Thursday, March 14, 2013

Automatic Malware collector and report generation


Malware collector and report generation is a Linux command-line toolchain: tcpdump and Wireshark capture packets, Snort inspects the capture and writes alerts, and SnortALog turns the alerts into a report. The steps are chained together in a bash shell script, which is why it is called automatic malware collector and report generation.

The tools are described below:

1) Tcpdump
2) Wireshark
3) Snort
4) SnortALog

Tcpdump:


Tcpdump is a powerful command-line packet sniffer. It must be launched as root or with superuser rights because it opens a raw socket on the network device and puts the interface into promiscuous mode, both of which need elevated privileges. Once the capture is open it can drop to an unprivileged user with -Z <user>, so the long-running part of the capture does not keep root.

Promiscuous mode :

On a local area network (LAN), promiscuous mode is a mode of operation in which the network adapter passes every frame it sees on the wire up to the operating system, not only the frames addressed to its own MAC address (plus broadcast and multicast). On a switched network the adapter only sees what the switch forwards to its port, so to collect other hosts' traffic the capture box needs a hub, a mirror (SPAN) port or a network tap.

Command for packet capturing (the raw packets are written to a pcap file that Snort and Wireshark can read later; tcpdump runs until Ctrl-C unless a packet count is given with -c):

        tcpdump -v -i eth0 -w /var/log/kk.pcap
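Before running Snort on the capture it is worth checking that tcpdump actually wrote a pcap. The following is an added example, not code from the original post: POSIX shell functions that test for the pcap magic number and for packet data after the 24-byte global header. The file names under the temporary directory and the hand-built header bytes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original post): verify that a file written by
# "tcpdump -w" is a real pcap before running Snort on it. A zero-byte or junk
# file (tcpdump killed early, wrong interface, no privileges) would otherwise
# make the Snort and SnortALog steps silently produce an empty report.

# is_pcap FILE: return 0 if FILE starts with a pcap magic number, else 1.
# Magic values: a1b2c3d4 (microsecond timestamps) and a1b23c4d (nanosecond),
# each in either byte order depending on the host that wrote the file.
is_pcap() {
    [ -s "$1" ] || return 1
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) return 0 ;;
        *) return 1 ;;
    esac
}

# pcap_payload_bytes FILE: bytes after the 24-byte global header. 0 means the
# header was written but no packets followed (or the file is not a pcap).
pcap_payload_bytes() {
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -ge 24 ]; then echo $((size - 24)); else echo 0; fi
}

# Constructed demo inputs (assumptions, not real captures): a little-endian
# microsecond pcap header with no packets, and a file that is not a pcap at all.
demo_dir=$(mktemp -d)
printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$demo_dir/empty.pcap"
printf 'not a capture' > "$demo_dir/junk.pcap"

if is_pcap "$demo_dir/empty.pcap"; then
    echo "empty.pcap: pcap header ok, $(pcap_payload_bytes "$demo_dir/empty.pcap") bytes of packet data"
fi
is_pcap "$demo_dir/junk.pcap" || echo "junk.pcap: not a pcap, do not run snort on it"
```

In the pipeline this becomes a guard between the capture and the analysis step: `is_pcap /var/log/kk.pcap || exit 1` before calling snort, and a warning when pcap_payload_bytes reports 0. The nanosecond-resolution magic is accepted too, since newer libpcap builds can write it.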

WireShark:

Wireshark is a free, open-source packet analyzer. It is used for network troubleshooting and protocol analysis, with display filters to narrow a capture down to the traffic of interest, and it can open the pcap file written by tcpdump.






Snort : 


Snort is a lightweight intrusion detection system that can log packets crossing your network and raise alerts when they match its rules. It works well on smaller networks, but on larger ones with Gigabit Ethernet a single Snort instance can become unreliable, i.e. drop packets under load. Snort does not require recompiling your kernel or adding any software or hardware to your existing distribution, but it does require root privileges.

The simplest way to start Snort to see what it does is sniffer mode, which prints packet headers to the console:

snort -v -i eth0

Commands to run after the tcpdump capture (the same steps the script below automates):

ifconfig | less                                              # list the interfaces and confirm eth0 is the one you captured on
snort -v -c /etc/snort/snort.conf -l /var/log/ -r kk.pcap    # analyse the capture; -r reads a pcap back (-i expects an interface name, not a path); alerts go to /var/log/alert
chmod 755 example.sh                                         # make the wrapper script executable (a+rwx would also make a root-run script world-writable)


SnortAlog:

SnortALog is a powerful Perl script that summarizes Snort logs, making it easy to view attacks against your network. It works with all versions of Snort and analyses Snort's logs in all formats (syslog, fast and full alerts). It can also summarize the exported logs of many firewalls; see the features page for more information.

Different packages under SnortALog :

Now the simple command for report generation:

cat /home/sxnsaur/Desktop/alert_sample | perl snortalog.pl -r -g gif -o /home/sxnsaur/Desktop/kk.html -report

The complete bash shell script for automatic report generation is given as :  


#!/bin/bash
# s.sh: capture traffic, run the capture through Snort, summarise the alerts with SnortALog.
# Run as root (tcpdump and Snort both need it). -c 1000 stops the capture after
# 1000 packets (an assumed limit); without a count or a timeout tcpdump runs until
# Ctrl-C and the rest of the script never starts.
tcpdump -i eth0 -c 1000 -w kk.pcap

# Snort reads the capture back with -r (-i expects an interface name, not a path)
# and writes its alert file to the -l directory, i.e. /var/log/alert.
snort -v -c /etc/snort/snort.conf -l /var/log/ -r kk.pcap

# SnortALog reads the alert file on stdin and writes an HTML report with GIF graphs.
cat /home/sxnsaur/Desktop/alert_sample | perl snortalog.pl -r -g gif -o /home/sxnsaur/Desktop/abc.html -report

save as: s.sh
make it executable and run it as root: chmod 755 s.sh && sudo ./s.sh (or: sudo sh s.sh)
To check which interface to capture on, run ifconfig | less (or ip link) first.

You also need a Snort alert file for SnortALog to read. The script uses a saved sample (alert_sample), but the alert file Snort has just written (/var/log/alert) can be piped in instead.
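SnortALog's report is built from the alert file. As an added example (not code from the original post or from SnortALog), the following POSIX shell functions do a minimal version of the same summarising on Snort fast-format alert lines (one alert per line, as written with -A fast): alerts per signature, per source address and per priority. The alert lines are constructed sample data with sids in the local 1000000+ range, not real signatures; the functions can be pointed at /var/log/alert or the alert_sample file to sanity-check the input before the HTML report is generated.

```shell
#!/bin/sh
# Added example (not part of the original post and not SnortALog's code):
# a minimal summariser for Snort "fast" alert lines (one alert per line, as
# written with -A fast). It shows what SnortALog's report aggregates: alerts
# per signature, per source address and per priority.

# Constructed sample alert lines (sids in the local 1000000+ range; these are
# not real signatures). The last line is noise that must be ignored.
SAMPLE_ALERTS='03/14-10:15:22.123456  [**] [1:1000001:1] LOCAL ICMP echo from outside [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.168.1.10
03/14-10:15:23.000111  [**] [1:1000001:1] LOCAL ICMP echo from outside [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.168.1.11
03/14-10:16:01.554433  [**] [1:1000002:2] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:48211 -> 192.168.1.10:22
03/14-10:16:02.001122  [**] [1:1000002:2] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:48212 -> 192.168.1.10:22
03/14-10:16:03.778899  [**] [1:1000002:2] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:50001 -> 192.168.1.10:22
this line is not an alert and must be ignored'

# alerts_by_signature: stdin -> "count<TAB>gid:sid:rev signature", most frequent first.
# Only lines carrying the [**] markers are alerts; the sid and name sit between them.
alerts_by_signature() {
    grep -F '[**]' \
      | sed -n 's/.*\[\*\*\] \[\([0-9:]*\)\] \(.*\) \[\*\*\].*/\1 \2/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ c = $1; $1 = ""; sub(/^ /, ""); print c "\t" $0 }'
}

# alerts_by_source: stdin -> "count<TAB>source-ip", most frequent first.
# The source is the address after the {PROTO} field, with an optional :port.
alerts_by_source() {
    grep -F '[**]' \
      | sed -n 's/.*} \([0-9.]*\)\(:[0-9]*\)* -> .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1 "\t" $2 }'
}

# alerts_at_priority N: number of alerts at priority N (1 is the most severe).
alerts_at_priority() {
    grep -F '[**]' | grep -c "\[Priority: $1\]"
}

echo "== alerts by signature =="
printf '%s\n' "$SAMPLE_ALERTS" | alerts_by_signature
echo "== alerts by source =="
printf '%s\n' "$SAMPLE_ALERTS" | alerts_by_source
echo "priority 1 alerts: $(printf '%s\n' "$SAMPLE_ALERTS" | alerts_at_priority 1)"
```

On real data replace the printf of the sample with `cat /var/log/alert | alerts_by_signature` and so on. If the counts look wrong (no lines at all, or one source dominating because the sensor is behind NAT), fix the capture or the rules before spending time on the HTML report, because SnortALog only makes the same numbers prettier.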


Your report should look like this:







