Suri_Cato
(Suri Cato Yaml (Alfon @seguridadyredes))
March 28, 2020, 8:47am
1
-Remote: Windows 7/10.
-Local: Ubuntu 18.04
-SSH into VPN
ssh windump@192.168.1.29 -p2223 'C:/tmp/WinDump.exe -i1 -s0 -U -w - icmp and not port 2223' | sed '1d' | stdbuf -oL tcpdump -nn -r - -w - | stdbuf -oL suricata -knone -c /etc/suricata/suricata_no_dataset.yaml -l ./ -r /dev/stdin -l ./win7_su_log
Best regards,
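The pipeline above depends on the bytes reaching tcpdump starting with a valid pcap global header, which is what the `sed '1d'` step is there for: it drops one leading line that the remote shell emits before the capture stream. The following is an added example, not code from the original post or from WinDump, tcpdump or Suricata. It builds a constructed pcap (one Ethernet/IPv4/ICMP echo request) with a constructed banner line in front of it, then locates the pcap magic number instead of assuming exactly one junk line, parses the global header and packet records, and counts the ICMP packets. The magic-number and link-type constants are from the pcap file format; the addresses, timestamps and banner text are made up for the example.

```python
"""Added example: check and clean a pcap byte stream before feeding it on.

Not part of the original post. Demonstrates why the first bytes of the
stream matter (the pcap global header opens with a magic number) and gives
a more robust alternative to `sed '1d'`: scan for the magic number rather
than dropping a fixed number of lines.
"""
import struct

# pcap magic numbers (file-format constants): microsecond and nanosecond
# timestamp variants, in both byte orders.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),  # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", "us"),  # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", "ns"),  # big-endian, nanoseconds
}
LINKTYPE_ETHERNET = 1

# Constructed banner: stands in for whatever a remote shell prints before
# the capture tool starts writing pcap bytes to stdout.
SAMPLE_BANNER = b"banner line from the remote shell\r\n"


def find_pcap_start(data: bytes) -> int:
    """Offset of the first pcap magic number in data, or -1 if none.

    Safer than `sed '1d'`: that assumes exactly one line of junk and would
    corrupt a stream that is already clean (or has two banner lines).
    """
    hits = [data.find(m) for m in PCAP_MAGICS]
    hits = [h for h in hits if h != -1]
    return min(hits) if hits else -1


def clean_stream(raw: bytes) -> bytes:
    """Return raw from the first pcap header onward; raise if none is found."""
    start = find_pcap_start(raw)
    if start < 0:
        raise ValueError("no pcap global header found in stream")
    return raw[start:]


def parse_pcap(data: bytes) -> list:
    """Parse a clean pcap byte string into a list of (ts_sec, frame) tuples."""
    endian, _unit = PCAP_MAGICS[data[:4]]
    # Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    _magic, vmaj, vmin, _tz, _sig, _snap, linktype = struct.unpack(
        endian + "IHHiIII", data[:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError(f"unexpected pcap version {vmaj}.{vmin}")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unexpected link type {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        # Record header: ts_sec, ts_frac, captured length, original length
        ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        packets.append((ts_sec, frame))
        off += incl_len
    return packets


def is_icmp(frame: bytes) -> bool:
    """True if an Ethernet frame carries IPv4 whose protocol field is 1 (ICMP)."""
    if len(frame) < 34:
        return False
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return ethertype == 0x0800 and frame[23] == 1


def icmp_packet_count(raw: bytes) -> int:
    """Count ICMP frames in a possibly banner-prefixed pcap stream."""
    return sum(1 for _ts, frame in parse_pcap(clean_stream(raw)) if is_icmp(frame))


def build_sample_stream(with_banner: bool = True) -> bytes:
    """Constructed sample: one ICMP echo request in a little-endian pcap.

    Checksums are left at zero; MACs, IPs and timestamp are made up.
    """
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"suricata-test"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 168, 1, 29]), bytes([192, 168, 1, 10]))
    frame = eth + ip + icmp
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record = struct.pack("<IIII", 1585384020, 0, len(frame), len(frame)) + frame
    stream = header + record
    return (SAMPLE_BANNER + stream) if with_banner else stream


if __name__ == "__main__":
    raw = build_sample_stream()
    print("pcap header found at offset", find_pcap_start(raw))
    print("ICMP packets:", icmp_packet_count(raw))
```

In the real pipeline the cleaned bytes would be written to stdout for `tcpdump -r - -w -` (or directly to Suricata's `-r /dev/stdin`); the parser here is only to make visible what tcpdump silently requires from the first 24 bytes.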
vjulien
(Victor Julien)
March 28, 2020, 11:56am
2
So if I understand correctly this captures traffic on Windows using WinDump.exe, pipes it to a Linux box over ssh which then transforms it to pcap and streams it to Suricata?
Suri_Cato
(Suri Cato Yaml (Alfon @seguridadyredes))
March 28, 2020, 12:05pm
3
Capture on windows (remote) via VPN / SSH and send the captures to the local host. Suricata_IDS runs locally and returns logs to local.
Run local tcpdump and sed to avoid problems with the pcap magic number.
vjulien
(Victor Julien)
March 28, 2020, 12:07pm
4
Nice!
Perhaps a good idea to add links to how to get/install WinDump.exe
and how to setup ssh and permissions on the Windows side?
Suri_Cato
(Suri Cato Yaml (Alfon @seguridadyredes))
March 28, 2020, 12:11pm
5
Yes, I will prepare it.
For GNU/Linux to GNU/Linux, it is simpler.
vjulien
(Victor Julien)
March 28, 2020, 12:17pm
6
Great, thanks. I think it would be the nicest if you update your original post so it contains all the relevant information.
Suri_Cato
(Suri Cato Yaml (Alfon @seguridadyredes))
March 28, 2020, 12:26pm
7
Thanks to you. I will do so