LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-15-2006, 06:27 AM   #1
fakie_flip
Senior Member
 
Registered: Feb 2005
Location: San Antonio, Texas
Distribution: Gentoo Hardened using OpenRC not Systemd
Posts: 1,495

Rep: Reputation: 85
ngrep questions


Does anyone know how to use ngrep to show only packets from a certain ip range? Does anyone know how to use ngrep to show only packets with certain patterns in them? I tried to use it like normal grep and with the -v option, but that didn't work.
 
Old 08-15-2006, 06:53 AM   #2
//////
Member
 
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Pop!_OS && Windows 10 && Arch Linux
Posts: 830

Rep: Reputation: 350Reputation: 350Reputation: 350Reputation: 350
multiple words as a pattern.
'pattern1|pattern2|pattern3'

Hex as a pattern.
ngrep -xX '0xc5d5e5f55666768696a6b6c6d6e6' port 80

http://ngrep.sourceforge.net/usage.html
 
Old 08-16-2006, 04:25 AM   #3
fakie_flip
Senior Member
 
Registered: Feb 2005
Location: San Antonio, Texas
Distribution: Gentoo Hardened using OpenRC not Systemd
Posts: 1,495

Original Poster
Rep: Reputation: 85
Why would I want to use hexadecimal?
 
Old 08-17-2006, 08:11 AM   #4
//////
Member
 
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Pop!_OS && Windows 10 && Arch Linux
Posts: 830

Rep: Reputation: 350Reputation: 350Reputation: 350Reputation: 350
Quote:
Originally Posted by fakie_flip
Why would I want to use hexadecimal?
You can catch virus/trojan/exploit packets with hex strings.
I believe you could catch this ssh exploit ..

Code:
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:6;)
.. with string like this:
Code:
ngrep -xX '0x90909090909090909090909090909090' port 22
I'm not a expert with this stuff, maybe there is someone that knows more and could confirm this ?
 
Old 08-19-2006, 08:31 AM   #5
fakie_flip
Senior Member
 
Registered: Feb 2005
Location: San Antonio, Texas
Distribution: Gentoo Hardened using OpenRC not Systemd
Posts: 1,495

Original Poster
Rep: Reputation: 85
I've been trying to catch my password with ngrep. I run this.

Code:
ngrep -d eth1 mypassword
Then I login to websites, instant messenger, and I haven't been able to catch my password yet. I do not know why. I don't think all of the instant message protocols use ssl with gaim.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
basic questions on hostname and domain name + related postfix questions Moebius Linux - Newbie 7 09-04-2007 12:50 PM
Few Questions yar110 Linux - Enterprise 8 05-25-2006 05:53 PM
ngrep usage sailu_mvn Linux - Networking 0 01-17-2006 12:18 AM
Solaris - Questions! Questions! Questions! qs_tahmeed Solaris / OpenSolaris 2 07-16-2005 06:27 AM
window manager questions and/or theme questions t3gah Linux - Software 2 02-27-2005 05:16 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:21 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration