Skip to main content

Arcsight Syslog Connector Test - Scapy

This Python script uses Scapy to generate a UDP syslog frame, in Common Event Format (CEF), simulating a McAfee IPS output following detection of a Java heap buffer overflow attack.

#! /usr/bin/env python

# Note  need to be superuser or root access to run as Scapy sends
# packets to the network card driver, an operation that users with ordinary
# access are not permitted to do.

from scapy.all import *

a = IP(dst="192.168.1.2")
u = UDP(dport=514)
pay = "Aug 1 10:00:00 McAfee CEF:0|McAfee|Network Security Manager|Simulated|44800015|HTTP: Java heap buffer overflow detected|8|dvc=192.186.1.170"
packet = a/u/pay
packet.display()

send(packet)


The UDP packet is sent to the Arcsight CEF syslog connector at 192.168.1.2 for onward transmission to the Arcsight ESM. The Wireshark capture is as follows:


Labels:

Comments

Post a Comment

Popular posts from this blog

Digital Bandpass Filter FIR design - Python

The python code generates the Finite Impulse Response (FIR) filter coefficients for a lowpass filter (LPF) at 10 (Hz) cut off using firwin from scipy.  A highpass filter is then created by subtracting the lowpass filter output(s) from the output of an allpass filter. To do this the coefficients of the LPF are multiplied by -1 and 1 added to the centre tap (to create the allpass filter with subtraction). A second LPF is then created with a cutoff at 15 (Hz) and the bandpass filter formed by addition of the LPF and HPF coefficients. The program also generates a test sine wave of a given amplitude and power and to this noise from a Normal distribution is added.  The graph below shows the signal and nois, and the signal (green) after filtering. The input snr is approximately 3dB. The frequency response below shows the passband centered on 12.5 (Hz), the Nyquist frequency is 50 (Hz). from numpy import cos, sin, pi, absolute, arange from numpy.random import normal fr...
Post a Comment
Read more

GNU Radio Waterfall and CW Filter

The following GNU radio application adds a waterfall spectrogram to the previous CW filter program. The plot show 4 CW signals in the audio band (lower sideband) at 7023 kHz. The 700Hz signal is filtered and output to the laptop headphones by the CW bandpass filter. The frequency display is shown after the script which is as follows: #!/usr/bin/env python from gnuradio import gr from gnuradio import audio from lpf_bpf_class import Bandpass from gnuradio.qtgui import qtgui from PyQt4 import QtGui import sys, sip     class cw_filter(gr.top_block):     def __init__(self):         gr.top_block.__init__(self)           sample_rate = 44100         out_rate = 8000         kaiser = Bandpass()         cw_flr = gr.fir_filter_fff(1, kaiser.bpftaps)         decimate = int...
Post a Comment
Read more

Norton Wideband HF pre-amp

The 20m vertical antenna looks good, VSWR < 1.3 : 1 but RX might be a bit deaf. RX details: 1dB antenna cable loss: + 14MHz to 144MHz SBL-1 mixer (straight 6dB loss) :+ IC 202 144MHz receiver (8dB NF). Hence total receive noise figure is at least 15dB. Built a Norton HF preamp (2n5109) to try and improve situation. (Is this necessary given the noise level at 14MHz? see following. Photo below shows the circuit and the measured cbe voltages resulting from a 13.9v supply. First audible results were however not particularly impressive. The dominant noise is the external noise? and this is in excess of any receiver contribution - even at 15dB noise fugure? But I will look into this and quantify the position. OK, this is a simple circuit and the 50 ohm output load is transformed by the broadband auto transformer to the collector load. The actual turns ratio used was 3 to the tap and then 11 to the collector. The turns ratio is then 14/3 or 4.6 which is the voltage transformation. ...
Post a Comment
Read more