Extracting IP Addresses in Bash

One very handy function to have in your .bash_profile is a function to extract IP addresses.

ipextract function

I frequently use this function during investigations and thought I should share it with everyone.

    ipextract () {
        # example: ipextract < filename
        grep --only-matching -E '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
    }

Example

I’ll demonstrate how to use the function

Source . . .
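As an added example that is not part of the original post, the same IPv4 regex wrapped in three small helpers that cover the usual next steps in an investigation: extract, tally by frequency, and drop internal ranges. The helper names and the log lines are my own constructions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the post's IPv4 regex wrapped in
# helpers for the investigation workflow: extract, tally, drop internal ranges.

OCTET='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
IPV4_RE="$OCTET\.$OCTET\.$OCTET\.$OCTET"

# Print every IPv4 address on stdin, one per line, in order of appearance.
# -w requires the match to be bounded by non-word characters, so with GNU grep
# an address glued to a longer digit run (1234.5.6.7) is not reported as 234.5.6.7.
ipextract() {
    grep -owE "$IPV4_RE"
}

# Tally addresses from stdin as "count address", most frequent first.
iptally() {
    ipextract | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Filter a list of addresses (one per line), dropping RFC 1918 and loopback
# ranges so only external peers remain.
ipexternal() {
    grep -vE '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
}

# Constructed firewall-style log lines for the demo (documentation ranges only).
SAMPLE_LOG='Jan 18 10:01:02 fw kernel: SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP DPT=443
Jan 18 10:01:03 fw kernel: SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP DPT=22
Jan 18 10:01:04 fw kernel: SRC=198.51.100.77 DST=10.0.0.10 PROTO=UDP DPT=53
Jan 18 10:01:05 fw kernel: SRC=192.168.1.20 DST=203.0.113.5 PROTO=TCP DPT=80
Jan 18 10:01:06 fw kernel: SRC=172.16.4.9 DST=198.51.100.77 PROTO=TCP DPT=443'

# Usage: iptally < file, or ipextract < file | ipexternal | sort | uniq -c
printf '%s\n' "$SAMPLE_LOG" | iptally
printf '%s\n' "$SAMPLE_LOG" | ipextract | ipexternal | sort | uniq -c
```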

Combine Multiple PCAP Files into a Single File

Problem

You have many smaller pcap files that you would like to combine into a single file:

    10.0.0.10_1.pcap
    10.0.0.10_2.pcap
    10.0.0.10_3.pcap
    10.0.0.10_4.pcap
    10.0.0.10_5.pcap

Solution

    mergecap -a 10.0.0.10* -w output_file.pcap

Source: https://www.wireshark.org/docs/man-pages/mergecap.html

How to Perform Bulk IP Lookup – Location and Owner

I recently analyzed a pcap file with a large list of destination addresses. In order to quickly determine the owner of those IP addresses I found this one-liner.

    # cat ips.txt | xargs -I% curl -s http://ipinfo.io/%/org | paste -d"," ips.txt -

Source: https://ipinfo.io/developers/bulk-lookups

Please check out my Daughter’s Coding Site, CodewithMargo.com

My 7 year old launched her coding site last year and I think it is a great resource for kids that want to learn how to program in Scratch Jr.

http://codewithmargo.com

Announcement – I was Recently Published in an Ebook

I am pleased to announce that I was recently published in an ebook, "10 Experts on Active Threat Management".

https://www.countertack.com/ebook-experts-on-active-threat-management

#threatmanagement #ebooks

Export flow logs to an Amazon S3 Bucket

I found the instructions on Amazon’s website to be useless.

This is what worked for me.

Define some variables

    bucket=my-bucket
    region=us-east-1
    log_group_name=primary-nat
    prefix=my-prefix
    taskname=my-task
    start_epoch=1516255200000
    end_epoch=1516860000000

Create the bucket

    aws s3 mb s3://$bucket --region $region

Create the policy

    cat <<'EOF' > ./policy.json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "s3:GetBucketAcl",
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::replace-bucket",
          "Principal": . . .

IIS7 SNI Rewrite – Howto

Problem

Windows XP Users with IE8 are unable to connect to your Server Name Indication (SNI) enabled Amazon CloudFront distribution.

Solution

Do not rewrite URLs to CloudFront if the user agent indicates a system that does not support SNI.

Example (IIS 7)

Be sure to have the URL Rewrite module installed.

URL Rewrite rule precondition . . .

iis7 insert rewrite rule web.config

To insert a rewrite rule into a web.config for deployment purposes you need to modify Web.Release.Config.

Example

    <system.webServer>
      <rewrite xdt:Transform="Insert">
        <outboundRules>
          <rule name="Add Cross Origin Access">
            <match serverVariable="RESPONSE_Access_Control_Allow_Origin" pattern=".*" />
            <conditions>
              <add input="{REQUEST_URI}" pattern=".*\.(ttf|otf|eot|woff|svg)\?*.*$" />
            </conditions>
            <action type="Rewrite" value="*"/>
          </rule>
        </outboundRules>
      </rewrite>
    </system.webServer>

Cloudfront IIS7 CORS Fix

Problem

You keep getting Access-Control-Allow-Origin errors on fonts that are pulled from your CloudFront CDN.

Solution

You need to make changes at CloudFront and on your IIS 7 server.

CloudFront Changes

Modify the origin behaviors:

1. Navigate to the CloudFront Distributions panel
2. Select your distribution
3. Click the Behaviors tab
4. Select the behavior from the list items
5. Click Edit . . .