yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise


List of valid domain names for load testing DNS

I am currently running a bunch of tests on the DNS resolver software Unbound to see what it is worth, and for that I needed a list of valid domain names in different but controllable TLDs. The only downloadable resource I could find was the 3 million record Nominum Sample query data file for use with resperf. Only that it contains all kinds of record types (A, PTR, AAAA), and I wanted a list of domain names for which I can choose the query type myself, restricted to a specific TLD.
Say, all domains in the .ASIA TLD only. To compile such a list I took a word list, appended each specific extension to every word and then ran the result against some DNS server. Then I filtered the answers to include only existing, resolvable domains that return at least 1 answer to an ANY query. So far I did it for the extensions .ASIA .COM .CA .BIZ .EDU .EU .FR .INFO .MIL .NET .ORG .RU, and it brought 831903 valid domains.
You can download the final list of those domains here: Domain list 831903 domains
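The word-list-times-TLD procedure described above, as an added example in Python 3 (not the post's own tooling): build_candidates() forms the names and drops words that cannot be DNS labels (apostrophes, spaces, over-long words), and filter_resolvable() keeps the names a pluggable resolve() callback accepts, grouped by TLD so each TLD can be written to its own file. The default resolver is an assumption: it does a plain A lookup through the system resolver with socket.gethostbyname, standing in for the ANY query used in the post; the word list in the main block is constructed.

```python
import re
import socket
from itertools import product

# RFC 1035-style host label: letters, digits and inner hyphens, 1-63 characters.
LABEL_RE = re.compile(r'^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$')


def build_candidates(words, tlds):
    """Return every word.tld combination, lower-cased and de-duplicated,
    skipping words that cannot be a DNS label (apostrophes, spaces, ...)."""
    seen = set()
    out = []
    for word, tld in product(words, tlds):
        label = word.strip().lower()
        tld = tld.strip().lower().lstrip('.')
        if not LABEL_RE.match(label) or not LABEL_RE.match(tld):
            continue
        name = '%s.%s' % (label, tld)
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def resolves_via_socket(name):
    """Default resolver (assumption: an A lookup through the system resolver stands in
    for the ANY query used in the post). True if the name yields at least one address."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def filter_resolvable(candidates, resolve=resolves_via_socket):
    """Keep only the names for which resolve() returns True, grouped by TLD:
    {'com': ['example.com', ...], 'org': [...]}."""
    by_tld = {}
    for name in candidates:
        if resolve(name):
            tld = name.rsplit('.', 1)[1]
            by_tld.setdefault(tld, []).append(name)
    return by_tld


if __name__ == '__main__':
    # Constructed word list; a real run would read /usr/share/dict/words or similar.
    words = ['example', 'mail', "o'reilly", 'ftp']
    tlds = ['.com', '.org', '.asia']
    for tld, names in sorted(filter_resolvable(build_candidates(words, tlds)).items()):
        print(tld, len(names), ' '.join(names))
```

With a real word list the resolver loop is the slow part; since resolve() is just a callback, it can be swapped for a batched or threaded lookup without touching the candidate generation or the per-TLD grouping.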

Restart SNMP daemon on Checkpoint

While not remarkable by itself, this incident did remind me that you should always record the current state before making changes. The client monitors an open server with 7 CPUs over SNMP; all monitored values were normal, but CPU suddenly showed 100%, and on a 7-CPU box that made it clear the snmp daemon itself was feeling bad rather than the server.
The solution was just as obvious: restart the snmp daemon on the Checkpoint server. So I went and found all the running instances of snmp:

ps ax | grep snmp
1061 ? S 0:08 /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd -a -c /etc/snmp/snmpd.users.conf 161
1066 ? S 0:00 /usr/sbin/cpsnmpagentx
5808 ? S 0:00 /opt/CPshrd-R65/bin/cpsnmpd -p 260
18973 ttyp1 S 0:00 grep snmp

Then I sent a kill signal to each one of them, and all went OK. But then my ssh session got abruptly disconnected for an unrelated reason, so I no longer had the list of commands and their options seen above and therefore couldn't restart them. I do have the privilege of access to a heap of other Checkpoint machines, so I just entered one of them and copied the snmp daemon commands from there, but had there been no such alternative, a time-consuming search on Google/cpug.org would have been in order.
Conclusion: before altering some state take note of the current one and record it somewhere (Notepad rules here).

Query non-standard port of SNMP

Sometimes the simple things are the ones that perplex you the most. Today I needed to add SNMP monitoring of a Radware Linkproof listening on port 7777. Not a big deal, I thought. But before configuring it in the monitoring system I just wanted to be sure, and tried to query the Linkproof using snmpwalk. Much to my surprise, its help had no mention of how to do it. Searching Google brought up -p <port>, which didn't work though. The solution is actually quite simple: immediately after the
IP of the device put :<port>, e.g.

root@darkstar# snmpwalk -v 2c -c notpublic 12.120.186.8:7777

Keep your IPS updated

The IPS protection should be up-to-date, no arguing here. But should updating it also be automatic?
Well, here Checkpoint thought not and made no provision for auto updates in the R70.x series. The only way to update the IPS protections is either to click Online Update and do it in real time, or to check "Check for new updates while the SmartDashboard is active", which in turn will not update anything but will prompt you that new updates are available.
In R71 they changed their mind and added a configurable scheduled updates menu.
Anyway, should you want to check what the latest available IPS version is without running the actual update process, the link follows:
Defense Updates by Product

Break free from the GUI dependency – checking Fortigate logs on the cli.

Fortinet are doing a lot to keep us away from the command line. And that's OK in 95% of the cases. But sooner or later you come to meet the 5% of the bad and the ugly, when you have no access to the GUI at all. Can you imagine the terror of such a situation? Fear no more: forewarned is forearmed. Just grab the Fortigate CLI Reference PDF (all in all 754 pages), learn it by heart, then return to my blog. A year has passed quickly, ah?
Now you are ready for the introduction. One late evening [and I am sure all security/networking equipment long ago conspired with clients against us to cause trouble at abnormal/non-working hours only] one of the clients asked if I could check something. "No, nothing critical, but STILL can you check it NOW..?" Of course, why not?
To check something I needed access to the Fortigate logs. All good and well if it were not for the excruciatingly slow connection (in your case it may be blocked GUI management ports, out-of-band console access only, or high Fortigate CPU utilization) that made the GUI unusable. As I had not the slightest inclination to turn a late evening into an early morning, I did SSH to the machine, ran #show log and #get log ... and got the logging configuration settings of the firewall. But where are the logs?
Here:

FGT-ugly # execute log display

Hurray! I got lots of lines scrolling on the terminal, only that it was the traffic log and I wanted the Event log, and moreover it showed only the first 100 lines out of 3400 and I wanted them all. So let's do it step by step.
Step 1 – know what is served
Run this first to see what you will be shown and what not:

FGT-ugly # execute log filter dump
category: traffic // each type of log is called category , see later
device: memory // from where logs are to be read
roll: 0 // archived version
start-line: 1 // on which line of the logs to start presenting
view-lines: 700 // how many lines to show

Step 2 – I want Event logs now !

FGT-ugly# execute log filter category //this way you can see all available logs
Available categories:
10: application control
9: dlp
6: content
5: spam
4: ids
3: webfilter
2: virus
1: event
0: traffic
FGT-ugly# execute log filter category 1 // switch to Event log

What is left is how many lines to show at once.

FGT-ugly # execute log filter view-lines

number 5 – 1000 /// Aha, so we can see a maximum of 1000 lines per go. Not a problem actually, because every time you run # execute log display the starting line is advanced for the next run by the number of lines shown.
To conclude it all, I enabled logging in PuTTY, through which I connected to the firewall, and ran

FGT-ugly# execute log display
3011 logs found.
1000 logs returned.
1: 2010-07-13 19:10:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=4 msg="Performance statistics"
2: 2010-07-13 19:05:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=7 msg="Performance statistics"
3: 2010-07-13 19:01:28 log_id=0104032001 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from https(21.14.127.14)"
4: 2010-07-13 19:00:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=5 msg="Performance statistics"
5: 2010-07-13 18:55:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=8 msg="Performance statistics"
6: 2010-07-13 18:54:09 log_id=0104032003 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=logout status=success reason=timeout msg="Administrator admin timed out on https
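Once PuTTY has captured a few thousand of these lines, it is worth turning the key=value entries into something you can filter rather than reading them by eye. The parser below is an added example in Python 3 (not from the post or from Fortinet): parse_display_output() reads captured execute log display text, records the "logs found" / "logs returned" header, splits each entry into a dict (quoted values may contain spaces, bare ones such as ui=https(...) may not), admin_events() and failed_logins() pull out the administrator login/logout records, and display_runs_needed() computes how many runs of the command it takes to page through all entries at a given view-lines. The sample text is constructed in the layout shown above; the fourth line (a failed SSH login), its log_id, pri and the 198.51.100.7 address are made up.

```python
import math
import re

# Constructed sample in the layout of `execute log display` output on a FortiGate 4.x
# (lines 1-3 follow the entries shown above; line 4, including its log_id, pri and
# source address, is made up to show a failed login).
SAMPLE_OUTPUT = """\
3011 logs found.
1000 logs returned.
1: 2010-07-13 19:10:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=4 msg="Performance statistics"
2: 2010-07-13 19:01:28 log_id=0104032001 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from https(21.14.127.14)"
3: 2010-07-13 18:54:09 log_id=0104032003 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=logout status=success reason=timeout msg="Administrator admin timed out on https(21.14.127.14)"
4: 2010-07-13 18:40:02 log_id=0104032002 type=event subtype=admin vd=root pri=alert user="admin" ui=ssh(198.51.100.7) action=login status=failed reason=passwd_invalid msg="Administrator admin login failed from ssh(198.51.100.7)"
"""

HEADER_RE = re.compile(r'^(\d+) logs (found|returned)\.$')
ENTRY_RE = re.compile(r'^(\d+):\s+(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+(.*)$')
# key=value where the value is either "quoted, may contain spaces" or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_display_output(text):
    """Parse captured `execute log display` text into (found, returned, records).
    Each record is a dict of the key=value fields plus seq, date and time."""
    found = returned = None
    records = []
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            if h.group(2) == 'found':
                found = int(h.group(1))
            else:
                returned = int(h.group(1))
            continue
        e = ENTRY_RE.match(line)
        if not e:
            continue  # prompt echoes, blank lines, wrapped fragments
        rec = {'seq': int(e.group(1)), 'date': e.group(2), 'time': e.group(3)}
        for key, quoted, bare in FIELD_RE.findall(e.group(4)):
            rec[key] = bare if bare else quoted
        records.append(rec)
    return found, returned, records


def display_runs_needed(found, view_lines):
    """How many runs of `execute log display` cover `found` entries at
    `view-lines` per run (start-line advances by itself after each run)."""
    return int(math.ceil(found / float(view_lines)))


def admin_events(records):
    """Administrator login/logout records (subtype=admin), in log order."""
    return [r for r in records if r.get('subtype') == 'admin']


def failed_logins(records):
    """Login attempts whose status is anything other than success."""
    return [r for r in records if r.get('action') == 'login' and r.get('status') != 'success']


if __name__ == '__main__':
    # Replace SAMPLE_OUTPUT with open('putty.log').read() for a real capture.
    found, returned, recs = parse_display_output(SAMPLE_OUTPUT)
    print('%d found, %d returned, %d runs needed at 1000 per run'
          % (found, returned, display_runs_needed(found, 1000)))
    for r in admin_events(recs):
        print(r['date'], r['time'], r['user'], r['ui'], r['action'], r['status'], r['reason'])
```

Because the parser skips anything that is not a numbered entry, the PuTTY capture can be fed in whole, prompt echoes and all; the seq field is reset to 1 on every run of the command, so when several runs are concatenated, sort on date and time rather than on seq.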

Reference of all log messages known to Fortigate firmware 4 :
FortiGate_Log_Message_Reference

MAC finder script

While I don't like going down to Layer 2, recently I had to do it: I didn't know the IP address of the Cisco router I wanted to connect to, but I had access to the Cisco router sitting in the same network. It would be pretty easy to do #show arp on this router and then search on Google for whom each MAC belongs to, if it weren't for the subnet mask of /26. Copy-pasting each entry of the ARP table into Google didn't look like a lot of fun. So I wrote a Python script that reads MAC addresses in bulk from the command line (standard input) and, using a beforehand-downloaded database of MAC-to-vendor translations, prints the vendor for each MAC address. It works with the output of #show arp on Cisco, #show mac-address-table on Cisco switches, #arp -en on Linux (which includes Checkpoint), #arp -a on FreeBSD, #show arp of Junos from Juniper and #get sys arp on Fortigate.
Below is the script.
Here:
mac-database.txt – file containing the MAC-vendor translation in the format <MAC, first 6 hex digits as a sequence> <VENDOR>. I used standards.ieee.org/regauth/oui/oui.txt as the source with a bit of sed, but if you want a ready-to-use file I recommend nmap-mac-prefixes from the nmap source-code distribution http://nmap.org/svn/nmap-mac-prefixes
Download the script (to make sure formatting is preserved, an important thing for Python):
http://yurisk.info/scripts/mac-finder.py
Script AND mac database from the nmap project – http://yurisk.info/scripts/mac.tar.gz

#!/usr/bin/python
# This script accepts MAC addresses on standard input (paste the output of
# show arp / arp -a / ... into it) and prints the vendor for each MAC address
# Author:Yuri, yurisk@yurisk.info,06.2010
from __future__ import print_function
import sys
import re

# The three MAC notations recognised: Cisco dotted (0050.5695.7472),
# colon separated (00:50:56:95:74:72, Linux/BSD/Junos/Fortigate) and dash separated
MAC_FORMATS = [
    re.compile(r'([a-f0-9]{4}\.[a-f0-9]{4}\.[a-f0-9]{4})', re.IGNORECASE),
    re.compile(r'([a-f0-9]{2}(?::[a-f0-9]{2}){5})', re.IGNORECASE),
    re.compile(r'([a-f0-9]{2}(?:-[a-f0-9]{2}){5})', re.IGNORECASE),
]

def strip_separators(mac):
    """Remove dots, colons or dashes from a MAC and return it as a sequence of HEX chars"""
    return re.sub(r'[.:-]', '', mac)

# open the file with the MAC-vendor database, each line has the form xxxxxx <Vendor>
macs = open('mac-database.txt', 'r')
macs_lines = macs.readlines()
macs.close()

# Read the lines to look up from standard input (finish with CTRL+D)
data = sys.stdin.readlines()
for line in data:
    for mac_re in MAC_FORMATS:
        found = mac_re.search(line)
        if not found:
            continue
        # the first 6 hex digits (the OUI) identify the vendor; match them at the
        # start of a database line so a vendor name cannot match by accident
        prefix_re = re.compile('^' + strip_separators(found.group(1))[0:6], re.IGNORECASE)
        for mac_db in macs_lines:
            if prefix_re.search(mac_db):
                # database line is "<6 hex digits> <vendor>", so the vendor starts at offset 7
                print(line.strip(), mac_db[7:].strip())
        break  # a line holds one MAC notation, no need to try the others

Running it:

[root@darkstar ]# ./mac-finder.py
<now I copy paste output from arp -a in BSD>
$ arp -a
(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet]
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet]
<Hit CTRL+D to signal the end of input>
(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet] VMware, Inc.
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet] Fortinet Inc.
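Building mac-database.txt from the IEEE oui.txt with "a bit of sed" is where most of the work is, so here is an added example (not the post's script) in Python 3 that does the conversion and then looks vendors up in a dict instead of scanning the whole database once per MAC. parse_oui_txt() reads the "(hex)" lines of oui.txt, to_mac_database() renders the "<6 hex digits> <vendor>" layout the script above expects, oui_of() normalises the dotted, colon and dash notations to a 6-digit OUI, and annotate() pairs each input line with its vendor. The oui.txt excerpt is constructed in that file's layout using the two OUIs seen in the arp -a output above; the address lines are filler.

```python
import re

# Constructed excerpt in the layout of IEEE oui.txt (standards.ieee.org/regauth/oui/oui.txt).
# The two OUIs are the ones seen in the arp -a output above; the address lines are filler.
OUI_TXT = """\
OUI/MA-L                                                    Organization
company_id                                                  Organization
                                                            Address

00-50-56   (hex)\t\tVMware, Inc.
005056     (base 16)\t\tVMware, Inc.
\t\t\t\t1 Example Way
\t\t\t\tUS

00-09-0F   (hex)\t\tFortinet Inc.
00090F     (base 16)\t\tFortinet Inc.
\t\t\t\t2 Example Road
\t\t\t\tUS
"""

# "00-50-56   (hex)    VMware, Inc." -> groups 00, 50, 56 and the vendor name
OUI_LINE_RE = re.compile(r'^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$',
                         re.IGNORECASE)

# One pattern for the three notations: 0050.5695.7472, 00:50:56:95:74:72, 00-50-56-95-74-72
MAC_RE = re.compile(r'(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}',
                    re.IGNORECASE)


def parse_oui_txt(text):
    """Build {'005056': 'VMware, Inc.', ...} from the '(hex)' lines of oui.txt."""
    db = {}
    for line in text.splitlines():
        m = OUI_LINE_RE.match(line)
        if m:
            db[(m.group(1) + m.group(2) + m.group(3)).upper()] = m.group(4).strip()
    return db


def to_mac_database(db):
    """Render the dict in the mac-database.txt layout: '<6 hex digits> <vendor>' per line."""
    return '\n'.join('%s %s' % (oui, vendor) for oui, vendor in sorted(db.items())) + '\n'


def oui_of(text):
    """Return the OUI (first 6 hex digits, upper case) of the first MAC in text, or None."""
    m = MAC_RE.search(text)
    if not m:
        return None
    return re.sub(r'[.:-]', '', m.group(0))[:6].upper()


def annotate(lines, db):
    """Pair each ARP/MAC-table line with its vendor using one dict lookup per line;
    the vendor is None for lines that carry no MAC address at all."""
    result = []
    for line in lines:
        oui = oui_of(line)
        result.append((line.rstrip(), db.get(oui, 'unknown vendor') if oui else None))
    return result


if __name__ == '__main__':
    import sys
    database = parse_oui_txt(OUI_TXT)  # or parse_oui_txt(open('oui.txt').read())
    # write the same database in the layout the post's script reads
    with open('mac-database.txt', 'w') as out:
        out.write(to_mac_database(database))
    for line, vendor in annotate(sys.stdin.readlines(), database):
        print(line, vendor if vendor else '')
```

The dict lookup matters once the database is the full IEEE list (tens of thousands of entries) and the input is a whole switch MAC table: the script above does a regex search over every database line for every input line, while here each input line costs one hash lookup.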

Visio stencils for Cisco, Juniper, Fortinet, Checkpoint, Avaya

Some links to download Microsoft Visio stencils of the most popular vendors.
Juniper
Cisco
Avaya
BlueCoat
Fortinet
Dell
Checkpoint happens not to have an official stencil set; only Nokia appliance stuff can be found. So someone volunteered and, using icons/press releases/PowerPoint presentations done by Checkpoint, turned them into Visio stencils:
fireverse.org
If nothing else helps, here you can find the rest:
nag.ru/projects/visio


© 2016 yurisk.info
