Microsoft Patch Tuesday June 2010 Pre-Release

Published: 2010-06-03
Last Updated: 2010-06-03 23:26:27 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

Microsoft announced today they will be releasing a total of 10 bulletins addressing 34 vulnerabilities rated important (7) to critical (3) that could allow for remote code execution. Six bulletins affecting all Windows versions (2 critical and 4 important), two affecting Microsoft office XP, 2003 and 2007 (2 important), one affects Windows and Office (important) and one affects Internet Explorer (critical). More details available here.

Two other publicly known security issues will be addressed this month:

Vulnerability in Microsoft SharePoint - Security Advisory 983438

Vulnerability in Internet Explorer - Security Advisory 980088

[1] Microsoft Security Response Center Blog

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

0 comment(s)

Top 10 Things you may not know about tcpdump

Published: 2010-06-03
Last Updated: 2010-06-03 14:57:45 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

"tcpdump" is one of those utilities we take for granted. Ask in any networking class, and more or less everybody has used it before and knows how to use it. tcpdump was first written in 1987 as a research project. Since then, the library behind it (libpcap) and the tool itself have been ported to more or less any operating system out there and have been incorporated into too many tools to count (Bill Stearn tried [1]).

What is often overlooked: tcpdump is still actively developed. Right now, the latest version is 4.1.1 with libpcap version 1.1.1 [2]. Many operating systems use version 4.0 now by default.

So what changed? What are the things you may not know about tcpdump? Here are some of the favorite items I ran into and please fill free to submit more.

  1. snaplength: it is no longer 68 bytes! New versions of tcpdump (>= 4.0) default to a snaplength of 64k. No more need to use -s 0 (but it doesn't hurt).
  2. IPv6 support: the ip[] filter works for all versions of IP BUT IPv6. Also, tcpdump will happily treat packets as IPv4 if the first 4 bits are anything but '6'. If you want to filter for IPv6, use 'ip6'.
  3. The -E option will decrypt IPSEC traffic. You need to know the shared secret or secret key of course and not all algorithms are supported.
  4. -Z username will drop root privileges and run tcpdump as "username" after it started. (many versions now do this by default using a "pcap" user).
  5. portrange: a macro that can be used to filter a range of ports (e.g. portrange 0-1023).
  6. less/greater: filter packets by length.
  7. new versions of tcpdump will print more then one line if the '-v' switch is used (breaks a lot of old shell scripts that use grep and such to filter)
  8. there are now a number of macros for common offsets. For example tcp[tcpflags] is equivalent to tcp[13].
  9. the "proto" macro will only match the next header field in the IPv6 header, which may not be the transport layer protocol that you expect from IPv4.
  10. the -C option can be used to rotate files after they reach a number of mbytes (don't confuse with lower case -c).

Know any more "hidden and forgotten features"?  Let us know....


[1] http://www.stearns.org/doc/pcap-apps.html
[2] http://www.tcpdump.org

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: tcpdump
5 comment(s)

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives