Botnets - The killer web applications
www.syngress.com
Chapter 9 • Advanced Ourmon Techniques


way. For example, the botnet software might be spyware, recording keystrokes and sending them out on some channel you don't know about. Or the host might sit there today and join a DDoS attack tomorrow.
The ngrep tool is a custom sniffer that picks ASCII strings out of packet payloads. It can be used to watch for messages from a known C&C botnet IP address, and it can pattern-match on those payloads because it has grep-style regular expressions built in (really, Perl Compatible Regular Expressions, or PCRE; see www.pcre.org). It can also read and write tcpdump-format capture files (-I reads a capture, -O writes one). Here we will give a few syntax examples, explain them, and then look at one example of ngrep in combat.

The overall syntax for ngrep has the form:

# ngrep -flags "pattern" tcpdump-expression

The first non-option argument is the pattern; everything after it is a packet filter in the same BPF syntax that tcpdump uses.
Here are three examples. First:

ngrep -q host 10.0.0.1

We use -q to make ngrep quiet. Without it, ngrep prints a # for every packet that passes the filter but does not match the pattern, so -q leaves only the matching packets and their payload strings. No pattern is given here, so every packet that passes the filter is printed; if you want to be explicit about that, an empty pattern ('') has the same effect. The host 10.0.0.1 part is a tcpdump (BPF) expression telling ngrep to print strings for any packet to or from that particular host. This filter syntax is the same for other sniffers, too, including tcpdump and Wireshark capture filters (and Snort and ourmon, for that matter). Our goal is to watch traffic to and from the suspicious host in question. This might be IRC traffic or HTTP traffic or something else entirely.
Second:

ngrep -q "PRIVMSG|JOIN" host 10.0.0.1 or host 10.0.0.2

In this case we want any packet containing PRIVMSG or JOIN that is going to or from either of two possible hosts, both of which might be botnet servers. The pattern uses PCRE alternation (|), so it must be quoted or the shell will read the | as a pipe. We are using pattern matching to look at interesting IRC messages; this pattern rules out PING and PONG keepalives and other IRC messages that do not carry the channel traffic we care about. Add -i if the match should be case-insensitive.
Third:

# script serverip.log
# ngrep -q host 10.0.0.1
# Ctrl-D

Here script(1) starts a new shell and records everything that appears on the terminal into serverip.log, so the ngrep output becomes a file you can grep through later or keep as evidence. Stop ngrep with Ctrl-C first; Ctrl-D then exits the shell that script started and closes the log. If you want the packets themselves rather than the printed strings, ngrep -O serverip.pcap writes a tcpdump-format capture that you can replay later with ngrep -I serverip.pcap or open in Wireshark.
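The second and third examples together describe one pipeline: a BPF host filter decides which packets ngrep even looks at, a PCRE pattern then decides which payloads get printed, and the result is kept in a file. The following added example (not ngrep's code and not from the book) re-creates that pipeline in Python over a tcpdump-format file, the kind of capture ngrep -O writes and ngrep -I reads, so you can see exactly what the filter removes and what the pattern removes. The pcap bytes, the IRC lines and the 192.168.1.50 client address are constructed for the example; 10.0.0.1 and 10.0.0.2 are the chapter's placeholder server addresses.

```python
"""Offline re-creation of:  ngrep -q "PRIVMSG|JOIN" host 10.0.0.1 or host 10.0.0.2
run over a tcpdump-format (pcap) file instead of a live interface.
Added example, not ngrep's own code; the pcap, the IRC lines and the
192.168.1.50 client are constructed for illustration."""
import re
import socket
import struct


def _frame(src, dst, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame carrying payload (constructed; checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)  # PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap raw frames in a classic little-endian pcap container (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, frame in frames:
        out += struct.pack("<IIII", sec, 0, len(frame), len(frame)) + frame
    return out


# Constructed capture: an IRC session between a client and the chapter's two
# placeholder server addresses, plus one unrelated server that must be filtered out.
SAMPLE_PCAP = build_pcap([
    (1, _frame("10.0.0.1", "192.168.1.50", 6667, 40001, b"PING :irc.example\r\n")),
    (2, _frame("192.168.1.50", "10.0.0.1", 40001, 6667, b"PONG :irc.example\r\n")),
    (3, _frame("10.0.0.1", "192.168.1.50", 6667, 40001, b":ops!op@c2 PRIVMSG #chan :hello bots\r\n")),
    (4, _frame("192.168.1.50", "10.0.0.2", 40002, 6667, b"JOIN #chan\r\n")),
    (5, _frame("192.168.1.50", "198.51.100.9", 40003, 6667, b"PRIVMSG #other :unrelated\r\n")),
])


def iter_tcp(pcap):
    """Yield (src_ip, dst_ip, tcp_payload) for every IPv4/TCP frame in a classic pcap blob."""
    magic, = struct.unpack_from("<I", pcap, 0)
    end = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from(end + "IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                        # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        tcp_off = 14 + ihl
        data_off = (frame[tcp_off + 12] >> 4) * 4
        yield (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
               frame[tcp_off + data_off:14 + total_len])


def ngrep_q(pcap, pattern, hosts):
    """Stand-in for: ngrep -q PATTERN host A or host B ...  applied to a pcap.

    The host list plays the role of the BPF filter (either endpoint may match);
    the pattern is applied to the TCP payload, as ngrep does.  Returns one
    (src, dst, printable_payload) tuple per matching packet.  An empty pattern
    matches everything, like ngrep ''.
    """
    rx = re.compile(pattern.encode())
    hosts = set(hosts)
    hits = []
    for src, dst, payload in iter_tcp(pcap):
        if not payload or not (src in hosts or dst in hosts):
            continue                                        # dropped by the "BPF filter"
        if rx.search(payload):
            # like ngrep, render non-printable bytes as '.'
            text = "".join(chr(b) if 32 <= b < 127 else "." for b in payload)
            hits.append((src, dst, text))
    return hits


if __name__ == "__main__":
    for src, dst, text in ngrep_q(SAMPLE_PCAP, "PRIVMSG|JOIN", ["10.0.0.1", "10.0.0.2"]):
        print(f"T {src} -> {dst}  {text}")
```

Run as a script it prints only the PRIVMSG line from 10.0.0.1 and the JOIN sent to 10.0.0.2: the PING/PONG pair survives the host filter but fails the pattern, and the PRIVMSG to 198.51.100.9 matches the pattern but never reaches it because the host filter drops it first, which is the order ngrep applies them in too. Swap SAMPLE_PCAP for the bytes of a file written with ngrep -O or tcpdump -w to use it on real traffic.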
