Author : 좋은진호 (truefeel, http://coffeenix.net/ )
Written : from 2001.09.24, updated from time to time
Compiled : 2003.11.07 (Fri)

ngrep is a tool that shows packet contents the way a sniffer does; think of it as a network version of grep.
If the server running ngrep is attached to a dumb (repeater) hub, it can also see every packet on the internal network.
1. Using ngrep

* ngrep home : http://ngrep.sourceforge.net/

To watch port 80, run the following.
# ngrep -t port 80
interface: eth0 (192.168.xxx.0/255.255.255.0)
filter: ip and ( port 80 )
####
T 2003/11/07 12:46:32.005250 192.168.xxx.xxx:35898 -> 218.xxx.xx.xx:80 [AP]
GET /news/ HTTP/1.1..Host: coffeenix.net..User-Agent: Mozilla/5.0 (X11; U; Linux i686;
en-US; rv:1.5) Gecko/20031007 Firebird/0.7..Accept: text/xml,application/xml,applicat
ion/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/
... (omitted) ...
........ ...., ........ - ........ .... LINUX/UNIX ....
... (omitted) ...
-t : show a timestamp with each packet
-x : show the payload as hex as well
-d device : select the network device to listen on
-i : ignore case when matching

Usage examples)

* Packets to or from a specific IP, excluding port 80
# ngrep -v -qt host IP and not port 80

* Watching for Code Red packets
# ngrep -iqt 'default.ida' port 80

* Checking mail, FTP and telnet activity to or from a specific host (the ports must be grouped, because BPF's and/or associate left to right)
# ngrep -qx host IP and \( port 25 or port 110 or port 21 or port 23 \)

* Checking packets going to the Oracle listener (useful for seeing the SQL statements a program sends)
# ngrep -qx dst port 1521
2. Displaying Korean

ngrep shows anything other than ASCII letters and digits as a dot (.), so Korean text is lost.
With conv.pl, which I wrote in 2001, Korean can be displayed as well.
Be aware that if something like a file transfer over the web is going on, the screen will fill with garbage characters.
Exclude ports that carry frequent file transfers.
#!/usr/bin/perl
#
# Display Korean from ngrep -x output
#
# Made by 좋은진호(truefeel)
# 2001.9.24
#
# Input looks like:
# T 211.xxx.xx.xxx:1886 -> 205.xxx.xxx.xxx:80 [AP]
# 47 45 54 20 2f 69 6d 61 67 65 2f 39 33 30 35 32 GET /image/93052
use strict;

while ( my $P = <STDIN> ) {
    # only the indented hex-dump rows; packet header lines are skipped
    if ( $P =~ /^\s+(.+)/ ) {
        # the first 54 columns hold the 16 hex pairs; the ASCII column follows
        my $P_HEX = substr($P, 0, 54);
        my @HEX = split(' ', $P_HEX);
        for ( my $c = 0; $c <= $#HEX; $c++ ) {
            # replace control bytes (below 32 = 0x20, the space) with a space,
            # keeping CR, LF, BS and ESC
            if ( hex($HEX[$c]) < 32 &&
                 $HEX[$c] ne "0d" && $HEX[$c] ne "0a" &&
                 $HEX[$c] ne "08" && $HEX[$c] ne "1b" ) {
                $HEX[$c] = '20';
            }
        }
        $P_HEX = "@HEX";
        $P_HEX =~ s/\s//g;
        # turn the hex back into raw bytes so the terminal renders the EUC-KR text
        my $P_CONV = pack("H*", $P_HEX);
        print $P_CONV;
    }
}
* Download : http://coffeenix.net/truefeel/files/conv.pl.txt

To use it, always pass the -x option to ngrep and pipe the output through the script.
# ngrep -qx dst port 1521 | ./conv.pl
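conv.pl converts one hex-dump row at a time, so a two-byte EUC-KR character whose bytes fall on two rows is emitted in halves. As an added example (not part of the original article or of conv.pl), the following Python reads `ngrep -x` output, rebuilds each packet's complete payload before decoding it as EUC-KR, and blanks control characters before printing; the capture text is constructed, and the addresses and function names are my own.

```python
import re

# Constructed sample of `ngrep -qx` output, not a real capture. The second
# packet's EUC-KR text ("안녕") straddles two hex-dump rows (the first byte of
# 안 ends row 1), the case a row-at-a-time converter decodes wrongly.
SAMPLE = """\
T 192.168.0.10:35898 -> 192.168.0.20:80 [AP]
  47 45 54 20 2f 6e 65 77 73 2f 20 48 54 54 50 2f    GET /news/ HTTP/
  31 2e 31 0d 0a                                     1.1..

T 192.168.0.10:4021 -> 192.168.0.20:25 [AP]
  53 75 62 6a 65 63 74 3a 20 68 65 6c 6c 6f 20 be    Subject: hello .
  c8 b3 e7 0d 0a                                     .....
"""

# Packet header line, with or without the timestamp that -t adds.
HEADER = re.compile(r"^([TUI]) (?:\S+ \S+ )?(\S+) -> (\S+)")
# Indented hex row: at most 16 "xx" pairs; the ASCII column after them is ignored.
HEX_ROW = re.compile(r"^\s+((?:[0-9a-f]{2} ?){1,16})")

def parse_ngrep_hex(text):
    """Rebuild each packet's complete payload from the rows under its header."""
    packets = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            packets.append({"proto": m.group(1), "src": m.group(2),
                            "dst": m.group(3), "payload": bytearray()})
            continue
        m = HEX_ROW.match(line)
        if m and packets:
            packets[-1]["payload"] += bytes.fromhex(m.group(1))
    for p in packets:
        p["payload"] = bytes(p["payload"])
    return packets

def decode_payload(payload, encoding="euc-kr"):
    """Decode the whole payload at once so two-byte characters stay intact."""
    return payload.decode(encoding, errors="replace")

def printable(text):
    """Blank control characters other than CR, LF and TAB. conv.pl also let BS
    and ESC through; an ESC in a captured payload can drive the terminal."""
    return "".join(c if c in "\r\n\t" or ord(c) >= 0x20 else " " for c in text)

if __name__ == "__main__":
    for p in parse_ngrep_hex(SAMPLE):
        print(f"{p['proto']} {p['src']} -> {p['dst']} ({len(p['payload'])} bytes)")
        print(printable(decode_payload(p["payload"])))
```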
3. Don't abuse it

If misused, ngrep can reveal not only passwords but the contents of every mail sent or received, and even messenger conversations.
(Though with a NIDS installed, such things are easy to see anyway.)
This is a matter of the administrator's ethics, so please do not use it for such purposes.
Use it only for administration, protocol analysis, and checking that the packets sent and received during network programming are what they should be.