LinuxSever.Com - Turkey's Linux platform


orhan 05-19-2009 10:35 AM

Monitoring Attacks with Trafshow

Hello friends, in this post I want to talk about installing trafshow. Trafshow is an attack monitoring tool somewhat like ntop; the difference is that it is a service that can run over ssh. For the friends who can't wait to test it, I'm going straight to the installation :)

First we log in to our server as root.
Code:

wget http://www.linuxsever.com/dosyalar/network/trafshow-5.2.2.tgz
After fetching the tgz file with wget, we extract it.
Code:

tar -zxvf trafshow-5.2.2.tgz
cd trafshow-5.2.2
./configure
make
make install

and with that our installation is complete.

Now we can run our trafshow command over ssh.
Example:
To listen on port 80
Code:

trafshow -n -i eth0 -a 32 dst port 80
To listen on port 25
Code:

trafshow -n -i eth0 -a 32 dst port 25
To monitor your own IP address (replace ipadresiniz with your address)
Code:

trafshow -n -i eth0 -a 32 host ipadresiniz
Note:
After running the trafshow command, press the right arrow key twice to see the PPS and packet counts of the incoming IPs in detail.
For the help file
Code:

man trafshow
http://www.linuxsever.com/uploads/2007/12/trafshow.jpg

Source: LinuxSever.Com ( Orhan )

toroman61 05-20-2009 01:32 PM

Orhan hocam, well done, a nice write-up. What I want to ask is: which one would you recommend we use, ntop or trafshow?

ismail 05-20-2009 01:44 PM

If you ask me :) I recommend using trafshow. Back in the day we monitored a large network with the trafshow program and it was a very successful program. Many datacenters use this software. It lets you see all of the incoming attacks in detail, as they happen.

toroman61 05-20-2009 01:50 PM

Thanks a lot, ismail hocam. Is there an address where we can find information about its usage, or could you pass it along? :)

ismail 05-20-2009 02:17 PM

The commands Orhan gave above will more than cover what you need.

Alican 05-22-2009 09:47 AM

Hello,
I'm having a problem with the installation.
My server has 8GB of RAM, so I'm using CentOS 64-bit. Could that be the problem? :)

My ./configure output is as follows:

Code:

root@germany [/trafshow-5.2.2]# ./configure
loading cache ./config.cache
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
checking build system type... i686-pc-linux-gnu
checking for gcc... gcc
checking whether the C compiler (gcc  ) works... yes
checking whether the C compiler (gcc  ) is a cross-compiler... no
checking whether we are using GNU C... yes
checking whether gcc accepts -g... yes
checking for bison... bison -y
checking for flex... flex
checking for yywrap in -lfl... yes
checking how to run the C preprocessor... gcc -E
checking for AIX... no
checking for the pthreads library -lpthreads... no
checking whether pthreads work without any flags... no
checking whether pthreads work with -Kthread... no
checking whether pthreads work with -kthread... no
checking for the pthreads library -llthread... no
checking whether pthreads work with -pthread... yes
checking for joinable pthread attribute... PTHREAD_CREATE_JOINABLE
checking if more special flags are required for pthreads... no
checking for cc_r... gcc
checking for ANSI C header files... yes
checking whether time.h and sys/time.h may both be included... yes
checking for sys/termios.h... yes
checking for net/if_dl.h... no
checking for paths.h... yes
checking for resolv.h... yes
checking for working const... yes
checking for u_int8_t... yes
checking for u_int16_t... yes
checking for u_int32_t... yes
checking for u_int64_t... yes
checking for in_addr_t... yes
checking for socklen_t... yes
checking for struct sockaddr_storage... yes
checking for struct ether_addr... yes
checking for main in -lresolv... yes
checking for main in -linet... no
checking for gethostbyname in -lnsl... yes
checking for connect in -lsocket... no
checking for siginterrupt... yes
checking for snprintf... yes
checking for strftime... yes
checking for strcasecmp... yes
checking for pcap_findalldevs in -lpcap... no
configure: error: at least libpcap 0.7 is required; see the INSTALL notes

I can't use the make and make install commands either, of course :(

Code:

root@germany [/trafshow-5.2.2]# make
make: *** No targets specified and no makefile found.  Stop.
root@germany [/trafshow-5.2.2]# make install
make: *** No rule to make target `install'.  Stop.


orhan 05-22-2009 10:26 AM

Quote:

Originally Posted by toroman61 (Message 115)
Thanks a lot, ismail hocam. Is there an address where we can find information about its usage, or could you pass it along? :)

For usage, you can again make use of the Linux manual pages.

Code:

man trafshow
output:

Code:

TRAFSHOW(1)                                                      TRAFSHOW(1)

NAME
      trafshow - full screen show network traffic

SYNOPSIS
      trafshow  [-vpnb]  [-a len] [-c conf] [-i name] [-s str] [-u port] [-R
      refresh] [-P purge] [-F file | expr]

DESCRIPTION
      TrafShow is a simple interactive program that gather the network traf-
      fic  from  all  libpcap-capable  interfaces to accumulate it in memory
      cache, and then separately display it on appropriated curses window in
      line-narrowed  manner as a list of network flows sorted by throughput.
      Display updates occurs nearly in real time,  asynchronously  from  the
      data  collecting.  It look like a live show of traffic flows. Any kind
      of network traffic are mixed together in the one live-show screen,  an
      Ethernet, IP, etc.
      Hint: Please press 'H' key inside a show to get brief help!

      The  IP  traffic  can be aggregated by netmask prefix bits and service
      ports to reorganize a heap of trivial flows into the treelike  hierar-
      chies suitable for human perception. The user can glance over the list
      of resulting flows and select at their to browse detail.  So  you  can
      deepen  into the traffic inheritance hierarchy and inspect the packets
      of each trivial flow in  variety  of  presentations:  raw-hex,  ascii,
      time-stamp.
      The  program  make aggregation automatically when number of flows will
      exceed some reasonable amount. Just a few seconds after launch may  be
      required  for adaptation to your volume of traffic.  Use -a len option
      (see below) to overwrite the default behaviour.

      TrafShow also listens on UDP port (9995 by default) for diverse  feed-
      ers of Cisco Netflow and then separately display the collected data in
      the same manner as described above. The following versions of  Netflow
      are  currently  supported: V1, V5, V7.  Use -u port option (see below)
      to overwrite the default behaviour.

      This program may be found wonderful at lest to locate suspicious traf-
      fic  on the net very quickly on demand, or to evaluate real time traf-
      fic bandwidth utilization, in a simplest and  convenient  environment.
      But  it  is  not  intended  for collecting and analysis of the network
      traffic for a long period of time, nor for billing!

      The program pretend to be IPv6 compatible and ready to using,  but  it
      is not tested enough. You can define INET6 to do so.

OPTIONS
      -v    Print detailed version information and exit.

      -p    Do not put interface(s) into promiscuous mode.

      -n    Do  not  convert  numeric values to names (host addresses, port
              numbers, etc.).  The mode can be toggled On/Off during  a  show
              by pressing the 'N' key.

      -b    To  place  a  backflow  entries near to the main streams in the
              sorted list of traffic flows.
              Note: this mode can raise  the  system  load  dangerously  high
              because it take a lot of CPU cycles!

      -a len To  aggregate  traffic  flows using IP netmask prefix len. This
              option also turn on service ports aggregation. The len expected
              as  number of bits in the network portion of IP addresses (like
              CIDR).  The aggragation len can be changed  during  a  show  by
              pressing the 'A' key, and turned Off by empty string.
              Hint:  Please use 0 to reduce output just for network services.

      -c conf
              Use alternate color config file instead of  default  /etc/traf-
              show.

      -i name
              Listen  on  the  specified network interface name.  If unspeci-
              fied, TrafShow collect data from all network  interfaces,  con-
              figured UP in the system. In the last case the system must sup-
              ply enough number of packet capture devices (like /dev/bpf#).

      -s str To search and follow for list item matched  by  string,  moving
              the  cursor  bar.  The  found item try to stay highlighted. The
              mode can be turned Off by 'Ctrl-/'  key  press  or  [re]entered
              again by '/' key directly in the live show.

      -u port
              Listen  on  the specified UDP port number for the Cisco Netflow
              feed.  The default port number is 9995.
              Hint: Please use 0 to disable this functionality.

      -R refresh
              Set the refresh period of data show to seconds,  2  seconds  by
              default.  This  option can be changed during a show by pressing
              the 'R' key.

      -P purge
              Set the expired data purge period to  seconds,  10  seconds  by
              default.  This  option can be changed during a show by pressing
              the 'P' key.

      -F file
              Use file as input for the filter expression.

      expr  Select which packets will be displayed.  If  no  expression  is
              given,  all  packets  on  the net will be displayed. Otherwise,
              only packets for which expression is 'true' will be  displayed.
              The  filter expression can be changed during a show by pressing
              the 'F' key, and turned Off by empty string.
              Please see tcpdump(1) man page for syntax of filter expression.

FILES
      /etc/trafshow
              The default colors configuration file if any.

      $HOME/.trafshow
              The personal file with the user defined colors.

COLORS
      If  TrafShow  has  been  compiled with modern curses libraries such as
      Slang or Ncurses it been able to show colored traffic  on  the  color-
      capable  terminal.  Hopefully,  no special actions required to install
      them because your system has it by default (leastwise last years).

      The syntax of TrafShow color configuration file as follow:

      default fcolor:bcolor
              Set the default screen background color-pair

      port[/proto] fcolor:bcolor
              Set color pattern by service port

      [proto] src[/mask][,port] dst[/mask][,port] fcolor:bcolor
              Set color pattern by pair of source and destination addresses

      The tokens *, any, or all matchs ANY in the pattern.  Where fcolor  is
      foreground color and bcolor is background color.
      The fcolor and bcolor may be one of the following:

      black red green yellow blue magenta cyan white
              It posible to indicate color as number from 0 to 7.

      The  upper-case  Fcolor  mean  bright  on.  The upper-case Bcolor mean
      blink on.

SEE ALSO
      pcap(3), tcpdump(1), bpf(4)

ACKNOWLEDGEMENTS
      Thanks to Van Jacobson <van(at)helios.ee.lbl.gov> and  Steven  McCanne
      <mccanne(at)helios.ee.lbl.gov>,  all  of Lawrence Berkeley Laboratory,
      University of California, Berkeley.  Special thank to Jun-ichiro  ito-
      jun Hagino <itojun(at)iijlab.net> for IPv6 patches.

AUTHOR
      Vladimir Vorobyev <bob(at)turbo.nsk.su>.

BUGS
      Depending of traffic volume, TrafShow can take a lot of CPU cycles and
      memory.
      It is impossible to use packet matching  expressions  in  the  NetFlow
      mode.

                                  May 2004                      TRAFSHOW(1)

Code:

trafshow --help
output:

Code:

 -v        Print version number, compile-time definitions, and exit
 -p        Don't put the interface(s) into promiscuous mode
 -n        Don't convert numeric values to names
 -b        To place a backflow near to the main stream
 -a len    To aggregate IP addresses using the prefix length
 -c conf    Color config file instead of default /etc/trafshow
 -i ifname  Network interface name; all by default
 -s str    To search & follow for string in the list show
 -u port    UDP port number to listen for Cisco Netflow; default 9995
 -R refresh Set the refresh-period of data show to seconds; default 2 sec
 -P purge  Set the expired data purge-period to seconds; default 10 sec
 -F file    Use file as input for the filter expression
 expr      Filter expression; see tcpdump(1) for syntax

Good luck with it..

orhan 05-22-2009 10:32 AM

Quote:

Originally Posted by Alican (Message 128)
Hello,
I'm having a problem with the installation.
My server has 8GB of RAM, so I'm using CentOS 64-bit. Could that be the problem? :)

The problem comes from the libpcap 0.7 package.

Code:

ftp://ftp.uni-bayreuth.de/pub/redhat.com/fedora/linux/core/updates/1/x86_64/libpcap-0.7.2-8.fc1.2.x86_64.rpm
Download this package, install it with

Code:

rpm -ivh libpcap-0.7.2-8.fc1.2.x86_64.rpm --force
and then could you try compiling again?

Alican 05-22-2009 10:47 AM

I'm getting the following error (while installing the extra package)

Quote:

root@germany [/]# rpm -ivh libpcap-0.7.2-8.fc1.2.x86_64.rpm --force
warning: libpcap-0.7.2-8.fc1.2.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2
error: Failed dependencies:
kernel >= 2.2.0 is needed by libpcap-0.7.2-8.fc1.2.x86_64
libc.so.6()(64bit) is needed by libpcap-0.7.2-8.fc1.2.x86_64
libc.so.6(GLIBC_2.2.5)(64bit) is needed by libpcap-0.7.2-8.fc1.2.x86_64
libc.so.6(GLIBC_2.3)(64bit) is needed by libpcap-0.7.2-8.fc1.2.x86_64

toroman61 05-22-2009 01:53 PM

error

To be able to install the libpcap-0.7.2-8.fc1.2.x86_64 package that Orhan hocam mentioned, it says that

kernel >= 2.2.0
libc.so.6()(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3)(64bit)

the packages listed above are required.
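The build failure discussed in this thread has a single root cause: `checking for pcap_findalldevs in -lpcap... no` means the libpcap development files (0.7 or newer) are not installed, and the later `no makefile found` only appears because ./configure never finished. The script below is an added example, not code from the thread or from trafshow: it probes for a usable libpcap with a throwaway compile and classifies a saved configure/make transcript; the package name libpcap-devel is CentOS's own, and the advice to use it instead of forcing a Fedora Core 1 rpm onto CentOS is the editor's.

```shell
#!/bin/sh
# Added example (not part of the thread or of trafshow): pre-flight check for
# building trafshow, targeting the libpcap failure seen above.

# Compile a tiny program against libpcap to confirm that both the header and
# the pcap_findalldevs symbol (present since libpcap 0.7) exist on this host.
have_libpcap() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/t.c" <<'EOF'
#include <pcap.h>
int main(void) {
    pcap_if_t *devs; char err[PCAP_ERRBUF_SIZE];
    return pcap_findalldevs(&devs, err) == 0 ? 0 : 1;
}
EOF
    ${CC:-cc} "$tmp/t.c" -lpcap -o "$tmp/t" >/dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Read a saved ./configure (or make) transcript, print a diagnosis and
# return 1 when the libpcap prerequisite is the real problem, 0 otherwise.
diagnose_configure_log() {
    if grep -qF 'checking for pcap_findalldevs in -lpcap... no' "$1" ||
       grep -qF 'at least libpcap 0.7 is required' "$1"; then
        echo "libpcap >= 0.7 dev files missing: install the distro package" \
             "(yum install libpcap-devel), not a foreign rpm with --force"
        return 1
    fi
    if grep -qF 'No targets specified and no makefile found' "$1"; then
        echo "no Makefile: ./configure did not complete, fix its error first"
        return 1
    fi
    echo "no libpcap-related failure found in $1"
    return 0
}

# Typical use inside the unpacked trafshow-5.2.2 directory:
#   have_libpcap && ./configure 2>&1 | tee configure.log \
#       || diagnose_configure_log configure.log
```

Because the probe links the same symbol configure tests for, a passing probe on the build host means the `-lpcap` check will pass too; a failing one saves a pointless configure run.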

