Lab work journal

Contents

Journal

Saturday (12/23/06)

/dev/ttyp4
17:13:39
#vi /usr/local/share/honeyd/nmap.prints
17:16:07
#vi /usr/local/bin/honeyd.conf
17:17:21
#vi /usr/local/bin/honeyd.conf
17:18:30
#honeyd -p nmap.prints -f /usr/local/bin/honeyd.conf 192.168.1.100-192.168.15.109
Honeyd V1.0 Copyright (c) 2002-2004 Niels Provos
honeyd[65063]: started with -p nmap.prints -f /usr/local/bin/honeyd.conf 192.168.1.100-192.168.15.109
honeyd: fopen(nmap.prints): No such file or directory
17:18:48
#honeyd -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.1.100-192.168.15.109
Honeyd V1.0 Copyright (c) 2002-2004 Niels Provos
honeyd[65072]: started with -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.1.100-192.168.15.109
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[65072]: listening promiscuously on xl0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (dst net 192.168.1.100/30 or dst net 192.168.1.104/29 or dst net 192.168.1.112/28 or dst net 192.168.1.128/25 or dst net 192.168.2.0/23 or dst net 192.168.4.0/22 or dst net 192.168.8.0/22 or dst net 192.168.12.0/23 or dst net 192.168.14.0/24 or dst net 192.168.15.0/26 or dst net 1
Honeyd starting as background process
17:19:01
#ps ax|grep honeyd
52125  ??  S      0:16.50 kpdf /root/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -miniicon kpdf -caption KPDF
52126  ??  S      0:29.45 kpdf /root/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -miniicon kpdf -caption KPDF
65086  p5  S+     0:00.00 grep honeyd
17:20:17
#killall honeyd
No matching processes were found
17:20:39
#honeyd -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.1.100-192.168.15.109
Honeyd V1.0 Copyright (c) 2002-2004 Niels Provos
honeyd[65104]: started with -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.1.100-192.168.15.109
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[65104]: listening promiscuously on xl0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (dst net 192.168.1.100/30 or dst net 192.168.1.104/29 or dst net 192.168.1.112/28 or dst net 192.168.1.128/25 or dst net 192.168.2.0/23 or dst net 192.168.4.0/22 or dst net 192.168.8.0/22 or dst net 192.168.12.0/23 or dst net 192.168.14.0/24 or dst net 192.168.15.0/26 or dst net 1
Honeyd starting as background process
17:20:53
#ps aw|grep honeyd
52125  ??  S      0:16.65 kpdf /root/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -miniicon kpdf -caption KPDF
52126  ??  S      0:29.60 kpdf /root/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -miniicon kpdf -caption KPDF
17:22:25
#pkg_info -Lx honeyd
Information for honeyd-1.0_1:
Files:
/usr/local/man/man1/honeydctl.1.gz
/usr/local/man/man8/honeyd.8.gz
/usr/local/bin/honeyd
/usr/local/bin/honeydctl
/usr/local/include/honeyd/debug.h
/usr/local/include/honeyd/hooks.h
/usr/local/include/honeyd/plugins.h
/usr/local/include/honeyd/plugins_config.h
...
/usr/local/share/honeyd/scripts/mydoom.pl
/usr/local/share/honeyd/scripts/README.mydoom
/usr/local/share/honeyd/scripts/cmdexe.pl
/usr/local/share/honeyd/scripts/README.cmdexe
/usr/local/share/honeyd/scripts/README.kuang2
/usr/local/share/honeyd/scripts/INSTALL.kuang2
/usr/local/share/honeyd/scripts/kuang2.pl
/usr/local/share/honeyd/scripts/kuang2.conf
/usr/local/share/honeyd/scripts/smtp.pl
/usr/local/share/honeyd/scripts/proxy.pl
17:23:39
#honeyd -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.15.100-192.168.15.109
Honeyd V1.0 Copyright (c) 2002-2004 Niels Provos
honeyd[65149]: started with -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.15.100-192.168.15.109
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[65149]: listening promiscuously on xl0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (dst net 192.168.15.100/30 or dst net 192.168.15.104/30 or dst net 192.168.15.108/31))) and not ether src 00:04:75:82:53:43
Honeyd starting as background process
17:26:07
#ps awx|grep honeyd
52125  ??  S      0:16.94 kpdf /root/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -miniicon kpdf -caption KPDF
52126  ??  S      0:29.89 kpdf /root/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -miniicon kpdf -caption KPDF
17:26:25
#vi /usr/local/bin/ho
17:26:25
#vi /usr/local/bin/honeyd
17:27:30
#vi /usr/local/bin/honeyd.conf
17:28:12
#ps awx|grep honeyd
52125  ??  S      0:17.84 kpdf /root/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -miniicon kpdf -caption KPDF
52126  ??  S      0:30.78 kpdf /root/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -miniicon kpdf -caption KPDF
65263  p5  S+     0:00.00 grep honeyd
10 minutes passed
17:39:05
#honeyd -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.15.100-192.168.15.109
Honeyd V1.0 Copyright (c) 2002-2004 Niels Provos
honeyd[65275]: started with -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.15.100-192.168.15.109
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[65275]: listening promiscuously on xl0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (dst net 192.168.15.100/30 or dst net 192.168.15.104/30 or dst net 192.168.15.108/31))) and not ether src 00:04:75:82:53:43
Honeyd starting as background process
17:40:27
#ps awx|grep honeyd
52125  ??  S      0:17.96 kpdf /root/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -miniicon kpdf -caption KPDF
52126  ??  S      0:30.90 kpdf /root/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -miniicon kpdf -caption KPDF
65286  p5  R+     0:00.00 grep honeyd
17:40:45
#honeyd -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.15.100-192.168.15.109 -d
Honeyd V1.0 Copyright (c) 2002-2004 Niels Provos
honeyd[65295]: started with -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf -d 192.168.15.100-192.168.15.109
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[65295]: listening promiscuously on xl0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (dst net 192.168.15.100/30 or dst net 192.168.15.104/30 or dst net 192.168.15.108/31))) and not ether src 00:04:75:82:53:43
honeyd[65295]: Demoting process privileges to uid 32767, gid 32767
honeyd[65295]: Sending ICMP Echo Reply: 192.168.15.103 -> 192.168.15.22
honeyd[65295]: Sending ICMP Echo Reply: 192.168.15.103 -> 192.168.15.22
honeyd[65295]: Sending ICMP Echo Reply: 192.168.15.103 -> 192.168.15.22
honeyd[65295]: Sending ICMP Echo Reply: 192.168.15.103 -> 192.168.15.22
...
honeyd[65295]: Sending ICMP Echo Reply: 192.168.15.103 -> 192.168.15.22
honeyd[65295]: Sending ICMP Echo Reply: 192.168.15.103 -> 192.168.15.22
honeyd[65295]: Sending ICMP Echo Reply: 192.168.15.103 -> 192.168.15.22
honeyd[65295]: Sending ICMP Echo Reply: 192.168.15.103 -> 192.168.15.22
honeyd[65295]: Sending ICMP Echo Reply: 192.168.15.103 -> 192.168.15.22
honeyd[65295]: Sending ICMP Echo Reply: 192.168.15.103 -> 192.168.15.22
honeyd[65295]: Sending ICMP Echo Reply: 192.168.15.103 -> 192.168.15.22
honeyd[65295]: Sending ICMP Echo Reply: 192.168.15.103 -> 192.168.15.22
^[[A^[[A^Z
[2]+  Stopped                 honeyd -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.15.100-192.168.15.109 -d
/dev/ttyp8
17:41:17
#ps awx |grep honeyd
exit
exit
52125  ??  S      0:18.02 kpdf /root/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -miniicon kpdf -caption KPDF
52126  ??  S      0:30.96 kpdf /root/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -miniicon kpdf -caption KPDF
65295  p5  S+     0:00.14 honeyd -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.15.100-192.168.15.109 -d
65351  p9  R+     0:00.00 grep honeyd
17:41:34
#ps ax |grep honeyd
52125  ??  S      0:18.06 kpdf /root/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -miniicon kpdf -caption KPDF
52126  ??  S      0:31.01 kpdf /root/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -miniicon kpdf -caption KPDF
65295  p5  S+     0:00.16 honeyd -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.15.100-192.168.15.109 -d
17:42:14
#top
last pid: 65461;  load averages:  0.28,  0.21,  0.12                                                                                 up 0+08:33:28  18:03:59
104 processes: [process-state counts garbled in extraction]
CPU states: [percentages garbled in extraction]
Mem: 266M Active, 268M Inact, 126M Wired, 1960K Cache, 110M Buf, 327M Free
Swap: 2007M Total, 2096M Free
  PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
34442                96       8328K  6888K RUN      7:13 23.44% perl5.8.7
 1378                96      58656K 55000K select  11:52  1.61% kdeinit
  705                          202M 89068K select  16:25  1.56% Xorg
 1378                96      45544K 41940K select   2:48  1.03% kdeinit
...
  537 www         1   4    0  5040K  4328K accept   0:01  0.00% httpd
 1051 root        1  96    0 25928K 20652K select   0:01  0.00% kdeinit
65295  32767      1   4    0  3708K  3188K kqread   0:01  0.00% honeyd
  536 www         1   4    0  5012K  4304K accept   0:00  0.00% httpd
  538 www         1   4    0  5040K  4328K accept   0:00  0.00% httpd
29511 www         1   4    0  5008K  4300K accept   0:00  0.00% httpd
  540 www         1   4    0  5012K  4304K accept   0:00  0.00% httpd
26973 www         1   4    0  5008K  4300K accept   0:00  0.00% httpd
  552 root        1  96    0  1388K  1056K select   0:00  0.00% syslog-ng
31267 www         1   4    0  5040K  4324K accept   0:00  0.00% httpd
/dev/ttyp4
17:51:46
#cat /etc/rc.local
nohup /usr/local/sbin/syslog_mysql.sh &
17:52:12
#bg
[2]+ honeyd -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.15.100-192.168.15.109 -d &
17:54:00
#ps ax |grep honey
52125  ??  S      0:18.95 kpdf /root/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -miniicon kpdf -caption KPDF
52126  ??  S      0:31.88 kpdf /root/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -miniicon kpdf -caption KPDF
65295  p5  S      0:00.47 honeyd -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.15.100-192.168.15.109 -d
17:54:34
#honeyd[65295]: Sending ICMP Echo Reply: 192.168.15.103 -> 192.168.15.22
honeyd[65295]: Sending ICMP Echo Reply: 192.168.15.103 -> 192.168.15.22
honeyd[65295]: Sending ICMP Echo Reply: 192.168.15.103 -> 192.168.15.22
honeyd[65295]: Sending ICMP Echo Reply: 192.168.15.103 -> 192.168.15.22
10 minutes passed
18:04:50
#honeyd[65295]: Sending ICMP Echo Reply: 192.168.15.105 -> 192.168.15.22
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:2121)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:599)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:3455)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:1394)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:381)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:615)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:949)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:961)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:1526)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:27007)
...
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:5001)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:674)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:263)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:126)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:528)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:5236)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:715)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:5192)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:995)
honeyd[65295]: Killing attempted connection: tcp (192.168.15.22:33928 - 192.168.15.103:838)
18:11:45
#killall -9 honeyd
[2]+  Killed: 9               honeyd -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.15.100-192.168.15.109 -d
18:12:00
#honeyd -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.15.103 -d
Honeyd V1.0 Copyright (c) 2002-2004 Niels Provos
honeyd[65538]: started with -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf -d 192.168.15.103
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[65538]: listening promiscuously on xl0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (host 192.168.15.103))) and not ether src 00:04:75:82:53:43
honeyd[65538]: Demoting process privileges to uid 32767, gid 32767
^Z
[2]+  Stopped                 honeyd -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.15.103 -d
18:12:17
#bg
[2]+ honeyd -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf 192.168.15.103 -d &
18:12:22
#honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49661 - 192.168.15.103:23)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:775)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:831)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:829)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:18183)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:1023)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:1662)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:522)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:800)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:1668)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:72)
...
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:589)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:727)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:2045)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:173)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:24)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:229)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:1248)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:4000)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:313)
honeyd[65538]: Killing attempted connection: tcp (192.168.15.22:49660 - 192.168.15.103:850)
18:21:35
#tail -n20 /var/log/messages
Dec 23 17:40:27 src@fbsd1 honeyd[65276]: Kqueue does not recognize bpf filedescriptor.
Dec 23 17:40:27 src@fbsd1 xl0: promiscuous mode disabled
Dec 23 17:40:59 src@fbsd1 honeyd[65295]: started with -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf -d 192.168.15.100-192.168.15.109
Dec 23 17:40:59 src@fbsd1 xl0: promiscuous mode enabled
Dec 23 17:40:59 src@fbsd1 honeyd[65295]: Demoting process privileges to uid 32767, gid 32767
Dec 23 17:42:38 src@fbsd1 syslog-ng[552]: STATS: dropped 0
Dec 23 17:52:38 src@fbsd1 syslog-ng[552]: STATS: dropped 0
Dec 23 18:02:38 src@fbsd1 syslog-ng[552]: STATS: dropped 0
Dec 23 18:07:12 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.135 and others, ports 80, 443, 3389, 256, 21, 22, 554, ..., fSrpauxy @18:07:12
Dec 23 18:07:18 src@fbsd1 scanlogd: 192.168.15.22:33928 to 192.168.15.103 ports 201, 1449, 109, 6101, 1484, 1358, 767, 792, ..., fSrpauxy, TOS 00 @18:07:18
Dec 23 18:07:45 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.103 and others, ports 80, 23, 3389, 636, 256, 53, 1723, 443, ..., f??pauxy, TOS 00 @18:07:45
Dec 23 18:09:52 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.105 ports 722, 80, 389, 53, 21, 25, ..., f??pauxy, TOS 00 @18:09:52
Dec 23 18:12:00 src@fbsd1 xl0: promiscuous mode disabled
Dec 23 18:12:13 src@fbsd1 honeyd[65538]: started with -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf -d 192.168.15.103
Dec 23 18:12:13 src@fbsd1 xl0: promiscuous mode enabled
Dec 23 18:12:13 src@fbsd1 honeyd[65538]: Demoting process privileges to uid 32767, gid 32767
Dec 23 18:12:39 src@fbsd1 syslog-ng[552]: STATS: dropped 4107
Dec 23 18:19:58 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.105 and others, ports 470, 21, 3389, 389, 554, 80, 636, ..., f??pauxy, TOS 00 @18:19:58
Dec 23 18:20:39 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.100 ports 6008, 1021, 495, 693, 11, 659, 377, ..., fSrpauxy, TOS 00 @18:20:39
Dec 23 18:21:17 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.100 ports 496, 125, 5520, 6009, 18182, 843, 622, 600, ..., fSrpauxy, TOS 00 @18:21:17
18:21:53
#honeyd[65538]: Expiring OS fingerprint for 192.168.15.22

18:27:40
#tail -n20 /var/log/messages
Dec 23 17:40:27 src@fbsd1 xl0: promiscuous mode disabled
Dec 23 17:40:59 src@fbsd1 honeyd[65295]: started with -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf -d 192.168.15.100-192.168.15.109
Dec 23 17:40:59 src@fbsd1 xl0: promiscuous mode enabled
Dec 23 17:40:59 src@fbsd1 honeyd[65295]: Demoting process privileges to uid 32767, gid 32767
Dec 23 17:42:38 src@fbsd1 syslog-ng[552]: STATS: dropped 0
Dec 23 17:52:38 src@fbsd1 syslog-ng[552]: STATS: dropped 0
Dec 23 18:02:38 src@fbsd1 syslog-ng[552]: STATS: dropped 0
Dec 23 18:07:12 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.135 and others, ports 80, 443, 3389, 256, 21, 22, 554, ..., fSrpauxy @18:07:12
Dec 23 18:07:18 src@fbsd1 scanlogd: 192.168.15.22:33928 to 192.168.15.103 ports 201, 1449, 109, 6101, 1484, 1358, 767, 792, ..., fSrpauxy, TOS 00 @18:07:18
Dec 23 18:07:45 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.103 and others, ports 80, 23, 3389, 636, 256, 53, 1723, 443, ..., f??pauxy, TOS 00 @18:07:45
Dec 23 18:09:52 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.105 ports 722, 80, 389, 53, 21, 25, ..., f??pauxy, TOS 00 @18:09:52
Dec 23 18:12:00 src@fbsd1 xl0: promiscuous mode disabled
Dec 23 18:12:13 src@fbsd1 honeyd[65538]: started with -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf -d 192.168.15.103
Dec 23 18:12:13 src@fbsd1 xl0: promiscuous mode enabled
Dec 23 18:12:13 src@fbsd1 honeyd[65538]: Demoting process privileges to uid 32767, gid 32767
Dec 23 18:12:39 src@fbsd1 syslog-ng[552]: STATS: dropped 4107
Dec 23 18:19:58 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.105 and others, ports 470, 21, 3389, 389, 554, 80, 636, ..., f??pauxy, TOS 00 @18:19:58
Dec 23 18:20:39 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.100 ports 6008, 1021, 495, 693, 11, 659, 377, ..., fSrpauxy, TOS 00 @18:20:39
Dec 23 18:21:17 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.100 ports 496, 125, 5520, 6009, 18182, 843, 622, 600, ..., fSrpauxy, TOS 00 @18:21:17
Dec 23 18:22:39 src@fbsd1 syslog-ng[552]: STATS: dropped 889
18:27:50
#tail -n20 /var/log/messages
Dec 23 17:40:27 src@fbsd1 xl0: promiscuous mode disabled
Dec 23 17:40:59 src@fbsd1 honeyd[65295]: started with -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf -d 192.168.15.100-192.168.15.109
Dec 23 17:40:59 src@fbsd1 xl0: promiscuous mode enabled
Dec 23 17:40:59 src@fbsd1 honeyd[65295]: Demoting process privileges to uid 32767, gid 32767
Dec 23 17:42:38 src@fbsd1 syslog-ng[552]: STATS: dropped 0
Dec 23 17:52:38 src@fbsd1 syslog-ng[552]: STATS: dropped 0
Dec 23 18:02:38 src@fbsd1 syslog-ng[552]: STATS: dropped 0
Dec 23 18:07:12 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.135 and others, ports 80, 443, 3389, 256, 21, 22, 554, ..., fSrpauxy @18:07:12
Dec 23 18:07:18 src@fbsd1 scanlogd: 192.168.15.22:33928 to 192.168.15.103 ports 201, 1449, 109, 6101, 1484, 1358, 767, 792, ..., fSrpauxy, TOS 00 @18:07:18
Dec 23 18:07:45 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.103 and others, ports 80, 23, 3389, 636, 256, 53, 1723, 443, ..., f??pauxy, TOS 00 @18:07:45
Dec 23 18:09:52 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.105 ports 722, 80, 389, 53, 21, 25, ..., f??pauxy, TOS 00 @18:09:52
Dec 23 18:12:00 src@fbsd1 xl0: promiscuous mode disabled
Dec 23 18:12:13 src@fbsd1 honeyd[65538]: started with -p /usr/local/share/honeyd/nmap.prints -f /usr/local/bin/honeyd.conf -d 192.168.15.103
Dec 23 18:12:13 src@fbsd1 xl0: promiscuous mode enabled
Dec 23 18:12:13 src@fbsd1 honeyd[65538]: Demoting process privileges to uid 32767, gid 32767
Dec 23 18:12:39 src@fbsd1 syslog-ng[552]: STATS: dropped 4107
Dec 23 18:19:58 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.105 and others, ports 470, 21, 3389, 389, 554, 80, 636, ..., f??pauxy, TOS 00 @18:19:58
Dec 23 18:20:39 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.100 ports 6008, 1021, 495, 693, 11, 659, 377, ..., fSrpauxy, TOS 00 @18:20:39
Dec 23 18:21:17 src@fbsd1 scanlogd: 192.168.15.22 to 192.168.15.100 ports 496, 125, 5520, 6009, 18182, 843, 622, 600, ..., fSrpauxy, TOS 00 @18:21:17
Dec 23 18:22:39 src@fbsd1 syslog-ng[552]: STATS: dropped 889
/dev/ttyp2
18:29:05
#telnet 193.111.9.10 63389
Trying 193.111.9.10...
telnet: connect to address 193.111.9.10: Operation timed out
telnet: Unable to connect to remote host
18:37:25
#telnet 193.111.9.10 63389
Trying 193.111.9.10...
telnet: connect to address 193.111.9.10: Operation timed out
telnet: Unable to connect to remote host
18:41:36
#telnet 193.111.9.10 63389
Trying 193.111.9.10...
telnet: connect to address 193.111.9.10: Operation timed out
telnet: Unable to connect to remote host
18:43:15
#telnet 193.111.9.10 63389
Trying 193.111.9.10...
telnet: connect to address 193.111.9.10: Operation timed out
telnet: Unable to connect to remote host
18:44:38
#telnet 193.111.9.10 63388
Trying 193.111.9.10...
telnet: connect to address 193.111.9.10: Operation timed out
telnet: Unable to connect to remote host
18:46:16
#telnet 193.111.9.10 63389
Trying 193.111.9.10...
telnet: connect to address 193.111.9.10: Operation timed out
telnet: Unable to connect to remote host
18:47:36
#telnet 193.111.9.10 63389
Trying 193.111.9.10...
telnet: connect to address 193.111.9.10: Operation timed out
telnet: Unable to connect to remote host
/dev/ttyp4
18:51:06
#pkg_add -r rdp
Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.0-release/Latest/rdp.tbz: File unavailable (e.g., file not found, no access)
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.0-release/Latest/rdp.tbz' by URL
/dev/ttyp2
18:51:33
#telnet 193.111.9.10 63389
Trying 193.111.9.10...
telnet: connect to address 193.111.9.10: Operation timed out
telnet: Unable to connect to remote host
/dev/ttyp4
18:51:56
#pkg_add -r rdpclient
Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.0-release/Latest/rdpclient.tbz: File unavailable (e.g., file not found, no access)
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.0-release/Latest/rdpclient.tbz' by URL
/dev/ttyp2
18:52:52
#telnet 193.111.9.10 63389
Trying 193.111.9.10...
telnet: connect to address 193.111.9.10: Operation timed out
telnet: Unable to connect to remote host
/dev/ttyp4
19:00:44
#cd /usr/ports

41 minutes passed
19:41:56
#make search name=rdp
Port:   chordpack-0.8.0
Path:   /usr/ports/audio/chordpack
Info:   Script to convert ChordPro files to HTML, ASCII, and TeX
Maint:  sethk@meowfishies.com
B-deps:
R-deps:
WWW:    http://sweb.cz/dan.polansky/chordpack/
Port:   cardpics-0.4
Path:   /usr/ports/games/cardpics
Info:   Free cards for your free card games!
...
B-deps:
R-deps: apache-1.3.33_2 expat-1.95.8_3 mysql-client-4.1.13 perl-5.8.7 php4-4.4.0 php4-mysql-4.4.0 php4-pcre-4.4.0 php4-xml-4.4.0
WWW:    http://wordpress.org/
Port:   wordpress-mu-1.5.1.3,1
Path:   /usr/ports/www/wordpress-mu
Info:   Multi-user version of the famous WordPress blogging application
Maint:  tjs@cdpa.nsysu.edu.tw
B-deps:
R-deps: apache-1.3.33_2 expat-1.95.8_3 mysql-client-4.1.13 perl-5.8.7 php4-4.4.0 php4-mysql-4.4.0 php4-pcre-4.4.0 php4-xml-4.4.0
WWW:    http://mu.wordpress.org/
19:42:09
#pwd
/usr/ports
19:44:28
#cd /lan
bash: cd: /lan: No such file or directory
19:44:35
#cd /var/ports/lan
bash: cd: /var/ports/lan: No such file or directory
19:44:51
#cd /usr/ports/

19:45:29
#pwd
/usr/ports
19:45:32
#ls
.cvsignore      Templates       benchmarks      devel           games           korean          net-mgmt        security        x11-clocks
CHANGES         Tools           biology         distfiles       german          lang            news            shells          x11-fm
INDEX-6         UPDATING        cad             dns             graphics        mail            palm            sysutils        x11-fonts
LEGAL           accessibility   chinese         editors         hebrew          math            polish          textproc        x11-servers
MOVED           arabic          comms           emulators       hungarian       mbone           portuguese      ukrainian       x11-themes
Makefile        archivers       converters      finance         irc             misc            print           vietnamese      x11-toolkits
Mk              astro           databases       french          japanese        multimedia      russian         www             x11-wm
README          audio           deskutils       ftp             java            net             science         x11
19:45:34
#ls -l
total 7374
-rw-r--r--     1 root  wheel       19 Jul 15  1997 .cvsignore
-rw-r--r--     1 root  wheel    34741 Jun 18  2005 CHANGES
-rw-r--r--     1 root  wheel  6905144 Nov  3 10:09 INDEX-6
-rw-r--r--     1 root  wheel    31415 Jul 31 01:42 LEGAL
-rw-r--r--     1 root  wheel   107736 Aug 18 04:09 MOVED
-rw-r--r--     1 root  wheel     4922 Dec 17  2004 Makefile
drwxr-xr-x     2 root  wheel      512 Dec 18 21:36 Mk
-rw-r--r--     1 root  wheel     1423 Aug  4  2002 README
drwxr-xr-x     2 root  wheel      512 Dec 18 21:36 Templates
...
drwxr-xr-x    19 root  wheel      512 Dec 18 21:34 vietnamese
drwxr-xr-x   874 root  wheel    20480 Dec 18 21:34 www
drwxr-xr-x   280 root  wheel     5632 Dec 18 21:34 x11
drwxr-xr-x    54 root  wheel     1536 Dec 18 21:34 x11-clocks
drwxr-xr-x    37 root  wheel     1024 Dec 18 21:34 x11-fm
drwxr-xr-x    70 root  wheel     2048 Dec 18 21:34 x11-fonts
drwxr-xr-x    19 root  wheel      512 Dec 18 21:34 x11-servers
drwxr-xr-x   146 root  wheel     4608 Dec 18 21:34 x11-themes
drwxr-xr-x   220 root  wheel     4608 Dec 18 21:34 x11-toolkits
drwxr-xr-x   122 root  wheel     2560 Dec 18 21:34 x11-wm
19:45:42
#cd /usr/ports/net/

19:46:04
#ls -l
drwxr-xr-x  3 root  wheel    512 Dec 18 21:35 rwhois
drwxr-xr-x  4 root  wheel    512 Dec 18 21:35 samba
drwxr-xr-x  2 root  wheel    512 Dec 18 21:35 samba-libsmbclient
drwxr-xr-x  3 root  wheel    512 Dec 18 21:35 samba3
drwxr-xr-x  3 root  wheel    512 Dec 18 21:35 sambasentinel
drwxr-xr-x  2 root  wheel    512 Dec 18 21:35 samplicator
drwxr-xr-x  3 root  wheel    512 Dec 18 21:35 sbd
drwxr-xr-x  3 root  wheel    512 Dec 18 21:35 scamper
drwxr-xr-x  2 root  wheel    512 Dec 18 21:35 scand
drwxr-xr-x  2 root  wheel    512 Dec 18 21:35 scr_ipfm
...
drwxr-xr-x  3 root  wheel    512 Dec 18 21:34 wistumbler2
drwxr-xr-x  2 root  wheel    512 Dec 18 21:34 wmlj
drwxr-xr-x  2 root  wheel    512 Dec 18 21:34 wmnd
drwxr-xr-x  3 root  wheel    512 Dec 18 21:34 wmnet
drwxr-xr-x  3 root  wheel    512 Dec 18 21:34 wmnet2
drwxr-xr-x  2 root  wheel    512 Dec 18 21:34 wmnetload
drwxr-xr-x  3 root  wheel    512 Dec 18 21:34 wmnetmon
drwxr-xr-x  3 root  wheel    512 Dec 18 21:34 wmpiki
drwxr-xr-x  2 root  wheel    512 Dec 18 21:34 wmping
drwxr-xr-x  3 root  wheel    512 Dec 18 21:34 wmq3
19:46:08
#ls -l|grep rdp
drwxr-xr-x  2 root  wheel    512 Dec 18 21:35 py-rrdpipe
19:46:17
#cd ..

19:46:33
#cd /usr/ports/ne
net/      net-mgmt/ news/
19:46:33
#cd /usr/ports/net-mgmt/

19:47:03
#ls -l
drwxr-xr-x  3 root  wheel   512 Dec 18 21:34 aspathtree
drwxr-xr-x  3 root  wheel   512 Dec 18 21:34 bandwidthd
drwxr-xr-x  3 root  wheel   512 Dec 18 21:34 bgpq
drwxr-xr-x  3 root  wheel   512 Dec 18 21:34 bigsister
drwxr-xr-x  3 root  wheel   512 Dec 18 21:34 bpft
drwxr-xr-x  2 root  wheel   512 Dec 18 21:34 braa
drwxr-xr-x  3 root  wheel   512 Dec 18 21:34 bsd-airtools
drwxr-xr-x  3 root  wheel   512 Dec 18 21:34 cdpd
drwxr-xr-x  3 root  wheel   512 Dec 18 21:34 cdpr
drwxr-xr-x  3 root  wheel   512 Dec 18 21:34 cfgstoragemk
...
drwxr-xr-x  2 root  wheel   512 Dec 18 21:34 subcalc
drwxr-xr-x  2 root  wheel   512 Dec 18 21:34 sysmon
drwxr-xr-x  2 root  wheel   512 Dec 18 21:34 tas
drwxr-xr-x  2 root  wheel   512 Dec 18 21:34 tcpreplay
drwxr-xr-x  2 root  wheel   512 Dec 18 21:34 tcptrack
drwxr-xr-x  3 root  wheel   512 Dec 18 21:34 trafd
drwxr-xr-x  2 root  wheel   512 Dec 18 21:34 whatmask
drwxr-xr-x  3 root  wheel   512 Dec 18 21:34 wide-dhcp
drwxr-xr-x  3 root  wheel   512 Dec 18 21:34 yabm
drwxr-xr-x  4 root  wheel   512 Dec 18 21:34 zabbix
19:47:09
#ls -l|grep rdp

19:51:22
#cd /tmp

19:51:28
#ls -l
total 796
drwxrwxrwt  2 root   wheel        512 Dec 23 09:33 .ICE-unix
-r--r--r--  1 root   wheel         11 Dec 23 09:32 .X0-lock
drwxrwxrwt  2 root   wheel        512 Dec 23 09:32 .X11-unix
drwxrwxrwt  2 root   wheel        512 Dec 23 09:31 .XIM-unix
drwxrwxrwt  2 root   wheel        512 Dec 23 09:31 .font-unix
drwxrwxr-x  2 root   operator     512 Dec 21 09:25 .snap
-r-sr-sr-x  1 root   wheel     281372 Dec 20 11:07 .vi
drwx------  5 500    500          512 Dec 19 10:52 Term-VT102-0.82
-rw-r--r--  1 root   wheel      25211 Dec 19 10:53 Term-VT102-0.82.tar.gz
...
-rw-------  1 root   wheel      71238 Dec 23 11:33 nessus-GYDjEB
-rw-------  1 root   wheel      98605 Dec 23 15:05 nessus-wC2UGh
-rw-r--r--  1 root   wheel     216017 Dec 23 19:51 rdesktop-1.4.1.tar.gz
-rwxr-xr-x  1 root   wheel        121 Dec 19 14:59 save-log-line.sh
-rw-r--r--  1 root   wheel        258 Dec 19 14:59 saved-log-lines
drwx------  2 user   wheel        512 Dec 19 12:39 scrollkeeper-user
-rw-r--r--  1 root   wheel       3213 Dec 20 11:38 suid-md5-1
-rw-r--r--  1 root   wheel       3213 Dec 20 11:39 suid-md5-22
-rw-r--r--  1 root   wheel        280 Dec 19 16:45 swatch.log
-rw-r--r--  1 root   wheel         58 Dec 22 10:40 time
19:51:32
#tar -xvfz rdesktop-1.4.1.tar.gz
tar: Error opening archive: Failed to open 'z': No such file or directory
19:51:58
#tar -xvf rdesktop-1.4.1.tar.gz
x rdesktop-1.4.1/COPYING
x rdesktop-1.4.1/README
x rdesktop-1.4.1/configure
x rdesktop-1.4.1/configure.ac
x rdesktop-1.4.1/config.sub
x rdesktop-1.4.1/config.guess
x rdesktop-1.4.1/bootstrap
x rdesktop-1.4.1/install-sh
x rdesktop-1.4.1/Makefile.in
x rdesktop-1.4.1/rdesktop.spec
...
x rdesktop-1.4.1/doc/AUTHORS
x rdesktop-1.4.1/doc/TODO
x rdesktop-1.4.1/doc/ChangeLog
x rdesktop-1.4.1/doc/keymapping.txt
x rdesktop-1.4.1/doc/keymap-names.txt
x rdesktop-1.4.1/doc/ipv6.txt
x rdesktop-1.4.1/doc/licensing.txt
x rdesktop-1.4.1/doc/patches.txt
x rdesktop-1.4.1/doc/redirection.txt
x rdesktop-1.4.1/doc/rdesktop.1
19:52:06
#ls
.ICE-unix               .snap                   Text-Iconv-1.4.tar.gz   ksocket-user            nessus-wC2UGh           scrollkeeper-user
.X0-lock                .vi                     dd                      mcop-root               rdesktop-1.4.1          suid-md5-1
.X11-unix               Term-VT102-0.82         kde-root                mcop-user               rdesktop-1.4.1.tar.gz   suid-md5-22
.XIM-unix               Term-VT102-0.82.tar.gz  kde-user                mysql.sock              save-log-line.sh        swatch.log
.font-unix              Text-Iconv-1.4          ksocket-root            nessus-GYDjEB           saved-log-lines         time
19:52:09
#cd rdesktop-1.4.1

19:52:29
#ls
COPYING         channels.c      constants.h     iso.c           orders.h        pstcache.c      rdpdr.c         scancodes.h     xkeymap.c
Makefile.in     cliprdr.c       disk.c          keymaps         parallel.c      rdesktop.c      rdpsnd.c        secure.c        xproto.h
README          config.guess    disk.h          licence.c       parse.h         rdesktop.h      rdpsnd_libao.c  serial.c        xwin.c
bitmap.c        config.sub      doc             mcs.c           printer.c       rdesktop.spec   rdpsnd_oss.c    tcp.c
bootstrap       configure       ewmhints.c      mppc.c          printercache.c  rdp.c           rdpsnd_sgi.c    types.h
cache.c         configure.ac    install-sh      orders.c        proto.h         rdp5.c          rdpsnd_sun.c    xclip.c
19:52:30
#make install
make: don't know how to make install. Stop
19:52:44
#pkg_add -r rdesktop
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.0-release/Latest/rdesktop.tbz... Done.
19:54:19
#rdeskop
rdesktop: A Remote Desktop Protocol client.
Version 1.4.1. Copyright (C) 1999-2005 Matt Chapman.
See http://www.rdesktop.org/ for more information.
Usage: rdesktop [options] server[:port]
   -u: user name
   -d: domain
   -s: shell
   -c: working directory
   -p: password (- to prompt)
   -n: client hostname
...
             for redirected disks
         '-r lptport:LPT1=/dev/lp0': enable parallel redirection of /dev/lp0 to LPT1
             or      LPT1=/dev/lp0,LPT2=/dev/lp1
         '-r printer:mydeskjet': enable printer redirection
             or      mydeskjet="HP LaserJet IIIP" to enter server driver as well
         '-r sound:[local|off|remote]': enable sound redirection
                     remote would leave sound on server
   -0: attach to console
   -4: use RDP version 4
   -5: use RDP version 5 (default)
19:54:27
#rdesktop 193.111.9.10:63389
^C
19:55:54
#rdesktop 195.234.213.194
ERROR: connect: Operation timed out

Sunday (12/24/06)

/dev/ttyp4
09:41:39
#df
Filesystem  1K-blocks    Used   Avail Capacity  Mounted on
/dev/ad1s1a    507630  168382  298638    36%    /
devfs               1       1       0   100%    /dev
/dev/ad1s1f   1982798   16790 1807386     1%    /home
/dev/ad1s1e    507630    2866  464154     1%    /tmp
/dev/ad1s1g   4954158 2929048 1628778    64%    /usr
/dev/ad1s1d   2004526   81754 1762410     4%    /var
101 minutes elapsed
11:22:49
#disk -e
bash: disk: command not found
11:24:07
#disklabel
usage: bsdlabel disk
                (to read label)
        bsdlabel -w [-n] [-m machine] disk [type]
                (to write label with existing boot program)
        bsdlabel -e [-n] [-m machine] disk
                (to edit label)
        bsdlabel -R [-n] [-m machine] disk protofile
                (to restore label with existing boot program)
        bsdlabel -B [-b boot] [-m machine] disk
                (to install boot program with existing on-disk label)
        bsdlabel -w -B [-n] [-b boot] [-m machine] disk [type]
                (to write label and install boot program)
        bsdlabel -R -B [-n] [-b boot] [-m machine] disk protofile
                (to restore label and install boot program)
11:24:14
#/dev/ads1
bash: /dev/ads1: No such file or directory
11:25:58
#pkg_add -r snort
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.0-release/Latest/snort.tbz... Done.
         ***********************************
         * !!!!!!!!!!! WARNING !!!!!!!!!!! *
         ***********************************
snort now uses rcNG startup scripts and must be enabled via /etc/rc.conf
Available variables:
  snort_enable (bool):          Set to YES to enable snort
                                Default: NO
  snort_flags (str):            Extra flags passed to snort
                                Default: -Dq
  snort_interface (str):        Network interface to sniff
                                Default: ""
  snort_conf (str):             Snort configuration file
                                Default: ${PREFIX}/etc/snort.conf
/dev/ttyp6
11:31:07
#ssh m02
 10:09am  up 5 days, 21:54,  1 user,  load average: 0.00, 0.00, 0.00
47 processes: 44 sleeping, 3 running, 0 zombie, 0 stopped
CPU states:  0.3% user, 39.5% system,  0.0% nice, 60.0% idle
Mem:   125856K av,  123340K used,    2516K free,       0K shrd,   30612K buff
Swap:  401584K av,     224K used,  401360K free                   32116K cached
  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
    3 root      16   0     0    0     0 RW   39.2  0.0  4045m kapm-idled
10735 root      10   0  1060 1060   852 R     0.3  0.8   0:00 top
 1418 squid      9   0 31748  31M  1340 S     0.1 25.2   2:27 squid
    1 root       8   0   468  468   400 S     0.0  0.3   0:03 init
...
   along with the mailing lists, can be searched by going to
   http://www.FreeBSD.org/search/.  If the doc distribution has
   been installed, they're also available formatted in /usr/share/doc.
If you still have a question or problem, please take the output of
`uname -a', along with any relevant error messages, and email it
as a question to the questions@FreeBSD.org mailing list.  If you are
unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
manual page.  If you are not familiar with manual pages, type `man man'.
You may also use sysinstall(8) to re-enter the installation and
configuration utility.  Edit /etc/motd to change this login announcement.
69 minutes elapsed
/dev/ttyp4
12:40:51
#vi /etc/rc.conf
31a32,33
> snort_enable="YES"
> snort_interface="xl0"
12:44:13
#vi /etc/snort.conf
12:45:22
#cat /usr/local/etc/snort.conf
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
#
# This example will create a rule type that will log to syslog and a mysql
# database:
# ruletype redalert
...
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
# Include any thresholding or suppression commands. See threshold.conf in the
# <snort src>/etc directory for details. Commands don't necessarily need to be
# contained in this conf, but a separate conf makes it easier to maintain them.
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\threshold.conf
# Uncomment if needed.
# include threshold.conf
12:45:43
#init 0

Files

  • /etc/rc.local
  • /usr/local/etc/snort.conf
  • /etc/rc.local
    >
    nohup /usr/local/sbin/syslog_mysql.sh &
    
    /usr/local/etc/snort.conf
    >
    #   type log
    #   output log_tcpdump: suspicious.log
    # }
    #
    # EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
    # suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
    #
    # This example will create a rule type that will log to syslog and a mysql
    # database:
    # ruletype redalert
    # {
    #   type alert
    #   output alert_syslog: LOG_AUTH LOG_ALERT
    #   output database: log, mysql, user=snort dbname=snort host=localhost
    # }
    #
    # EXAMPLE RULE FOR REDALERT RULETYPE:
    # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
    #   (msg:"Someone is being LEET"; flags:A+;)
    #
    # Include classification & priority settings
    # Note for Windows users:  You are advised to make this an absolute path,
    # such as:  c:\snort\etc\classification.config
    #
    include ../share/snort/classification.config
    #
    # Include reference systems
    # Note for Windows users:  You are advised to make this an absolute path,
    # such as:  c:\snort\etc\reference.config
    #
    include ../share/snort/reference.config
    ####################################################################
    # Step #4: Configure snort with config statements
    #
    # See the snort manual for a full set of configuration references
    config flowbits_size: 256
    ####################################################################
    # Step #5: Customize your rule set
    #
    # Up to date snort rules are available at http://www.snort.org
    #
    # The snort web site has documentation about how to write your own custom snort
    # rules.
    #
    # The rules included with this distribution generate alerts based on on
    # suspicious activity. Depending on your network environment, your security
    # policies, and what you consider to be suspicious, some of these rules may
    # either generate false positives ore may be detecting activity you consider to
    # be acceptable; therefore, you are encouraged to comment out rules that are
    # not applicable in your environment.
    #
    # The following individuals contributed many of rules in this distribution.
    #
    # Credits:
    #   Ron Gula <rgula@securitywizards.com> of Network Security Wizards
    #   Max Vision <vision@whitehats.com>
    #   Martin Markgraf <martin@mail.du.gtn.com>
    #   Fyodor Yarochkin <fygrave@tigerteam.net>
    #   Nick Rogness <nick@rapidnet.com>
    #   Jim Forster <jforster@rapidnet.com>
    #   Scott McIntyre <scott@whoi.edu>
    #   Tom Vandepoel <Tom.Vandepoel@ubizen.com>
    #   Brian Caswell <bmc@snort.org>
    #   Zeno <admin@cgisecurity.com>
    #   Ryan Russell <ryan@securityfocus.com>
    #=========================================
    # Include all relevant rulesets here
    #
    # The following rulesets are disabled by default:
    #
    #   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
    #   chat, multimedia, and p2p
    #
    # These rules are either site policy specific or require tuning in order to not
    # generate false positive alerts in most enviornments.
    #
    # Please read the specific include file for more information and
    # README.alert_order for how rule ordering affects how alerts are triggered.
    #=========================================
    include $RULE_PATH/local.rules
    include $RULE_PATH/bad-traffic.rules
    include $RULE_PATH/exploit.rules
    include $RULE_PATH/scan.rules
    include $RULE_PATH/finger.rules
    include $RULE_PATH/ftp.rules
    include $RULE_PATH/telnet.rules
    include $RULE_PATH/rpc.rules
    include $RULE_PATH/rservices.rules
    include $RULE_PATH/dos.rules
    include $RULE_PATH/ddos.rules
    include $RULE_PATH/dns.rules
    include $RULE_PATH/tftp.rules
    include $RULE_PATH/web-cgi.rules
    include $RULE_PATH/web-coldfusion.rules
    include $RULE_PATH/web-iis.rules
    include $RULE_PATH/web-frontpage.rules
    include $RULE_PATH/web-misc.rules
    include $RULE_PATH/web-client.rules
    include $RULE_PATH/web-php.rules
    include $RULE_PATH/sql.rules
    include $RULE_PATH/x11.rules
    include $RULE_PATH/icmp.rules
    include $RULE_PATH/netbios.rules
    include $RULE_PATH/misc.rules
    include $RULE_PATH/attack-responses.rules
    include $RULE_PATH/oracle.rules
    include $RULE_PATH/mysql.rules
    include $RULE_PATH/snmp.rules
    include $RULE_PATH/smtp.rules
    include $RULE_PATH/imap.rules
    include $RULE_PATH/pop2.rules
    include $RULE_PATH/pop3.rules
    include $RULE_PATH/nntp.rules
    include $RULE_PATH/other-ids.rules
    # include $RULE_PATH/web-attacks.rules
    # include $RULE_PATH/backdoor.rules
    # include $RULE_PATH/shellcode.rules
    # include $RULE_PATH/policy.rules
    # include $RULE_PATH/porn.rules
    # include $RULE_PATH/info.rules
    # include $RULE_PATH/icmp-info.rules
     include $RULE_PATH/virus.rules
    # include $RULE_PATH/chat.rules
    # include $RULE_PATH/multimedia.rules
    # include $RULE_PATH/p2p.rules
    include $RULE_PATH/experimental.rules
    # Include any thresholding or suppression commands. See threshold.conf in the
    # <snort src>/etc directory for details. Commands don't necessarily need to be
    # contained in this conf, but a separate conf makes it easier to maintain them.
    # Note for Windows users:  You are advised to make this an absolute path,
    # such as:  c:\snort\etc\threshold.conf
    # Uncomment if needed.
    # include threshold.conf
    
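The snort.conf above selects rule files with include lines and carries two commented-out example rules (the suspicious and redalert ruletypes), but it shows nothing of how a rule header is actually evaluated against traffic. The block below is an added illustration, not Snort's code and not from the lab: it parses rule headers of exactly that shape (action, protocol, source and destination with $HOME_NET / $EXTERNAL_NET variables, "!" negation, port ranges, the -> and <> direction operators) plus the flags option, and runs the two example rules over constructed packets. The excerpt does not show the var HOME_NET / EXTERNAL_NET definitions, so the values used here are assumptions; if either is left at the shipped default of any, $EXTERNAL_NET matches internal hosts too and the redalert rule fires on internal traffic.

```python
# Added example, not Snort's code: a minimal matcher for rule headers of the
# kind used in the snort.conf excerpt above.  HOME_NET/EXTERNAL_NET values are
# assumptions; the excerpt does not show the var lines that define them.
import ipaddress
import re
from collections import namedtuple

VARS = {                                  # assumed site values
    "HOME_NET": ["192.168.1.0/24"],
    "EXTERNAL_NET": ["!192.168.1.0/24"],  # i.e. the usual "!$HOME_NET"
}
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
Rule = namedtuple("Rule", "action proto src sport direction dst dport opts")
Packet = namedtuple("Packet", "proto src sport dst dport flags", defaults=(0,))


def parse_rule(text):
    """Split 'action proto src sport dir dst dport (opt:val; ...)' into a Rule."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule header: " + text)
    opts = {}
    for item in m["opts"].split(";"):     # naive: no ';' inside quoted msg text
        key, _, val = item.strip().partition(":")
        if key:
            opts[key] = val.strip().strip('"')
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], opts)

def addr_match(spec, ip):
    """'any', a CIDR block or a $VAR, each optionally negated with '!'."""
    if spec == "any":
        return True
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    if spec.startswith("$"):
        hit = any(addr_match(n, ip) for n in VARS[spec[1:]])
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def port_match(spec, port):
    """'any', a number or lo:hi (either end may be empty), optionally '!'-negated."""
    if spec == "any":
        return True
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def flags_match(spec, flags):
    """flags:A = exactly these bits; A+ = these set, others allowed; A* = any of these."""
    mod = spec[-1] if spec[-1] in "+*" else ""
    want = sum(TCP_FLAGS[c] for c in spec.rstrip("+*"))
    if mod == "+":
        return flags & want == want
    if mod == "*":
        return flags & want != 0
    return flags == want

def header_match(rule, pkt):
    """Protocol, addresses and ports; '<>' also accepts the reversed tuple."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    fwd = (addr_match(rule.src, pkt.src) and port_match(rule.sport, pkt.sport)
           and addr_match(rule.dst, pkt.dst) and port_match(rule.dport, pkt.dport))
    if fwd or rule.direction == "->":
        return fwd
    return (addr_match(rule.src, pkt.dst) and port_match(rule.sport, pkt.dport)
            and addr_match(rule.dst, pkt.src) and port_match(rule.dport, pkt.sport))

def matches(rule, pkt):
    """Header plus the one payload-independent option this example understands."""
    if not header_match(rule, pkt):
        return False
    return "flags" not in rule.opts or flags_match(rule.opts["flags"], pkt.flags)

def run(rules, packets):
    """(action, msg) for every rule that fires, in packet order."""
    return [(r.action, r.opts.get("msg", "")) for p in packets for r in rules if matches(r, p)]


RULES = [parse_rule(r) for r in (   # the two example rules from the snort.conf comments above
    'suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)',
    'redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; flags:A+;)',
)]
PACKETS = [                         # constructed traffic, not from the lab
    Packet("tcp", "192.168.1.10", 51000, "192.168.1.20", 6667, TCP_FLAGS["S"]),  # internal IRC: fires
    Packet("tcp", "192.168.1.10", 51001, "10.9.8.7", 31337, TCP_FLAGS["S"]),     # SYN only: A+ fails
    Packet("tcp", "192.168.1.10", 51001, "10.9.8.7", 31337, TCP_FLAGS["A"] | TCP_FLAGS["P"]),  # fires
    Packet("tcp", "10.9.8.7", 6667, "192.168.1.20", 6667, TCP_FLAGS["A"]),       # external source: no
]

if __name__ == "__main__":
    print(run(RULES, PACKETS))
```

Run with python3 and it prints the two hits, the suspicious rule on the first packet and the redalert rule on the third. The second packet shows what flags:A+ means: the ACK bit must be set, other bits may be, so a bare SYN to port 31337 does not fire; a plain flags:A would have refused the ACK+PSH packet as well. What happens on a hit is decided by the ruletype, not the matcher: in the config above suspicious goes to a tcpdump file and redalert to syslog plus a MySQL database, which this example only reports as the action name.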

    Statistics

    Time of the first command in the journal: 17:13:39 2006-12-23
    Time of the last command in the journal:  12:45:43 2006-12-24
    Number of command lines in the journal: 85
    Commands with a non-zero exit code, %: 24.71
    Syntactically mistyped commands, %: 2.35
    Total time spent at the terminal *, hours: 2.24
    Command lines per unit of time, commands/min: 0.63

    Command usage frequency
    cd              10 |==========| 10.31%
    grep            10 |==========| 10.31%
    telnet           9 |=========| 9.28%
    ls               9 |=========| 9.28%
    ps               8 |========| 8.25%
    vi               8 |========| 8.25%
    honeyd           7 |=======| 7.22%
    pkg_add          4 |====| 4.12%
    tail             3 |===| 3.09%
    pwd              2 |==| 2.06%
    make             2 |==| 2.06%
    bg               2 |==| 2.06%
    rdesktop         2 |==| 2.06%
    honeyd[65538]:   2 |==| 2.06%
    192.168.15.22    2 |==| 2.06%
    cat              2 |==| 2.06%
    killall          2 |==| 2.06%
    honeyd[65295]:   2 |==| 2.06%
    tar              2 |==| 2.06%
    top              1 |=| 1.03%
    ads1             1 |=| 1.03%
    pkg_info         1 |=| 1.03%
    df               1 |=| 1.03%
    init             1 |=| 1.03%
    ssh              1 |=| 1.03%
    disklabel        1 |=| 1.03%
    rdeskop          1 |=| 1.03%
    disk             1 |=| 1.03%
    ____
    *) Idle intervals of 30 minutes or more are not counted

    Help

    Using LiLaLo requires no special knowledge: everything happens by itself. To make keeping the journals, and using them later, as effective as possible, keep the following in mind:
    1. All commands entered in any terminal of the system are recorded in the journal automatically.

    2. To make sure that the journal is being kept on the current terminal and commands are being recorded, run the command w. The WHAT field for the current terminal should show the program script.

    3. Commands that were mistyped (syntax errors) are shown struck through:
      $ l s-l
      bash: l: command not found
      

    4. If a command's exit code is zero, the command completed without errors. Commands whose exit code is non-zero are highlighted in colour.
      $ test 5 -lt 4
      Note that a non-zero exit code does not always mean the command failed: many commands use the exit code to report the result of a check, as test does here.

    5. Commands whose execution was interrupted by the user are highlighted in colour.
      $ find / -name abc
      find: /home/devi-orig/.gnome2: Keine Berechtigung
      find: /home/devi-orig/.gnome2_private: Keine Berechtigung
      find: /home/devi-orig/.nautilus/metafiles: Keine Berechtigung
      find: /home/devi-orig/.metacity: Keine Berechtigung
      find: /home/devi-orig/.inkscape: Keine Berechtigung
      ^C
      

    6. Commands executed with superuser privileges are marked with a red bar on the left.
      # id
      uid=0(root) gid=0(root) Gruppen=0(root)
      

    7. Changes made to a text file with an editor are recorded and shown in the journal as a diff, in the default output format of diff(1). Lines beginning with "<" were removed; lines beginning with ">" were added.
      $ vi ~/.bashrc
      2a3,5
      >    if [ -f /usr/local/etc/bash_completion ]; then
      >         . /usr/local/etc/bash_completion
      >        fi
      

    8. To change a file according to the changes shown in a diffshot, use the patch command: copy the changes, run patch with the file to be changed as its argument, and paste the copied text:
      $ patch ~/.bashrc
      Here the changes are applied to the file ~/.bashrc.

    9. To get brief reference information about a command, hover the mouse over it. A tooltip with a short description of the command appears.

      If reference information for a command exists, the command is highlighted with a light-blue background, for example: vi. If it is missing, the command is highlighted with a pink background, for example: notepad.exe. Reference information may be missing when (1) the command was entered incorrectly; (2) LiLaLo did not recognise the command correctly; (3) LiLaLo knows nothing about the command. The last is possible for rare commands.

    10. Large, especially multi-line, tooltips are displayed best by KDE Konqueror, Apple Safari and Microsoft Internet Explorer. Mozilla and Firefox show them incompletely, printing a special character instead of a line break.

    11. The command time shown in the journal is the moment entry of the command line began, i.e. the moment the shell prompt appeared on the terminal.

    12. The name of the terminal on which a command was entered is shown in a special block. The block is shown only when the terminal of the current command differs from that of the previous one.

    13. Journal elements you are not interested in at the moment, such as the time, the terminal name and others, can be hidden. Use the journal control form at the top of the page.

    14. Short comments on commands can be inserted directly from the command line. The comment is typed on the command line after the characters #^ or #v. The characters ^ and v give the direction of the command the comment refers to: ^ the previous one, v the next one. For example, if the following was entered on the command line:

      $ whoami
      
      user
      
      $ #^ Интересно, кто я?
      
      in the journal it looks like this:
      $ whoami
      
      user
      
      Интересно, кто я?

    15. A comment spanning several lines can be inserted into the journal as follows:

      $ whoami
      
      user
      
      $ cat > /dev/null #^ Интересно, кто я?
      
      Программа whoami выводит имя пользователя, под которым 
      мы зарегистрировались в системе.
      -
      Она не может ответить на вопрос о нашем назначении 
      в этом мире.
      
      In the journal it looks like this:
      $ whoami
      user
      
      Интересно, кто я?
      Программа whoami выводит имя пользователя, под которым
      мы зарегистрировались в системе.

      Она не может ответить на вопрос о нашем назначении
      в этом мире.
      To separate paragraphs from one another, use the character "-" alone on a line.

    16. Comments that do not relate to any particular command are added in exactly the same way, except that the characters #= are used instead of #^ or #v.

    17. The contents of a file can be shown in the journal. To do so, print it with the program cat. If the command's output is marked with the characters #!, the file contents are shown in a dedicated section of the journal.
    18. To insert a screenshot of a window into the journal, use the command l3shot. After the command is invoked, select with the mouse the window that should appear in the journal.
    19. Commands in the journal are arranged in chronological order. If two commands were given one after another but on different terminals, they appear next to each other in the journal even if they have nothing to do with one another.
      1
          2
      3   
          4
      
      Groups of commands executed on different terminals are separated by a special line. Under this line, in the right corner, the name of the terminal on which the commands were executed is shown. To see the commands of a single session only, click on that name.
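Items 7 and 8 above describe the hunk format the journal records for editor changes and how to apply it with patch. The header "2a3,5" followed by "> " lines is diff(1)'s default ("normal") output; an ed script, which diff -e produces, carries the text after the command and ends each block with a lone "." line, and patch(1) accepts both. The block below is an added example, not LiLaLo's or patch's code: it parses normal-format hunks (a, c and d commands with "<" and ">" lines) and applies them to a list of lines, including the check that the "<" lines really are what is in the file, which is what patch does before touching anything. The .bashrc contents and the second diff are constructed; the first diff is the hunk from item 7.

```python
# Added example, not LiLaLo's or patch(1)'s code: a reader for the
# '2a3,5 / > ...' hunks that the journal records for editor changes
# (diff(1)'s default "normal" output), applied to a list of lines.
import re

HUNK_RE = re.compile(r"^(\d+)(?:,(\d+))?([acd])(\d+)(?:,(\d+))?$")


def parse_normal_diff(diff_text):
    """Return hunks as dicts: cmd in a/c/d, old-file range l1..l2, '<' and '>' lines."""
    hunks, cur = [], None
    for line in diff_text.splitlines():
        m = HUNK_RE.match(line)
        if m:
            l1, l2, cmd, _r1, _r2 = m.groups()   # right-hand numbers are not needed to apply
            cur = {"cmd": cmd, "l1": int(l1), "l2": int(l2 or l1), "old": [], "new": []}
            hunks.append(cur)
        elif cur is not None and line.startswith("< "):
            cur["old"].append(line[2:])
        elif cur is not None and line.startswith("> "):
            cur["new"].append(line[2:])
        elif line != "---" and line.strip():          # '---' separates the halves of a 'c' hunk
            raise ValueError("unexpected line: " + line)
    return hunks


def apply_normal_diff(old_lines, diff_text):
    """Apply the hunks back to front, so each hunk's old-file line numbers stay valid."""
    out = list(old_lines)
    for h in reversed(parse_normal_diff(diff_text)):
        if h["cmd"] == "a":                           # 'Na...': insert after old line N
            out[h["l1"]:h["l1"]] = h["new"]
            continue
        start, end = h["l1"] - 1, h["l2"]
        if out[start:end] != h["old"]:                # the same check patch(1) makes before editing
            raise ValueError("old text does not match at lines %d-%d" % (h["l1"], h["l2"]))
        out[start:end] = h["new"]                     # 'c' replaces; 'd' has an empty 'new'
    return out


BASHRC = ["# .bashrc", "alias ll='ls -l'", "export EDITOR=vi"]   # constructed file contents
DIFFSHOT = """\
2a3,5
>    if [ -f /usr/local/etc/bash_completion ]; then
>         . /usr/local/etc/bash_completion
>        fi
"""                                                              # the hunk from item 7
TWO_HUNKS = """\
1d0
< # .bashrc
3c3
< export EDITOR=vi
---
> export EDITOR=vim
"""                                                              # constructed: a delete, then a change

if __name__ == "__main__":
    print("\n".join(apply_normal_diff(BASHRC, DIFFSHOT)))
    print("\n".join(apply_normal_diff(BASHRC, TWO_HUNKS)))
```

Applying hunks in reverse order is the simplest way to keep the left-hand line numbers valid: they refer to the unmodified file, and an earlier insertion or deletion would shift everything after it. patch instead walks forward and tracks the offset, and also uses the "<" lines to search for a fuzzy match nearby; this example only checks them and refuses on a mismatch, which is the safe behaviour when the diffshot was taken from a file that has since changed.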

    About

    LiLaLo (L3) stands for Live Lab Log.
    The program was developed to make teaching Unix/Linux systems more effective.
    (c) Игорь Чубин, 2004-2008
