I have configured bro on my system successfully. OS is centos 7. I have to monotor multimedia traffic e.g. youtube and some social site like facebook. I started bro for some miniutes while using facebook and youtube but their is no information about youtube in http log file nithir facebook. As for I think that this is a protocol problem as facebook use https rather than http but I do not know why youtube.
I have followed following steps after setting correct interface.
[BroControl] > install
Then
[BroControl] > start
But I have not found any youtube or facebook info in http.log. How to get traffic info of such websites?
The problem is that you are expecting SSL encrypted traffic to be magically decrypted and appear in your http.log. If you look again, you will find that YouTube also runs over HTTPS.
Unless you are doing something to intercept and act as a man-in-the-middle for the SSL/TLS connections, you cannot expect to be able to see the content. If you can't see it, Bro can't see it either. :)
If you want to verify that you are properly configured, you would be best served looking at the conn.log to verify that the connections are occurring. Once you do that, search for the UID values in the other logs and I strongly suspect that you will see that you are finding SSL certificate data.
Several things come to mind
1) What are the contents of /usr/local/bro/etc/node.cfg? Make sure it is the interface you expect traffic to cross via a span or tap.
2) Run tcpdump -i <interface> where interface comes from question 1.
3) Run /usr/local/bro/bin/broctl diag to see if there are any issues.
4) Run /usr/local/bro/bin/broctl status to verify everything is running.
If the interface is wrong, the solution may be that easy.
Related
I have an app controlling my AVR on a local network and I'm trying to embed some of the functionality into another app written by myself. I've started up WireShark and started controlling the volume, which shows up as:
GET /ctrl-int/1/setproperty?dmcp.device-volume=-15.750000 HTTP/1.1
I'm not totally up on this type of http control but i'd like to know if this is enough data to be able to send the same request via a browser or terminal etc.
cheers
Without knowing the avr you can't realy tell. But you should be able to send the command via
avr-ip/ctrl-int/1/setproperty?dmcp.device-volume=-15.750000
in the browser or from you app. The ip should be in the wireshark logs as well.
If that works it was enough information.
I want to send a message to everyone(broadcast) in my subnet(LAN) so as to prevent them using Internet due to repair work that's going to happen. How do i do that ? I can't use "wall" because no one is logged on some server.
I want to send a packet that opens a new Tab in web browser and displays message that stop using Internet during a certain duration.
http://en.wikipedia.org/wiki/ARP_spoofing
You might be interested in something like this. I am not sure if this will work in your LAN environment, but typically it should mess up with the entire LAN :D
you can use sockets to send a message to everyone connected in LAN, you can use java and when you want send a message to all clients, every client will see a msgbox with the information you want display....
net send command will be helpful in windows machines. Im not sure about linux.
Plz refer the following link for more Info.
http://www.cezeo.com/tips-and-tricks/net-send-command/
This is a solution shared by my senior( Hope it helps anyone who views this post). What we can do is to do DNS spoofing and redirect everyone's request to a server where you can show the required message.
Getting this error message in the browser:
Attention!!!
The transfer attempted appeared to contain a data leak!
URL=http://test-login.becreview.com/domain/User_Edit.aspx?UserID=b5d77644-b10e-44e0-a007-3b9a5e0f4fff
I've seen this before but I'm not sure what causes it. It doesn't look like a browser error or an asp.net error. Could it be some sort of proxy error? What causes it?
That domain is internal so you won't be able to go to it. Also the page has almost no styling. An h1 for "Attention!!!" and the other two lines are wrapped in p tags if that helps any.
For anyone else investigating this message, it appears to be a Fortinet firewall's default network data-leak prevention message.
It doesn't look like an ASP.NET error that I've ever seen.
If you think it might be a proxy message you should reconfigure your browser so it does not use a proxy server, or try to access the same URL from a machine that has direct access to the web server (and doesn't use the same proxy).
This is generated from an inline IPS sensor (usually an appliance or a VM) that is also configured to scan traffic for sensitive data (CC info, SSNs etc). Generally speaking, the end user cannot detect or bypass this proxy as it is deployed to be transparent. It is likely also inspecting all SSL traffic. In simple terms, it is performing a MITM attack because your organizational policy has specified that all traffic to and from your network be inspected.
The question is pretty straightforward. I want to know if there are ways of discovering the HTTP requests my browser sends while I navigate. For instance, what happens when I click on a certain link which sends a PUT method? I mean, I wish I could determine the exact HTTP request that my browser sends to that website. Further, I want to, later, reproduce that request on Curl. Basically, I want to inspect requests my browser sends so I can automate that task later through the Curl command (command, not library).
Thanks in advance!
Fernando.
Fiddler does exactly what you want. It sets up a proxy that can monitor http communication from your browser.
http://www.fiddler2.com/fiddler2/
You would want the Firebug extesion for Firefox. It can show a lot of what is happening, and you can add more options by installing more extensions.
On the other hand, you can use wireshark to capture the traffic to and from your computer.
Then you can use filters to save the relevant packets (pcap is often the format for storing the packets).
Later, you can replay the packets using tools like tcpreplay.
You could try it out with backtrack linux (live cd/usb).
And nowadays there should be some new tools for windows also. :)
EO2 and JohnnyC are correct. Fiddler, WireShark, FireBug (FireFox addon), etc. are what you are going to look for. You can use them free of charge.
WireShark will capture all incoming and outgoing traffic on your box. You can listen on any port, filter data etc.
FireBug will capture outgoing and incoming data streams, the raw data (XML, JSON, images etc.) for each request.
Fiddler is great for tracking web data in a seperate application if you do not use FireFox.
I want to know that when browser sends a request do the server sends back the contents explicitly? And how would i confirm it?
There are several toolbars in Firefox that show exactly what are coming and going when making an HTTP request.
For firefox i use the following plugins:
Firebug
Web Developer
You could also install a utility called WireShark. It will "sniff" all the network traffic on your computer and show you at a packet level how it all works.
Browser plugins such as firebug (for firefox) let you see exactly what the server is returning; that's quite instructive and recommended! You'll see a bunch of headers followed by the response body in any of several formats (could be chunked, etc, etc).
In a Windows environment you can use Fiddler.
Fiddler includes a fair amount of documentation and is easy to use.