The document provides a summary of various IPv6 tools including iperf for testing network performance, nmap for port scanning, scapy for packet manipulation and analysis, and traceroute for mapping routes between hosts. Key points covered include using these tools to test firewall rules, send packets with different protocols, sniff network traffic, and trace routes over IPv6 networks.
3. Iperf to test the network performance
- One end is started as a server
- The other end as a client
- Iperf is a traffic generator to test IP or IPv6 network performance
- Useful to test firewall rules
- TCP or UDP and the port number can be given on the CLI
4. Iperf -V to test IPv6
Client
root@ks363021:~# iperf -c 2001:41d0:8:68dd:1:2:3:4 -V -u -t 30 -i 1 -b 5M -p 25
------------------------------------------------------------
Client connecting to 2001:41d0:8:68dd:1:2:3:4, UDP port 25
Sending 1470 byte datagrams
UDP buffer size: 122 KByte (default)
------------------------------------------------------------
[ 3] local 2001:41d0:1:f24a:1:2:3:4 port 48738 connected with 2001:41d0:8:68dd:1:2:3:4 port 25
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 1.0 sec 612 KBytes 5.01 Mbits/sec
[ 3] 1.0- 2.0 sec 610 KBytes 5.00 Mbits/sec
[ 3] 2.0- 3.0 sec 610 KBytes 5.00 Mbits/sec
[ 3] 3.0- 4.0 sec 610 KBytes 5.00 Mbits/sec
Server
root@ns3000172# iperf -s -V -u -B 2001:41d0:8:68dd:1:2:3:4 25
------------------------------------------------------------
Server listening on UDP port 25
Binding to local address 2001:41d0:8:68dd:1:2:3:4
Receiving 1470 byte datagrams
UDP buffer size: 122 KByte (default)
------------------------------------------------------------
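As an added example (not from the slides or from iperf itself), the Python below parses iperf interval lines and compares each interval with the rate requested by -b. On a UDP test the client transmits at -b whatever the firewall does, so the report to check is the server's: its interval lines have the same layout with jitter and lost/total columns appended, which the parser also reads. The sample text is constructed in that server-side format; the last interval is made to lose half its datagrams so the check has something to report.

```python
import re

# Constructed sample: server-side iperf UDP report in the layout the slide shows for the
# client, plus the jitter and lost/total columns the server adds. The third interval is
# invented to lose 212 of 425 datagrams.
SAMPLE_IPERF_SERVER = """\
[  3] local 2001:41d0:8:68dd:1:2:3:4 port 25 connected with 2001:41d0:1:f24a:1:2:3:4 port 48738
[ ID] Interval       Transfer     Bandwidth        Jitter   Lost/Total Datagrams
[  3]  0.0- 1.0 sec   612 KBytes  5.01 Mbits/sec   0.031 ms    0/  426 (0%)
[  3]  1.0- 2.0 sec   610 KBytes  5.00 Mbits/sec   0.028 ms    0/  425 (0%)
[  3]  2.0- 3.0 sec   305 KBytes  2.50 Mbits/sec   0.040 ms  212/  425 (50%)
"""

# "[ ID] start- end sec  transfer unit  bandwidth unit [jitter ms lost/total]"
INTERVAL_RE = re.compile(
    r"^\[\s*\d+\]\s+(?P<start>[\d.]+)-\s*(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xunit>[KMG]?)Bytes\s+"
    r"(?P<bw>[\d.]+)\s+(?P<bunit>[KMG]?)bits/sec"
    r"(?:\s+(?P<jitter>[\d.]+)\s+ms\s+(?P<lost>\d+)/\s*(?P<total>\d+))?"
)
_SCALE = {"": 1.0, "K": 1e3, "M": 1e6, "G": 1e9}


def parse_intervals(text):
    """Return one dict per interval line: start/end seconds, bit/s, and for UDP
    server reports the lost and total datagram counts (None on TCP lines)."""
    out = []
    for line in text.splitlines():
        m = INTERVAL_RE.match(line)
        if not m:
            continue
        out.append({
            "start": float(m["start"]), "end": float(m["end"]),
            "bps": float(m["bw"]) * _SCALE[m["bunit"]],
            "lost": int(m["lost"]) if m["lost"] else None,
            "total": int(m["total"]) if m["total"] else None,
        })
    return out


def check_rate(text, target_bps, tolerance=0.05):
    """Flag intervals whose rate deviates from the -b target by more than `tolerance`
    or that report lost datagrams. Returns (ok, failing_intervals)."""
    failing = []
    for iv in parse_intervals(text):
        rate_bad = abs(iv["bps"] - target_bps) > tolerance * target_bps
        loss_bad = bool(iv["lost"])
        if rate_bad or loss_bad:
            failing.append(iv)
    return (not failing), failing


if __name__ == "__main__":
    ok, bad = check_rate(SAMPLE_IPERF_SERVER, 5e6)
    print("all intervals within tolerance" if ok else "problem intervals: %r" % bad)
```

A run that passes the firewall cleanly gives a steady rate and 0 lost datagrams in every interval; a rule that drops the flow shows up as zero-rate intervals on the server side while the client keeps reporting 5 Mbit/s sent.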
6. nmap -6 to scan open ports with IPv6
root@ks363021:~# nmap -6 2001:41d0:8:68dd:1:2:3:4
Starting Nmap 5.00 ( http://nmap.org ) at 2012-08-26 18:02 CEST
Interesting ports on ipv6forlife.com (2001:41d0:8:68dd:1:2:3:4):
Not shown: 993 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 4.49 seconds
root@ks363021:~#
8. What is Scapy?
“Scapy is a powerful interactive packet manipulation program.
It is able to forge or decode packets of a wide number of
protocols, send them on the wire, capture them, match
requests and replies, and much more.
It can easily handle most classical tasks like scanning,
tracerouting, probing, unit tests, attacks or network discovery
(it can replace hping, 85% of nmap, arpspoof, arp-sk, arping,
tcpdump, tethereal, p0f, etc.).
It also performs very well at a lot of other specific tasks that most
other tools can't handle, like sending invalid frames, injecting
your own 802.11 frames, combining techniques (VLAN hopping
+ARP cache poisoning, VOIP decoding on WEP encrypted
channel ...), etc.”
(Source: https://www.secdev.org/projects/Scapy/)
9. Scapy installation
- Scapy is a Python application which uses many libraries.
- To make sure that you do not forget anything, here is the command line to use:
- apt-get install tcpdump graphviz imagemagick python-gnuplot python-crypto python-pyx
10. Scapy: Send a packet
>>> send(IPv6(dst="2001:41d0:8:68dd:1:2:3:4")/ICMP()/"HelloWorld")
.
Sent 1 packets.
>>>
- send - tells Scapy that you want to send a packet (just a single packet)
- IPv6 - the type of packet you want to create, in this case an IPv6 packet
- (dst="2001:41d0:8:68dd:1:2:3:4") - the destination to send the packet to (in this case my router)
- /ICMP() - you want to create an ICMP packet with the default values provided by Scapy (ICMP() is Scapy's IPv4 ICMP layer; the IPv6 equivalent is ICMPv6EchoRequest(), which is what an IPv6 host will answer)
- /"HelloWorld" - the payload to include in the ICMP packet (you don't have to provide this for it to work)
11. Scapy: Send TCP
>>> h=sr(IPv6(dst="2001:41d0:8:68dd:1:2:3:4")/TCP(dport=21))
Begin emission:
Finished to send 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
>>> h
(<Results: TCP:1 UDP:0 ICMP:0 Other:0>, <Unanswered: TCP:0
UDP:0 ICMP:0 Other:0>)
>>>
12. Scapy: Send a range of TCP
>>> h=sr(IPv6(dst="2001:41d0:8:68dd:1:2:3:4")/TCP(dport=[21,22,80]))
Begin emission:
*...*Finished to send 3 packets.
*
Received 6 packets, got 3 answers, remaining 0 packets
>>> h
(<Results: TCP:3 UDP:0 ICMP:0 Other:0>, <Unanswered: TCP:0
UDP:0 ICMP:0 Other:0>)
>>>
16. Traceroute
>>> traceroute6(["2001:41d0:8:68dd:1:2:3:4","www.cisco.com","yoda.ipv6forlife.com"])
Begin emission:
.................*..........*..*.*........*.....*.*..*..*.*...**..*..*.*...*...*.....**....*.........**..*...*.*.*....**..*...**...*......*.*.....*..........**......
*........*.*..*.......**...*...*.*...*...**Finished to send 90 packets.
...*......*....*..*............*.*..*.....**..*....**..*..........*.*....*......**....*..........**.....**.*.....*.....*....*............*.....*......*..............
...................
Received 392 packets, got 79 answers, remaining 11 packets
2001:41d0:0008:68dd:0001:0002:0003:0004 :tcpwww 2a01:0e35:2f26:d340:8249:71ff:fe15:69c3 :tcpwww 2a02:26f0:0026:0003:8700:0000:0000:0090 :tcpwww
1 2001:41d0:1:f2ff:ff:ff:ff:fe 3 - -
2 2001:41d0::a91 3 2001:41d0::aa1 3 2001:41d0::6b1 3
3 2001:41d0::167 3 2001:41d0::b72 3 -
4 2001:41d0:8:68dd:1:2:3:4 SA 2001:41d0::163 3 2001:7f8:4::7577:1 3
5 2001:41d0:8:68dd:1:2:3:4 SA 2001:41d0::542 3 2001:7f8:4::51cc:1 3
6 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e00:2:e::2 3 2a02:26f0:26:3:8700::90 SA
7 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340::1 3 2a02:26f0:26:3:8700::90 SA
8 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
9 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
10 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
11 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
12 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
13 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
14 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
15 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
16 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
17 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
18 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
19 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
20 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
21 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
22 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
23 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
24 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
25 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA -
26 2001:41d0:8:68dd:1:2:3:4 SA - 2a02:26f0:26:3:8700::90 SA
27 2001:41d0:8:68dd:1:2:3:4 SA - 2a02:26f0:26:3:8700::90 SA
28 2001:41d0:8:68dd:1:2:3:4 SA - -
29 - - 2a02:26f0:26:3:8700::90 SA
30 - 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA 2a02:26f0:26:3:8700::90 SA
(<Traceroute: TCP:67 UDP:0 ICMP:0 Other:12>, <Unanswered: TCP:11 UDP:0 ICMP:0 Other:0>)
>>>
17. Traceroute
>>> traceroute6(["2001:41d0:8:68dd:1:2:3:4","www.ipv6.cisco.com","yoda.ipv6forlife.com"])
Begin emission:
....................................................................................*...........................*.....*.....*......*.*....*..*..*...*....*.*..*...*
..*....*....................*......*.*...................*.*..........*..*......*....*..Finished to send 90 packets.
....*...*..*..*....*.*.................*..*....*.......*...*.............*.*.*....*...*..*..*.*..........**...*......**..*...*..........*.......*.*..........*.*...
.....*.*....*...*.....
Received 436 packets, got 60 answers, remaining 30 packets
2001:0420:1101:0001:0000:0000:0000:000a :tcpwww 2001:41d0:0008:68dd:0001:0002:0003:0004 :tcpwww 2a01:0e35:2f26:d340:8249:71ff:fe15:69c3 :tcpwww
1 2001:41d0:1:f2ff:ff:ff:ff:fd 3 2001:41d0:1:f2ff:ff:ff:ff:fe 3 2001:41d0:1:f2ff:ff:ff:ff:fd 3
2 2001:41d0::aa1 3 2001:41d0::a91 3 2001:41d0::aa1 3
3 2001:41d0::782 3 2001:41d0::171 3 2001:41d0::b72 3
4 2001:7f8:1::a500:6939:1 3 2001:41d0:8:68dd:1:2:3:4 SA 2001:41d0::163 3
5 2001:470:0:3f::1 3 2001:41d0:8:68dd:1:2:3:4 SA 2001:41d0::542 3
6 2001:470:0:128::1 3 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e00:2:e::2 3
7 2001:470:0:1dd::2 3 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340::1 3
8 2001:1890:ff:ffff:12:122:81:110 3 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
9 2001:1890:ff:ffff:12:122:3:38 3 2001:41d0:8:68dd:1:2:3:4 SA -
10 2001:1890:ff:ffff:12:122:1:173 3 - -
11 - 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
12 - - 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
13 - 2001:41d0:8:68dd:1:2:3:4 SA -
14 2001:420:1100:6::1 3 - -
15 2001:420:1100:2::1 3 - -
16 - 2001:41d0:8:68dd:1:2:3:4 SA -
17 2001:420:1101:1::a SA - -
18 - 2001:41d0:8:68dd:1:2:3:4 SA -
19 2001:420:1101:1::a SA - 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
20 2001:420:1101:1::a SA 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
21 2001:420:1101:1::a SA - 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
22 2001:420:1101:1::a SA 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
23 2001:420:1101:1::a SA 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
24 2001:420:1101:1::a SA 2001:41d0:8:68dd:1:2:3:4 SA -
25 2001:420:1101:1::a SA - -
26 2001:420:1101:1::a SA - 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
27 2001:420:1101:1::a SA - 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
28 - - 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
29 2001:420:1101:1::a SA 2001:41d0:8:68dd:1:2:3:4 SA -
30 - 2001:41d0:8:68dd:1:2:3:4 SA -
(<Traceroute: TCP:38 UDP:0 ICMP:0 Other:22>, <Unanswered: TCP:30 UDP:0 ICMP:0 Other:0>)
>>>
18. Display the packet again
>>> ans,unans=_
>>> unans
<Unanswered: TCP:6 UDP:0 ICMP:0 Other:0>
>>> unans.show()
0000 IPv6 / TCP 2001:41d0:1:f24a:1:2:3:4:irc > 2001:41d0:0008:68dd:0001:0002:0003:0004:www S
0001 IPv6 / TCP 2001:41d0:1:f24a:1:2:3:4:7363 > 2a01:0e35:2f26:d340:8249:71ff:fe15:69c3:www S
0002 IPv6 / TCP 2001:41d0:1:f24a:1:2:3:4:35159 > 2a01:0e35:2f26:d340:8249:71ff:fe15:69c3:www S
0003 IPv6 / TCP 2001:41d0:1:f24a:1:2:3:4:3113 > 2001:0420:1101:0001:0000:0000:0000:000a:www S
0004 IPv6 / TCP 2001:41d0:1:f24a:1:2:3:4:15173 > 2001:0420:1101:0001:0000:0000:0000:000a:www S
0005 IPv6 / TCP 2001:41d0:1:f24a:1:2:3:4:27103 > 2001:0420:1101:0001:0000:0000:0000:000a:www S
>>> ans.show()
2001:0420:1101:0001:0000:0000:0000:000a :tcpwww 2001:41d0:0008:68dd:0001:0002:0003:0004 :tcpwww 2a01:0e35:2f26:d340:8249:71ff:fe15:69c3 :tcpwww
1 2001:41d0:1:f2ff:ff:ff:ff:fd 3 2001:41d0:1:f2ff:ff:ff:ff:fe 3 2001:41d0:1:f2ff:ff:ff:ff:fd 3
2 2001:41d0::aa1 3 2001:41d0::a91 3 2001:41d0::aa1 3
3 2001:41d0::782 3 2001:41d0::167 3 2001:41d0::b72 3
4 2001:7f8:1::a500:6939:1 3 2001:41d0:8:68dd:1:2:3:4 SA 2001:41d0::163 3
5 2001:470:0:3f::1 3 2001:41d0:8:68dd:1:2:3:4 SA 2001:41d0::542 3
6 2001:470:0:128::1 3 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e00:2:e::2 3
7 2001:470:0:1dd::2 3 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340::1 3
8 2001:1890:ff:ffff:12:122:81:110 3 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
9 2001:1890:ff:ffff:12:122:3:38 3 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
10 2001:1890:ff:ffff:12:122:1:173 3 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
11 2001:1890:ff:ffff:12:122:28:174 3 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
12 2001:1890:ff:ffff:12:122:119:9 3 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
13 2001:1890:c00:8701::11b7:3f7f 3 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
14 2001:420:1100:6::1 3 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
15 2001:420:1100:2::1 3 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
16 2001:420:1100:100::1 3 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
17 2001:420:1101:1::a SA 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
18 2001:420:1101:1::a SA 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
19 2001:420:1101:1::a SA 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
20 2001:420:1101:1::a SA 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
21 2001:420:1101:1::a SA 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
22 2001:420:1101:1::a SA 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
23 2001:420:1101:1::a SA 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
24 2001:420:1101:1::a SA 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
25 2001:420:1101:1::a SA 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
26 2001:420:1101:1::a SA 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
27 - 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
28 2001:420:1101:1::a SA 2001:41d0:8:68dd:1:2:3:4 SA 2a01:e35:2f26:d340:8249:71ff:fe15:69c3 SA
29 - 2001:41d0:8:68dd:1:2:3:4 SA -
>>>
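The three traceroute6() tables above (slides 16 to 18) share one printed layout. The Python below is an added example, not part of the slides or of Scapy: it parses that layout and reports, per destination, the TTL at which the destination's own SYN/ACK first came back, the routers before that point, and how many of them stayed silent (a "-" column, typically a router that rate-limits or drops ICMPv6 Time Exceeded). The sample table is constructed from a few rows of the slide 17 run plus invented rows for the silent and unreached cases.

```python
# Constructed sample in the table layout traceroute6() prints: the first line lists the
# destinations, each followed by ":tcp<port>"; every other line starts with the TTL and
# then holds, per destination, either "<hop> <indicator>" or a lone "-" when nothing
# answered. Indicator "3" is ICMPv6 Time Exceeded (type 3) from an intermediate router,
# "SA" the SYN/ACK from the destination itself.
SAMPLE_TABLE = """\
2001:0420:1101:0001:0000:0000:0000:000a :tcpwww 2001:41d0:0008:68dd:0001:0002:0003:0004 :tcpwww
1 2001:41d0:1:f2ff:ff:ff:ff:fd 3 2001:41d0:1:f2ff:ff:ff:ff:fe 3
2 2001:41d0::aa1 3 2001:41d0::a91 3
3 2001:41d0::782 3 2001:41d0::171 3
4 2001:7f8:1::a500:6939:1 3 2001:41d0:8:68dd:1:2:3:4 SA
5 2001:470:0:3f::1 3 2001:41d0:8:68dd:1:2:3:4 SA
6 - 2001:41d0:8:68dd:1:2:3:4 SA
7 2001:420:1101:1::a SA -
"""


def parse_traceroute_table(text):
    """Return {destination: {ttl: (hop, indicator) or None}} from the printed table."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    targets = header[0::2]            # addresses at even positions, ":tcpwww" at odd ones
    table = {t: {} for t in targets}
    for line in lines[1:]:
        tok = line.split()
        ttl, i = int(tok[0]), 1
        for t in targets:
            if tok[i] == "-":         # no reply for this TTL: a single token
                table[t][ttl] = None
                i += 1
            else:                     # "<hop address> <indicator>": two tokens
                table[t][ttl] = (tok[i], tok[i + 1])
                i += 2
    return table


def summarize(table):
    """Per destination: the TTL at which its SYN/ACK first came back (None if never),
    the hop addresses before that point (None where a router stayed silent) and how
    many of those were silent."""
    out = {}
    for t, hops in table.items():
        ttls = sorted(hops)
        reached = next((ttl for ttl in ttls
                        if hops[ttl] is not None and hops[ttl][1] == "SA"), None)
        cut = reached if reached is not None else max(ttls) + 1
        path = [hops[ttl][0] if hops[ttl] else None for ttl in ttls if ttl < cut]
        out[t] = {"reached_at": reached, "path": path,
                  "silent_hops": sum(1 for h in path if h is None)}
    return out


if __name__ == "__main__":
    for dest, info in summarize(parse_traceroute_table(SAMPLE_TABLE)).items():
        print(dest, info)
```

Rows past the first SYN/ACK repeat the destination because TCP keeps answering once the probe's TTL is large enough to reach it, which is why the slide's tables run to TTL 30 with the same address.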
19. Ping with TCP flag "A"
>>> ans,unans=sr(IPv6(dst="yoda.ipv6forlife.com")/TCP(dport=[80,666],flags="A"))
Begin emission:
..............Finished to send 2 packets.
..............**
Received 30 packets, got 2 answers, remaining 0 packets
>>> ans.show()
0000 IPv6 / TCP 2001:41d0:1:f24a:1:2:3:4:ftp_data > 2a01:0e35:2f26:d340:8249:71ff:fe15:69c3:www A ==>
IPv6 / TCP 2a01:e35:2f26:d340:8249:71ff:fe15:69c3:www > 2001:41d0:1:f24a:1:2:3:4:ftp_data R
0001 IPv6 / TCP 2001:41d0:1:f24a:1:2:3:4:ftp_data > 2a01:0e35:2f26:d340:8249:71ff:fe15:69c3:666 A ==>
IPv6 / TCP 2a01:e35:2f26:d340:8249:71ff:fe15:69c3:666 > 2001:41d0:1:f24a:1:2:3:4:ftp_data R
>>>
>>> ans,unans=sr(IPv6(dst="yoda.ipv6forlife.com")/TCP(dport=[80,25],flags="A"))
Begin emission:
......Finished to send 2 packets.
.......................*.......*
Received 38 packets, got 2 answers, remaining 0 packets
>>> ans.show()
0000 IPv6 / TCP 2001:41d0:1:f24a:1:2:3:4:ftp_data > 2a01:0e35:2f26:d340:8249:71ff:fe15:69c3:www A ==>
IPv6 / TCP 2a01:e35:2f26:d340:8249:71ff:fe15:69c3:www > 2001:41d0:1:f24a:1:2:3:4:ftp_data R
0001 IPv6 / TCP 2001:41d0:1:f24a:1:2:3:4:ftp_data > 2a01:0e35:2f26:d340:8249:71ff:fe15:69c3:smtp A ==>
IPv6 / TCP 2a01:e35:2f26:d340:8249:71ff:fe15:69c3:smtp > 2001:41d0:1:f24a:1:2:3:4:ftp_data R
>>> unans.show()
>>>
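The sr() sessions on slides 11 and 12 (SYN probes) and the ACK probes above print their answers in the same "query ==> answer" form. The following Python is an added example, not part of the slides or of Scapy: it parses that printed form and maps each probed port to a state using nmap's names (SYN/ACK to a SYN = open, RST to a SYN = closed, RST to a bare ACK = unfiltered, no answer = filtered). The sample text is constructed: the ACK lines copy the slide above, the SYN lines are invented in the same layout.

```python
# Constructed samples in the layout ans.show() prints for sr() results.
# The slide wraps each line after "==>"; _join_wrapped() puts the halves back together.
SAMPLE_SYN = """\
0000 IPv6 / TCP 2001:41d0:1:f24a:1:2:3:4:ftp_data > 2001:41d0:8:68dd:1:2:3:4:ftp S ==> IPv6 / TCP 2001:41d0:8:68dd:1:2:3:4:ftp > 2001:41d0:1:f24a:1:2:3:4:ftp_data SA
0001 IPv6 / TCP 2001:41d0:1:f24a:1:2:3:4:ftp_data > 2001:41d0:8:68dd:1:2:3:4:ssh S ==> IPv6 / TCP 2001:41d0:8:68dd:1:2:3:4:ssh > 2001:41d0:1:f24a:1:2:3:4:ftp_data RA
"""
SAMPLE_ACK = """\
0000 IPv6 / TCP 2001:41d0:1:f24a:1:2:3:4:ftp_data > 2a01:0e35:2f26:d340:8249:71ff:fe15:69c3:www A ==>
IPv6 / TCP 2a01:e35:2f26:d340:8249:71ff:fe15:69c3:www > 2001:41d0:1:f24a:1:2:3:4:ftp_data R
0001 IPv6 / TCP 2001:41d0:1:f24a:1:2:3:4:ftp_data > 2a01:0e35:2f26:d340:8249:71ff:fe15:69c3:666 A ==>
IPv6 / TCP 2a01:e35:2f26:d340:8249:71ff:fe15:69c3:666 > 2001:41d0:1:f24a:1:2:3:4:ftp_data R
"""


def _join_wrapped(text):
    """Re-join lines that were wrapped after '==>' into single query/answer lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        piece = raw.strip()
        buf = buf + " " + piece if buf else piece
        if not buf.endswith("==>"):
            lines.append(buf)
            buf = ""
    return lines


def parse_show(text):
    """Return (dport, sent_flags, reply_flags) for each 'query ==> answer' pair."""
    pairs = []
    for line in _join_wrapped(text):
        if " ==> " not in line:
            continue
        query, answer = line.split(" ==> ", 1)
        q = query.split()
        # IPv6 addresses contain ':', so read fields from the right: "... src > dst FLAGS"
        sent_flags, dst = q[-1], q[-2]
        dport = dst.rsplit(":", 1)[1]
        reply_flags = answer.split()[-1]
        pairs.append((dport, sent_flags, reply_flags))
    return pairs


def interpret(sent_flags, reply_flags=None):
    """Port state from the probe flags and the reply flags, in nmap's vocabulary."""
    if reply_flags is None:
        return "filtered"            # no answer: dropped on the way, or rate-limited
    if sent_flags == "S":
        if "S" in reply_flags and "A" in reply_flags:
            return "open"            # SYN/ACK: something is listening
        if "R" in reply_flags:
            return "closed"          # RST: host reachable, nothing listening
    if sent_flags == "A":
        if "R" in reply_flags:
            return "unfiltered"      # RST to a bare ACK: no stateful filter in the path
    return "unknown"


def port_states(text, probed_ports=None):
    """Map every probed port to its state; ports absent from the answers are 'filtered'."""
    states = {d: interpret(s, r) for d, s, r in parse_show(text)}
    for p in probed_ports or []:
        states.setdefault(p, "filtered")
    return states


if __name__ == "__main__":
    print(port_states(SAMPLE_SYN))
    print(port_states(SAMPLE_ACK, ["www", "666", "smtp"]))
```

The second call illustrates the slide's point: an ACK probe draws a RST from port 80 and from port 666 alike, so the host is reachable and no stateful firewall sits in front of it; a port that stays silent is the one a stateful filter is protecting.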
23. What is Nessus?
- Nessus is a powerful security scanner
- It scans a host or a subnet and looks for all the system weaknesses which could be used to attack your system
- It is a great tool to perform a security audit before and after a change in the network
27. CISCO Firewall
- PIX Firewall since the early 90s
- PIX was the #1 IP firewall for many years
- The #2 was Checkpoint on Windows with its own IP stack
- The PIX, and now the ASA, have their own OS, which is much stronger than other firewalls running on Windows
- Today FORTINET offers a very powerful appliance to compete with the ASA
32. What is Snort?
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture.
Snort also has a modular real-time alerting capability, incorporating alerting and logging plugins for syslog, ASCII text files, UNIX sockets, databases (MySQL/PostgreSQL/Oracle/ODBC) or XML.
Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc.), or as a full blown network intrusion detection system.
Snort logs packets in tcpdump(1) binary format, to a database or in Snort's decoded ASCII format to a hierarchy of logging directories that are named based on the IP address of the "foreign" host.
Log info in syslog: http://manual.snort.org/node2.html
35. SNORT example from syslog
(statistics printed by Snort when it stopped at host shutdown)
Aug 28 06:46:02 ns3000172 snort[21339]: Breakdown by protocol (includes rebuilt packets):
Aug 28 06:46:02 ns3000172 snort[21339]: ETH: 672145 (100.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: ETHdisc: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: VLAN: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: IPV6: 107583 (16.006%)
Aug 28 06:46:02 ns3000172 snort[21339]: IP6 EXT: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: IP6opts: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: IP6disc: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: IP4: 505375 (75.188%)
Aug 28 06:46:02 ns3000172 snort[21339]: IP4disc: 9988 (1.486%)
Aug 28 06:46:02 ns3000172 snort[21339]: TCP 6: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: UDP 6: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: ICMP6: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: ICMP-IP: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: TCP: 124453 (18.516%)
Aug 28 06:46:02 ns3000172 snort[21339]: UDP: 269581 (40.108%)
Aug 28 06:46:02 ns3000172 snort[21339]: ICMP: 91894 (13.672%)
Aug 28 06:46:02 ns3000172 snort[21339]: TCPdisc: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: UDPdisc: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: ICMPdis: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: FRAG: 84 (0.012%)
Aug 28 06:46:02 ns3000172 snort[21339]: FRAG 6: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: ARP: 59187 (8.806%)
Aug 28 06:46:02 ns3000172 snort[21339]: EAPOL: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: ETHLOOP: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: IPX: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: OTHER: 9375 (1.395%)
Aug 28 06:46:02 ns3000172 snort[21339]: DISCARD: 12087 (1.798%)
Aug 28 06:46:02 ns3000172 snort[21339]: InvChkSum: 70086 (10.427%)
Aug 28 06:46:02 ns3000172 snort[21339]: S5 G 1: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: S5 G 2: 1 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: Total: 672145
Aug 28 06:46:02 ns3000172 snort[21339]:
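Two things in the statistics above deserve a second look from the person running the sensor: 107583 IPv6 frames were counted while the TCP 6, UDP 6 and ICMP6 counters are all zero, and 10.4% of the packets had an invalid checksum. The Python below is an added example, not part of the slides or of Snort: it parses the "Breakdown by protocol" lines out of syslog and turns those two observations into findings. The sample input is an excerpt of the lines above.

```python
import re

# Excerpt of the syslog lines shown on the slide, used as the sample input.
SAMPLE_SNORT_SYSLOG = """\
Aug 28 06:46:02 ns3000172 snort[21339]: Breakdown by protocol (includes rebuilt packets):
Aug 28 06:46:02 ns3000172 snort[21339]: ETH: 672145 (100.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: IPV6: 107583 (16.006%)
Aug 28 06:46:02 ns3000172 snort[21339]: IP4: 505375 (75.188%)
Aug 28 06:46:02 ns3000172 snort[21339]: IP4disc: 9988 (1.486%)
Aug 28 06:46:02 ns3000172 snort[21339]: TCP 6: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: UDP 6: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: ICMP6: 0 (0.000%)
Aug 28 06:46:02 ns3000172 snort[21339]: TCP: 124453 (18.516%)
Aug 28 06:46:02 ns3000172 snort[21339]: UDP: 269581 (40.108%)
Aug 28 06:46:02 ns3000172 snort[21339]: ICMP: 91894 (13.672%)
Aug 28 06:46:02 ns3000172 snort[21339]: DISCARD: 12087 (1.798%)
Aug 28 06:46:02 ns3000172 snort[21339]: InvChkSum: 70086 (10.427%)
Aug 28 06:46:02 ns3000172 snort[21339]: Total: 672145
Aug 28 06:46:02 ns3000172 snort[21339]:
"""

# "<counter name>: <count> (<percent>%)"; the percentage is absent on the Total line.
COUNTER_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]:\s+(?P<name>[A-Za-z0-9 -]+?):\s+(?P<count>\d+)"
    r"(?:\s+\((?P<pct>[\d.]+)%\))?\s*$"
)


def parse_breakdown(text):
    """Return {counter_name: count} for the 'Breakdown by protocol' block."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.search(line)
        if m:
            counters[m["name"].strip()] = int(m["count"])
    return counters


def ipv6_visibility_gap(counters):
    """True when IPv6 frames were counted but nothing above IPv6 (TCP 6, UDP 6, ICMP6)
    was decoded. Either that traffic carries no transport layer or the sensor is not
    decoding it; in the second case IPv6 is a blind spot for the rules."""
    v6 = counters.get("IPV6", 0)
    above = sum(counters.get(k, 0) for k in ("TCP 6", "UDP 6", "ICMP6"))
    return v6 > 0 and above == 0


def invalid_checksum_ratio(counters):
    """Share of captured packets whose checksum did not verify."""
    total = counters.get("Total") or counters.get("ETH") or 0
    return counters.get("InvChkSum", 0) / total if total else 0.0


def findings(text, checksum_threshold=0.05):
    """Human-readable findings for the sensor operator."""
    c = parse_breakdown(text)
    out = []
    if ipv6_visibility_gap(c):
        out.append("IPv6: %d frames seen, 0 TCP/UDP/ICMP over IPv6 decoded" % c["IPV6"])
    ratio = invalid_checksum_ratio(c)
    if ratio > checksum_threshold:
        out.append("%.1f%% invalid checksums: check checksum offload on the capture NIC"
                   % (100 * ratio))
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_SNORT_SYSLOG):
        print(f)
```

A high invalid-checksum share on a sensor that captures its own host's traffic is most often the NIC computing checksums after the capture point (checksum offload), not corrupted traffic; the threshold is an assumption to tune per site.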
38. SNMP Version 3
- MD5 or SHA hash for authentication, so that the password is not sent in clear text
- DES is used to encrypt/decrypt SNMP messages
39. In SNMPv3
No more manager and objects, but entities.
[Diagram: an SNMP entity is an SNMP engine, identified by its snmpEngineID, made of the Dispatcher, the Message Processing Subsystem, the Security Subsystem and the Access Control Subsystem, together with the Application(s): Command Generator, Command Responder, Notification Receiver, Notification Originator, Proxy Forwarder and Other.]
40. SNMPv3 minimum parameters
- Username
- Security level
  "Some applications require you to explicitly set the security level and others determine it based on the combination of authentication and privacy protocol in use.
  The specified values are noAuthNoPriv, which is no authentication and no privacy, authNoPriv, which is authentication and no privacy, and authPriv, which is authentication and privacy. Note that you cannot have privacy without authentication, but you can have authentication without privacy."
41. SNMPv3 on IPv6
Edit /etc/snmp/snmpd.conf
rocommunity IPv6ForLife63
rocommunity6 IPv6ForLife63
syslocation "OVH Datacenter"
syscontact fred@ipv6forlife.com
#Users Creation
createUser monitor SHA monitorpw
createUser engineer MD5 engineerpw
createUser supervisor MD5 supervisorpw DES supervisorx
#Access features
rouser monitor noauth .1.3.6.1.2.1
rouser engineer auth .1.3.6.1.2.1
rwuser supervisor auth .1.3.6.1.2.1.1
rouser supervisor priv .1.3.6.1.2.1
Restart the server
root@ns3000172:/etc/snmp# snmpd udp:161,udp6:161
Try the client locally
root@ns3000172:/etc/snmp# snmpget -v 3 -u engineer -l authNoPriv -a MD5 -A engineerpw localhost .1.3.6.1.2.1.1.6.0
SNMPv2-MIB::sysLocation.0 = STRING: "OVH Datacenter"
Try with an IPv4 client
root@ubuntu:/home/fred# snmpget -v 3 -u engineer -l authNoPriv -a MD5 -A engineerpw ns3000172.ovh.net .1.3.6.1.2.1.1.6.0
iso.3.6.1.2.1.1.6.0 = STRING: ""OVH Datacenter""
Try with an IPv6 client
root@ubuntu:/home/fred# snmpget -v 3 -u engineer -l authNoPriv -a MD5 -A engineerpw udp6:[2001:41d0:8:68dd:1:2:3:4] .1.3.6.1.2.1.1.6.0
iso.3.6.1.2.1.1.6.0 = STRING: ""OVH Datacenter""
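The snmpd.conf above mixes three things a reviewer would flag: SNMPv1/v2c communities (rocommunity, rocommunity6) whose string travels in clear text, MD5 and DES keys, and users granted at the noauth or auth level, where the values are readable on the wire. The Python below is an added example, not part of the slides or of Net-SNMP: it audits a snmpd.conf fragment for those settings and keeps a hardened variant alongside (constructed: no communities, SHA and AES keys, authPriv everywhere) that passes the same audit. It assumes Net-SNMP's createUser accepts SHA and AES, which it does, and that a rouser/rwuser line without a level means auth, Net-SNMP's default.

```python
# The snmpd.conf from the slide, reproduced as the sample input.
SLIDE_CONF = """\
rocommunity IPv6ForLife63
rocommunity6 IPv6ForLife63
syslocation "OVH Datacenter"
syscontact fred@ipv6forlife.com
#Users Creation
createUser monitor SHA monitorpw
createUser engineer MD5 engineerpw
createUser supervisor MD5 supervisorpw DES supervisorx
#Access features
rouser monitor noauth .1.3.6.1.2.1
rouser engineer auth .1.3.6.1.2.1
rwuser supervisor auth .1.3.6.1.2.1.1
rouser supervisor priv .1.3.6.1.2.1
"""

# Constructed hardened variant: no v1/v2c communities, SHA + AES keys, authPriv only.
HARDENED_CONF = """\
syslocation "OVH Datacenter"
syscontact fred@ipv6forlife.com
createUser monitor SHA monitorpw AES monitorx
createUser engineer SHA engineerpw AES engineerx
createUser supervisor SHA supervisorpw AES supervisorx
rouser monitor priv .1.3.6.1.2.1
rouser engineer priv .1.3.6.1.2.1
rwuser supervisor priv .1.3.6.1.2.1.1
"""

COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6", "com2sec")


def audit_snmpd_conf(text):
    """Return (line_number, finding) pairs for settings that weaken SNMP security."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        d = tok[0].lower()
        if d in COMMUNITY_DIRECTIVES:
            findings.append((n, "%s enables SNMPv1/v2c: the community string travels in clear text" % tok[0]))
        elif d == "createuser" and len(tok) >= 4:
            user = tok[1]
            if tok[2].upper() == "MD5":
                findings.append((n, "user %s authenticates with MD5; prefer SHA" % user))
            if len(tok) >= 6 and tok[4].upper() == "DES":
                findings.append((n, "user %s encrypts with DES; prefer AES" % user))
            if len(tok) < 6:
                findings.append((n, "user %s has no privacy key, so authPriv is impossible" % user))
        elif d in ("rouser", "rwuser"):
            level = tok[2].lower() if len(tok) >= 3 else "auth"   # Net-SNMP default level
            if level == "noauth":
                findings.append((n, "%s %s noauth: unauthenticated access" % (tok[0], tok[1])))
            elif level == "auth":
                findings.append((n, "%s %s auth: authenticated but unencrypted, values readable on the wire"
                                 % (tok[0], tok[1])))
    return findings


if __name__ == "__main__":
    for n, f in audit_snmpd_conf(SLIDE_CONF):
        print("line %d: %s" % (n, f))
    print("hardened config findings:", audit_snmpd_conf(HARDENED_CONF))
```

With the hardened file the snmpget calls above would use -l authPriv -a SHA -x AES and a -X privacy passphrase; the udp6: transport and the listening addresses of snmpd stay exactly as on the slide.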