Sunday, October 2, 2016

EDITCAP - wireshark bundled CLI tool

Useful tool to split a large, unwieldy packet capture file into smaller chunks. Comes bundled with Wireshark.

"c:/program files (x86)/wireshark/editcap.exe" -c 20000 dropped_packets_capture.pcapng split.pcapng



TSHARK - wireshark bundled CLI tool

Useful command line tool bundled with Wireshark. Less resource intensive than the GUI-based Wireshark, with many parameters for quick custom-made captures.

List local computer interfaces with:  tshark -D

Quick capture directed to screen:  tshark -i 8

Quick capture direct to a file:  tshark -i 8 -w c:\users\richard\allpkts.pcapng

Monitor ping statistics (ICMP Service Response Times):  tshark -i 8 -qz icmp,srt

Filter a packet capture file for a particular IP address and create a smaller packet capture file:
"c:/program files (x86)/wireshark/tshark.exe" -r dropped_packets_capture.pcapng -Y "ip.addr==192.168.72.177" -w filtered.pcapng



Full tshark command description here:
https://www.wireshark.org/docs/man-pages/tshark.html


Monday, August 15, 2016

Palo Alto

Palo Alto Fundamentals

PA Licensing. Based on yearly subscriptions:

  1. Threat Protection: IPS, Anti-Virus, Anti-Spyware
  2. URL Filtering: Web categorisation filtering
  3. Virtual System: Multiple virtual firewall contexts
  4. Software Support: Required for Cisco TAC-like support
  5. Wildfire: Crowdsourced security intelligence
  6. Global Protect: Consistent global user policy enforcement

Ground Up Configuration Steps

  1) Enable WAN access for any management services that are not available out of the management interface (this is the default/out-of-box policy), e.g. NTP or DNS
     Device -> Services -> Services Features
  2) Activate licenses
     Device Management -> Licenses and Support
  3) Configure zones
     Network -> Zones -> Add
  4) Configure virtual router
     Network -> Virtual Routers -> Add
  5) Configure interfaces
     Assign each interface to a zone and a virtual router, and add its IP address
  6) Create a management profile
     Network -> Interface Management
  7) Apply the management profile to the interface under the Advanced tab


Tuesday, March 15, 2016

Changing Severity of Cisco Syslog Messages


Steps to modify the severity of syslog messages.

This can be achieved with Cisco's Embedded Syslog Manager (ESM).

Example:

Access list log messages are written by default with severity level 6 (informational).

There was a requirement to increase the severity of these messages to level 3. This was achieved with the use of a Tcl script and Cisco's Embedded Syslog Manager.


TCL SCRIPT

# severityincr.tcl  Increases the severity level of a syslog message.
#                   Requires two arguments, first the mnemonic and
#                   second the new severity level.
#                   E.g., STATECHANGE 3
if { [string length $::orig_msg] == 0} {
   return ""
}

if { [info exists ::cli_args] } {
    set args [split $::cli_args]
    if { [ string compare -nocase [lindex $args 0] $::mnemonic ] == 0 } {
        set ::severity [lindex $args 1]
        set sev_index [ string first [lindex $args 0] $::orig_msg ]
        if {  $sev_index >= 2 } {
           incr sev_index -2
           return [string replace $::orig_msg $sev_index $sev_index [lindex $args 1]]
        }
    }
}

return $::orig_msg


The Tcl script was copied to the router flash to enable local access:

copy tftp://10.100.100.1/severityincr.tcl disk0:

The logging filter was then applied to the router:

logging buffered filtered
logging host 192.168.x.x filtered
logging filter disk0:severityincr.tcl args IPACCESSLOGP 3



Log message following change!