TCPDump Composer

Use simple pythonic syntax to compose TCPDump expressions

Examples



Ping requests coming from blacklisted IP spaces

    net1 = Expr(NET_SRC, '217.4.0.0/18')
    net2 = Expr(NET_SRC, '203.0.0.0/24')
    # a ping request is an ICMP echo request
    proto = Expr(ICMP) and Expr(ICMP.ECHO)

    final = proto and (net1 or net2)


    Compile(final)

All outbound SSH, RDP, TELNET, or FTP initiations coming from a suspected compromised host, HTTP POST requests to suspicious networks from the suspected compromised host, and all inbound traffic from a not-well-known source port to the compromised host

    host = '10.0.5.13'
    # FTP (20, 21), SSH (22), TELNET (23), RDP (3389)
    propagation_ports = (Expr(PORT, 20) or Expr(PORT, 21) or Expr(PORT, 22)
                         or Expr(PORT, 23) or Expr(PORT, 3389))
    propagation = Expr(HOST_SRC, host) and propagation_ports

    # HTTP POSTs from the host to the suspicious networks
    net1 = Expr(NET_DST, '217.4.0.0/18')
    net2 = Expr(NET_DST, '203.0.0.0/16')
    http_post = Expr(HOST_SRC, host) and (net1 or net2) and Expr(HTTP.POST)

    # inbound traffic to the host that is not on an approved port
    approved_ports = Expr(PORT, 21) or Expr(PORT, 53) or Expr(PORT, 135) or Expr(PORT, 443)
    inbound = Expr(HOST_DST, host) and not approved_ports

    final = propagation or http_post or inbound


    Compile(final)

All DNS traffic not bound for the internal DNS server on UDP, and all inbound UDP traffic to the suspected compromised host on known suspicious ports

    host = '10.0.1.23'

    # indicator 1 - exfil via DNS
    dns_proto = Expr(UDP)	# approved DNS is UDP to the internal server
    dns_server = Expr(HOST_DST, '10.1.100.5')
    dns_approved = dns_server and dns_proto

    bad_dns = Expr(HOST_SRC, host) and Expr(PORT_DST, 53) and not dns_approved


    # indicator 2 - UDP traffic
    port1 = Expr(PORT_DST, 54321)	# known suspicious port1
    port2 = Expr(PORT_DST, 30003)	# known suspicious port2

    bad_udp = Expr(HOST_DST, host) and Expr(UDP) and (port1 or port2)


    Compile(bad_dns or bad_udp)

All traffic coming from 10.0.1.1 that is not SSH, TELNET, RDP, or ICMP

    src_host_1 = Expr(HOST_SRC, '10.0.1.1')
    # SSH (22), TELNET (23), RDP (3389)
    ports = Expr(PORT, 22) or Expr(PORT, 23) or Expr(PORT, 3389)

    # exclude anything that is on one of those ports or is ICMP
    final_expr = src_host_1 and not (ports or Expr(ICMP))


    Compile(final_expr)
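
The sketch below is an added example, not TCPDump Composer's own code: it shows one way a composer can turn Python expressions into a tcpdump filter string, applied to the DNS/UDP scenario above. `Term`, `src_host`, `dst_host`, `dst_port` and `dns_and_udp_filter` are hypothetical names. It combines terms with `&`, `|` and `~` because Python does not allow `and`, `or` and `not` to be overloaded, and it rejects truthiness tests so a clause cannot be dropped silently.

```python
# Added sketch; Term and the helper names are hypothetical, not the project's API.
class Term:
    """One fragment of a tcpdump (pcap-filter) expression."""

    def __init__(self, text, op=None):
        self.text, self.op = text, op   # op: None (primitive), "and", "or", "not"

    def _operand(self, parent_op):
        # Parenthesise a compound operand unless it repeats the parent operator.
        if self.op in ("and", "or") and self.op != parent_op:
            return f"({self.text})"
        return self.text

    def _join(self, op, other):
        return Term(f"{self._operand(op)} {op} {other._operand(op)}", op)

    def __and__(self, other):
        return self._join("and", other)

    def __or__(self, other):
        return self._join("or", other)

    def __invert__(self):
        return Term(f"not {self._operand('not')}", "not")

    def __bool__(self):
        # `a and b` would otherwise evaluate to just `b` and drop a clause.
        raise TypeError("combine terms with &, | and ~")

    def __str__(self):
        return self.text


def src_host(ip): return Term(f"src host {ip}")
def dst_host(ip): return Term(f"dst host {ip}")
def dst_port(n): return Term(f"dst port {n}")
UDP = Term("udp")


def dns_and_udp_filter(host="10.0.1.23", dns_server="10.1.100.5"):
    """DNS/UDP scenario from this page, using the page's addresses and ports."""
    approved_dns = dst_host(dns_server) & UDP
    bad_dns = src_host(host) & dst_port(53) & ~approved_dns
    bad_udp = dst_host(host) & UDP & (dst_port(54321) | dst_port(30003))
    return str(bad_dns | bad_udp)


if __name__ == "__main__":
    print(dns_and_udp_filter())
```

The returned string can be passed to tcpdump as its filter expression.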