DNS LINUX BIND

/etc/bind/db.* CONFIGURATION

[name] [TTL] [class] type data

; introduces a comment
@ is shorthand for the current domain name; the full name (e.g. www.google.com.) may be written instead
() lets record data span several lines

NAME
. A name ending in a dot is a fully qualified domain name. Compare google.com with google.com.: the former is a relative name, so it can be combined with a single label into a form such as www.google.com, while the latter can only ever be google.com.
$TTL defines the cache lifetime. Once a record from the DNS server has been downloaded and cached on a host, it can only be replaced when the record is downloaded again after the TTL it carries runs out; the DNS server cannot force a host to change a cached record. An overly long TTL is therefore a security problem: if a bad DNS record is cached on a host and the host does not notice, being unable to replace it promptly is very troublesome.
CLASS
IN: internet
TYPE
SOA: Start of Authority, defines a DNS zone; the equivalent of the zone name in Windows DNS.
NS: Name Server, the name servers of the zone; also delegates subdomains.
A: IPv4 Address, name-to-address mapping, the forward pointer.
PTR: Pointer, address-to-name mapping, the reverse pointer.
MX: Mail Exchanger, controls mail routing.
CNAME: Canonical Name, a host nickname or alias.
SRV: Service, the location of a well-known service.
TXT: Text, comments or other untyped information.

The named.conf file records which zone files DNS should load, with entries such as:

zone "ooo.com" {
    type master;
    file "/etc/bind/db.ooo";
};

zone "192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
};

The name after zone is the zone's domain name, which the zone file itself can refer to as @. A working DNS configuration needs a forward and a reverse zone file cooperating: one converts names to IPs, the other converts IPs to names.

; name   class  type  primary name server   admin mailbox (root@localhost)
@        IN     SOA   NSserver.             root.localhost. (
         1        ; Serial - a revision number, same role as in VTP
         604800   ; Refresh - check interval in seconds; m, h, d, w suffixes may be used instead
         86400    ; Retry - retry interval
         2419200  ; Expire - expiry time
         86400 )  ; Negative Cache TTL

         IN     NS    ns.google.com.
ns       IN     A     10.1.1.1
Because the name server ns.google.com does not exist in the authoritative DNS records (we simply made it up), an A record has to be added here, otherwise DNS cannot find it. The IN NS line has no @ in front because it inherits the owner name from the line above, so it can be left out.

How to write the *.in-addr.arpa reverse mapping file:

Rewrite the IP address in the order a domain name follows. For example, if www.google.com has the IP 192.168.11.128: by domain-name rules COM is the top-most label, so 192 is the corresponding top-most part; the reverse mapping file can therefore be declared in named.conf as zone 192.in-addr.arpa, and its contents are:
128.11.168 IN PTR name.ooo.com.
128.11.168 IN PTR www.ooo.com.
That is, the IP is written from right to left. Because 192 is already contained in the zone name, it is not repeated; only the relative name 128.11.168 is written, so one db.192 file can hold the reverse mappings for many IPs.

CNAME: aliases may be chained up to 8 levels deep.

nickname [TTL] IN CNAME hostname

For example:
ns   IN A     10.1.1.1
mail IN CNAME ns

Note that if a host has a CNAME, other records such as MX or A that refer to that host must use its real (canonical) name, never the CNAME.
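As an added example (not part of the original notes or of BIND), a small Python checker for the points above: it expands @ and relative names, reads a zone file whose SOA spans several lines in parentheses and whose NS line inherits its owner from the line above, flags an in-zone NS that has no A record and an NS/MX that points at a CNAME, and derives the relative PTR owner name for a reverse zone such as 192.in-addr.arpa. The zone text is constructed; the origin ooo.com. follows the named.conf example above.

```python
import ipaddress
def fqdn(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to it (google.com vs google.com.)."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
def parse_zone(text, origin):
    """db.* text -> (owner, type, rdata) triples; handles @, relative names, inherited owner, ; $ and ( )."""
    records, owner, depth = [], origin, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if depth:                                   # still inside the SOA's ( ... ) timer block
            depth += line.count("(") - line.count(")")
            continue
        if not line.strip() or line.startswith("$"):
            continue
        parts = line.split()
        if not raw[0].isspace():                    # new owner; leading whitespace reuses the previous one
            owner = fqdn(parts.pop(0), origin)
        if parts[0].isdigit():                      # optional TTL
            parts.pop(0)
        if parts[0].upper() == "IN":                # optional class
            parts.pop(0)
        depth += line.count("(") - line.count(")")
        records.append((owner, parts[0].upper(), " ".join(parts[1:])))
    return records
def check_zone(records, origin):
    """Flag an in-zone NS without an A record (no glue) and an NS/MX whose target is a CNAME."""
    have_a = {o for o, t, _ in records if t == "A"}
    cnames = {o for o, t, _ in records if t == "CNAME"}
    problems = []
    for owner, rtype, rdata in records:
        if rtype in ("NS", "MX"):
            target = fqdn(rdata.split()[-1], origin)
            if target in cnames:
                problems.append(f"{rtype} {owner} -> {target}: target is a CNAME, use the canonical name")
            elif rtype == "NS" and target not in have_a and (target == origin or target.endswith("." + origin)):
                problems.append(f"NS {owner} -> {target}: in-zone name server has no A record")
    return problems
def ptr_owner(ip, reverse_zone="192.in-addr.arpa."):
    """Octets reversed under in-addr.arpa, minus what the zone name supplies: 192.168.11.128 -> 128.11.168."""
    full = ipaddress.ip_address(ip).reverse_pointer + "."
    return full[:-len(reverse_zone) - 1] if full.endswith("." + reverse_zone) else full
ZONE = """$TTL 604800                    ; constructed sample db.ooo, not a real zone
@       IN  SOA  ns.ooo.com. root.ooo.com. (
            1 604800 86400 2419200 86400 )
        IN  NS   ns.ooo.com.
        IN  MX   10 mail
mail    IN  CNAME ns
"""
```

Running check_zone(parse_zone(ZONE, "ooo.com."), "ooo.com.") reports both mistakes; appending an `ns IN A 10.1.1.1` line clears the NS one.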

By Ctrl | Alt | Del Posted in Linux

Snort

Configuration:

snort -dev

-v Be verbose. Prints packets out to the console. There is one big problem with verbose mode: it's slow. If you are doing IDS work with Snort, don't use the '-v' switch, you WILL drop packets.
-d Dump the application layer data (packet payload) when displaying packets in verbose or packet logging mode.
-e Display/log the link layer packet headers.
-X Dump the raw packet data starting at the link layer (the entire packet). This switch overrides the '-d' switch. The whole packet is dumped, padding bytes included.
-K logging-mode Select a packet logging mode. The default is pcap.
<logging-mode> Valid logging modes include pcap, ascii, and none. pcap logs packets through the pcap library into pcap (tcpdump) format. ascii logs packets in the old "directories and files" format with packet printouts in each file. none turns off packet logging.
-l log-dir Set the output logging directory to log-dir. All plain text alerts and packet logs go into this directory. If this option is not specified, the default logging directory is /var/log/snort.
-A alert-mode Alert using the specified alert-mode. Valid alert modes include fast, full, none, and unsock. fast writes alerts to the default "alert" file as a single-line, syslog-style alert message. full writes the alert to the "alert" file with the full decoded header as well as the alert message. none turns off alerting. unsock is an experimental mode that sends the alert information over a UNIX socket to another process that attaches to that socket.

The default conf for snort is /etc/snort/snort.conf.
You can test a newly created conf with "snort -T -c new.conf", where -T means self-test mode.

Snort rules:

action protocol SIP SPT -> DIP DPT (options)

Action: alert (alert and log the packet), log (only log, no alert), pass (drop packet)

SIP / DIP: e.g. 192.168.1.1/24

Direction: only two forms, -> or <>

Options: the specific things we are looking for, e.g. (flags:SF; msg:"SYN-FIN scan"; sid:100001). sid is the Snort rule id.

msg and sid are used for the notification when an alarm is triggered, while content is used when you want to search for specific payload content in a packet, e.g. (content:"what's in your ass(|0x units|)"; msg:"ass found"; sid:100001)

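As an added example (not from the original notes or from Snort itself), a Python parser for the rule format above that also checks a packet summary against the header fields, the flags option and the content option; the rule text is the SYN-FIN example with the proper flags keyword, and the packet summary dicts in the test are constructed.

```python
import ipaddress
import re

# Header: action protocol SIP SPT -> (or <>) DIP DPT, then the ( options ) body
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Each option is key[:value] terminated by ';'; a quoted value may itself contain ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("[^"]*"|[^;]+))?\s*;')

def parse_rule(text):
    """Split a rule into its header fields plus an ordered (key, value) option list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    rule = m.groupdict()
    opts = rule.pop("opts").strip()
    if not opts.endswith(";"):                       # tolerate a missing final ';'
        opts += ";"
    rule["options"] = [(k, v.strip().strip('"')) for k, v in OPTION_RE.findall(opts)]
    return rule

def _addr_ok(spec, ip):                              # 'any' or a CIDR such as 192.168.1.1/24
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def _one_way(rule, pkt):
    return (_addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
            and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"]))

def rule_matches(rule, pkt):
    """Packet summary (proto, src, sport, dst, dport, flags, payload) vs header + flags/content options."""
    if rule["proto"] != pkt["proto"]:
        return False
    hit = _one_way(rule, pkt)
    if not hit and rule["dir"] == "<>":              # <> also matches the reply direction
        hit = _one_way(rule, dict(pkt, src=pkt["dst"], dst=pkt["src"], sport=pkt["dport"], dport=pkt["sport"]))
    if not hit:
        return False
    for key, value in rule["options"]:
        if key == "flags" and set(value) != set(pkt.get("flags", "")):
            return False
        if key == "content" and value.encode() not in pkt.get("payload", b""):
            return False
    return True
# Constructed rule: the SYN-FIN example from the notes, using the 'flags' keyword
SYN_FIN_RULE = parse_rule('alert tcp 192.168.1.1/24 any -> any 80 (flags:SF; msg:"SYN-FIN scan"; sid:100001)')
```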
1. msg – print a message in alerts and packet logs
2. logto – log the packet to a user-specified file instead of the standard output
3. ttl – test the TTL value in the IP header
4. tos – test the TOS field in the IP header
5. id – test the fragment ID value in the IP header
6. ipoption – test the option field in the IP header
7. fragbits – test the fragmentation bits in the IP header
8. dsize – test the size of the packet payload
9. content – search the packet payload for the specified pattern
10. offset – modifier for content, sets the position where the search starts
11. depth – modifier for content, sets the maximum search depth
12. nocase – make the content string match case-insensitively
13. content-list – search the packet for any of several possible matches
14. flags – test the TCP flags
15. seq – test the TCP sequence number
16. ack – test the TCP acknowledgement number
17. itype – test the ICMP type
18. icode – test the ICMP code
19. session – record the application-layer content of the specified session
20. icmp_id – test the ICMP ECHO ID
21. icmp_seq – test the ICMP ECHO sequence number
22. ipoption – watch for specific IP option codes
23. rpc – watch for RPC services of a specific application/procedure call
24. resp – active response (cut the connection, etc.)
25. reference – external reference id
26. sid – Snort rule id
27. rev – rule revision number
28. classtype – rule classification
29. priority – rule priority
30. uricontent – search the URI portion of the packet for the specified match
31. tag – advanced logging action
32. ip_proto – protocol value in the IP header
33. sameip – source and destination address are the same
34. stateless – stateless connection
35. regex – wildcard pattern matching


TCPDUMP

IP Header

The IP header length is 5*4 = 20 bytes, and each line of the hex dump holds 16 one-byte units numbered from unit 0, so the IP payload starts at 0035, right after the 20-byte header.

TCP Header

The TCP header starts right after the IP header in an IP packet, so if the first byte is 45, meaning IPv4 with a 5*4 = 20 byte header, the TCP header is counted from byte 20 of the IP packet.

TCPDUMP

tcpdump -s 0: -s 0 captures the entire Ethernet header and IP packet.

tcpdump -xX: -x shows the IP packet data, including the link layer, in hex;
-X shows the IP data in hex and ASCII;
so if you want the data in hex and ASCII, -X alone is enough.

-n: Don’t convert addresses (i.e., host addresses, port numbers, etc.) to names.

-r: Read packets from file (which was created with the -w option).  Standard input is used if file is “-”.

tcpdump filter syntax expression:

<protocol header>[offset:length]<relation><value>
If no length is given, it means 1 byte: [9:1] = [9].
<value> is decimal, so normally the original hex has to be converted to decimal first; to use hex, write it as 0x0f.
ip[9]=6        embedded protocol is TCP
tcp[2:2]=80    destination port is 80
udp[6:2]!=0    UDP checksum is not zero
icmp[0]=8      echo request packet

To test whether a particular bit of the byte at some offset is set, use ip[8]&128=128, which means 128 (decimal) = 10000000, and 10000000 & ? = 10000000.
The & symbol means AND, which works as:
0 and 0 = 0
0 and 1 = 0
1 and 0 = 0
1 and 1 = 1
just like multiplication.
So by ANDing a byte with 1111 we can pick out whichever bits we want, e.g. ip[0]&0xf=0x5, or ip[0]&0xf!=5.
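As an added Python example (not part of the original notes), an evaluator for the <header>[offset:length]<relation><value> syntax above, including the &mask form, run against raw IPv4 packet bytes so that each filter and the header-length arithmetic can be checked offline. The IPv4/TCP packet is constructed.

```python
import re

# <header>[offset:length], optional &mask, then a relation and a decimal or 0x value
EXPR_RE = re.compile(
    r"^(ip|tcp|udp|icmp)\[(\d+)(?::(\d+))?\]"
    r"(?:&(0x[0-9a-fA-F]+|\d+))?"
    r"(==|!=|>=|<=|=|>|<)(0x[0-9a-fA-F]+|\d+)$"
)

def ipv4_header_len(pkt):
    """IHL is the low nibble of byte 0, in 32-bit words: 0x45 -> 5 * 4 = 20 bytes."""
    return (pkt[0] & 0x0F) * 4

def header_start(pkt, proto):
    """ip[] counts from the IP header; tcp[]/udp[]/icmp[] count from the transport header after it."""
    return 0 if proto == "ip" else ipv4_header_len(pkt)

def bpf_eval(pkt, expr):
    """Evaluate one tcpdump-style byte test against raw IPv4 packet bytes."""
    m = EXPR_RE.match(expr.replace(" ", ""))
    if not m:
        raise ValueError("unsupported expression: " + expr)
    proto, off, length, mask, rel, val = m.groups()
    start = header_start(pkt, proto) + int(off)
    field = int.from_bytes(pkt[start:start + int(length or 1)], "big")   # no length means 1 byte
    if mask:
        field &= int(mask, 0)            # AND keeps only the bits that are set in the mask
    value = int(val, 0)                  # base 0 accepts both 80 and 0x50
    return {"=": field == value, "==": field == value, "!=": field != value,
            ">": field > value, "<": field < value, ">=": field >= value, "<=": field <= value}[rel]

# Constructed IPv4/TCP segment 10.1.1.1:4444 -> 10.1.1.2:80 with SYN+FIN set (checksums zero; not a real capture)
PACKET = bytes.fromhex(
    "4500 0028 0001 0000 4006 0000 0a01 0101 0a01 0102"   # 20-byte IP header, byte 9 = 06 (TCP)
    "115c 0050 0000 0001 0000 0000 5003 ffff 0000 0000"   # 20-byte TCP header, byte 13 = 03 (FIN+SYN)
)
```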

TCPDUMP on F5

On an F5, if the partition to capture in is not the default partition (that is, rdsh is not 0), the partition/interface must be specified, as follows:

tcpdump -ni /Orange/Vlan_207 -f "ip host 10.240.8.8"

tcpdump -ni /Orange/Vlan_215 -f "port 8905"

config # openssl verify -purpose sslclient -CAfile /config/filestore/files_d/Orange_d/certificate_d/:\:Orange\:Self_BSAPartnerSolutionOrder.crt_1 /tmp/Self_BSAPartnerSolutionOrder.cer

Capture on ACE

The ACE has a similar function to tcpdump, only under a different name: the capture command.

The procedure is:

  1. Create an ACL for the traffic of interest:
     access-list lulu line 8 extended permit tcp host 10.240.13.134 any
     access-list lulu line 16 extended permit tcp host 10.240.13.135 any
  2. Tie the capture to the ACL:
     capture test interface vlan 264 access-list lulu bufsize 5000
  3. Start the capture:
     capture test start