View difference between Paste ID: 4kEaB1x5 and SwgnkAhQ
SHOW: | | - or go back to the newest paste.
1-
##########
1+
##############################
2-
# VMWare #
2+
# Intro to Routing/Switching #
3-
##########
3+
##############################
4-
- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.
4+
5
http://www.brianlinkletter.com/imunes-on-linux/
6-
- http://www.vmware.com/ap/products/player.html
6+
7
8
sudo apt-get install -y openvswitch-switch xterm wireshark ImageMagick tcl tcllib tk user-mode-linux
9-
- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.
9+
10
wget -qO- https://get.docker.com/ | sh
11
12
sudo usermod -aG docker strategicsec
13-
#########################
13+
14-
# Class Virtual Machine #
14+
sudo service docker start
15-
#########################
15+
16
sudo docker run -v /usr/local/bin:/target jpetazzo/nsenter
17
18-
Here is the VMWare virtual machine for the class:
18+
sudo git clone https://github.com/imunes/imunes.git
19
20-
https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
20+
cd imunes
21-
user:      infosecaddicts
21+
22-
pass:      infosecaddicts
22+
sudo make install
23
24
sudo imunes -p
25
26
sudo imunes
27
28-
---------------------------Type This-----------------------------------
28+
29-
cd ~/Desktop/
29+
30
Now build the following topologies referenced here:
31-
mkdir suspiciouspcap/
31+
http://www.technig.com/packet-tracer-ccna-practical-labs/
32
33-
cd suspiciouspcap/
33+
34
35-
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
35+
36
# Intro to IPv6 #
37-
wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl
37+
38
Reference:
39
https://www.linux.com/learn/ipv6-crash-course-linux
40
https://www.digitalocean.com/community/tutorials/how-to-configure-tools-to-use-ipv6-on-a-linux-vps
41
http://www.tomicki.net/ipv6.router.php
42
43
####################
44
# Intro to TCPDump #
45
####################
46
http://www.binarytides.com/tcpdump-tutorial-sniffing-analysing-packets/
47
48
sudo apt-get install tcpdump
49-
for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u
49+
50-
------------------------------------------------------------------------
50+
51
52
Basic sniffing
53
54
sudo tcpdump -n
55
56
57-
---------------------------Type This-----------------------------------
57+
58
sudo tcpdump -v -n
59
60
61
62
Getting the ethernet header (link layer headers)
63-
--------------
63+
64-
---------------------------Type This-----------------------------------
64+
65
sudo tcpdump -vv -n -e
66
67
68
Sniffing a particular interface
69-
---------------------------Type This-----------------------------------
69+
70
In order to sniff a particular network interface we must specify it with the -i switch. First lets get the list of available interfaces using the -D switch.
71
sudo tcpdump -D
72
73
74
Filtering packets using expressions
75-
------------------------------------------------
75+
Selecting protocols
76
77-
---------------------------Type This-----------------------------------
77+
78
79-
------------------------------------------------------------------------
79+
80
Particular host or port
81
82-
-------------------------------
82+
83
84-
---------------------------Type This-----------------------------------
84+
85
86-
------------------------------------------------------------------------
86+
87
Next example picks up dns request packets, either those packets which originate from local machine and go to port 53 of some other machine.
88-
Filtering packets using expressions - Selecting protocols
88+
89-
---------------------------------------------------------
89+
90-
---------------------------Type This-----------------------------------
90+
91
92-
------------------------------------------------------------------------
92+
93
94
$ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'
95-
-----------------------
95+
96
97-
---------------------------Type This-----------------------------------
97+
98
99-
------------------------------------------------------------------------
99+
100
101
$ sudo tcpdump -n -A | grep -e 'POST'
102-
---------------------------Type This-----------------------------------
102+
103
104-
------------------------------------------------------------------------
104+
105
Here is quick example to sniff passwords using egrep
106
107-
---------------------------Type This-----------------------------------
107+
108
tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
109-
------------------------------------------------------------------------
109+
110
111
####################
112
# Advanced TCPDump #
113
####################
114-
---------------------------Type This-----------------------------------
114+
https://danielmiessler.com/study/tcpdump/
115
116-
------------------------------------------------------------------------
116+
-i any : Listen on all interfaces just to see if you’re seeing any traffic.
117
-i eth0 : Listen on the eth0 interface.
118
-D : Show the list of available interfaces
119
-n : Don’t resolve hostnames.
120
-nn : Don’t resolve hostnames or port names.
121-
---------------------------Type This-----------------------------------
121+
-q : Be less verbose (more quiet) with your output.
122
-X : Show the packet’s contents in both hex and ASCII.
123-
------------------------------------------------------------------------
123+
-XX : Same as -X, but also shows the ethernet header.
124
-v, -vv, -vvv : Increase the amount of packet information you get back.
125
-c : Only get x number of packets and then stop.
126
icmp : Only get ICMP packets.
127
-s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
128
-S : Print absolute sequence numbers.
129
-e : Get the ethernet header as well.
130
-q : Show less protocol information.
131
-E : Decrypt IPSEC traffic by providing an encryption key.
132-
---------------------------Type This-----------------------------------
132+
133
134-
------------------------------------------------------------------------
134+
135
Basic communication // see the basics without many options
136
# tcpdump -nS
137-
---------------------------Type This-----------------------------------
137+
138
Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help
139-
------------------------------------------------------------------------
139+
# tcpdump -nnvvS
140
141
A deeper look at the traffic // adds -X for payload but doesn’t grab any more of the packet
142
# tcpdump -nnvvXS
143
144
Heavy packet viewing // the final “s” increases the snaplength, grabbing the whole packet
145
# tcpdump -nnvvXSs 1514
146-
---------------------------Type This-----------------------------------
146+
147
Here’s a capture of exactly two (-c2) ICMP packets (a ping and pong) using some of the options described above. Notice how much we see about each packet.
148-
------------------------------------------------------------------------
148+
149
hermes root # tcpdump -nnvXSs 0 -c2 icmp
150
151
152-
---------------------------Type This-----------------------------------
152+
host // look for traffic based on IP address (also works with hostname if you’re not using -n) 
153
# tcpdump host 1.2.3.4
154-
------------------------------------------------------------------------
154+
155
156
src, dst // find traffic from only a source or destination (eliminates one side of a host conversation) 
157
# tcpdump src 2.3.4.5 
158-
---------------------------Type This-----------------------------------
158+
# tcpdump dst 3.4.5.6
159
160
161
net // capture an entire network using CIDR notation 
162-
------------------------------------------------------------------------
162+
# tcpdump net 1.2.3.0/24
163
164
165-
(SMTP).
165+
proto // works for tcp, udp, and icmp. Note that you don’t have to type proto 
166-
---------------------------Type This-----------------------------------
166+
# tcpdump icmp
167
168
169
port // see only traffic to or from a certain port 
170-
------------------------------------------------------------------------
170+
# tcpdump port 3389
171
172
src, dst port // filter based on the source or destination port 
173
# tcpdump src port 1025 # tcpdump dst port 389
174
175
src/dst, port, protocol // combine all three 
176
# tcpdump src port 1025 and tcp 
177
# tcpdump udp and src port 53
178
179-
---------------------------Type This-----------------------------------
179+
180
You also have the option to filter by a range of ports instead of declaring them individually, and to only see packets that are above or below a certain size.
181
182
Port Ranges // see traffic to any port in a range 
183
tcpdump portrange 21-23
184
185
Packet Size Filter // only see packets below or above a certain size (in bytes) 
186
tcpdump less 32 
187
tcpdump greater 128
188
[ You can use the symbols for less than, greater than, and less than or equal / greater than or equal signs as well. ]
189
190
// filtering for size using symbols 
191
tcpdump > 32 
192
tcpdump <= 128
193
194
195
The traffic captured in this way is stored in tcpdump format, which is pretty much universal in the network analysis space. This means it can be read in by all sorts of tools, including Wireshark, Snort, etc.
196
197
Capture all Port 80 Traffic to a File
198
199
# tcpdump -s 1514 port 80 -w capture_file
200
201
Then, at some point in the future, you can then read the traffic back in like so:
202
203
Read Captured Traffic back into tcpdump
204
205
# tcpdump -r capture_file
206
207
Getting Creative
208
209
Expressions are nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you’re looking for. There are three ways to do combinations, and if you’ve studied computers at all they’ll be pretty familar to you:
210
211
AND 
212
and or &&
213
OR 
214
or or ||
215
EXCEPT 
216
not or !
217
More Examples
218
219
# TCP traffic from 10.5.2.3 destined for port 3389
220
221
tcpdump -nnvvS src 10.5.2.3 and dst port 3389
222
223
# Traffic originating from the 192.168 network headed for the 10 or 172.16 networks
224
225
tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
226-
---------------------------Type This-----------------------------------
226+
227-
cd ~/Desktop/suspiciouspcap/
227+
# Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network
228
229
tcpdump -nvvXSs 1514 dst 192.168.0.2 and src net and not icmp
230
231-
sudo pip install cmd2==0.7.9
231+
# Traffic originating from Mars or Pluto that isn’t to the SSH port
232
233
tcpdump -vv src mars and not dst port 22
234-
python forensicPCAP.py suspicious-time.pcap
234+
235-
------------------------------------------------------------------------
235+
As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what you’re looking for and then to build the syntax to isolate that specific type of traffic.
236
237
Grouping
238-
---------------------------Type This-----------------------------------
238+
239
Also keep in mind that when you’re building complex queries you might have to group your options using single quotes. Single quotes are used in order to tell tcpdump to ignore certain special characters — in this case the “( )” brackets. This same technique can be used to group using other expressions such as host, port, net, etc. Take a look at the command below:
240-
------------------------------------------------------------------------
240+
241
# Traffic that’s from 10.0.2.4 AND destined for ports 3389 or 22 (incorrect)
242
243-
---------------------------Type This-----------------------------------
243+
tcpdump src 10.0.2.4 and (dst port 3389 or 22)
244
245-
------------------------------------------------------------------------
245+
If you tried to run this otherwise very useful command, you’d get an error because of the parenthesis. You can either fix this by escaping the parenthesis (putting a \ before each one), or by putting the entire command within single quotes:
246
247
# Traffic that’s from 10.0.2.4 AND destined for ports 3389 or 22 (correct)
248-
---------------------------Type This-----------------------------------
248+
249
tcpdump ‘src 10.0.2.4 and (dst port 3389 or 22)’
250
251
Advanced
252-
------------------------------------------------------------------------
252+
253
You can also filter based on specific portions of a packet, as well as combine multiple conditions into groups. The former is useful when looking for only SYNs or RSTs, for example, and the latter for even more advanced traffic isolation.
254
255-
---------------------------Type This-----------------------------------
255+
[ Hint: An anagram for the TCP flags: Unskilled Attackers Pester Real Security Folk ]
256
257
Show me all URGENT (URG) packets…
258
259-
---------------------------Type This-----------------------------------
259+
# tcpdump ‘tcp[13] & 32!=0‘
260
261
Show me all ACKNOWLEDGE (ACK) packets…
262-
---------------------------Type This-----------------------------------
262+
263
# tcpdump ‘tcp[13] & 16!=0‘
264
265
Show me all PUSH (PSH) packets…
266-
------------------------------------------------------------------------
266+
267
# tcpdump ‘tcp[13] & 8!=0‘
268
269
Show me all RESET (RST) packets…
270
271
# tcpdump ‘tcp[13] & 4!=0‘
272-
------------------------------------------------------------------------
272+
273
Show me all SYNCHRONIZE (SYN) packets…
274
275
# tcpdump ‘tcp[13] & 2!=0‘
276-
---------------------------Type This-----------------------------------
276+
277
Show me all FINISH (FIN) packets…
278
279
# tcpdump ‘tcp[13] & 1!=0‘
280-
------------------------------------------------------------------------
280+
281
Show me all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets…
282
283
# tcpdump ‘tcp[13]=18‘
284
285
[ Note: Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump‘s flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field ]
286
287-
# Understanding Snort rules #
287+
Keep in mind the reasons these filters work. The filters above find these various packets because tcp[13] looks at offset 13 in the TCP header, the number represents the location within the byte, and the !=0 means that the flag in question is set to 1, i.e. it’s on.
288
289-
Field 1: Action - Snort can process events in 1 of 3 ways (alert, log, drop)
289+
As with most powerful tools, however, there are multiple ways to do things. The example below shows another way to capture packets with specific TCP flags set.
290
291-
Field 2: Protocol - Snort understands a few types of traffic (tcp, udp, icmp)
291+
Capture TCP Flags Using the tcpflags Option…
292
293-
Field 3: Source IP (can be a variable like $External_Net, or an IP, or a range)
293+
# tcpdump ‘tcp[tcpflags] & & tcp-syn != 0‘
294
295-
Field 4: Source Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
295+
Specialized Traffic
296
297-
Field 5: Traffic Direction (->)
297+
Finally, there are a few quick recipes you’ll want to remember for catching specific and specialized traffic, such as IPv6 and malformed/likely-malicious packets.
298
299-
Field 6: Destination IP (can be a variable like $External_Net, or an IP, or a range)
299+
IPv6 traffic
300
301-
Field 7: Destination Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
301+
# tcpdump ip6
302
303-
Field 8: MSG - what is actually displayed on the analysts machine
303+
Packets with both the RST and SYN flags set (why?)
304
305
# tcpdump ‘tcp[13] = 6’
306-
Let's look at 2 simple rules
306+
307-
----------------------------------------------------------------------------------
307+
Traffic with the ‘Evil Bit’ Set
308-
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:”NETBIOS DCERPC ISystemActivator \
308+
309-
bind attempt”; flow:to_server,established; content:”|05|”; distance:0; within:1; \
309+
# tcpdump ‘ip[6] & 128 != 0‘
310-
content:”|0b|”; distance:1; within:1; byte_test:1,&,1,0,relative; content:”|A0 01 00 \
310+
311-
00 00 00 00 00 C0 00 00 00 00 00 00 46|”; distance:29; within:16; \
311+
312-
reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
312+
313
# NGrep #
314-
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:”NETBIOS SMB DCERPC ISystemActivator bind \
314+
315-
attempt”; flow:to_server,established; content:”|FF|SMB|25|”; nocase; offset:4; \
315+
http://www.binarytides.com/search-network-traffic-ngrep-tutorial/
316-
depth:5; content:”|26 00|”; distance:56; within:2; content:”|5c \
316+
317-
00|P|00|I|00|P|00|E|00 5c 00|”; nocase; distance:5; within:12; content:”|05|”; \
317+
318-
distance:0; within:1; content:”|0b|”; distance:1; within:1; \
318+
319-
byte_test:1,&,1,0,relative; content:”|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 \
319+
320-
46|”; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; \
320+
321-
sid:2193; rev:1;)
321+
322-
----------------------------------------------------------------------------------
322+
323
324
In the above command :
325
a) tcp and port 80 - is the bpf filter (Berkeley Packet Filter) , that sniffs only TCP packet with port number 80
326-
From your Linux machine ping your Windows machine
326+
327-
---------------------------Type This-----------------------------------
327+
328-
ping 192.168.150.1
328+
329-
-----------------------------------------------------------------------
329+
330
331
$ sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
332-
Start wireshark and let's create some simple filters:
332+
333
The l option makes the output buffered and the q option is for quiet ( Be quiet; don't output any information other than packet headers and their payloads (if relevant) ).
334-
Filter 1:
334+
335-
---------------------------Type This-----------------------------------
335+
336-
ip.addr==192.168.150.1
336+
337-
-----------------------------------------------------------------------
337+
338
339-
Filter 2:
339+
340-
---------------------------Type This-----------------------------------
340+
341-
ip.addr==192.168.150.1 && icmp
341+
342-
-----------------------------------------------------------------------
342+
343
$ sudo ngrep -d any port 25
344
This will let you monitor all activity crossing source or destination port 25
345-
Filter 3:
345+
(SMTP). 
346-
---------------------------Type This-----------------------------------
346+
347-
ip.addr==192.168.150.1 && !(tcp.port==22)
347+
348-
-----------------------------------------------------------------------
348+
349-
Now stop your capture and restart it (make sure you keep the filter)
349+
350
351
352
###############
353
# NTop Basics #
354-
Back to your Linux machine:
354+
###############
355-
[ CTRL-C ] - to stop your ping
355+
356-
---------------------------Type This-----------------------------------
356+
https://www.maketecheasier.com/install-configure-ntop/
357-
wget http://downloads.securityfocus.com/vulnerabilities/exploits/oc192-dcom.c
357+
358
359
360-
gcc -o exploit oc192-dcom.c
360+
361
# PCAP Analysis #
362-
./exploit
362+
363
cd /home/malware/Desktop/Browser\ Forensics
364
 
365-
./exploit -d 192.168.150.1 -t 0
365+
ls | grep pcap
366-
 -----------------------------------------------------------------------
366+
367
perl chaosreader.pl suspicious-time.pcap
368
 
369
firefox index.html
370-
Now go back to WireShark and stop the capture.
370+
371
cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
372
 
373
cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
374-
###############################################
374+
375-
# Packet Analysis/Network Forensics Challenge #
375+
376-
###############################################
376+
     malware  
377
 
378-
In order to receive your certificate of proficiency you must complete all of the tasks covered in the Packet Analysis/Network Forensics pastebin (http://pastebin.com/SwgnkAhQ).
378+
379
for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u
380-
Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-PA-NF-Challenge.docx)
380+
381
 
382
 
383
 
384
 
385-
IMPORTANT NOTE:
385+
386-
Your homework/challenge must be submitted via email to both (joe-at-strategicsec-.-com and kasheia-at-strategicsec-.-com) by Sunday October 23rd at midnight EST.
386+
387
#############################
388
tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
389
 
390
 
391
tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
392
 
393
 
394
tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
395
 
396
 
397
tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
398
 
399
 
400
tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
401
 
402
tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq
403
 
404
tshark -r suspicious-time.pcap -qz ip_hosts,tree
405
 
406
tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
407
 
408
tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
409
 
410
 
411
whois rapidshare.com.eyu32.ru
412
 
413
whois sploitme.com.cn
414
 
415
 
416
tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
417
 
418
tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
419
 
420
tshark -r suspicious-time.pcap -qz http_req,tree
421
 
422
tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
423
 
424
tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
425
 
426
 
427
 
428
######################################
429
# PCAP Analysis with forensicPCAP.py #
430
######################################
431
cd ~/Desktop
432
wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
433
 
434
sudo easy_install cmd2
435
     malware
436
 
437
python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap
438
 
439
ForPCAP >>> help
440
 
441
 
442
Prints stats about PCAP
443
ForPCAP >>> stat
444
 
445
 
446
Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
447
ForPCAP >>> dns
448
 
449
ForPCAP >>> show
450
 
451
 
452
Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
453
ForPCAP >>> dstports
454
 
455
ForPCAP >>> show
456
 
457
 
458
Prints the number of ip source and store them.
459
ForPCAP >>> ipsrc
460
 
461
ForPCAP >>> show
462
 
463
 
464
Prints the number of web's requests and store them
465
ForPCAP >>> web
466
 
467
ForPCAP >>> show
468
 
469
Prints the number of mail's requests and store them
470
ForPCAP >>> mail
471
 
472
ForPCAP >>> show
473
474
475
###############
476
# Snort Build #
477
###############
478
http://computer-outlines.over-blog.com/article-nids-snort-barnyard2-apache2-base-with-ubuntu-14-04-lts-123532107.html
479
480
481
###################
482
# Surricata Build #
483
###################
484
https://gist.github.com/cleesmith/3ae872eb46d1ea102667