snort
Snort user manual (option excerpts from snort(8))
-c config-file
Use the rules located in file config-file.
-C Print the character data from the packet payload only (no hex).
-d Dump the application layer data when displaying packets in verbose or packet logging mode.
-e Display/log the link layer packet headers.
-i interface
Sniff packets on interface.
-n packet-count
Process packet-count packets and exit.
-X Dump the raw packet data starting at the link layer. This switch overrides the '-d' switch.
-v Be verbose. Prints packets out to the console.
-l log-dir
Set the output logging directory to log-dir. All plain
-b Log packets in a tcpdump(1) formatted file. (binary mode)
-r tcpdump-file
Read the tcpdump-formatted file tcpdump-file.
-K logging-mode
Select a packet logging mode. The default is pcap. Valid logging modes include pcap, ascii, and none. Pcap logs packets through the pcap library into pcap (tcpdump) format. Ascii logs packets in the old "directories and files" format with packet printouts in each file. None turns off packet logging.
-h home-net
Set the "home network" to home-net. The format of this address variable is a network prefix plus a CIDR block, such as 192.168.1.0/24. Once this variable is set, all decoded packet logging will be done relative to the home network address space. This is useful because of the way that Snort formats its ASCII log data. With this value set to the local network, all decoded output will be logged into decode directories with the address of the foreign computer as the directory name, which is very useful during traffic analysis.
eg:
sudo snort -de -K ascii -l ./log/ -h 10.214.9.0/24    packet-logger mode (no -c, so no rules are loaded): log decoded packets with application data (-d) and link-layer headers (-e) into ASCII directories named after the foreign host, relative to 10.214.9.0/24
sudo snort -dvr packet.log icmp                       read a tcpdump/pcap file and print only the ICMP packets; the trailing expression is a BPF filter, the same syntax tcpdump uses
Both commands run as root; Snort can drop privileges once the interface is open with -u user -g group, which is the safer way to run it on a live sensor.
Snort uses a simple, lightweight rule description language that is flexible and powerful; see other articles for the rule syntax.
lsof
lsof abc.txt            show the processes that have the file abc.txt open
lsof -i :22             which program is using port 22 right now
lsof -c proc_name       files currently open by processes whose command name begins with proc_name
lsof -p 12              files opened by the process with PID 12
lsof -g gid             open files of the processes in process group gid
lsof +d /usr/local/     files in the directory (top level only) that some process has open
lsof +D /usr/local/     same, but descends into subdirectories, which takes noticeably longer
lsof -d 4               processes that have file descriptor 4 open
lsof -r [t]             repeat the listing every t seconds (default 15 s)
lsof -s                 show the size of each open file; blank where there is no size
lsof -u username        open files of that user (name or UID)
Syntax: lsof -i[46] [protocol][@hostname|hostaddr][:service|port]
46       -> IPv4 or IPv6
protocol -> TCP or UDP
hostname -> Internet host name
hostaddr -> numeric IPv4 (or IPv6) address
service  -> service name from /etc/services (more than one allowed)
port     -> port number (more than one allowed)
Examples: TCP:25                  - TCP and port 25
          @1.2.3.4                - Internet IPv4 host address 1.2.3.4
          tcp@ohaha.ks.edu.tw:ftp - TCP protocol, host ohaha.ks.edu.tw, service name ftp
lsof -n   do not resolve IP addresses to host names (resolution is on by default and can stall the listing on a host with a slow or hostile resolver); -P does the same for port numbers
Example: lsof -i tcp@ohaha.ks.edu.tw:ftp -n
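A worked example, added here and not part of the original notes: a small shell helper that reads `lsof -nP -i` output and lists every listening TCP socket and every bound UDP socket together with the owning process, which is the question the `-i` one-liners above are usually answering during host triage. The sample output is constructed for the example (the hostnames, PIDs and device numbers are made up); the column layout is the one lsof prints, and `-P` (do not map port numbers to service names) is used alongside `-n` so the parser always sees numeric ports.

```shell
#!/bin/sh
# Constructed sample of `lsof -nP -i` output (not captured from a real host).
SAMPLE='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
sshd     812 root    4u  IPv6  12346      0t0  TCP *:22 (LISTEN)
nginx   1201 www     6u  IPv4  22222      0t0  TCP 0.0.0.0:80 (LISTEN)
sshd    2210 root    5u  IPv4  33333      0t0  TCP 10.214.9.191:22->10.214.9.10:51234 (ESTABLISHED)
ntpd     700 ntp    16u  IPv4  44444      0t0  UDP *:123'

# listeners: read `lsof -nP -i` output on stdin and print one
# "PROTO PORT COMMAND PID" line per listening TCP socket or bound UDP socket.
# Column 8 is NODE (TCP/UDP), column 9 is the local address, and a TCP
# listener carries a trailing "(LISTEN)" state; established connections and
# the header line are skipped. sort -u collapses the IPv4/IPv6 duplicates
# that lsof prints for dual-stack daemons.
listeners() {
  awk '
    $8 == "TCP" && $NF == "(LISTEN)" || $8 == "UDP" && NF == 9 {
      n = split($9, a, ":")        # port is the text after the last ":"
      print $8, a[n], $1, $2
    }' | sort -u
}

# count_listeners: number of distinct listener tuples on stdin.
count_listeners() { listeners | wc -l | tr -d ' '; }

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE" | listeners
```

On a live host run `lsof -nP -i | listeners`. Without root lsof only shows your own processes' sockets, which is the usual reason a listener "disappears" from the list, so triage as root or via sudo.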
netstat
-t, -u, -w and -x select TCP, UDP, RAW and UNIX domain sockets respectively
-i  show network interfaces
-p, --programs    display PID/Program name for sockets
-c, --continuous  continuous listing
-e, --extend      display other/more information
eg:
netstat -ta
Show all TCP sockets: established connections as well as listening (passive) sockets waiting to accept a connection. -a is what includes the listening sockets, which are hidden by default; -l shows only them, and -n skips name resolution, so "netstat -tlnp" is the usual listener inventory. On current distributions netstat is often absent and ss (iproute2) takes its place with the same -t/-u/-l/-n/-p letters.
tcpdump
-e  show the MAC (link-layer) addresses
-S  print absolute TCP sequence numbers; without -S they are shown as offsets relative to the initial sequence number
eg: tcpdump dst net not 192.168.123.0/24
    tcpdump 'dst net not 192.168.123.0/24 and dst port not ( www or 25 or 110 or 5000 or domain ) and src port ! ( 4011 or 4010 or 4009 )'
    (quote the expression: parentheses and ! are shell metacharacters and would otherwise never reach tcpdump)
    tcpdump ether src 00:50:04:BA:9B
    (an Ethernet address has six octets; as written here the address is truncated and will not parse as one)
The protocol qualifiers ip, icmp, arp, rarp, tcp and udp select the packet type. They are ordinary filter primitives and can be combined with and/or/not anywhere in the expression; they do not have to be the first word.
    tcpdump udp and src host 192.168.0.1
Add -n to suppress DNS lookups (they slow the capture and reveal what you are looking at to the resolver) and -w file to save a pcap that snort -r or tcpdump -r can read back later.
iptables
eg:
On host 10.214.9.191, NAT-forward the bbs (telnet) service and the FTP service to internal hosts
iptables -t nat -A PREROUTING  -p tcp -d 10.214.9.191 --dport 8823 -j DNAT --to-destination 10.13.21.88:23
iptables -t nat -A POSTROUTING -p tcp -d 10.13.21.88  --dport 23   -j SNAT --to-source 10.214.9.191
# Note: to map FTP successfully the connection-tracking helper must be loaded. The old module names were ip_nat_ftp and ip_conntrack_ftp; on current kernels they are nf_nat_ftp and nf_conntrack_ftp.
# modprobe ip_nat_ftp
iptables -t nat -A PREROUTING  -p tcp -d 10.214.9.191 --dport 8821 -j DNAT --to-destination 10.214.9.113:21
iptables -t nat -A POSTROUTING -p tcp -d 10.214.9.113 --dport 21   -j SNAT --to-source 10.214.9.191
# Forwarding must be on (net.ipv4.ip_forward=1) or the DNATed packets are dropped. The SNAT rule is only needed when the internal host would not route its replies back through 10.214.9.191; its side effect is that the internal host logs every client as 10.214.9.191, so keep the client addresses in the NAT box's own logs.
iptables -nvL            list all rules; this shows the filter table only, the NAT rules above appear with iptables -t nat -nvL
other ref:
examples: http://blog.csdn.net/yeqihong/archive/2007/02/06/1503596.aspx
http://blog.csdn.net/Lamour/archive/2007/05/31/1632464.aspx
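A worked example, added here and not from the original notes or any referenced article: a shell helper that turns a list of "public_port internal_ip:internal_port" mappings into the DNAT/SNAT rule pairs shown above, using the full option names, and an apply function that enables forwarding, loads the FTP helper modules under their current names, and skips any rule that already exists (iptables -C) so re-running the script does not duplicate rules. PUBLIC_IP is taken from the notes; the mapping list format is an assumption of this example. Only the generator runs when the block is executed; apply_nat needs root and is left for the operator to call.

```shell
#!/bin/sh
# Address of the NAT box, as used in the notes above (assumed for this example).
PUBLIC_IP="10.214.9.191"

# nat_rules: read "public_port target_ip:target_port" lines on stdin and print
# the DNAT (PREROUTING) and SNAT (POSTROUTING) commands for each mapping.
nat_rules() {
  while read -r pub target; do
    [ -n "$pub" ] || continue            # skip blank lines
    tip=${target%:*}                     # internal host
    tport=${target#*:}                   # internal port
    printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport %s -j DNAT --to-destination %s\n' \
      "$PUBLIC_IP" "$pub" "$target"
    printf 'iptables -t nat -A POSTROUTING -p tcp -d %s --dport %s -j SNAT --to-source %s\n' \
      "$tip" "$tport" "$PUBLIC_IP"
  done
}

# apply_nat: run the generated rules on this host (requires root). Each -A is
# first tried as -C; if the rule is already present the append is skipped,
# which keeps the script idempotent across reboots and re-runs.
apply_nat() {
  sysctl -w net.ipv4.ip_forward=1
  modprobe nf_conntrack_ftp && modprobe nf_nat_ftp   # current names of ip_conntrack_ftp / ip_nat_ftp
  nat_rules | while read -r cmd; do
    check=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
    $check 2>/dev/null || $cmd
  done
}

# Stand-alone run: print the rules for the two services from the notes
# (constructed mapping list; nothing is applied).
printf '8823 10.13.21.88:23\n8821 10.214.9.113:21\n' | nat_rules
```

Usage: `printf '8823 10.13.21.88:23\n' | apply_nat` as root. Two caveats a practitioner should keep in mind: the PREROUTING rules accept connections from any source, so add `-s` or a filter-table FORWARD rule if the services are not meant to be public; and on kernels from 4.7 onward automatic conntrack helper assignment is off (and removed in 6.0), so loading nf_nat_ftp is not enough by itself, the helper has to be attached with a `-j CT --helper ftp` rule in the raw table for the FTP control connection.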
ip/route
# the following two are equivalent (route is the deprecated net-tools form, ip route the iproute2 form)
ip route add 10.0.0.0/8 dev eth0
route add -net 10.0.0.0 netmask 255.0.0.0 dev eth0
# the following two are equivalent
ip route add 10.0.0.0/8 via $gateway
route add -net 10.0.0.0 netmask 255.0.0.0 gw $gateway
# giving both via $gateway and dev eth0 is not redundant: the gateway must be reachable on the named interface, and naming the device pins the route to it when the same gateway address is reachable through more than one interface
ip route add 10.0.0.0/8 via $gateway dev eth0
route add -net 10.0.0.0 netmask 255.0.0.0 gw $gateway dev eth0
route -n output flags: (to be continued)
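A worked example, added here and not part of the original notes: a shell converter that takes the old `route add -net NET netmask MASK [gw GW] [dev DEV]` arguments and prints the equivalent `ip route add NET/PREFIX [via GW] [dev DEV]` command, which is exactly the pairing the three equivalences above illustrate. The netmask-to-prefix step refuses non-contiguous masks (for example 255.0.255.0), which `route` would accept but `ip route` cannot express. The gateway address 192.0.2.1 in the stand-alone run is an assumed documentation address standing in for $gateway.

```shell
#!/bin/sh
# mask2prefix: dotted netmask -> prefix length (255.255.255.0 -> 24).
# Returns 1 for malformed input or a mask whose one-bits are not contiguous.
mask2prefix() {
  set -- $(printf '%s' "$1" | tr . ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac    # octets must be decimal
    [ "$o" -le 255 ] || return 1
  done
  bits=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  n=0
  # count leading one-bits; 2147483648 is the top bit of a 32-bit word
  while [ $((bits & 2147483648)) -ne 0 ]; do
    n=$((n + 1))
    bits=$(( (bits << 1) & 4294967295 ))
  done
  [ "$bits" -eq 0 ] || return 1                 # leftover ones: non-contiguous mask
  echo "$n"
}

# route2ip: arguments are the route(8) arguments without the leading "route",
# e.g. route2ip add -net 10.0.0.0 netmask 255.0.0.0 gw 192.0.2.1 dev eth0
# Prints the ip-route equivalent; returns 1 for forms this converter does not handle.
route2ip() {
  [ $# -ge 3 ] || return 1
  [ "$1" = add ] && [ "$2" = -net ] || return 1
  net=$3
  shift 3
  mask=""; gw=""; dev=""
  while [ $# -gt 0 ]; do
    case $1 in
      netmask) mask=$2; shift 2 ;;
      gw)      gw=$2;   shift 2 ;;
      dev)     dev=$2;  shift 2 ;;
      *)       return 1 ;;
    esac
  done
  [ -n "$mask" ] || return 1
  prefix=$(mask2prefix "$mask") || return 1
  out="ip route add $net/$prefix"
  [ -n "$gw" ]  && out="$out via $gw"
  [ -n "$dev" ] && out="$out dev $dev"
  echo "$out"
}

# Stand-alone run with the three forms from the notes (gateway assumed).
gateway=192.0.2.1
route2ip add -net 10.0.0.0 netmask 255.0.0.0 dev eth0
route2ip add -net 10.0.0.0 netmask 255.0.0.0 gw "$gateway"
route2ip add -net 10.0.0.0 netmask 255.0.0.0 gw "$gateway" dev eth0
```

The converter only prints; to apply, pipe its output to `sh` as root, or better, read it first, since a wrong route can silently redirect traffic for the whole prefix.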