[blog.rayfoo] Infosec, DFIR, tech geekery, thoughts and whatnot

8 Jul 2010

Profiling client internet connections

Some more fun with p0f and Splunk, this time profiling the client's internet link type as well as its OS.

The p0f and logging setup is the same as in the OS profiling post.

The Splunk search string has been extended with a third rex command that pulls the source's internet link out as a field too.  Two details matter in the extraction: the separator between the source address and the OS label in p0f's output is a plain hyphen (" - "), and srcos is delimited by the " -> " that precedes the destination rather than by the first " (", because p0f prints some OS labels (e.g. "Windows 2000 SP4, XP SP1+") with no parenthesised detail, and anchoring on " (" would then swallow the destination address into srcos.  The link field runs to the closing ")" at the end of the line because link names can themselves contain parentheses (e.g. "pppoe (DSL)").

| file /home/path/to/p0f.log | rex field=_raw "> (?<srcip>[^:]+):(?<srcport>[^ ]+) - (?<srcos>.+?) -> " | rex field=_raw "-> (?<dstip>[^:]+):(?<dstport>[^ ]+) " | rex field=_raw "link: (?<srclink>.*)\)$" | regex srclink!="(unspecified|unknown)" | top limit=0 srclink

The fields that I extract with this:

  • srcip -> source IP
  • srcport -> source TCP port
  • srcos -> source's OS (woot!)
  • dstip -> destination IP (which is my machine's)
  • dstport -> the destination port which the TCP connection was initiated to
  • srclink -> the internet link of the source machine
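The same extraction and link-type count, as an added example in Python rather than the post's own Splunk search, for when you want to run it over a p0f log without Splunk.  The log lines are constructed to look like p0f v2 "-o logfile" output (documentation addresses, not real captures) and are not from the original post; the timestamp and "distance" parts are treated as optional so the regex also matches lines written without them.

```python
import re
from collections import Counter

# Constructed sample of p0f v2 "-o logfile" output. These are NOT real captures:
# addresses are RFC 5737 documentation ranges and the OS/link labels are chosen
# to match names that appear in the post.
SAMPLE_P0F_LOG = """\
<Thu Jul  8 10:01:02 2010> 198.51.100.23:51234 - Windows XP SP1+, 2000 SP3 -> 203.0.113.5:80 (distance 12, link: ethernet/modem)
<Thu Jul  8 10:01:09 2010> 198.51.100.77:40022 - Linux 2.6 (newer, 1) (up: 1440 hrs) -> 203.0.113.5:22 (distance 9, link: pppoe (DSL))
<Thu Jul  8 10:02:30 2010> 192.0.2.200:1025 - UNKNOWN [S4:128:1:48:M1460,N,N,S:.:?:?] -> 203.0.113.5:443 (distance 20, link: unknown)
<Thu Jul  8 10:03:45 2010> 198.51.100.9:33100 - FreeBSD 8.x (1) -> 203.0.113.5:80 (distance 5, link: ethernet/modem)
<Thu Jul  8 10:04:01 2010> 203.0.113.77:50500 - Linux 2.6 (newer, 2) (up: 3 hrs) -> 203.0.113.5:80 (distance 1, link: unspecified)
<Thu Jul  8 10:05:13 2010> 198.51.100.42:61000 - Windows XP SP1+, 2000 SP3 (2) -> 203.0.113.5:80 (distance 7, link: Google/AOL)
"""

# One expression doing the job of the three Splunk rex commands.
# - srcos is delimited by " -> " (not the first " ("), so OS labels without a
#   parenthesised detail do not swallow the destination address.
# - srclink runs to the final ")" because link names may contain parentheses.
# - The "<timestamp> " prefix and "distance N, " are optional.
P0F_LINE = re.compile(
    r"^(?:<(?P<ts>[^>]*)> )?"
    r"(?P<srcip>[^:\s]+):(?P<srcport>\d+) - "
    r"(?P<srcos>.+?) -> "
    r"(?P<dstip>[^:\s]+):(?P<dstport>\d+) "
    r"\((?:distance (?P<distance>\d+), )?link: (?P<srclink>.*)\)$"
)

# Same filter as the Splunk `regex srclink!="(unspecified|unknown)"` step.
IGNORED_LINKS = {"unspecified", "unknown"}


def parse_p0f_line(line):
    """Return a dict of fields for one p0f v2 log line, or None if it does not match."""
    m = P0F_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["srcport"] = int(rec["srcport"])
    rec["dstport"] = int(rec["dstport"])
    rec["distance"] = int(rec["distance"]) if rec["distance"] is not None else None
    return rec


def link_profile(log_text):
    """Equivalent of the whole Splunk search: count link types, dropping
    unspecified/unknown. Returns (link, count) pairs sorted by count, like
    `top limit=0 srclink`."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_p0f_line(line)
        if rec is None or rec["srclink"] in IGNORED_LINKS:
            continue
        counts[rec["srclink"]] += 1
    return counts.most_common()


if __name__ == "__main__":
    # Point this at a real p0f log (open(path).read()) to profile your own clients.
    for link, n in link_profile(SAMPLE_P0F_LOG):
        print(f"{n:4d}  {link}")
```

Lines that do not match the pattern (p0f's startup banner, truncated writes) are skipped rather than raising, which is what you want when tailing a live log.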

After filtering out the "unspecified" and "unknown" links, the list of detected links is as follows (the table from the original post is not reproduced here):

"ethernet/modem" covers plain Ethernet and most cable connections.  There are some interesting entries in the list though, like vtun, pppoe, Google/AOL and IPv6/IPIP (early adopters? haha).  I have no idea what IPSec/GRE or vLAN mean in this context, though.  One caveat when reading these labels: p0f v2 does not see the link itself; it infers the link from the MSS the client advertised in its SYN (MSS plus 40 gives an MTU, which it looks up in a table), so "IPSec/GRE" or "vLAN" only means the MTU matched the overhead of that encapsulation somewhere on the path.

Just for the heck of it, here's the chart for this table, generated from the reports link in Splunk (the chart image is not reproduced here).

I like the Splunk charts because they allow some interaction with simple datasets, but I digress :P

8 Jul 2010

Doing geolocation lookups in command line

Did you know that you can do your own GeoIP lookups from the Linux command line?

On Ubuntu/Debian, install the geoip-bin package via APT:

sudo apt-get install geoip-bin

After that, a lookup is as simple as:

$ geoiplookup 8.8.8.8
GeoIP Country Edition: US, United States

Note that the lookups are based on the GeoLite Country database that ships with the package, so the results are only as current as the .dat file on disk; refresh it if you rely on it.  For city-level or more detailed lookups you need a bigger database (geoiplookup -f /path/to/database.dat points the tool at another GeoIP .dat file), and the most detailed ones are paid.

7 Jul 2010

Converting IDNs in Ubuntu

The start of Internationalized Domain Names (IDNs) sparked my interest, since an IDN has to be converted to punycode in order to work with existing DNS systems and applications, which only handle ASCII.

Searching Ubuntu's package archive for IDN-related tools:

$ apt-cache search punycode

libidn11 - GNU Libidn library, implementation of IETF IDN specifications
libidn11-dev - Development files for GNU Libidn, an IDN library
idn - Command line and Emacs interface to GNU Libidn
libidn11-java - Java port of the GNU Libidn library, an IDN implementation
libidna-punycode-perl - encodes Unicode string in Punycode

There's the idn package, which encodes IDNs to punycode from the command line (idn --quiet suppresses the licence banner shown below, and idn --idna-to-unicode converts an xn-- name back).

Doing an install...

$ sudo apt-get install idn -y

And trying it out!

$ idn правительство.рф

libidn 1.15
Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Simon Josefsson.
GNU Libidn comes with NO WARRANTY, to the extent permitted by law.
You may redistribute copies of GNU Libidn under the terms of
the GNU Lesser General Public License.  For more information
about these matters, see the file named COPYING.LIB.
xn--80aealotwbjpid2k.xn--p1ai

And resolving the domain...

$ nslookup xn--80aealotwbjpid2k.xn--p1ai

Non-authoritative answer:
Name:	xn--80aealotwbjpid2k.xn--p1ai
Address: 95.173.135.62

Note that resolving the Unicode domain directly produces rubbish: nslookup sends the raw UTF-8 bytes of each label as-is (shown below as \DDD decimal escapes), which is not the name that was registered, so the address it comes back with is not the site's (compare 95.173.135.62 from the punycode lookup above).

$ nslookup правительство.рф

Non-authoritative answer:
Name:	\208\191\209\128\208\176\208\178\208\184\209\130\208\181\208\187\209\140\209\129\209\130\208\178\208\190.\209\128\209\132
Address: 67.215.65.132

So, basically, applications must resolve the punycode-encoded form of the IDN (IDNA ToASCII: nameprep, then punycode each non-ASCII label and prefix it with "xn--"), NOT the original Unicode name; the resolver will happily ship whatever bytes it is given and answer for a name that does not exist.  There are tools out there already that do the conversion for us.

Since Ubuntu's packages come from Debian, the same packages are available there too.
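The same conversion done in code, as an added example that is not part of the original post.  Python's standard-library "idna" codec (an IDNA 2003 implementation, like the libidn version used above) does ToASCII/ToUnicode; the dns_escape helper reproduces the \DDD rendering nslookup printed for the raw-UTF-8 query, so you can see exactly which octets went out on the wire when the name was not converted first.  The escaping rule is simplified to the case on the page (non-printable octets as three-digit decimal escapes); BIND's other escapes such as "\." for a dot inside a label are not handled.

```python
def to_punycode(name):
    """IDNA ToASCII on every label: the form an application must put in a DNS query."""
    return name.encode("idna").decode("ascii")


def from_punycode(name):
    """Reverse direction (ToUnicode), for displaying xn-- names found in logs."""
    return name.encode("ascii").decode("idna")


def dns_escape(name):
    """Render a name the way BIND's nslookup printed it in the post: the raw UTF-8
    octets of each label, printable ASCII as-is, everything else as \\DDD with DDD
    the octet value in decimal (RFC 1035 style). Simplified: backslash and dots
    inside labels are not escaped, which this example does not need."""
    out = []
    for b in name.encode("utf-8"):
        if 0x21 <= b <= 0x7E and b != 0x5C:
            out.append(chr(b))
        else:
            out.append(f"\\{b:03d}")
    return "".join(out)


if __name__ == "__main__":
    idn = "правительство.рф"           # the name from the post
    ascii_form = to_punycode(idn)
    print("query this:   ", ascii_form)
    print("round trip:   ", from_punycode(ascii_form))
    print("raw query was:", dns_escape(idn))
```

The round trip matters operationally as well as for resolution: when a punycode name shows up in proxy or DNS logs, decode it before deciding whether it is the site you think it is.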