Lab journal

Contents

Journal

Thursday (11/16/06)

/dev/pts/6
19:18:18
#tail /var/log/snort/
alert                   tcpdump.log.1163696993  tcpdump.log.1163697182  tcpdump.log.1163697407  tcpdump.log.1163697488
19:18:18
#tail /var/log/snort/alert

19:18:40
#tail /var/log/snort/alert
[**] [122:1:0] (portscan) TCP Portscan [**]
11/16-12:18:50.490329 192.168.15.2 -> 192.168.15.1
PROTO255 TTL:0 TOS:0x0 ID:6230 IpLen:20 DgmLen:159 DF
19:18:54
#less /etc/snort/
19:18:54
#less /etc/snort/classification.config
19:23:22
#grep scan /etc/snort/*
/etc/snort/classification.config:config classification: network-scan,Detection of a Network Scan,3
/etc/snort/gen-msg.map:100 || 1 || spp_portscan: Portscan Detected
/etc/snort/gen-msg.map:100 || 2 || spp_portscan: Portscan Status
/etc/snort/gen-msg.map:100 || 3 || spp_portscan: Portscan Ended
/etc/snort/gen-msg.map:117 || 1 || spp_portscan2: Portscan detected!
/etc/snort/gen-msg.map:121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
/etc/snort/gen-msg.map:121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
/etc/snort/gen-msg.map:121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
/etc/snort/gen-msg.map:121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
/etc/snort/gen-msg.map:122 || 1 || portscan: TCP Portscan
...
/etc/snort/snort.conf:# ignore_scanned { Snort IP List }
/etc/snort/snort.conf:# option specifies the IP(s) to watch for portscan. The
/etc/snort/snort.conf:# 'ignore_scanners' option specifies the IP(s) to ignore as scanners.
/etc/snort/snort.conf:# Note that these hosts are still watched as scanned hosts. The
/etc/snort/snort.conf:# 'ignore_scanners' option is used to tune alerts from very active
/etc/snort/snort.conf:# hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option
/etc/snort/snort.conf:# specifies the IP(s) to ignore as scanned hosts. Note that these hosts
/etc/snort/snort.conf:# are still watched as scanner hosts. The 'ignore_scanned' option is
/etc/snort/snort.conf:preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
/etc/snort/snort.conf:include $RULE_PATH/scan.rules
19:23:31
#grep portscan /etc/snort/*
/etc/snort/gen-msg.map:100 || 1 || spp_portscan: Portscan Detected
/etc/snort/gen-msg.map:100 || 2 || spp_portscan: Portscan Status
/etc/snort/gen-msg.map:100 || 3 || spp_portscan: Portscan Ended
/etc/snort/gen-msg.map:117 || 1 || spp_portscan2: Portscan detected!
/etc/snort/gen-msg.map:121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
/etc/snort/gen-msg.map:121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
/etc/snort/gen-msg.map:121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
/etc/snort/gen-msg.map:121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
/etc/snort/gen-msg.map:122 || 1 || portscan: TCP Portscan
/etc/snort/gen-msg.map:122 || 2 || portscan: TCP Decoy Portscan
...
/etc/snort/snort.conf:# scan_type { portscan portsweep decoy_portscan distributed_portscan all }
/etc/snort/snort.conf:# sensitivity in which to detect portscans. The 'low' sensitivity
/etc/snort/snort.conf:# tuning. The 'medium' sensitivity level detects portscans and
/etc/snort/snort.conf:# filtered portscans (portscans that receive no response). This
/etc/snort/snort.conf:# lower thresholds for portscan detection and a longer time window than
/etc/snort/snort.conf:# The maximum number of bytes to allocate for portscan detection. The
/etc/snort/snort.conf:# This option specifies the file to log portscan and detailed portscan
/etc/snort/snort.conf:# configured log directory. Refer to README.sfportscan for details on
/etc/snort/snort.conf:# option specifies the IP(s) to watch for portscan. The
/etc/snort/snort.conf:preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
19:23:35
#vi /etc/snort/snort.conf
19:25:23
#ls /var/log/snort/
alert  tcpdump.log.1163696993  tcpdump.log.1163697182  tcpdump.log.1163697407  tcpdump.log.1163697488
19:25:26
#tail /var/log/snort/alert
[**] [122:1:0] (portscan) TCP Portscan [**]
11/16-12:18:50.490329 192.168.15.2 -> 192.168.15.1
PROTO255 TTL:0 TOS:0x0 ID:6230 IpLen:20 DgmLen:159 DF
19:25:30
#vi /etc/acidlab/a
19:25:30
#vi /etc/acidlab/acid_conf.php
19:27:31
#less /usr/share/doc/snort
19:27:31
#less /usr/share/doc/snort-
19:27:31
#less /usr/share/doc/snort-
19:27:31
#less /usr/share/doc/snort-common/
19:27:31
#apt-cache search snort-doc
snort-doc - Documentation for the Snort IDS [documentation]
19:27:59
#apt-get install snort-doc
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
  snort-doc
0 upgraded, 1 newly installed, 0 to remove and 6 not upgraded.
Need to get 1120kB of archives.
After unpacking 12.5MB of additional disk space will be used.
Get:1 http://debian.org.ua stable/main snort-doc 2.3.2-3 [1120kB]
Fetched 1120kB in 20s (54.2kB/s)
Selecting previously deselected package snort-doc.
(Reading database ... 91746 files and directories currently installed.)
Unpacking snort-doc (from .../snort-doc_2.3.2-3_all.deb) ...
Setting up snort-doc (2.3.2-3) ...
19:28:34
#ls /usr/share/doc/snort
snort                snort-common         snort-doc            snort-mysql          snort-rules-default
19:28:34
#ls /usr/share/doc/snort-doc/
FAQ.txt.gz        README.UNSOCK.gz       README.database.gz       README.flowbits         README.wireless  changelog.Debian.gz  snort_manual.pdf.gz
NEWS.Debian.gz    README.WIN32.gz        README.docs              README.gz               RULES.todo.gz    changelog.gz         snort_schema_v106.pdf.gz
README.FLEXRESP   README.alert_order.gz  README.event_queue       README.http_inspect.gz  TODO             copyright
README.INLINE.gz  README.asn1.gz         README.flow              README.sfportscan.gz    USAGE.gz         examples
README.PLUGINS    README.csv             README.flow-portscan.gz  README.thresholding.gz  WISHLIST         signatures
19:28:46
#zless /usr/share/doc/snort-doc/README.sfportscan.gz
19:29:56
#ls /var/log/snort/
alert  tcpdump.log.1163696993  tcpdump.log.1163697182  tcpdump.log.1163697407  tcpdump.log.1163697488
19:30:03
#vi /etc/acidlab/a
19:30:03
#vi /etc/acidlab/acid_conf.php
19:33:50
#zless /usr/share/doc/snort-doc/README.
19:33:50
#zless /usr/share/doc/snort-doc/README.flow-portscan.gz
19:34:20
#less /var/log/snort/alert
19:38:22
#less /var/log/snort/alert
19:39:51
#less /var/log/snort/alert
19:41:23
#tail /var/log/snort/alert
[**] [122:1:0] (portscan) TCP Portscan [**]
11/16-12:18:50.490329 192.168.15.2 -> 192.168.15.1
PROTO255 TTL:0 TOS:0x0 ID:6230 IpLen:20 DgmLen:159 DF
19:43:20
#vi /etc/snort/snort.conf
19:48:57
#less /usr/share/doc/snort-doc/README.
19:48:57
#zless /usr/share/doc/snort-doc/README.database.gz
19:49:33
#/etc/init.d/
Stopping Network Intrusion Detection System: snort(eth0).
Starting Network Intrusion Detection System: snort(eth0)No /etc/snort/snort.eth0.conf, defaulting to snort.conf
.
19:49:42
#tail -f /var/log/
XFree86.0.log        base-config.timings  exim4                lp-acct              messages             nessus               uucp.log
XFree86.0.log.old    btmp                 fontconfig.log       lp-errs              mysql                news                 wtmp
apache2              daemon.log           gdm                  lpr.log              mysql.err            scrollkeeper.log
aptitude             debian-installer     honeypot             mail.err             mysql.err.1.gz       snort
auth.log             debug                kern.log             mail.info            mysql.log            syslog
backup               dirmngr.log          ksymoops             mail.log             mysql.log.1.gz       syslog.1.gz
base-config.log      dmesg                lastlog              mail.warn            mysql.pipe           user.log
19:49:42
#tail -f /var/log/snort/
alert                   tcpdump.log.1163696993  tcpdump.log.1163697182  tcpdump.log.1163697407  tcpdump.log.1163697488
19:49:42
#tail -f /var/log/snort/alert
PROTO255 TTL:0 TOS:0x0 ID:51614 IpLen:20 DgmLen:170
[**] [1:1420:11] SNMP trap tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/16-12:53:43.746297 22.202.150.251:34170 -> 192.168.15.1:162
TCP TTL:56 TOS:0x0 ID:48466 IpLen:20 DgmLen:44
******S* Seq: 0xD951EA7E  Ack: 0x0  Win: 0x400  TcpLen: 24
TCP Options (1) => MSS: 1460
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]
[**] [122:1:0] (portscan) TCP Portscan [**]
11/16-14:20:49.210555 192.168.15.1 -> 192.168.15.2
...
***AP*** Seq: 0xDC99D22  Ack: 0xE67CCB8  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 10553735 19147651
[**] [122:1:0] (portscan) TCP Portscan [**]
11/16-14:39:38.735613 192.168.15.2 -> 192.168.15.1
PROTO255 TTL:0 TOS:0x0 ID:39787 IpLen:20 DgmLen:162 DF
[**] [119:18:1] (http_inspect) WEBROOT DIRECTORY TRAVERSAL [**]
11/16-14:39:39.703655 192.168.15.2:58887 -> 192.168.15.1:80
TCP TTL:64 TOS:0x0 ID:39314 IpLen:20 DgmLen:346 DF
***AP*** Seq: 0xDA0907B  Ack: 0xDC10E2A  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 10553837 19147750
/dev/pts/17
19:51:30
#ps ax | grep snort
24887 pts/9    S+     0:00 tail -f /var/log/snort/alert
24895 pts/18   R+     0:00 grep snort
19:51:37
#tail /var/log/syslog
Nov 16 12:49:42 linux1 snort: telnet_decode arguments:
Nov 16 12:49:42 linux1 snort:     Ports to decode telnet on: 21 23 25 119
Nov 16 12:49:42 linux1 snort: Portscan Detection Config:
Nov 16 12:49:42 linux1 snort:     Detect Protocols:  TCP UDP ICMP IP
Nov 16 12:49:42 linux1 snort:     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
Nov 16 12:49:42 linux1 snort:     Sensitivity Level: Low
Nov 16 12:49:42 linux1 snort:     Memcap (in bytes): 10000000
Nov 16 12:49:42 linux1 snort:     Number of Nodes:   36900
Nov 16 12:49:42 linux1 snort:
Nov 16 12:49:42 linux1 snort: FATAL ERROR: Cannot open performance log file '/var/snort/snort.stats'
19:51:45
#vi /etc/snort/snort.conf
451c451
< preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
---
> preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000
19:52:08
#/etc/init.d/snort restart
Stopping Network Intrusion Detection System: snort(eth0).
Starting Network Intrusion Detection System: snort(eth0)No /etc/snort/snort.eth0.conf, defaulting to snort.conf
.
19:52:18
#tail /var/log/syslog
Nov 16 12:52:19 linux1 snort: | gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60
Nov 16 12:52:19 linux1 snort: | gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60
Nov 16 12:52:19 linux1 snort: | gen-id=1      sig-id=3542       type=Threshold tracking=src count=5   seconds=2
Nov 16 12:52:19 linux1 snort: | gen-id=1      sig-id=4984       type=Threshold tracking=src count=5   seconds=2
Nov 16 12:52:19 linux1 snort: +-----------------------[suppression]------------------------------------------
Nov 16 12:52:19 linux1 snort: | none
Nov 16 12:52:19 linux1 snort: +------------------------------------------------------------------------------
Nov 16 12:52:19 linux1 snort: Rule application order: ->activation->dynamic->alert->pass->log
Nov 16 12:52:19 linux1 snort: Log directory = /var/log/snort
Nov 16 12:52:19 linux1 snort: Snort initialization completed successfully (pid=24950)
19:52:24
#apt-cache search base
gtkam-gimp - gtkam gimp plugin
gtkfontsel - A gtk+ based font selection utility
gtkgo - Skinable version of the game "Go"
gtkhtml - HTML rendering/editing library - bonobo component binary.
gtkhtml3.0 - HTML rendering/editing library - bonobo component binary
gtkhtml3.2 - HTML rendering/editing library - bonobo component binary
gtkodbcconfig0 - GTK-based ODBC configuration library
gtkpod - manage songs and playlists on an Apple iPod
gtksee - GTK-based clone of ACDSee (an image viewer)
gtktalog - Disk catalog
...
jhcore - Jay's House Core, an enhanced core database for lambdamoo
jigit - tools for working with jigdo files
jitterbug - A cgi-bin tool for problem reporting and tracking
jlatex209-base - basic NTT JLaTeX 2.09 macro files
jmpost - Japanized MetaPost, a system for drawing pictures
jpilot-backup - Backup plugin for J-Pilot
jsboard - A web-based news/discussion system
jtex-base - basic NTT JTeX library files
jtex-bin - NTT Japanese TeX binary files
juice - playlist editor / player frontend
/dev/pts/5
19:59:42
#vi /usr/share/acidlab/acid_graph_common.php
56 minutes elapsed
/dev/pts/17
20:56:35
#apt-cache search BASE
gtkam-gimp - gtkam gimp plugin
gtkfontsel - A gtk+ based font selection utility
gtkgo - Skinable version of the game "Go"
gtkhtml - HTML rendering/editing library - bonobo component binary.
gtkhtml3.0 - HTML rendering/editing library - bonobo component binary
gtkhtml3.2 - HTML rendering/editing library - bonobo component binary
gtkodbcconfig0 - GTK-based ODBC configuration library
gtkpod - manage songs and playlists on an Apple iPod
gtksee - GTK-based clone of ACDSee (an image viewer)
gtktalog - Disk catalog
...
jhcore - Jay's House Core, an enhanced core database for lambdamoo
jigit - tools for working with jigdo files
jitterbug - A cgi-bin tool for problem reporting and tracking
jlatex209-base - basic NTT JLaTeX 2.09 macro files
jmpost - Japanized MetaPost, a system for drawing pictures
jpilot-backup - Backup plugin for J-Pilot
jsboard - A web-based news/discussion system
jtex-base - basic NTT JTeX library files
jtex-bin - NTT Japanese TeX binary files
juice - playlist editor / player frontend
20:56:52
#apt-cache search php gd
fisg - Fast IRC Statistics Generator
gdancer - visualization plug-in for xmms
lg-issue86 - Issue 86 of the Linux Gazette.
libphp-phplot - The graphic library for PHP
php3 - server-side, HTML-embedded scripting language (apache 1.3 module)
php3-cgi - server-side, HTML-embedded scripting language (CGI binary)
php3-cgi-gd - GD (graphic creation) module for PHP3 (use with php3-cgi)
php3-gd - GD (graphic creation) module for PHP3 (use with php3)
php4-gd - GD module for php4
22 minutes elapsed
21:19:02
#apt-get install php4-g
php4-gd    php4-gd2   php4-gpib
21:19:02
#apt-get install php4-gd
Reading Package Lists... Done
Building Dependency Tree... Done
php4-gd is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 6 not upgraded.
21:19:32
#mv /home/user/Desktop/base-1.2.6 /usr/share/locale/
Display all 114 possibilities? (y or n)
21:19:32
#mv /home/user/Desktop/base-1.2.6 /usr/share/
Display all 204 possibilities? (y or n)
21:19:32
#mv /home/user/Desktop/base-1.2.6 /usr/local/share/

/dev/pts/19
21:20:51
#nmap 192.168.15.2
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-11-16 14:26 EST
Interesting ports on linux2.linux.nt (192.168.15.2):
(The 1657 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
...
/dev/pts/17
21:22:29
#d /usr/local/share/
bash: d: command not found
21:22:31
#cd /usr/local/share/

21:22:41
#ln -s base-1.2.6 base

21:22:46
#cp /etc/apache2//conf.d/{apache,base}.conf

21:23:25
#vi /etc/apache2//conf.d/base.conf
2c2
< Alias /acidlab	/usr/share/acidlab
---
> Alias /base	/usr/local/share/base
4c4
< <DirectoryMatch /usr/share/acidlab/>
---
> <DirectoryMatch /usr/local/share/base/>
21:24:01
#/etc/init.d/apache2 restart
Forcing reload of web server: Apache2.
21:24:09
#ls base
admin               base_db_setup.php       base_graph_main.php   base_qry_alert.php     base_stat_class.php   base_stat_time.php   images     sql
base_ag_common.php  base_denied.php         base_hdr1.php         base_qry_common.php    base_stat_common.php  base_stat_uaddr.php  includes   styles
base_ag_main.php    base_footer.php         base_hdr2.php         base_qry_form.php      base_stat_ipaddr.php  base_user.php        index.php
base_common.php     base_graph_common.php   base_main.php         base_qry_main.php      base_stat_iplink.php  contrib              languages
base_conf.php.dist  base_graph_display.php  base_maintenance.php  base_qry_sqlcalls.php  base_stat_ports.php   docs                 scripts
base_db_common.php  base_graph_form.php     base_payload.php      base_stat_alerts.php   base_stat_sensor.php  help                 setup
21:25:35
#cd base

21:25:42
#cp base_co
base_common.php     base_conf.php.dist
21:25:42
#cp base_co
base_common.php     base_conf.php.dist
21:25:42
#cp base_conf.php{.dist,}

21:25:51
#vi base_conf.php
27c27
< $BASE_Language = 'english';
---
> $BASE_Language = 'russian';
90,91c90,91
< $alert_user     = 'snort';
< $alert_password = 'mypassword';
---
> $alert_user     = 'root';
> $alert_password = 'rootpass';
98,99c98,99
< $archive_user     = 'snort';
< $archive_password = 'mypassword';
---
> $archive_user     = 'root';
> $archive_password = 'rootpass';
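Review bot: the alert and archive connections are switched from the dedicated 'snort' account to the MySQL root account with the password 'rootpass', stored in a file the web server reads; any bug in BASE, or in any other site on this Apache, then yields full control of every database on the host. Keep a dedicated low-privilege user (the shipped default is 'snort') granted only on the snort database, with a non-dictionary password; BASE needs nothing beyond SELECT/INSERT/UPDATE/DELETE on those tables once base_db_setup.php has created its own.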
/dev/pts/19
21:26:35
#nmap 192.168.15.2
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-11-16 14:36 EST
Interesting ports on linux2.linux.nt (192.168.15.2):
(The 1657 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
...
/dev/pts/17
21:27:29
#apt-cache search adodb
libphp-adodb - The 'adodb' database abstraction layer for php
21:29:08
#apt-get install libphp-adodb
Reading Package Lists... Done
Building Dependency Tree... Done
libphp-adodb is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 6 not upgraded.
21:29:16
#dpkg -L libphp-adodb
/usr/share/adodb/toexport.inc.php
/usr/share/adodb/tohtml.inc.php
/usr/share/adodb/xmlschema.dtd
/usr/share/adodb/perf
/usr/share/adodb/perf/perf-db2.inc.php
/usr/share/adodb/perf/perf-informix.inc.php
/usr/share/adodb/perf/perf-mssql.inc.php
/usr/share/adodb/perf/perf-mysql.inc.php
/usr/share/adodb/perf/perf-oci8.inc.php
/usr/share/adodb/perf/perf-postgres.inc.php
...
/usr/share/doc/libphp-adodb/tute.htm
/usr/share/doc/libphp-adodb/adodb-sess.txt
/usr/share/doc/libphp-adodb/pear
/usr/share/doc/libphp-adodb/pear/readme.Auth.txt
/usr/share/doc/libphp-adodb/pear/Auth
/usr/share/doc/libphp-adodb/pear/Auth/Container
/usr/share/doc/libphp-adodb/pear/Auth/Container/ADOdb.php.gz
/usr/share/doc/libphp-adodb/README.Debian
/usr/share/doc/libphp-adodb/copyright
/usr/share/doc/libphp-adodb/changelog.Debian.gz
21:29:24
#vi base_conf.php
21:29:49
#dpkg -L libphp-adodb | less
21:29:59
#vi base_conf.php
65c65
< $DBlib_path = '';
---
> $DBlib_path = '/usr/share/adodb';
21:32:12
#apt-cache search pear image
bins - Generate static HTML photo albums using XML and EXIF tags
endeavour2 - file and disk management suite
geomview - interactive geometry viewing program
konq-plugins - plugins for Konqueror, the KDE file/web/doc browser
php-mail-mime - PHP PEAR module for creating and decoding MIME messages
squid-prefetch - Simple page-prefetch for Squid web proxy
tuxpaint - A paint program for young children
tuxpaint-data - Data files for Tux Paint, a paint program for children
tuxpaint-stamps-default - Stamp files for Tux Paint, a paint program for children
zope-plonearticle - plone document that can incorporate images and attachments
zoph - Web based digital image presentation and management system
libxaw7 - X Athena widget set library
xbase-clients - miscellaneous X clients
21:32:24
#apt-cache search php pear
diogenes - web content management system
fibusql - Web based double-entry accounting
php-auth - PHP PEAR modules for creating an authentication system
php-date - PHP PEAR module for Date and Time Zone Classes
php-file - PHP Pear modules for common file and directory routines
php-html-template-it - PEAR HTML Template IT
php-mail-mime - PHP PEAR module for creating and decoding MIME messages
php4-apd - PHP code execution profiler and debugger
php4-pear-log - Log module for PEAR
zoph - Web based digital image presentation and management system
php4-pear - PEAR - PHP Extension and Application Repository
21:32:52
#apt-get install php4-pear
PROTO255 TTL:0 TOS:0x0 ID:24018 IpLen:20 DgmLen:159 DF
[**] [122:1:0] (portscan) TCP Portscan [**]
11/16-14:36:44.525835 192.168.15.1 -> 192.168.15.2
PROTO255 TTL:0 TOS:0x0 ID:25676 IpLen:20 DgmLen:159 DF
[**] [122:1:0] (portscan) TCP Portscan [**]
11/16-14:38:42.883789 192.168.15.2 -> 192.168.15.1
PROTO255 TTL:0 TOS:0x4 ID:24783 IpLen:20 DgmLen:162 DF
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
11/16-14:39:04.868962 192.168.15.2:58499 -> 192.168.15.1:80
TCP TTL:64 TOS:0x0 ID:44319 IpLen:20 DgmLen:84 DF
...
  php4-cli
Recommended packages:
  php4-dev
The following NEW packages will be installed:
  php4-cli php4-pear
0 upgraded, 2 newly installed, 0 to remove and 6 not upgraded.
Need to get 1859kB of archives.
After unpacking 4981kB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://security.debian.org stable/updates/main php4-cli 4:4.3.10-18 [1609kB]
/dev/pts/19
21:36:45
#nmap 192.168.15.2
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-11-16 14:36 EST
Interesting ports on linux2.linux.nt (192.168.15.2):
(The 1657 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
...
21:36:48
#nmap 192.168.15.2
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-11-16 14:36 EST
Interesting ports on linux2.linux.nt (192.168.15.2):
(The 1657 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
113/tcp  open  auth
798/tcp  open  unknown
1241/tcp open  nessus
MAC Address: 00:04:76:A1:F2:5A (3 Com)
Nmap finished: 1 IP address (1 host up) scanned in 1.415 seconds
21:36:50
#vi /etc/snort/
21:36:50
#vi /etc/snort/snort.conf
655,660c655,660
< # include $RULE_PATH/web-attacks.rules
< # include $RULE_PATH/backdoor.rules
< # include $RULE_PATH/shellcode.rules
< # include $RULE_PATH/policy.rules
< # include $RULE_PATH/porn.rules
< # include $RULE_PATH/info.rules
---
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/backdoor.rules
> include $RULE_PATH/shellcode.rules
> include $RULE_PATH/policy.rules
> include $RULE_PATH/porn.rules
> include $RULE_PATH/info.rules
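Review bot: web-attacks, backdoor, shellcode, policy, porn and info are shipped commented out on purpose; policy and porn are usage-policy categories rather than attack signatures, and shellcode.rules is one of the costlier sets to evaluate because it matches on raw payload bytes. On a sensor already running sfportscan at sense_level { low } this mainly increases the volume of /var/log/snort/alert without improving detection of the nmap scan being exercised here. Enable web-attacks and backdoor if that traffic matters; leave the rest off unless there is an actual policy requirement.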
662,665c662,665
< # include $RULE_PATH/virus.rules
< # include $RULE_PATH/chat.rules
< # include $RULE_PATH/multimedia.rules
< # include $RULE_PATH/p2p.rules
---
> include $RULE_PATH/virus.rules
> include $RULE_PATH/chat.rules
> include $RULE_PATH/multimedia.rules
> include $RULE_PATH/p2p.rules
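Review bot: virus, chat, multimedia and p2p are likewise application-policy categories, not intrusion signatures, and are disabled by default for that reason. If they are enabled for the exercise, check the threshold/limit table Snort prints to syslog on restart (visible in the tail of /var/log/syslog below) and tune with event thresholds or suppression, since none is configured ("suppression: none").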
21:38:15
#/etc/init.d/snort restart
Stopping Network Intrusion Detection System: snort(eth0).
Starting Network Intrusion Detection System: snort(eth0)No /etc/snort/snort.eth0.conf, defaulting to snort.conf
.
21:38:22
#tail /var/log/syslog
Nov 16 14:38:25 linux1 snort: | gen-id=1      sig-id=5322       type=Limit     tracking=src count=1   seconds=60
Nov 16 14:38:25 linux1 snort: | gen-id=1      sig-id=7760       type=Limit     tracking=src count=1   seconds=600
Nov 16 14:38:25 linux1 snort: | gen-id=1      sig-id=7739       type=Limit     tracking=src count=1   seconds=300
Nov 16 14:38:25 linux1 snort: | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60
Nov 16 14:38:25 linux1 snort: | gen-id=1      sig-id=6290       type=Limit     tracking=src count=1   seconds=300
Nov 16 14:38:25 linux1 snort: +-----------------------[suppression]------------------------------------------
Nov 16 14:38:25 linux1 snort: | none
Nov 16 14:38:25 linux1 snort: +------------------------------------------------------------------------------
Nov 16 14:38:25 linux1 snort: Rule application order: ->activation->dynamic->alert->pass->log
Nov 16 14:38:25 linux1 snort: Log directory = /var/log/snort
21:38:26
#ls /var/log/snort/
alert        tcpdump.log.1163696993  tcpdump.log.1163697407  tcpdump.log.1163699537
snort.stats  tcpdump.log.1163697182  tcpdump.log.1163697488  tcpdump.log.1163705902
21:38:35
#less /var/log/snort/snort.stats
21:38:51
#snort
snort       snort-stat
21:38:51
#ls /var/log/snort/
alert        tcpdump.log.1163696993  tcpdump.log.1163697407  tcpdump.log.1163699537
snort.stats  tcpdump.log.1163697182  tcpdump.log.1163697488  tcpdump.log.1163705902
21:38:58
#tail -f /var/log/snort/
tail: error reading `/var/log/snort/': Is a directory
tail: /var/log/snort/: cannot follow end of this type of file; giving up on this name
tail: no files remaining
/dev/pts/17
21:38:59
#/etc/init.d/apache2 restart
Forcing reload of web server: Apache2.
/dev/pts/19
21:39:01
#tail -f /var/log/snort/alert
[**] [106:4:1] (spp_rpc_decode) Incomplete RPC segment [**]
11/16-14:39:38.685165 192.168.15.2:58862 -> 192.168.15.1:111
TCP TTL:64 TOS:0x0 ID:38156 IpLen:20 DgmLen:200 DF
***AP*** Seq: 0xDC99C8E  Ack: 0xE67CCB7  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 10553735 19147651
[**] [106:4:1] (spp_rpc_decode) Incomplete RPC segment [**]
11/16-14:39:38.687707 192.168.15.2:58862 -> 192.168.15.1:111
TCP TTL:64 TOS:0x0 ID:38157 IpLen:20 DgmLen:91 DF
***AP*** Seq: 0xDC99D22  Ack: 0xE67CCB8  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 10553735 19147651
[**] [122:1:0] (portscan) TCP Portscan [**]
11/16-14:39:38.735613 192.168.15.2 -> 192.168.15.1
PROTO255 TTL:0 TOS:0x0 ID:39787 IpLen:20 DgmLen:162 DF
[**] [119:18:1] (http_inspect) WEBROOT DIRECTORY TRAVERSAL [**]
11/16-14:39:39.703655 192.168.15.2:58887 -> 192.168.15.1:80
TCP TTL:64 TOS:0x0 ID:39314 IpLen:20 DgmLen:346 DF
***AP*** Seq: 0xDA0907B  Ack: 0xDC10E2A  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 10553837 19147750
/dev/pts/6
21:41:39
#less /var/log/snort/alert
/dev/pts/19
21:44:03
#nmap 192.168.15.2
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-11-16 14:44 EST
Interesting ports on linux2.linux.nt (192.168.15.2):
(The 1657 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
113/tcp  open  auth
798/tcp  open  unknown
1241/tcp open  nessus
MAC Address: 00:04:76:A1:F2:5A (3 Com)
Nmap finished: 1 IP address (1 host up) scanned in 2.116 seconds
21:44:13
#nmap 192.168.15.2
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-11-16 14:44 EST
Interesting ports on linux2.linux.nt (192.168.15.2):
(The 1657 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
              mangle table.
   DNAT
       This target is only valid in the nat table, in the PREROUTING  and  OUTPUT
       chains, and user-defined chains which are only called from those chains.
       It specifies that the destination address of the packet should be modified
       (and all future packets in this connection will also be mangled), and
       rules should cease being examined.  It takes one type of option:
       --to-destination ipaddr[-ipaddr][:port-port]
              which can specify a single new destination IP address, an inclusive
...
              Remove all ECN bits from the TCP header.  Of course, it can only be
              used in conjunction with -p tcp.
   LOG
       Turn on kernel logging of matching packets.  When this option is set for a
       rule, the Linux kernel will print some information on all matching packets
       (like most IP header fields) via the kernel log (where it can be read with
       dmesg  or  syslogd(8)).   This  is  a  "non-terminating target", i.e. rule
       traversal continues at the next rule.  So if you want to LOG  the  packets
       you  refuse, use two separate rules with the same matching criteria, first
       using target LOG then DROP (or REJECT).
/dev/pts/17
21:44:32
#less /usr/local/base/base_graph_main.php
/dev/pts/19
21:44:42
#nmap 192.168.15.2
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-11-16 14:44 EST
Interesting ports on linux2.linux.nt (192.168.15.2):
(The 1657 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
              mangle table.
   DNAT
       This target is only valid in the nat table, in the PREROUTING  and  OUTPUT
       chains, and user-defined chains which are only called from those chains.
       It specifies that the destination address of the packet should be modified
       (and all future packets in this connection will also be mangled), and
       rules should cease being examined.  It takes one type of option:
       --to-destination ipaddr[-ipaddr][:port-port]
              which can specify a single new destination IP address, an inclusive
...
              Remove all ECN bits from the TCP header.  Of course, it can only be
              used in conjunction with -p tcp.
   LOG
       Turn on kernel logging of matching packets.  When this option is set for a
       rule, the Linux kernel will print some information on all matching packets
       (like most IP header fields) via the kernel log (where it can be read with
       dmesg  or  syslogd(8)).   This  is  a  "non-terminating target", i.e. rule
       traversal continues at the next rule.  So if you want to LOG  the  packets
       you  refuse, use two separate rules with the same matching criteria, first
       using target LOG then DROP (or REJECT).
/dev/pts/17
21:44:55
#less /usr/local/share/base/base_graph_main.php
/dev/pts/19
21:44:58
#nmap 192.168.15.2
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-11-16 14:44 EST
Interesting ports on linux2.linux.nt (192.168.15.2):
(The 1657 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
113/tcp  open  auth
798/tcp  open  unknown
1241/tcp open  nessus
MAC Address: 00:04:76:A1:F2:5A (3 Com)
Nmap finished: 1 IP address (1 host up) scanned in 1.952 seconds
21:45:00
#nmap 192.168.15.2
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-11-16 14:45 EST
Interesting ports on linux2.linux.nt (192.168.15.2):
(The 1657 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
113/tcp  open  auth
798/tcp  open  unknown
1241/tcp open  nessus
MAC Address: 00:04:76:A1:F2:5A (3 Com)
Nmap finished: 1 IP address (1 host up) scanned in 1.865 seconds
21:45:03
#nmap 192.168.15.2
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-11-16 14:45 EST
Interesting ports on linux2.linux.nt (192.168.15.2):
(The 1657 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
113/tcp  open  auth
798/tcp  open  unknown
1241/tcp open  nessus
MAC Address: 00:04:76:A1:F2:5A (3 Com)
Nmap finished: 1 IP address (1 host up) scanned in 1.430 seconds
/dev/pts/17
21:45:25
#grep -i pear /usr/local/share/base/*
/usr/local/share/base/base_graph_common.php:           "<P>Check your Pear::Image_Graph installation!".
/usr/local/share/base/base_graph_common.php:            "at <A HREF=\"http://pear.veggerby.dk/\">http://pear.veggerby.dk/</A>.  Without this ".
21:45:34
#vi /usr/local/share/base/base_graph_common.php
21:46:05
#dpkg -L php4-pear | grep -i image.*graph

21:46:19
#dpkg -L php4-pear | less
21:46:31
#apt-cache search image php
aeromail - Web-based e-mail client
gallery - a web-based photo album written in php
gimp-texturize - generates large textures from a small sample
kgamma - Gamma correction KControl module
php-fpdf - PHP class to generate PDF files
php-imlib - PHP Imlib2 Extension
php-mail-mime - PHP PEAR module for creating and decoding MIME messages
php3-cgi-magick - ImageMagick module for PHP3 (use with php3-cgi)
php3-magick - ImageMagick module for PHP3 (use with php3)
php4-imagick - ImageMagick module for php4
phpgroupware-img - phpGroupWare image editor module
webhttrack - Copy websites to your computer, httrack with a Web interface
zoph - Web based digital image presentation and management system

Statistics

Time of the first command in the log          19:18:18 2006-11-16
Time of the last command in the log           21:46:31 2006-11-16
Number of command lines in the log            101
Commands with a non-zero exit code, %         2.97
Syntactically mistyped commands, %            0.99
Total time working at the terminal *, hours   1.52
Command lines per unit of time, commands/min  1.11

Command usage frequency

less                 16  |===============|  15.24%
vi                   15  |==============|   14.29%
tail                 13  |============|     12.38%
nmap                 10  |=========|         9.52%
apt-cache             8  |=======|           7.62%
ls                    7  |======|            6.67%
apt-get               5  |====|              4.76%
grep                  5  |====|              4.76%
dpkg                  4  |===|               3.81%
zless                 4  |===|               3.81%
cp                    4  |===|               3.81%
mv                    3  |==|                2.86%
/etc/init.d/snort     2  |=|                 1.90%
/etc/init.d/apache2   2  |=|                 1.90%
cd                    2  |=|                 1.90%
ps                    1  ||                  0.95%
snort                 1  ||                  0.95%
/etc/init.d/          1  ||                  0.95%
ln                    1  ||                  0.95%
d                     1  ||                  0.95%
____
*) Idle intervals of 30 minutes or longer are not counted

Help

You do not need to know anything special to use LiLaLo: everything happens by itself. However, to make keeping and later using the logs as effective as possible, keep the following in mind:
  1. All commands entered in any terminal of the system are automatically recorded in the log.

  2. To make sure that the log is being kept on the current terminal and that commands are being recorded, run the command w. The WHAT field for the current terminal should show the program script.

  3. Commands that contained syntax errors when typed are shown as struck-through text:
    $ l s-l
    bash: l: command not found
    

  4. If a command's exit code is zero, the command ran without errors. Commands whose exit code is non-zero are highlighted in colour.
    $ test 5 -lt 4
    Note that a command's exit code can be non-zero not only when the command failed. Many commands use the exit code, for example, to report the result of a check

  5. Commands whose execution was interrupted by the user are highlighted in colour.
    $ find / -name abc
    find: /home/devi-orig/.gnome2: Keine Berechtigung
    find: /home/devi-orig/.gnome2_private: Keine Berechtigung
    find: /home/devi-orig/.nautilus/metafiles: Keine Berechtigung
    find: /home/devi-orig/.metacity: Keine Berechtigung
    find: /home/devi-orig/.inkscape: Keine Berechtigung
    ^C
    

  6. Commands executed with superuser privileges are marked with a red bar on the left.
    # id
    uid=0(root) gid=0(root) Gruppen=0(root)
    

  7. Changes made to a text file with an editor are remembered and shown in the log in ed format. Lines beginning with the character "<" were deleted, and lines beginning with the character ">" were added.
    $ vi ~/.bashrc
    2a3,5
    >    if [ -f /usr/local/etc/bash_completion ]; then
    >         . /usr/local/etc/bash_completion
    >        fi
    

  8. To change a file according to the changes shown in a diffshot, you can use the patch command. Copy the changes, run patch with the file to which the changes apply as its argument, and paste the copied text:
    $ patch ~/.bashrc
    In this case the changes are applied to the file ~/.bashrc

  9. To get brief reference information about a command, hover the mouse over it. A tooltip with a short description of the command will appear.

    If reference information for a command exists, the command is highlighted with a blue background, for example: vi. If reference information is missing, the command is highlighted with a pink background, for example: notepad.exe. Reference information may be missing when (1) the command was typed incorrectly; (2) LiLaLo recognized the command incorrectly; (3) LiLaLo has no information about the command. The last case is possible for rare commands.

  10. Large, especially multi-line, tooltips are displayed best by the browsers KDE Konqueror, Apple Safari and Microsoft Internet Explorer. Mozilla and Firefox do not display them completely and print a special character instead of a line break.

  11. The command entry time shown in the log corresponds to the moment the command line began to be typed, which is the moment the shell prompt appeared on the terminal

  12. The name of the terminal on which the command was entered is shown in a special block. This block is shown only if the terminal of the current command differs from the terminal of the previous one.

  13. The display of log elements you are not currently interested in, such as the time, the terminal name and others, can be turned off. To do so, use the log control form at the top of the page.

  14. Short comments on commands can be inserted directly from the command line. The comment is typed right into the command line after the characters #^ or #v. The characters ^ and v indicate the direction in which the command the comment refers to is chosen: ^ refers to the previous command, v to the next one. For example, if the following was entered on the command line:

    $ whoami
    
    user
    
    $ #^ I wonder who I am?
    
    in the log it will look like this:
    $ whoami
    
    user
    
    I wonder who I am?

  15. If a comment spans several lines, it can be inserted into the log as follows:

    $ whoami
    
    user
    
    $ cat > /dev/null #^ I wonder who I am?
    
    The whoami program prints the name of the user 
    we logged in to the system as.
    -
    It cannot answer the question of our purpose 
    in this world.
    
    In the log it will look like this:
    $ whoami
    user
    
    I wonder who I am?
    The whoami program prints the name of the user
    we logged in to the system as.

    It cannot answer the question of our purpose
    in this world.
    To separate several paragraphs from each other, use the character "-" alone on a line.

  16. Comments that do not relate directly to any command are added in exactly the same way, except that the characters #= are used instead of #^ or #v

  17. The contents of a file can be shown in the log. To do so, print it with the cat program. If the command's output is marked with the characters #!, the file contents will be shown in a dedicated section of the log.
  18. To insert a screenshot of a window you are interested in into the log, use the l3shot command. After the command is invoked, select the window that should appear in the log with the mouse.
  19. Commands in the log are arranged in chronological order. If two commands were given one after another but on different terminals, they will be adjacent in the log even if they have nothing to do with each other.
    1
        2
    3   
        4
    
    Groups of commands executed on different terminals are separated by a special line. Below this line, in the right corner, the name of the terminal on which the commands were executed is shown. To see the commands of only one session, click on that name.
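Items 7 and 8 above describe the ed-style ("normal") diff format in which LiLaLo records editor changes, and how the patch command replays them. The Python below is an added example, not part of LiLaLo or of this log: it parses and applies that format itself, and also generates it from two versions of a file, so a recorded diffshot can be checked against the file it claims to modify without the patch program. The ~/.bashrc contents are a constructed sample; the hunk text is the one shown in item 7.

```python
import difflib
import re
from typing import List, Tuple

# Constructed sample: a small ~/.bashrc and the diffshot shown in item 7 of the
# help text (hunk "2a3,5" = append three lines after line 2 of the original).
SAMPLE_ORIGINAL = "# ~/.bashrc (constructed sample)\nexport EDITOR=vi\nalias ll='ls -l'\n"
SAMPLE_DIFF = (
    "2a3,5\n"
    ">    if [ -f /usr/local/etc/bash_completion ]; then\n"
    ">         . /usr/local/etc/bash_completion\n"
    ">        fi\n"
)

# Hunk header of a normal diff: RANGE op RANGE, e.g. "2a3,5", "4d3", "2,3c2".
HUNK_HEADER = re.compile(r"^(\d+)(?:,(\d+))?([acd])(\d+)(?:,(\d+))?$")

# (op, start, end, removed_lines, added_lines); start/end are 1-based, inclusive
# line numbers of the original file. For 'a', start is the line to append after.
Hunk = Tuple[str, int, int, List[str], List[str]]


def parse_ed_diff(diff: str) -> List[Hunk]:
    """Split a normal-format diff into hunks, rejecting anything unrecognised."""
    hunks: List[list] = []
    for line in diff.splitlines():
        m = HUNK_HEADER.match(line)
        if m:
            start = int(m.group(1))
            end = int(m.group(2) or start)
            hunks.append([m.group(3), start, end, [], []])
        elif line == "---" or line == "":
            continue  # separator between the "<" and ">" parts of a 'c' hunk
        elif line[:1] in ("<", ">"):
            if not hunks:
                raise ValueError("diff line before any hunk header")
            text = line[2:] if line[1:2] == " " else line[1:]
            (hunks[-1][3] if line[0] == "<" else hunks[-1][4]).append(text)
        else:
            raise ValueError(f"unexpected diff line: {line!r}")
    return [tuple(h) for h in hunks]


def apply_ed_diff(original: str, diff: str) -> str:
    """Apply a normal-format diff as patch would, refusing a hunk whose '<' lines
    do not match what is actually in the file."""
    lines = original.splitlines()
    # Work from the bottom of the file upwards so that the line numbers of hunks
    # nearer the top are still valid after the hunks below them have been applied.
    for op, start, end, removed, added in sorted(parse_ed_diff(diff),
                                                 key=lambda h: h[1], reverse=True):
        if op == "a":
            if removed:
                raise ValueError("append hunk must not contain '<' lines")
            lines[start:start] = added  # "Na": insert after line N (0 = top of file)
        else:
            if lines[start - 1:end] != removed:
                raise ValueError(f"hunk {start},{end}{op} does not match the file")
            lines[start - 1:end] = added if op == "c" else []
    return "\n".join(lines) + ("\n" if lines else "")


def _rng(x1: int, x2: int) -> str:
    """Format a 0-based half-open slice as a 1-based diff range ("N" or "N,M")."""
    return str(x1 + 1) if x2 - x1 <= 1 else f"{x1 + 1},{x2}"


def make_diff(original: str, modified: str) -> str:
    """Produce a normal-format diff (what plain `diff` prints) for two texts."""
    a, b = original.splitlines(), modified.splitlines()
    out: List[str] = []
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        if tag == "insert":
            out.append(f"{i1}a{_rng(j1, j2)}")            # e.g. 2a3,5
        elif tag == "delete":
            out.append(f"{_rng(i1, i2)}d{j1}")            # e.g. 4d3
        else:
            out.append(f"{_rng(i1, i2)}c{_rng(j1, j2)}")  # e.g. 2,3c2
        out.extend("< " + line for line in a[i1:i2])
        if tag == "replace":
            out.append("---")
        out.extend("> " + line for line in b[j1:j2])
    return "\n".join(out) + ("\n" if out else "")


if __name__ == "__main__":
    patched = apply_ed_diff(SAMPLE_ORIGINAL, SAMPLE_DIFF)
    print(patched)
    # Regenerating the diff from the two versions gives back the recorded hunk.
    print(make_diff(SAMPLE_ORIGINAL, patched) == SAMPLE_DIFF)
```

The mismatch check in apply_ed_diff is the part worth keeping when replaying someone else's diffshots: a hunk whose "<" lines do not match the file is refused rather than applied blindly, which is the same protection patch gives with its rejected-hunk output.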

About

LiLaLo (L3) stands for Live Lab Log.
The program was developed to make learning Unix/Linux systems more effective.
(c) Игорь Чубин, 2004-2008
