bashrc
source ~/.bashrc
tcpdstat -h

** ngrep
cd /tmp
rpm -Uvh http://ftp.cuhk.edu.hk/pub/linux/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
yum -y install ngrep

** httpry (from EPEL)
yum -y install httpry

** argus
http://www.qosient.com/argus/index.shtml


##################
# tcpdstat usage example
##################
: average/peak traffic rate, protocols in use, volume per protocol

[root@localhost tmp]# tcpdstat packets.pcap 

DumpFile:  packets.pcap
FileSize: 1.51MB
Id: 201407251602
StartTime: Fri Jul 25 16:02:34 2014
EndTime:   Fri Jul 25 16:03:16 2014
TotalTime: 41.46 seconds
TotalCapSize: 1.47MB  CapLen: 1514 bytes
# of packets: 2593 (1.47MB)
AvgRate: 299.68Kbps  stddev:1031.94K   PeakRate: 6.72Mbps

### IP flow (unique src/dst pair) Information ###
# of flows: 27  (avg. 96.04 pkts/flow)
Top 10 big flow size (bytes/total in %):
 50.5% 13.3% 12.8%  6.3%  5.4%  3.2%  1.6%  1.6%  1.2%  0.9%

### IP address Information ###
# of IPv4 addresses: 16 
Top 10 bandwidth usage (bytes/total in %):
 100.0% 53.7% 14.9% 14.4%  7.0%  6.1%  1.3%  1.0%  0.6%  0.5%
### Packet Size Distribution (including MAC headers) ###
<<<<
 [   32-   63]:        619
 [   64-  127]:        890
 [  128-  255]:         10
 [  256-  511]:         30
 [  512- 1023]:        103
 [ 1024- 2047]:        941
>>>>


### Protocol Breakdown ###
<<<<
     protocol packets bytes bytes/pkt
------------------------------------------------------------------------
[0] total             2593 (100.00%)          1537843 (100.00%)    593.07
[1] ip                2581 ( 99.54%)          1537123 ( 99.95%)    595.55
[2]  tcp              2578 ( 99.42%)          1536909 ( 99.94%)    596.16
[3]   ssh                3 (  0.12%)              374 (  0.02%)    124.67
[3]   smtp              13 (  0.50%)             1034 (  0.07%)     79.54
[3]   http(s)         1389 ( 53.57%)          1406765 ( 91.48%)   1012.79
[3]   http(c)         1172 ( 45.20%)           128670 (  8.37%)    109.79
[3]   http-a             1 (  0.04%)               66 (  0.00%)     66.00
[2]  icmp                1 (  0.04%)               94 (  0.01%)     94.00
[2]  igmp                2 (  0.08%)              120 (  0.01%)     60.00
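To make the numbers above concrete, here is an added example (not from the original post and not tcpdstat's own code) of a small libpcap-format reader that reproduces the headline figures tcpdstat prints: total duration, average and peak bit rate, a power-of-two packet size histogram and a protocol breakdown taken from the Ethernet and IPv4 headers. It assumes Ethernet framing; the sample capture it analyses is constructed inline, so it runs offline.

```python
import struct
from collections import Counter

# Added example: a minimal reader for libpcap ("tcpdump") files that reproduces the
# headline figures tcpdstat prints. It is not tcpdstat's code and assumes Ethernet
# framing (DLT_EN10MB) and IPv4; anything else is counted as "non-ip".

PCAP_MAGIC_LE = 0xA1B2C3D4   # value read little-endian from bytes d4 c3 b2 a1
PCAP_MAGIC_BE = 0xD4C3B2A1   # same bytes when the file was written big-endian
ETH_P_IP = 0x0800
IP_PROTOS = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}


def read_pcap(data: bytes):
    """Yield (timestamp_seconds, frame_bytes) for each record in a pcap blob."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap capture (bad magic)")
    off = 24                                     # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def classify(frame: bytes) -> str:
    """Name the innermost protocol for an Ethernet frame (IPv4 only)."""
    if len(frame) < 14:
        return "runt"
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_P_IP:
        return "non-ip"
    if len(frame) < 34:
        return "runt"
    return IP_PROTOS.get(frame[23], "ip-other")  # byte 9 of the IPv4 header


def size_bucket(n: int) -> str:
    """Power-of-two bucket label in tcpdstat's style, e.g. 60 -> '32-63'."""
    if n <= 0:
        return "0"
    lo = 1 << (n.bit_length() - 1)
    return f"{lo}-{2 * lo - 1}"


def summarize(data: bytes, bucket_secs: float = 1.0) -> dict:
    """Compute duration, average/peak bit rate, size histogram and protocol counts."""
    frames = list(read_pcap(data))
    if not frames:
        raise ValueError("empty capture")
    start, end = frames[0][0], frames[-1][0]
    total_time = max(end - start, 1e-6)
    total_bytes = sum(len(f) for _, f in frames)
    per_bucket, sizes, protos = Counter(), Counter(), Counter()
    for ts, f in frames:
        per_bucket[int((ts - start) // bucket_secs)] += len(f)   # bytes per time bucket
        sizes[size_bucket(len(f))] += 1
        protos[classify(f)] += 1
    return {
        "packets": len(frames),
        "bytes": total_bytes,
        "total_time": total_time,
        "avg_kbps": total_bytes * 8 / total_time / 1000,
        "peak_kbps": max(per_bucket.values()) * 8 / bucket_secs / 1000,  # busiest bucket
        "sizes": dict(sizes),
        "protocols": dict(protos),
    }


def build_sample_pcap() -> bytes:
    """Constructed 5-frame capture spanning 2 seconds (all values are made up)."""
    base = 1406275354                            # arbitrary epoch seconds

    def ipv4_frame(proto: int, payload_len: int) -> bytes:
        eth = bytes(12) + struct.pack("!H", ETH_P_IP)
        ip = (bytes([0x45, 0]) + struct.pack("!H", 20 + payload_len) + bytes(4)
              + bytes([64, proto]) + bytes(2) + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))
        return eth + ip + b"A" * payload_len

    arp_frame = bytes(12) + struct.pack("!H", 0x0806) + bytes(28)
    records = [
        (0, 0,      ipv4_frame(6, 26)),     # 60-byte TCP
        (0, 500000, ipv4_frame(6, 1466)),   # 1500-byte TCP
        (1, 200000, ipv4_frame(17, 66)),    # 100-byte UDP
        (1, 900000, ipv4_frame(1, 30)),     # 64-byte ICMP
        (2, 0,      arp_frame),             # 42-byte ARP, counted as non-ip
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for sec, usec, frame in records:
        out += struct.pack("<IIII", base + sec, usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for key, value in summarize(blob).items():
        print(f"{key}: {value}")
```

Run it with a pcap path to summarize a real trace, or with no arguments to see the constructed sample. The peak rate is the busiest one-second bucket, which is the figure that separates a short flood from a steady load; lower `bucket_secs` to catch shorter bursts.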

##################
# ngrep usage example
##################
: inspect headers and payload (Method, User-Agent, Host, Referer)

[root@localhost tmp]# ngrep -I packets.pcap -tWbyline | more
input: packets.pcap
##
T 2014/07/25 16:02:34.834819 66.249.77.67:63502 -> 218.49.116.75:80 [AP]
GET /index.php?mid=board_dev_perl&sort_index=readed_count&order_type=asc&comment_srl=7388&document_srl=5400 HTTP/1.1.
Host: www.ylabs.co.kr.
Connection: Keep-alive.
Accept: */*.
From: googlebot(at)googlebot.com.
Accept-Encoding: gzip,deflate.
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html).
[...]

** Search the headers for a specific string and find the most frequently requested URLs
[root@localhost tmp]# ngrep -I packets.pcap -tWbyline | egrep 'GET.*HTTP/' | sort | uniq -c | sort -nr | head -3
      1 GET /widgets/language_select/skins/default/js/language_select.js?20140204155901 HTTP/1.1.
      1 GET /modules/editor/styles/default/style.css?20140204155901 HTTP/1.1.
      1 GET /modules/board/tpl/js/board.min.js?20140204155901 HTTP/1.1.

##################
# httpry usage example
##################
: source IP, destination IP, method, URL

[root@localhost tmp]# httpry -r packets.pcap | head
httpry version 0.1.7 -- HTTP logging and information retrieval tool
Copyright (c) 2005-2012 Jason Bittel <jason.bittel@gmail.com>
2014-07-25 16:02:34 66.249.77.67 218.49.116.75 > GET www.ylabs.co.kr /index.php?mid=board_dev_perl&sort_index=readed_count&order_type=asc&comment_srl=7388&document_srl=5400 HTTP/1.1 - -
2014-07-25 16:02:35 218.49.116.75 66.249.77.67 < - - - HTTP/1.1 200 OK
2014-07-25 16:02:35 66.249.77.57 218.49.116.75 > GET www.ylabs.co.kr /?d0cument_srl=6889&mid=board_centos&page=16&sort_index=readed_count&order_type=desc&document_srl=4953 HTTP/1.1 - -
2014-07-25 16:02:35 23.89.196.80 218.49.116.75 > POST www.ylabs.co.kr /index.php HTTP/1.1 - -
2014-07-25 16:02:35 218.49.116.75 66.249.77.57 < - - - HTTP/1.1 200 OK
2014-07-25 16:02:35 218.49.116.75 23.89.196.80 < - - - HTTP/1.1 200 OK
[...]

** Find the source IPs with the most requests
[root@localhost tmp]# httpry -r packets.pcap | egrep 'GET|POST' | cut -f2 | sort | uniq -c | sort -nr
httpry version 0.1.7 -- HTTP logging and information retrieval tool
Copyright (c) 2005-2012 Jason Bittel <jason.bittel@gmail.com>
188 http packets parsed
     32 203.241.152.1
     19 66.249.77.67
     19 66.249.77.57
     12 175.126.171.204
      8 66.249.77.77
      1 37.58.100.167
      1 23.89.196.80
      1 207.46.13.106
      1 157.55.39.59
      1 157.55.39.223
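The two shell pipelines above (most requested URLs, busiest source IPs) answer one question at a time. As an added example, not part of the original post and not httpry's own code, the following Python script parses httpry's default tab-separated output, skips the banner and response lines, and produces both rankings plus a per-source request-rate check that flags any client exceeding a threshold within a fixed time window. The log lines it uses are constructed with documentation addresses, not taken from the post's capture; the field order is assumed to match the default httpry output shown above.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Added example, not part of the original post or of httpry itself. It parses the
# tab-separated lines httpry prints by default and answers the two questions the
# one-liners above ask (busiest sources, most requested URLs), then adds a simple
# per-source rate check.

FIELDS = ("timestamp", "src", "dst", "direction", "method",
          "host", "uri", "version", "status", "reason")


def _row(ts, src, dst, direction, method, host, uri, status="-", reason="-"):
    return "\t".join((ts, src, dst, direction, method, host, uri, "HTTP/1.1", status, reason))


# Constructed sample log (documentation IPs; values are made up, not from the capture).
SAMPLE_LOG = "\n".join([
    "httpry version 0.1.7 -- HTTP logging and information retrieval tool",
    _row("2014-07-25 16:02:34", "192.0.2.10", "198.51.100.5", ">", "GET", "www.example.test", "/index.php"),
    _row("2014-07-25 16:02:34", "192.0.2.10", "198.51.100.5", ">", "GET", "www.example.test", "/index.php"),
    _row("2014-07-25 16:02:35", "198.51.100.5", "192.0.2.10", "<", "-", "-", "-", "200", "OK"),
    _row("2014-07-25 16:02:35", "192.0.2.10", "198.51.100.5", ">", "GET", "www.example.test", "/index.php"),
    _row("2014-07-25 16:02:35", "192.0.2.11", "198.51.100.5", ">", "GET", "www.example.test", "/"),
    _row("2014-07-25 16:02:35", "192.0.2.10", "198.51.100.5", ">", "GET", "www.example.test", "/index.php"),
    _row("2014-07-25 16:02:36", "192.0.2.10", "198.51.100.5", ">", "GET", "www.example.test", "/index.php"),
    _row("2014-07-25 16:02:36", "192.0.2.10", "198.51.100.5", ">", "GET", "www.example.test", "/index.php"),
    _row("2014-07-25 16:02:40", "192.0.2.11", "198.51.100.5", ">", "POST", "www.example.test", "/index.php"),
    _row("2014-07-25 16:02:50", "192.0.2.12", "198.51.100.5", ">", "GET", "www.example.test", "/about.html"),
    "11 http packets parsed",
])


def parse_httpry(text: str):
    """Yield one dict per request line ('>' direction); banners and responses are skipped."""
    for line in text.splitlines():
        parts = line.rstrip("\n").split("\t")
        if len(parts) != len(FIELDS) or parts[3] != ">":
            continue
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
        yield rec


def top_sources(requests, n=10):
    """Equivalent of: egrep 'GET|POST' | cut -f2 | sort | uniq -c | sort -nr | head -n."""
    return Counter(r["src"] for r in requests).most_common(n)


def top_urls(requests, n=10):
    """Most requested method + host + URI combinations."""
    return Counter(f'{r["method"]} {r["host"]}{r["uri"]}' for r in requests).most_common(n)


def flag_sources(requests, threshold, window_secs):
    """Return {src: peak requests in any fixed window} for sources at or above threshold."""
    requests = list(requests)
    if not requests:
        return {}
    t0 = min(r["ts"] for r in requests)            # windows are aligned to the first request
    per_window = defaultdict(Counter)
    for r in requests:
        bucket = int((r["ts"] - t0).total_seconds() // window_secs)
        per_window[r["src"]][bucket] += 1
    peaks = {src: max(c.values()) for src, c in per_window.items()}
    return {src: peak for src, peak in peaks.items() if peak >= threshold}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    reqs = list(parse_httpry(text))
    print("top sources:", top_sources(reqs, 5))
    print("top urls:", top_urls(reqs, 5))
    print("over 5 req/10s:", flag_sources(reqs, threshold=5, window_secs=10))
```

Feed it a saved `httpry -r packets.pcap > requests.log` file to run it on a real capture. The threshold and window are tuning knobs: a crawler such as the Googlebot addresses in the output above will also rank high on request count, so the per-window rate and the URL being hit are what distinguish a flood from normal heavy traffic.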



Posted by Hojung, 2014.07.25