
SANS ISC InfoSec Handlers Diary Blog



Microsoft Patch Tuesday June 2010 Pre-Release

Published: 2010-06-03
Last Updated: 2010-06-03 23:26:27 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

Microsoft announced today that they will be releasing a total of 10 bulletins addressing 34 vulnerabilities, rated important (7) to critical (3), that could allow remote code execution. Six bulletins affect all Windows versions (2 critical and 4 important), two affect Microsoft Office XP, 2003 and 2007 (2 important), one affects Windows and Office (important) and one affects Internet Explorer (critical). More details are available here.

Two other publicly known security issues will be addressed this month:

Vulnerability in Microsoft SharePoint - Security Advisory 983438

Vulnerability in Internet Explorer - Security Advisory 980088

[1] Microsoft Security Response Center Blog

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org


Top 10 Things you may not know about tcpdump

Published: 2010-06-03
Last Updated: 2010-06-03 14:57:45 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

"tcpdump" is one of those utilities we take for granted. Ask in any networking class, and more or less everybody has used it before and knows how to use it. tcpdump was first written in 1987 as a research project. Since then, the library behind it (libpcap) and the tool itself have been ported to more or less any operating system out there and have been incorporated into too many tools to count (Bill Stearns tried [1]).

What is often overlooked: tcpdump is still actively developed. Right now, the latest version is 4.1.1 with libpcap version 1.1.1 [2]. Many operating systems use version 4.0 now by default.

So what changed? What are the things you may not know about tcpdump? Here are some of my favorite items that I ran into; please feel free to submit more.

  1. snaplength: it is no longer 68 bytes! New versions of tcpdump (>= 4.0) default to a snaplength of 64k. No more need to use -s 0 (but it doesn't hurt).
  2. IPv6 support: the ip[] filter works for all versions of IP BUT IPv6. Also, tcpdump will happily treat packets as IPv4 if the first 4 bits are anything but '6'. If you want to filter for IPv6, use 'ip6'.
  3. The -E option will decrypt IPsec traffic. You need to know the shared secret or secret key, of course, and not all algorithms are supported.
  4. -Z username will drop root privileges and run tcpdump as "username" after it has started (many versions now do this by default using a "pcap" user).
  5. portrange: a macro that can be used to filter a range of ports (e.g. portrange 0-1023).
  6. less/greater: filter packets by length.
  7. New versions of tcpdump will print more than one line if the '-v' switch is used (this breaks a lot of old shell scripts that use grep and such to filter).
  8. There are now a number of macros for common offsets. For example, tcp[tcpflags] is equivalent to tcp[13].
  9. The "proto" macro will only match the next header field in the IPv6 header, which may not be the transport layer protocol that you expect from IPv4.
  10. The -C option can be used to rotate files after they reach a given number of megabytes (don't confuse it with the lower case -c).
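Added example, not from the diary: the byte offsets behind items 2, 5, 6, 8 and 9 above, re-implemented in Python over constructed IPv4 and IPv6 TCP packets so it runs without tcpdump, an interface or root. The packets, addresses, ports and flag values are made up for illustration, and tcpdump itself is never invoked; the functions mimic what the named filter expressions test.

```python
import struct
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10  # bit values behind tcp-fin, tcp-syn, tcp-ack

def build_ipv4_tcp(sport, dport, flags, payload=b""):
    """Constructed sample: minimal IPv4+TCP packet, IP layer only, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

def build_ipv6_tcp(sport, dport, flags, payload=b""):
    """Constructed sample: minimal IPv6+TCP packet; Next Header 6 (TCP), no extension headers."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(tcp), 6, 64,
                      bytes.fromhex("20010db8000000000000000000000001"),
                      bytes.fromhex("20010db8000000000000000000000002"))
    return ip6 + tcp

def is_ip6(pkt):
    """'ip6': decided by the version nibble alone; any other value is parsed as IPv4 (item 2)."""
    return pkt[0] >> 4 == 6

def ip6_next_header(pkt):
    """'proto' on IPv6 tests the Next Header byte at ip6[6], which may be an extension header (item 9)."""
    return pkt[6]

def tcp_header_offset(pkt):
    """tcp[] counts from the start of the TCP header, i.e. IHL*4 bytes into the IPv4 packet."""
    if is_ip6(pkt):
        raise ValueError("libpcap's tcp[x] index form applies to IPv4 only")
    return (pkt[0] & 0x0F) * 4

def tcp_flags(pkt):
    """tcp[tcpflags] is the same byte as tcp[13] (item 8)."""
    return pkt[tcp_header_offset(pkt) + 13]

def syn_only(pkt):
    """'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn': bare SYNs, i.e. new connection attempts."""
    return (tcp_flags(pkt) & (TCP_SYN | TCP_ACK)) == TCP_SYN

def in_portrange(pkt, lo, hi):
    """'portrange lo-hi': true if either TCP port lies in the range (item 5)."""
    off = tcp_header_offset(pkt)
    sport, dport = struct.unpack("!HH", pkt[off:off + 4])
    return lo <= sport <= hi or lo <= dport <= hi

def greater(pkt, n):
    """'greater n': length test (item 6); a real capture also counts the link-layer header."""
    return len(pkt) > n
```

Running `syn_only(build_ipv4_tcp(40000, 22, TCP_SYN))` returns True while the matching SYN/ACK from port 22 returns False, which is the usual way to count inbound connection attempts from a capture.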

Know any more "hidden and forgotten features"?  Let us know....


[1] http://www.stearns.org/doc/pcap-apps.html
[2] http://www.tcpdump.org

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: tcpdump