Snort rules content for src and dst address - snort

If I want to alert on this traffic with a Snort rule:
Ethernet II, Src: Xircom_c5:7c:38 (00:10:a4:c5:7c:38), Dst: 3comCorp_a8:61:24 (00:60:08:a8:61:24)
I tried to use:
alert tcp any any -> any any (content:"|00 60 08 a8 61 24|"; content:"|00 10 a4 c5 7c 38|"; nocase; msg:"Alert")
It doesn't seem to work.

Snort does not work at the MAC address level; it works with the TCP, UDP, ICMP and IP protocols.
Your rule is a tcp rule and therefore will have a minimum 20-byte header, possibly up to 60 bytes depending on options.
Since Snort content rules only match in the payload, this means that each of your content terms, content:"|00 60 08 a8 61 24|" and content:"|00 10 a4 c5 7c 38|", will only match after the initial header (20 - 60 bytes).
When exporting a Certificate and Private Key from p12 in Keychain the Private Key is missing in 2023

I am generating a Pass Push Key for Apple (for the purpose of doing passes).
I requested a certificate from a certificate authority, went to the dev portal and added the file that was created to Keychain.
I then exported it by searching in Keychain under Login and My Credentials, selected both keys and exported them as P12.
When I exported it, it was missing the private key, as shown below.
There are multiple tutorials on how to do this (https://code.google.com/archive/p/apns-sharp/wikis/HowToCreatePKCS12Certificate.wiki), (aps_developer_identity.cer to p12 without having to export from Key Chain?) and they all seem to fail with the same problem.
I have rebooted the entire machine after importing the certificate, and I have created 5 different ones with the same problem.
Was there an update in 2023?
Bag Attributes
friendlyName: Pass Type ID: pass.generic.vaultie.io
localKeyID: F0 55 5E C3 AF 1F 69 F9 86 81 BC B5 9E AC 22 DA 26 81 03 F3
subject=/UID=pass.generic.vaultie.io/CN=Pass Type ID: pass.generic.vaultie.io/OU=6G63YAX437/O=Vaultie Inc./C=US
issuer=/CN=Apple Worldwide Developer Relations Certification Authority/OU=G4/O=Apple Inc./C=US
-----BEGIN CERTIFICATE-----
MIIGGTCCBQGgAwIBAgIQNxpLh........
-----END CERTIFICATE-----
Bag Attributes
friendlyName: With-KeyPair
localKeyID: F0 55 5E C3 AF 1F 69 F9 86 81 BC B5 9E AC 22 DA 26 81 03 F3
Key Attributes: <No Attributes>
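An added example, not part of the question: the check that settles whether an exported .p12 actually carries its private key, using the third-party `cryptography` package. The self-signed certificate, the friendly name and the password are constructed here so the script runs offline; point `has_private_key` at a real export to test it.

```python
# Added example (not from the question): build a PKCS#12 bundle with and
# without its private key and check which one actually carries the key.
# Uses the third-party "cryptography" package; the self-signed certificate
# and the password below are constructed here, not taken from the question.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

PASSWORD = b"export-password"  # constructed sample value


def make_self_signed():
    """Generate an RSA key and a throwaway self-signed certificate for it."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Pass Type ID: example")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def export_p12(key, cert, include_key=True):
    """Serialize the cert (and optionally its key) into a password-protected .p12."""
    return pkcs12.serialize_key_and_certificates(
        b"With-KeyPair",
        key if include_key else None,
        cert,
        None,
        serialization.BestAvailableEncryption(PASSWORD),
    )


def has_private_key(p12_bytes, password=PASSWORD):
    """True only if the bundle contains a private key, which is what a pass
    or push certificate needs in order to be usable after export."""
    key, _cert, _chain = pkcs12.load_key_and_certificates(p12_bytes, password)
    return key is not None
```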

HAProxy health check, particularly in mode tcp

I've looked at this previous question, HAProxy health check, and see that the HAProxy directives have changed significantly in this area. The "monitor" directive seems to be the modern way to do this.
I want to have a proxy running in tcp mode that's capable of reporting its availability to clients.
I can have a separate listener in http mode that gives a 200 OK response:
frontend main
    # See "bind" documentation at https://docs.haproxy.org/2.6/configuration.html#4.2-bind
    # The proxy will listen on all interfaces for connections to the specified port.
    # Connections MUST use the Proxy Protocol (v1 or v2).
    # The proxy can also listen on IPv4 and IPv6.
    bind :::5000 accept-proxy
    bind *:5000 accept-proxy
    mode tcp
    # Detailed connection logging
    log global
    option tcplog
    # Only certain hosts (sending MTAs) can use this proxy, enforced via ACL
    acl valid_client_mta_hosts src 127.0.0.1 172.31.25.101
    tcp-request connection reject if !valid_client_mta_hosts
    use_backend out
frontend health_check
    mode http
    bind :::5001
    bind *:5001
    monitor-uri /haproxy_test
    log global # comment this out to omit healthchecks from the logs
However, that seems to admit the possibility that 5001 might be up but there's a problem with 5000.
Is there a way to enable monitoring directly of the mode tcp frontend with recent directives?
Here's a possible workaround:
Use a client that can add the proxy header to ping the tcp front-end.
Make a request toward the proxy health service.
The source and dest of the request can be the "loopback" address.
./happie 35.90.110.253:5000 127.0.0.1:0 127.0.0.1:5001
Sending header version 2
00000000 0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a 21 11 00 0c |.......QUIT.!...|
00000010 7f 00 00 01 7f 00 00 01 00 00 13 89 |............|
HTTP/1.1 200 OK
content-length: 58
cache-control: no-cache
content-type: text/html
<html><body><h1>200 OK</h1>
Service ready.
</body></html>
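The 28-byte PROXY protocol v2 header in the hex dump above, built and decoded in an added example that is not part of the question or of happie. The `probe` helper is the scripted version of the workaround; its host, port and request are placeholders, and what an accept-proxy listener answers depends on the backend it forwards to.

```python
# Added example (not from the question or from happie): build and decode the
# 28-byte PROXY protocol v2 header shown in the dump above, so an
# accept-proxy listener in mode tcp can be health-checked from a script.
import socket
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte v2 signature
VER_CMD_PROXY = 0x21  # version 2, command PROXY
FAM_TCP4 = 0x11       # AF_INET, SOCK_STREAM


def build_proxy_v2_header(src_ip, src_port, dst_ip, dst_port):
    """PROXY v2 header for TCP over IPv4: signature, ver/cmd, family,
    address-block length, then src/dst IPv4 addresses and ports."""
    addrs = struct.pack("!4s4sHH", socket.inet_aton(src_ip),
                        socket.inet_aton(dst_ip), src_port, dst_port)
    return SIGNATURE + struct.pack("!BBH", VER_CMD_PROXY, FAM_TCP4, len(addrs)) + addrs


def parse_proxy_v2_header(data):
    """Decode a TCP/IPv4 PROXY v2 header; anything else is rejected."""
    if data[:12] != SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != VER_CMD_PROXY or fam != FAM_TCP4 or length != 12:
        raise ValueError("unsupported PROXY v2 variant")
    src, dst, sport, dport = struct.unpack("!4s4sHH", data[16:28])
    return socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport


def probe(host, port, request=b"GET /haproxy_test HTTP/1.0\r\n\r\n", timeout=3.0):
    """Connect to an accept-proxy frontend, send the loopback header the
    workaround uses followed by `request`, and return the first reply line.
    Placeholder target; needs network access and is not run by the tests."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_proxy_v2_header("127.0.0.1", 0, "127.0.0.1", 5001))
        s.sendall(request)
        return s.recv(1024).split(b"\r\n", 1)[0].decode(errors="replace")
```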
You can use track for health checks on different ports.
Example code:
backend be_static
    # more config options
    server static_stor host:5000 track be_static_check_stor/static_check more_server_params
# check backend
backend be_static_check_stor
    # more config options
    server static_check host:5001 check more_server_params

Send raw Ethernet frame with custom data after EtherType using nping

I am using nping to send a raw Ethernet frame. I want to send a frame with custom data starting right after the EtherType. However, nping puts the custom data in the middle of the packet. For example, here's my command:
nping --dest-mac <my mac> --ether-type 0xd2d2 -e eth0 --send-eth --data 00010028 192.168.2.10
and here's what I see on the receiver:
0x0000: 8cfd f000 cb16 9410 3eb8 483d d2d2 4500
0x0010: 0020 f412 0000 4001 0169 c0a8 0207 c0a8
0x0020: 020a 0800 9a72 5d61 0003 0001 0028 0000
0x0030: 0000 0000 0000 0000 0000 0000
In the third line I want the 6th and 7th half-words, 0001 0028, to come right after 0xd2d2.
The custom data nping put there is an IP header.
I'm not familiar with nping, but I guess the 192.168.2.10 you put at the end of your command is what's going wrong. It's encoded at the 16th and 17th half-words (destination IP address) as c0a8 020a. Probably nping added the IP header because you specified 192.168.2.10.
Try the command without 192.168.2.10, or with <my mac> instead of 192.168.2.10.
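An added example (not from either thread) that dissects an Ethernet/IPv4 frame header by header to find the transport payload offset. It serves both the Snort question above, since that offset is where a content match starts looking and the MAC bytes at offsets 0-11 are never inspected, and this nping question, since the frame from the receiver dump shows the --data bytes landing at offset 42 behind the IP and ICMP headers nping added. The TCP frame and its payload are constructed; the nping frame is copied from the dump.

```python
# Added example (not from either question or answer): walk an Ethernet/IPv4
# frame header by header to find where the transport payload starts. That
# is the only region a Snort content match inspects, and it is also where
# nping placed the --data bytes behind the IP and ICMP headers it added.
import struct

ETH_HDR_LEN = 14

# Frame copied from the nping receiver dump above (60 bytes incl. padding).
NPING_FRAME = bytes.fromhex(
    "8cfdf000cb1694103eb8483dd2d24500"
    "0020f412000040010169c0a80207c0a8"
    "020a08009a725d610003000100280000"
    "000000000000000000000000"
)


def build_tcp_frame(dst_mac, src_mac, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero because only
    the header lengths matter for this demonstration."""
    tcp = struct.pack("!HHIIBBHHH", 1024, 80, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, bytes([192, 168, 0, 1]), bytes([192, 168, 0, 2]))
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + tcp + payload


def dissect(frame):
    """Return MACs, EtherType, IP protocol and the transport payload offset.
    The IPv4 header is taken from right after the 14-byte Ethernet header
    whatever the EtherType says, which is what the nping frame contains."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("no IPv4 header after the Ethernet header")
    proto = ip[9]
    offset = ETH_HDR_LEN + (ip[0] & 0x0F) * 4   # IHL is in 32-bit words
    if proto == 6:              # TCP: data offset (32-bit words) in byte 12
        offset += (frame[offset + 12] >> 4) * 4
    elif proto in (1, 17):      # ICMP and UDP headers are a fixed 8 bytes
        offset += 8
    return {"dst_mac": dst_mac.hex(), "src_mac": src_mac.hex(),
            "ethertype": ethertype, "proto": proto, "payload_offset": offset}


def content_match(frame, pattern):
    """Mimic a Snort content match: search only the transport payload.
    Returns the payload-relative position, or -1 when not found."""
    return frame[dissect(frame)["payload_offset"]:].find(pattern)
```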

Decipher APDU for OpenPGP smart card applet

I'm implementing data deciphering in my Java application using the javax.smartcardio APIs. I'm using a Yubikey NEO smart card element. I managed to:
Select the OpenPGP applet, CW=9000.
Present the right PIN to the applet, CW=9000.
Encrypt data using the matching certificate with Bouncy Castle.
The encrypted message is OK (or at least usable). I successfully deciphered the ASCII-armored version of it using the gpg tool and the Yubikey.
I'm not able to replicate the same thing with Java.
My encrypted data length is 313 bytes.
I'm sending two APDUs (the Yubikey does not seem to support extended ones).
The result is CW=6f00.
The key is 2048 bits long; I tried truncating the data to 256 bytes as mentioned in the GPG source code, but without any success.
The APDUs I'm using:
10 2a 80 86 ca 00 85 ..data.. d1 99 00 (208 bytes) cw=9000
00 2a 80 86 70 0f e9 ..data.. 71 85 00 (118 bytes) cw=6700
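An added example, not the questioner's Java code: how the chained PSO:DECIPHER command sequence for an RSA key is laid out per the OpenPGP card specification (INS 2A, P1 80, P2 86, data = padding indicator 00 followed by the ciphertext, CLA 10 on every command but the last), with a length check on the data field before it is sent. The 255-byte chunk size, sending Le only on the final command, and the sample ciphertext are assumptions made here.

```python
# Added example (not the questioner's Java code): build the chained
# PSO:DECIPHER command sequence the OpenPGP card spec defines for RSA, and
# check the data field length before anything is sent to the card.
# Chunk size, Le placement and the sample ciphertext are assumptions here.

INS_PSO, P1_DECIPHER, P2_DECIPHER = 0x2A, 0x80, 0x86
CLA_PLAIN, CLA_CHAINING = 0x00, 0x10   # bit 5 of CLA marks "more to come"
RSA_PAD_INDICATOR = 0x00               # OpenPGP card padding indicator for RSA


def is_valid_rsa_ciphertext_len(n, modulus_len=256):
    """RSA ciphertext for PSO:DECIPHER must be exactly one modulus long
    (256 bytes for a 2048-bit key); no headers, no length prefixes."""
    return n == modulus_len


def build_pso_decipher_chain(ciphertext, modulus_len=256, max_chunk=255):
    """Split padding indicator + ciphertext into short APDUs (Lc <= 255) with
    command chaining; returns the list of APDUs in send order."""
    if not is_valid_rsa_ciphertext_len(len(ciphertext), modulus_len):
        raise ValueError(f"RSA ciphertext must be {modulus_len} bytes, got {len(ciphertext)}")
    data = bytes([RSA_PAD_INDICATOR]) + ciphertext
    chunks = [data[i:i + max_chunk] for i in range(0, len(data), max_chunk)]
    apdus = []
    for idx, chunk in enumerate(chunks):
        last = idx == len(chunks) - 1
        cla = CLA_PLAIN if last else CLA_CHAINING
        apdu = bytes([cla, INS_PSO, P1_DECIPHER, P2_DECIPHER, len(chunk)]) + chunk
        if last:
            apdu += b"\x00"  # Le = 00 on the final command: return the plaintext
        apdus.append(apdu)
    return apdus


def reassemble_data(apdus):
    """Inverse check: concatenate the Lc-delimited data fields of a chain,
    which must equal indicator byte + ciphertext."""
    return b"".join(apdu[5:5 + apdu[4]] for apdu in apdus)
```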

Freeswitch and webRTC: media rejected with 488

I can register from my web client to my FreeSWITCH. But when I try to make a call, the call gets rejected with 488 Not Acceptable Here. From the FreeSWITCH console log I'm getting:
2014-07-22 22:03:59.673585 [DEBUG] switch_core_state_machine.c:53 sofia/internal/alice#192.168.146.133 Standard REPORTING, cause: INCOMPATIBLE_DESTINATION
I added
<action application="export" data="rtp_secure_media=true" />
to my extension, but no luck.
Below is the SDP of my INVITE:
v=0
o=Mozilla-SIPUA-31.0 26508 1 IN IP4 0.0.0.0
s=Doubango Telecom - firefox
t=0 0
a=ice-ufrag:13497e25
a=ice-pwd:515d61f08d909117e022674f3dce748e
a=fingerprint:sha-256 2E:CF:7E:8F:EC:1A:F4:B1:D3:CF:39:C3:8A:A0:D0:53:B3:46:00:D0:93:46:53:29:AB:B7:03:83:39:FB:23:32
m=audio 55760 UDP/TLS/RTP/SAVPF 109 0 8 101
c=IN IP4 184.69.59.132
a=rtpmap:109 opus/48000/2
a=ptime:20
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
a=extmap:1 urn:ietf:params:rtp-hdrext:ssrc-audio-level
a=setup:actpass
a=candidate:0 1 UDP 2128609535 172.16.1.188 55760 typ host
a=candidate:1 1 UDP 1692467199 184.69.59.132 55760 typ srflx raddr 172.16.1.188 rport 55760
a=candidate:5 1 UDP 2128543999 192.168.56.1 55761 typ host
a=candidate:10 1 UDP 2128478463 192.168.232.1 55762 typ host
a=candidate:15 1 UDP 2128412927 192.168.146.1 55763 typ host
a=candidate:0 2 UDP 2128609534 172.16.1.188 55764 typ host
a=candidate:1 2 UDP 1692467198 184.69.59.132 55764 typ srflx raddr 172.16.1.188 rport 55764
a=candidate:5 2 UDP 2128543998 192.168.56.1 55765 typ host
a=candidate:10 2 UDP 2128478462 192.168.232.1 55766 typ host
a=candidate:15 2 UDP 2128412926 192.168.146.1 55767 typ host
a=rtcp-mux
Below is my codec list from FreeSWITCH. I don't have Opus installed, but I do have G711 ulaw and alaw:
show codecs
type,name,ikey
codec,ADPCM (IMA),mod_voipcodecs
codec,AMR,mod_amr
codec,G.711 alaw,CORE_PCM_MODULE
codec,G.711 ulaw,CORE_PCM_MODULE
codec,G.722,mod_voipcodecs
codec,G.723.1 6.3k,mod_g723_1
codec,G.726 16k,mod_voipcodecs
codec,G.726 16k (AAL2),mod_voipcodecs
codec,G.726 24k,mod_voipcodecs
codec,G.726 24k (AAL2),mod_voipcodecs
codec,G.726 32k,mod_voipcodecs
codec,G.726 32k (AAL2),mod_voipcodecs
codec,G.726 40k,mod_voipcodecs
codec,G.726 40k (AAL2),mod_voipcodecs
codec,G.729,mod_g729
codec,GSM,mod_voipcodecs
codec,H.261 Video (passthru),mod_h26x
codec,H.263 Video (passthru),mod_h26x
codec,H.263+ Video (passthru),mod_h26x
codec,H.263++ Video (passthru),mod_h26x
codec,H.264 Video (passthru),mod_h26x
codec,LPC-10,mod_voipcodecs
codec,PROXY PASS-THROUGH,CORE_PCM_MODULE
codec,PROXY VIDEO PASS-THROUGH,CORE_PCM_MODULE
codec,Polycom(R) G722.1/G722.1C,mod_siren
codec,RAW Signed Linear (16 bit),CORE_PCM_MODULE
codec,Speex,mod_speex
codec,iLBC,mod_ilbc
What can be the issue?
Based on the logs it could also be a compatibility issue with the m line that has all the transport protocols listed together:
UDP/TLS/RTP/SAVPF. This can be subject to compatibility issues, as mentioned in these threads. Maybe you could try to restrict it to the simpler form and try it, if possible.
https://code.google.com/p/webrtc/issues/detail?id=2796
http://lists.freeswitch.org/pipermail/freeswitch-users/2013-July/097617.html
Most often a 488 rejection is caused by a codec mismatch. Please check the FS and the WebRTC settings. Usually WebRTC uses Opus, so you need to make sure that is selected in the FS config [if possible].
A PCAP of the issue or screenshots of the INVITE and the 488 can help narrow down the problem further.
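An added example, not from the question or either answer, that pulls the transport profile and the offered audio codecs out of an SDP offer and compares them with the codecs the server has, separating the two causes the answers name. The offer is an excerpt of the INVITE SDP quoted in the question; the supported set is assumed from the "show codecs" output (G.711 ulaw/alaw present, no Opus).

```python
# Added example (not from the question or the answers): pull the transport
# profile and the offered audio codecs out of an SDP offer and compare them
# with the codecs the server has, to separate the two 488 causes above.
# OFFER_SDP is an excerpt of the INVITE SDP quoted in the question.
import re

OFFER_SDP = """v=0
o=Mozilla-SIPUA-31.0 26508 1 IN IP4 0.0.0.0
s=Doubango Telecom - firefox
t=0 0
m=audio 55760 UDP/TLS/RTP/SAVPF 109 0 8 101
c=IN IP4 184.69.59.132
a=rtpmap:109 opus/48000/2
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=setup:actpass
a=rtcp-mux
"""

# RFC 3551 static payload types need no rtpmap line.
STATIC_PT = {0: "PCMU", 8: "PCMA"}
# Assumed from the "show codecs" output: G.711 ulaw/alaw present, no Opus.
SERVER_CODECS = {"PCMU", "PCMA"}


def parse_audio_offer(sdp):
    """Return (transport_profile, {payload_type: codec_name}) for m=audio."""
    m = re.search(r"^m=audio \d+ (\S+) ([\d ]+)$", sdp, re.M)
    if not m:
        raise ValueError("no m=audio line in offer")
    profile = m.group(1)
    pts = [int(p) for p in m.group(2).split()]
    names = dict(STATIC_PT)
    for pt, codec in re.findall(r"^a=rtpmap:(\d+) ([^/\r\n]+)/", sdp, re.M):
        names[int(pt)] = codec   # dynamic types are defined by rtpmap lines
    return profile, {pt: names.get(pt, "?") for pt in pts}


def common_codecs(offered, supported):
    """Codecs both sides can use, in the offerer's preference order.
    telephone-event alone is DTMF signalling, not a voice codec."""
    return [c for c in offered.values() if c in supported]
```

Both G.711 codecs are common here while the m line carries UDP/TLS/RTP/SAVPF, which is why the transport-profile answer deserves a look alongside the codec one.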