tcpdump -nnvvAi eth1 -s0 | grep "Doug Burks is teaching SANS SEC503 Intrusion Detection In-Depth in Portland"

So what does it all mean?
-nn This option disables name resolution for IP addresses and port numbers. Some versions of tcpdump do this with a single "-n", but the double "-nn" option should work on all of them.
-vv This option enables Very Verbose output. It wasn't strictly needed for the purposes of this command, but I'm in a habit of using it.
-A This option prints just the ASCII text in the packets. This is useful when looking for strings like "Doug Burks is teaching SANS SEC503 Intrusion Detection In-Depth in Portland" or "c99shell".
-i This option allows you to specify the Interface (in this case eth1). eth1 on my Security Onion box at home is connected to a Dualcomm Switch Tap that monitors all ingress/egress of my home network. Doesn't everybody do full packet capture at home?
-s0 This option sets the snaplen. By default, tcpdump only captures 68 bytes and would therefore not see the entire payload of the HTTP connection. Setting snaplen to 0 forces tcpdump to capture the entire packet regardless of its size.
grep Since we had tcpdump output in ASCII, we can easily use the standard grep command to look for interesting text strings.
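To show why the snaplen matters for this kind of string hunting, here is an added Python example (not code from the original post) that models the tcpdump -A | grep pipeline over a constructed Ethernet/IPv4/TCP frame: the addresses and ports are sample data, and the ASCII rendering only approximates what -A prints.

```python
# Added example: emulate "tcpdump -A ... | grep" at different snaplens over a
# constructed frame, to show how a short snaplen hides the HTTP payload.
import re
import struct

ETH_LEN, IP_LEN, TCP_LEN = 14, 20, 20  # fixed-size headers, no options

def build_frame(payload: bytes) -> bytes:
    """Wrap payload in a minimal Ethernet + IPv4 + TCP frame (sample header values)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    total = IP_LEN + TCP_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 20]), bytes([203, 0, 113, 5]))
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def capture(frame: bytes, snaplen: int) -> bytes:
    """Model tcpdump -s: snaplen 0 keeps the whole frame, otherwise truncate it."""
    return frame if snaplen == 0 else frame[:snaplen]

def ascii_dump(captured: bytes) -> str:
    """Approximate tcpdump -A: render the packet minus its link-layer header
    as ASCII, replacing non-printable bytes with '.' and keeping newlines."""
    body = captured[ETH_LEN:]
    return "".join(chr(b) if 32 <= b < 127 or b == 10 else "." for b in body)

def grep(text: str, pattern: str) -> list:
    """Stand-in for the grep stage: return the lines that match pattern."""
    return [line for line in text.splitlines() if re.search(pattern, line)]

# Constructed sample request; "c99shell" is the string the post suggests hunting for.
SAMPLE_REQUEST = (b"GET /uploads/c99shell.php?act=cmd HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n\r\n")

def hits_at_snaplen(snaplen: int, pattern: str = "c99shell") -> list:
    """Run the modelled pipeline and return grep's matching lines."""
    frame = build_frame(SAMPLE_REQUEST)
    return grep(ascii_dump(capture(frame, snaplen)), pattern)

if __name__ == "__main__":
    # With the old 68-byte default only 14 payload bytes survive the headers,
    # so the string is never seen; with -s0 the full request is searchable.
    for s in (68, 0):
        print(f"snaplen {s}: {hits_at_snaplen(s)}")
```

With snaplen 68 the capture holds only the first 14 bytes of the request, so grep sees nothing; with snaplen 0 the matching request line is returned.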
I was waiting on someone to ask the question "Why not use ngrep instead?". tcpdump's advantage is that it is more universally available than ngrep. If you're doing Incident Response on a Unix box of some kind, chances are that it already has tcpdump installed and you can use that to look for suspicious traffic as defined above.
Most Unix boxes do not have ngrep installed by default. But let's assume that you've got a dedicated IDS platform such as
ngrep -d eth1 -s0 "Doug Burks is teaching SANS SEC503 Intrusion Detection In-Depth in Portland"

Here we use the "-d eth1" option to force ngrep to listen on device eth1 and the "-s0" option to force ngrep to look at the entire packet. Note that, unlike tcpdump's default snaplen of 68 bytes, ngrep defaults to 65536, so this option isn't strictly needed here, but is included for completeness. After specifying these options, we simply tell ngrep what string to look for.
Doug Burks is teaching SANS SEC503 Intrusion Detection In-Depth in Portland Oregon 8/22 - 8/27. Sign up today!