Decoding the SANS Christmas packet challenge using only NSM-Console

In my never-ending quest to find justification for writing NSM-Console, I hereby present the following tutorial on how to decode the SANS Christmas packet challenge using nothing but NSM-Console:

I’m going to be using NSM-Console version 0.4-DEVEL, which adds the features that allow this analysis to be performed without external tools. You can get the development version here. Alright, let’s get this party started:

First things first, the fellows at SANS point you to the first packet in the xmas_Starter.pcap file, so let’s load up NSM-Console with the packet capture

./nsm ~/xmas_Starter.pcap

Next, let’s do a printout of all the packets in this dump (since it’s a small file, there shouldn’t be too many)

Continue reading →

NSM-Console version 0.3 release

Yep, I’ve just been cranking out code lately, so I am proud to present the 0.3 release of nsm-console!

You can download NSM-Console here:

http://navi.eight7.org/~hinmanm/files/nsm-console-0.3.tar.gz

This release was focused a bit more on usability, features and bugfixes rather than the addition of new modules, however, there were still a couple that were added. Since this release has some pretty big changes, let’s start by going over some of the notable ones:

Continue reading →

Screencast: An introduction to NSM-Console

Well, I’ve been working on this for the last week or so, trying to get it all working the way I wanted, and after around 15 takes, I finally have a screencast for anyone interested in the idea behind and usage of nsm-console.

The version of nsm-console used in the screencast is the 0.3-DEVEL version. UPDATE: Version 0.3 is now out!

The video is in .mov format and is 12 minutes and 40 seconds, it is around 17MB. Don’t forget to right-click and “Download As”!

• mirror 1 [thanks enhanced]
• mirror 1 w/ssl [thanks again enhanced]
• mirror 2 [my server]

I’m hoping to have a flash version created soon, I’ll update this entry when I do.

If you have any questions, comments or criticisms, feel free to leave a comment below or email me.

I also updated the “about me” page if you absolutely must know what I look like.

Oh, one more thing, ignore the fact that I say “so” around 30 times in this one video, this is my first screencast, gimme a break.

NSM Console projected module list

Here’s a list of all the planned modules and completed (struck-out) modules for nsm-console: (if a module is struck out, it’s because I’ve finished making a module for it, it isn’t necessarily in the tarball for download)

• aimsnarf
• ngrep (gif/jpg/pdf/exe/pe/ne/elf/3pg/torrent)
• tcpxtract
• tcpflow
• chaosreader
• bro-IDS
• snort
• tcpdstat
• capinfos
• tshark
• argus
• ragator
• racount
• rahosts
• hash (md5 & sha256)
• ra
• honeysnap
• p0f
• pads
• fl0p
• iploc
  
• foremost – thanks shadowbq!
• flowgrep
• tcptrace
• tcpick
• flowtime
• flowtag
• harimau
• clamscan
  

Think of any other useful modules? Leave me a comment and let me know!

P.S. I’m also brainstorming for some pcap/real-time network visualization tools, stay tuned!

NSM Console – A framework for running things

Well, I’ve been hard at work for the last couple of days working on a (hopefully) useful tool for aiding in NSM file analysis (for pcap files, live analysis doesn’t work).

Behold! I present NSM-Console! (read more about it here, watch a screencast here)

Download the framework here.
Keep in mind this framework only includes 3 modules (mostly used just for testing)

NSM-Console in a small (< 500 1000 1500 lines) framework for running nsm modules. Essentially, it’s a framework for running things (but we don’t call it that because it sounds like it wasn’t any work ). Here’s the breakdown: Continue reading →