{"id":1920,"date":"2006-12-29T22:45:18","date_gmt":"2006-12-29T13:45:18","guid":{"rendered":"http:\/\/pchero21.com\/?p=1920"},"modified":"2006-12-29T22:45:18","modified_gmt":"2006-12-29T13:45:18","slug":"tbsd-%ec%84%a4%ec%b9%98-%eb%b0%8f-%ec%82%ac%ec%9a%a9%eb%b2%95","status":"publish","type":"post","link":"http:\/\/pchero21.com\/?p=1920","title":{"rendered":"TBSD \uc124\uce58 \ubc0f \uc0ac\uc6a9\ubc95"},"content":{"rendered":"
tbsd\ub77c\ub294 \ub124\ud2b8\uc6cc\ud06c \uc2a4\uce90\ub2dd \uacf5\uaca9\uc744 \ud0d0\uc9c0 \ud558\ub294 \ud234\ub85c, \uac00\ubccd\uace0 \uc131\ub2a5\ub3c4 \uad1c\ucc2e\uc740 \uac83 \uac19\uc544\uc11c \uc544\uc9c1\ub3c4 \uc0ac\uc6a9\uc911\uc785\ub2c8\ub2e4.
\n\uc774\ubc88\uc5d0 \uc774\uac83\uc744 \uc124\uce58, \uc6b4\uc601\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud574 \uc54c\uc544 \ubcf4\uaca0\uc2b5\ub2c8\ub2e4.
\n\uc774 \uae00\uc744 \uc791\uc131\ud558\uc9c0 \uc880 \uc624\ub798\ub418\uc5b4 \ubc84\uc804\uc774 \ub0ae\uac8c \ubcf4\uc5ec\uc9c0\ub098, \ucd5c\uc2e0 \ubc84\uc804\uc5d0\uc11c\ub3c4 \ubb34\ub9ac\uc5c6\uc774 \uc124\uce58\uac00 \uac00\ub2a5\ud560 \uac83\uc73c\ub85c \uc0dd\uac01\ub429\ub2c8\ub2e4.
\n(\ub808\ub4dc\ud587 8.0\uae4c\uc9c0\ub294 \uc124\uce58\ud574 \uc0ac\uc6a9\ud574 \ubcf4\uc558\uc2b5\ub2c8\ub2e4.)<\/p>\n

TBSD\ub780?<\/strong><\/span><\/p>\n

“Threatness Based Scan Detector”(TBSD)\ub294 \ub124\ud2b8\uc6cc\ud06c \uc2a4\uce90\ub2dd \uacf5\uaca9\uc744 \ud0d0\uc9c0\ud558\ub294 \ub3c4\uad6c\ub85c TCP, UDP, ICMP \ud504\ub85c\ud1a0\ucf5c\uc744 \uc9c0\uc6d0\ud55c\ub2e4. \uc138\uc158\ubcc4\ub85c \uc704\ud611\ub3c4\ub97c \uc124\uc815\ud558\uc5ec, \ud2b9\uc815 \ud0c0\uc784 \ud504\ub808\uc784 \ubc94\uc704\ub0b4\uc5d0\uc11c \uc704\ud611\ub3c4 limit \uac12\uc744 \ucd08\uacfc\ud558\ub294 \ube44 \uc815\uc0c1\uc801\uc778 \uc2a4\uce94 \uacf5\uaca9\uc744 \ud0d0\uc9c0\ud55c\ub2e4. \uc2a4\uce94 \uacf5\uaca9\uc5d0 \ub300\ud55c \uc694\uc57d \ubcf4\uace0 \uae30\ub2a5\uacfc, \uacf5\uaca9 \ud0d0\uc9c0\uc2dc \uacf5\uaca9 \ud638\uc2a4\ud2b8\uc5d0 \ub300\ud55c \uc9c0\uc18d\uc801\uc778 \uc138\uc158\uc744 \uae30\ub85d\ud558\ub294 \uae30\ub2a5\uc774 \uc788\uc5b4, \uacf5\uaca9\uc790 \ubaa8\ub2c8\ud130\ub9c1\ub3c4 \ud560 \uc218 \uc788\ub2e4. \uc0ac\uc774\ud2b8 \ud2b9\uc131\uc744 \uc798 \ubc18\uc601\ud560 \uc218 \uc788\ub3c4\ub85d \uc704\ud611\ub3c4 \ud14c\uc774\ube14\uc744 \uc124\uc815\ud558\uc5ec \uc0ac\uc6a9\ud55c\ub2e4\uba74, \uc0c1\ub2f9\ud788 \uc88b\uc740 \ubcf4\uc548 \ub3c4\uad6c\uac00 \ub420 \uac83\uc774\ub2e4
\n\ud604\uc7ac \ub354\uc774\uc0c1\uc758 \ubc84\uc804 \uc5c5\uc740 \uc5c6\ub294 \uac83 \uac19\uace0, \uad00\ub828 \uc0ac\uc774\ud2b8\ub3c4 \uc874\uc7ac\ud558\uc9c0 \uc54a\ub294 \uac83 \uac19\ub2e4.<\/p>\n

tbsd \ub2e4\uc6b4 \ubc1b\uae30<\/strong><\/span><\/p>\n

http:\/\/www.securitymap.net\/ \uc774\ub098 \ucd08\uc2ec \uc790\ub8cc\uc2e4\uc5d0\uc11c \ub2e4\uc6b4 \ubc1b\uc73c\uc2dc\uae30 \ubc14\ub780\ub2e4.
\n\ub2ec\ub9ac \uc0ac\uc774\ud2b8\ub294 \uc6b4\uc601\ub418\uc9c0 \uc54a\ub294 \uac83 \uac19\ub2e4.<\/p>\n

tbsd \uc124\uce58\ud558\uae30<\/strong><\/span><\/p>\n

[root@www util]# rpm -qa|grep libpcap <== libpcap\uc774 \ud544\uc694\ud574\uc11c \ubbf8\ub9ac \uccb4\ud06c\ud568..
\nlibpcap-0.4-39<\/p>\n

libpcap\uc774 \uc124\uce58\ub418\uc5b4 \uc788\uc5b4\ub3c4 \uc0c1\uad00\uc5c6\ub2e4.. tbsd-1.17\uc5d0 libpcap\uc774 \ud568\uaed8 \ubc30\ud3ec\ud558\uace0 \uc788\uc73c\ub2c8..<\/p>\n

[root@www util]# tar xvfz tbsd-1.17.tar.gz
\n[root@www util]# cd tbsd-1.17
\n[root@www tbsd-1.17]# .\/configure
\nconfig tbsd tbsdroot \/usr\/local\/tbsd
\nconfig tbsd tbsduser root
\ntbsd requires libpcap-0.4. To install the package do these:<\/p>\n

zcat libpcap-0.4.tar.Z | tar xf –
\ncd libpcap-0.4
\n.\/configure
\nmake<\/p>\n

libpcap-0.4 \uac00 \ud544\uc694\ud558\ub2e4\uace0 \ud55c\ub2e4.. \uadf8\ub7fc \uc6b0\uc120..
\n[root@www tbsd-1.17]# tar xvfz libpcap-0.4.tar.Z
\n[root@www tbsd-1.17]# cd libpcap-0.4
\n[root@www libpcap-0.4]# .\/configure
\n[root@www libpcap-0.4]# make
\n[root@www libpcap-0.4]# cd ..
\n[root@www tbsd-1.17]# .\/configure <== \ub2e4\uc2dc \ud558\uba74 \uc815\uc0c1\uc801\uc73c\ub85c configure\ud568..
\nconfig tbsd tbsdroot \/usr\/local\/tbsd
\nconfig tbsd tbsduser root
\ncreating Makefile
\ncreating src\/Makefile
\ncreating src\/config.h
\ncreating scripts\/Makefile
\ncreating scripts\/ctltbsd
\ncreating scripts\/report
\ncreating scripts\/scantype
\ncreating scripts\/scansum
\ncreating scripts\/tbsd.daily
\ncreating scripts\/rcalog
\ndone.
\n[root@www tbsd-1.17]# make
\n[root@www tbsd-1.17]# cp src\/tbsd.conf.dist src\/tbsd.conf
\n[root@www tbsd-1.17]# vi src\/tbsd.conf<\/p>\n

trusted_nets: {
\n127.0.0.0\/8
\n211.xx.xxx.xx <== \uc544\ud53c\uc774 \uc785\ub825
\n}<\/p>\n

[root@www tbsd-1.17]# make install <== root\ub85c \uc2e4\ud589\ud574\uc57c \ud568..<\/p>\n

\/usr\/local\/tbsd \uac00 \uc0c8\ub85c\uc6b4 \uc0dd\uc131\ub428..<\/p>\n

[root@www tbsd]# \/usr\/local\/tbsd\/bin\/tbsd <== \uc2e4\ud589(root\ub85c \ud574\uc57c \ud568)<\/p>\n

\/etc\/cron.daily \ub85c \uc774\ub3d9..
\n[root@www cron.daily]# vi tbsd<\/p>\n

\/usr\/local\/tbsd\/bin\/tbsd.daily
\n\uc800\uc7a5\ud6c4 chmod 755 \ub85c \ub9cc\ub4e4\uc5b4\uc900\ub2e4..<\/p>\n

\uadf8\ub7fc \uc774\uc81c\ubd80\ud130 \uc2a4\uce90\ub2dd\uc5d0 \uad00\ud55c \uc815\ubcf4\ub97c root \uba54\uc77c\ub85c \ubc1c\uc1a1\uc744 \ud574 \uc904\uac83\uc774\ub2e4..
\n\ubb34\uc9c0 \uc124\uce58\uac00 \uac04\ub2e8\ud558\ub2e4..
\n\ud558\uc9c0\ub9cc \ud574\ub2f9 \ub85c\uadf8\ub97c \ubd84\uc11d\ud558\ub824\uba74 \uc57d\uac04 \uc2dc\uac04\uc774 \uac78\ub9b4\uac83\uc774\ub2e4.
\n\uc544\ub798\ub97c \ucc38\uace0\ud574 \ud574\ub2f9 \ub85c\uadf8\ub97c \ubd84\uc11d\ud574 \ubcf4\uae30 \ubc14\ub780\ub2e4.<\/p>\n

\ub85c\uadf8\ubd84\uc11d\ud558\uae30<\/strong><\/span><\/p>\n

—————————————————–
\nDaily Netscan Detection Report<\/p>\n

Scan-type Hosts
\n——— —–
\ntcp.mixed 2
\nudp.137 1
\n——————————————————
\nmixed\ub294 \uc2a4\uce94\uc758 \ud2b9\uc9d5\uc744 \uad6c\ubd84\ud560\uc218 \uc5c6\ub294 \uacbd\uc6b0 \ud1b5\uce6d\ud558\uba70, \ud328\ud0b7\ubd84\uc2e4\ub4f1\uc73c\ub85c \uc778\ud55c \ud0d0\uc9c0\uc624\ub958\ub97c \ud63c\ud569\ud615 \uc2a4\uce94\uc73c\ub85c \uc798\ubabb \uc778\uc2dd\ud560\uc218 \uc788\uc74c.
\ntcp\ub97c \ud63c\ud569\ud615 \uc2a4\uce94\uc744 2\uacf3\uc73c\ub85c \uc2a4\uce94
\nudp 137 \ubc88\uc744 1\uacf3\uc5d0\uc11c \uc2a4\uce94\ud588\ub2e4\ub294 \ub73b\uc774\ub2e4..<\/p>\n

————————————————————————
\nAddress Thr-val N-conn Idle Scan-type
\n————— ——- —— —– ———
\n67.41.194.17 1002 12 13414 tcp.mixed
\n24.145.146.51 802 8 21347 udp.137
\n210.53.1.47 700 7 23971 tcp.mixed
\n————————————————————————-
\nThr-val\uc740 \ud574\ub2f9 \uc2a4\uce94\uc758 \uc704\ud5d8\ub3c4\ub97c \ub098\ud0c0\ub0b4\ub294 \uc218\uce58\uc774\uace0, 400\uc774\uc0c1\uc740 \uc2a4\uce94 \uacf5\uaca9\uc73c\ub85c \uac04\uc8fc\ud558\uace0 \uc788\ub2e4.
\nN-conn \uc740 \ud574\ub2f9 \uc774\ubca4\ud2b8\uac00 \uc77c\uc5b4\ub09c \uc218\ub85c \uc2a4\uce94\uc758 \ud69f\uc218\ub85c \ubcf4\uba74 \ub420\uac83\uc774\ub2e4.
\niddle\uc740 \ud574\ub2f9 \ubcf4\uace0\uc11c \uc791\uc131\ub2f9\uc2dc\ub85c \ubd80\ud130 \ucd5c\uc885 \uc2a4\uce94\uc774 \uc774\ub8e8\uc5b4\uc9c4 \uc2dc\uac04\uc758 \ucc28\ub97c \ucd08\ub85c \ud45c\uc2dc\ud55c\uac83\uc774\ub2e4.
\n\uc989 67.41.194.17\uc740 13414\ucd08 \uc774\uc804\uc5d0 \uc774\ub8e8\uc5b4\uc84c\ub2e4\ub294 \ub9d0\uc774\ub2e4.(\ubcf4\uace0\uc11c \uc791\uc131 \uc2dc\uc810\ubd80\ud130)<\/p>\n

—————————————————————————
\nudp.137 thr 802 events 8 idle 21347
\nMar 16 22:06:05 24.145.146.51 > 61.xx.xxx.xxx icmp 40 echo_q 45 v 100
\nMar 16 22:06:05 24.145.146.51 > 211.xxx.xxx.21 icmp 40 echo_q 45 v 100
\nMar 16 22:06:36 24.145.146.51:1943 > 61.xx.xxx.xxx:139 tcp 28 S 109 v 100
\nMar 16 22:06:36 24.145.146.51:1950 > 211.xxx.xxx.21:139 tcp 28 S 109 v 100
\nMar 16 22:06:38 24.145.146.51:137 > 211.xxx.xxx.21:137 udp 58 109 v 200
\nMar 16 22:07:10 24.145.146.51:2099 > 61.xx.xxx.xxx:80 tcp 28 S 109 v 1
\nMar 16 22:07:12 24.145.146.51:137 > 61.xx.xxx.xxx:137 udp 58 109 v 200
\nMar 16 22:07:12 24.145.146.51:2126 > 211.xxx.xxx.21:80 tcp 28 S 109 v 1
\n—————————————————————————-
\nthr\uc740 \uc704\ud5d8\ub3c4\uc774\uace0, events\ub294 \uc2a4\uce94 \ud69f\uc218\uc774\ub2e4..
\n\uac01\uac01\uc758 \uc774\ubca4\ud2b8\ub294
\n\uc2dc\uac04, \ucd9c\ubc1c\uc9c0 IP \uc8fc\uc18c, \ucd9c\ubc1c\uc9c0 \ud3ec\ud2b8\ubc88\ud638, \ubaa9\uc801\uc9c0 IP \uc8fc\uc18c, \ubaa9\uc801\uc9c0 \ud3ec\ud2b8\ubc88\ud638, \ud504\ub85c\ud1a0\ucf5c, \ud328\ud0b7 \ud06c\uae30, tcp \ud50c\ub798\uadf8, TTL \uadf8\ub9ac\uace0 \uc704\ud5d8\ub3c4(threatness) \ub97c \ub098\ud0c0\ub0b8\ub2e4..<\/p>\n

tcp.mixed.R\uc740 \uc811\uc18d \ud504\ub85c\ud1a0\ucf5c\uc774 tcp\uc774\uace0 \ub3c4\ucc29\uc9c0 \ud3ec\ud2b8\uc758
\n\ud2b9\uc9d5\uc774 \ud63c\ud569\ud615(mixed)\uc774\uba70, \ucd08\uae30 \ud328\ud0b7\uc758 flag\uac00 SYN\uc774 \uc788\ub294 \ub300\uc2e0 \uc2a4\ud154\uc2a4\uc2a4\uce94
\n(stealth scan)\uc758 \ud55c\uac00\uc9c0 \uc720\ud615\uc778 RSET\uc784\uc744 \ub73b\ud55c\ub2e4.<\/p>\n

\ucc38\uace0)
\n\ucd9c\ubc1c\uc9c0 \ud3ec\ud2b8\ubc88\ud638\uac00 1,024\ubcf4\ub2e4 \uc791\uc740 \uc608\uc57d(reserved) \ud3ec\ud2b8\ub85c \uc2a4\uce94\uacf5\uaca9\uc2dc \ucd9c\ubc1c\uc9c0 \ud3ec\ud2b8\ub85c\ub294 \uc790\uc8fc \uc0ac\uc6a9\ud558\uc9c0 \uc54a\ub294\ub2e4.
\n\ub3c4\ucc29\uc9c0 \ud638\uc2a4\ud2b8\uc758 IP \uc8fc\uc18c\uac00 \ubd88\uaddc\uce59\uc801\uc73c\ub85c \ubcc0\ud558\uba70 \ub3c4\ucc29\uc9c0 \ud3ec\ud2b8\ubc88\ud638 \uc5ed\uc2dc 1,024\ubcf4\ub2e4 \ucee4\uc11c \uc2a4\uce94 \uacf5\uaca9\uc5d0 \uc790\uc8fc \uc0ac\uc6a9\ud558\uc9c0 \uc54a\ub294 \ube44\ud6a8\uc728\uc801\uc778 \ud3ec\ud2b8\ub4e4\uc774\ub2e4.<\/p>\n

TTL \uc740 Time To Live\uc758 \uc57d\uc5b4\ub85c \uba87 \ub2e8\uacc4\uae4c\uc9c0\uc758 \ub77c\uc6b0\ud130\ub97c \uac70\uce60\ub54c\uae4c\uc9c0 \ud328\ud0b7\uc774 \uc190\uc2e4\ub418\uc9c0 \uc54a\uace0 \uc804\ub2ec\ub418\ub3c4\ub85d \ud560 \uac83\uc778\uc9c0\uc5d0 \ub300\ud55c \uc124\uc815\uc774\ub2e4. \ub77c\uc6b0\ud130\ub294 \ud328\ud0b7\uc744 \ud1b5\uacfc\uc2dc\ud0ac\ub54c\ub9c8\ub2e4 TTL \uac12\uc744 \ud558\ub098\uc529 \uac10\uc18c\uc2dc\ud0a4\uba70 \uacb0\uad6d TTL\uc774 0\uc774 \ub418\uba74 \ub354\uc774\uc0c1 \ub77c\uc6b0\ud130\ub97c \ud1b5\uacfc\ud558\uc9c0 \ubabb\ud558\ub294 \uac83\uc774\ub2e4.
\n\uc989, TTL\uc774 0 \uc774\ub77c\uba74 \uac19\uc740 \ub124\ud2b8\uc6cc\ud06c \uc548\uc5d0\uc11c\ub9cc \ud328\ud0b7\uc774 \ud750\ub97c \uac83\uc774\uba70 1 \uc774\uc0c1\uc774\uc5b4\uc57c \ub2e4\ub978 \ub124\ud2b8\uc6cc\ud06c\ub85c \uc804\ub2ec\ub420 \uc218 \uc788\uc73c\uba70 \uba40\ud2f0\uce90\uc2a4\ud2b8\uc5d0\uc11c\ub294 \ubcf4\ud1b5 32\uc774\ub77c\uba74 \uac19\uc740 \uc18c\uc18d \uae30\uad00\ub0b4\uc758 \ub124\ud2b8\uc6cc\ud06c\uc5d0, 255\ub77c\uba74 \ubcf4\ud1b5 \uc804\uc138\uacc4 \ub124\ud2b8\uc6cc\ud06c\ub97c \ub73b\ud55c\ub2e4.<\/span><\/p>\n

——————————————————————————
\nMar 17 13:45:02 ipstat ip 11659 113 11659 113 1047876302 18
\n211.xxx.xxx.21 4293 47 4643 48
\n61.xx.xxx.xxx 3079 22 740 12
\n220.76.147.55 996 10 1114 10
\n211.49.150.27 572 5 557 5
\n192.168.82.1 468 9 0 0
\n192.149.252.22 412 2 166 2
\n203.248.240.141 384 3 247 3
\n165.243.5.15 345 4 363 4
\n210.94.6.106 288 4 480 4
\n210.180.98.91 169 1 71 1
\n202.30.50.50 153 1 71 1
\n210.117.65.100 138 1 83 1
\n218.145.70.1 136 2 248 2
\n211.216.50.150 127 1 71 1
\n198.133.199.110 99 1 82 1
\n255.255.255.255 0 0 2208 8
\n192.168.82.255 0 0 468 9
\n224.0.1.24 0 0 47 1
\n———————————————————————————<\/p>\n

\uc774\uac83\uc740 \ub124\ud2b8\uc6cc\ud06c \uc0ac\uc6a9\ub7c9\uc744 \ubd84\uc11d\ud55c \uac83\uc73c\ub85c \ubcf4\uace0\uc11c \ud615\ud0dc\ub85c \uba54\uc77c\ub85c \ubc30\ub2ec\uc774 \ub418\uc9c0\ub294 \uc54a\ub294\ub2e4..(5\ubd84 \uac04\uaca9\uc73c\ub85c \uccb4\ud06c\ud568)
\ntbsd\uac00 \uc124\uce58\ub41c \ub514\ub809\ud1a0\ub9ac(\/usr\/local\/tbsd\/log)\ub85c \uac00\uba74 ipslog \ud30c\uc77c\uc774 \uc788\ub294\ub370.. \uc774\ud30c\uc77c\uc744 \ub0b4\uc6a9\uc911 \ub9e8 \ub05d\ubd80\ubd84\uc774\ub2e4.<\/p>\n

\ub9e8 \uccab\uc904\uc740 \uc885\ud569\ud1b5\uacc4\uc774\ub2e4. 3\uc6d4 17\uc77c 13\uc2dc 45\ubd84, \ud1b5\uacc4\uc885\ub958(ipstat ip), \ub300\uc0c1 \ud638\uc2a4\ud2b8\uc758 \ucd1d \uc1a1\uc2e0\ub7c9(11659), \uc1a1\uc2e0 \ud328\ud0b7\uc218(113), \ub300\uc0c1 \ud638\uc2a4\ud2b8\uc758 \ucd1d \uc218\uc2e0\ub7c9(11659), \uc218\uc2e0 \ud328\ud0b7\uc218(113),
\n\ubaa8\ub4e0 \ud638\uc2a4\ud2b8\ub4e4\uc758 \ud1b5\uc2e0\ub7c9(1047876302), \ud638\uc2a4\ud2b8 \uc218(18)\ub97c \ucc28\ub840\ub85c \ud45c\uae30\ud55c \uac83\uc774\ub2e4.
\n\ub450\ubc88\uc9f8 \uc904\ubd80\ud130\ub294 ip\uc8fc\uc18c, \uc1a1\uc2e0\ub7c9, \uc1a1\uc2e0\ud328\ud0b7\uc218, \uc218\uc2e0\ub7c9, \uc218\uc2e0\ud328\ud0b7\uc218\uc774\ub2e4.<\/p>\n

\uc774 \ub85c\uadf8\uc5d0\uc11c\ub294 \uac11\uc790\uae30 \uc218\uc2e0\ub7c9\uc774\ub098 \uc218\uc2e0 \ud328\ud0b7\uc774 \ub298\uc5b4\ub098\uba74 \ub85c\uadf8\ub97c \ucca0\uc800\ud788 \ubd84\uc11d\ud560 \ud544\uc694\uac00 \uc788\ub2e4.<\/p>\n

$ sed -n ‘\/Oct 11 07:00:00\/,$p’ ipslog.0 | head -15 <== \uc624\uc804 7:00 \uc758 \uc138\ubd80 \uae30\ub85d\uc911 \ucc98\uc74c 15\uc904\uc744 \ucd9c\ub825
\n$ zcat ipslog.1.gz | grep ipstat | sed -n 73,82p <== 10\uc6d4 10\uc77c\uc790 \uc0ac\uc6a9\ub7c9 \uae30\ub85d
\n$ cat tbsdlog|grep “210.xx.xx.xxx:”|more <== 210.xx.xx.xxx \ud638\uc2a4\ud2b8\uc758 \uc811\uc18d \ub85c\uadf8\ub97c \ucd9c\ub825<\/p>\n

tcpdump\ub85c \ubd84\uc11d\ud558\uae30(\uacf5\uaca9\uc774 \uc758\uc2ec\ub420\ub54c) <\/strong><\/span><\/p>\n

\/usr\/local\/tbsd\/spool \uc758 \ud654\uc77c\uc744 \uc0b4\ud3b4\ubcf4\uba74.. \uc54c\uc218 \uc788\ub2e4.
\ntbsd\ub294 \uc2a4\uce94 \uacf5\uaca9\uc744 \ud0d0\uc9c0\ud558\uba74 \uc2a4\uce94 \uacf5\uaca9 \ud638\uc2a4\ud2b8\uc640\uc758 \ud1b5\uc2e0 \ub0b4\uc6a9\uc744 \uae30\ub85d\uc744 \ud558\uace0 \uc788\ub2e4.
\n\ud558\uc9c0\ub9cc spool\uc5d0 \uc788\ub294 \ub0b4\uc6a9\uc744 \ubcf4\uae30 \uc704\ud574\uc11c\ub294 \uc6b0\uc120\uc801\uc73c\ub85c tcpdump\ub97c \uc124\uce58\ub97c \ud574\uc57c \ud55c\ub2e4..
\nhttp:\/\/www.tcpdump.org\/ \uc774\ub098 rpmfind.net\uc5d0\uc11c \ub2e4\uc6b4 \ubc1b\uc544\uc11c \uc124\uce58\ub97c \ud55c\ub2e4..
\n\uc5ec\uae30\uc11c\ub294 rpmfind\uc5d0\uc11c rpm\uc73c\ub85c \ub2e4\uc6b4 \ubc1b\uc544\uc11c \uc124\uce58\ub97c \ud588\ub2e4..<\/p>\n

[root@dream rpm]# rpm -Uvh tcpdump-3.6.3-3.i386.rpm
\nA\u00d8\u00ban A\u00df… ########################################### [100%]
\n1:tcpdump ########################################### [100%]<\/p>\n

Tcpdump \ub294 \uc8fc\uc5b4\uc9c4 \uc870\uac74\uc2dd\uc744 \ub9cc\uc871\ud558\ub294 \ub124\ud2b8\uc6cc\ud06c \uc778\ud130\ud398\uc774\uc2a4\ub97c \uac70\uce58\ub294 \ud328\ud0b7\ub4e4\uc758 \ud5e4\ub354\ub4e4 \uc744 \ucd9c\ub825\ud574 \uc8fc\ub294 \ud504\ub85c\uadf8\ub7a8\uc774\ub2e4. \ud504\ub85c\uadf8\ub7a8\uc758 \ud2b9\uc131\uc0c1, \ub124\ud2b8\uc6cc\ud06c \uc778\ud130\ud398\uc774\uc2a4\ub97c \uc544\uc8fc \uc2ec\ub3c4 \uc788\uac8c \uc0ac\uc6a9\ud558\uae30 \ub54c\ubb38\uc5d0, \uc2e4\ud589\ud558\ub294 \uc0ac\ub78c\uc740 \ubc18\ub4dc\uc2dc \ub124\ud2b8\uc6cc\ud06c \uc778\ud130\ud398\uc774\uc2a4\uc5d0 \ub300\ud55c \uc77d\uae30 \uad8c \ud55c\uc774 \uc788\uc5b4\uc57c\ub9cc \ud55c\ub2e4.<\/p>\n

[root@dream spool]# rpm -qlf \/usr\/sbin\/tcpdump
\n\/usr\/sbin\/tcpdump
\n\/usr\/sbin\/tcpslice
\n\/usr\/share\/doc\/tcpdump-3.6.3
\n\/usr\/share\/doc\/tcpdump-3.6.3\/CHANGES
\n\/usr\/share\/doc\/tcpdump-3.6.3\/README
\n\/usr\/share\/man\/man8\/tcpdump.8.gz
\n\/usr\/share\/man\/man8\/tcpslice.8.gz<\/p>\n

[root@dream spool]# tcpdump -r pd.1047437815
\n14:15:50.730790 211.50.250.2.683 > dream.sunrpc: S 32803703:32803703(0) win 8760 (DF)
\n14:15:50.730842 dream.sunrpc > 211.50.250.2.683: R 0:0(0) ack 32803704 win 0 (DF)
\n18:41:24.344199 www.cespm.gob.mx.3283 > 61.xx.xxx.xxx.sunrpc: S 247457297:247457297(0) win 32120 (DF)
\n18:41:24.346211 61.xx.xxx.xxx.3287 > www.cespm.gob.mx.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
\n18:41:24.346833 www.cespm.gob.mx.3284 > dream.sunrpc: S 248290167:248290167(0) win 32120 (DF)
\n18:41:24.346883 dream.sunrpc > www.cespm.gob.mx.3284: R 0:0(0) ack 248290168 win 0 (DF)
\n18:41:27.318942 www.cespm.gob.mx.3283 > 61.xx.xxx.xxx.sunrpc: S 247457297:247457297(0) win 32120 (DF)
\n18:41:29.859526 61.xx.xxx.xxx.3287 > www.cespm.gob.mx.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
\n18:41:44.282512 61.xx.xxx.xxx.3287 > www.cespm.gob.mx.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
\n18:42:09.532545 61.xx.xxx.xxx.3287 > www.cespm.gob.mx.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
\n18:42:43.786816 61.xx.xxx.xxx.3287 > www.cespm.gob.mx.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
\n00:10:10.924369 mailer.ccnmag.com.60053 > dream.sunrpc: S 3831927552:3831927552(0) win 5840 (DF)
\n00:10:10.924408 dream.sunrpc > mailer.ccnmag.com.60053: R 0:0(0) ack 3831927553 win 0 (DF)<\/p>\n

tcpdump \uc124\uce58\ud6c4 \uac00\uc7a5 \ucd5c\uadfc\uc758 spool\uc758 \ud30c\uc77c\uc744 \uc77d\uc5b4\ub4e4\uc778 \uac83\uc774\ub2e4..
\ntbsd\uc5d0 \uc788\ub294 \uc608\uc81c\ud30c\uc77c\uc5d0 \uc788\ub294 \uba85\ub839\uc5b4\ub294<\/p>\n

$ tcpdump -Anr pd.970930874 host xx.xxx.209.70<\/p>\n

\uc2e4\ud589\uc2dc \ub418\uc9c0 \uc54a\uc558\ub2e4. -A \uc635\uc158\uc744 \uc778\uc2dd\ud558\uc9c0 \ubabb\ud588\ub2e4.
\n\uc989 host ip\ub85c \uac80\uc0c9\uc744 \ud574 \ubcf4\ub824\uba74..<\/p>\n

$ tcpdump -nr pd.970930874 host xx.xxx.209.70<\/p>\n

\uc774\ucc98\ub7fc \ud574\uc57c \ub418\uc5c8\ub2e4..<\/p>\n

tcpdump \uc758 \uc635\uc158\ub4e4..
\n========================================
\n-a : Network & Broadcast \uc8fc\uc18c\ub4e4\uc744 \uc774\ub984\ub4e4\ub85c \ubc14\uafbc\ub2e4.
\n-c Number : \uc81c\uc2dc\ub41c \uc218\uc758 \ud328\ud0b7\uc744 \ubc1b\uc740 \ud6c4 \uc885\ub8cc\ud55c\ub2e4.
\n-d : comile\ub41c packet-matching code\ub97c \uc0ac\ub78c\uc774 \uc77d\uc744 \uc218 \uc788\ub3c4\ub85d \ubc14\uafb8\uc5b4 \ud45c\uc900 \ucd9c\ub825\uc73c\ub85c \ucd9c\ub825\ud558\uace0, \uc885\ub8cc\ud55c\ub2e4.
\n-dd : packet-matching code\ub97c C program\uc758 \uc77c\ubd80\ub85c \ucd9c\ub825\ud55c\ub2e4.
\n-ddd : packet-matching code\ub97c \uc22b\uc790\ub85c \ucd9c\ub825\ud55c\ub2e4.
\n-e : \ucd9c\ub825\ub418\ub294 \uac01\uac01\uc758 \ud589\uc5d0 \ub300\ud574\uc11c link-level \ud5e4\ub354\ub97c \ucd9c\ub825\ud55c\ub2e4.
\n-f : \uc678\ubd80\uc758 internet address\ub97c \uac00\uae09\uc801 \uc2ec\ubcfc\ub85c \ucd9c\ub825\ud55c\ub2e4(Sun\uc758 yp server\uc640\uc758 \uc0ac\uc6a9\uc740 \uac00\uae09\uc801 \ud53c\ud558\uc790).
\n-F file : filter \ud45c\ud604\uc758 \uc785\ub825\uc73c\ub85c \ud30c\uc77c\uc744 \ubc1b\uc544\ub4e4\uc778\ub2e4. \ucee4\ub9e8\ub4dc\ub77c\uc778\uc5d0 \uc8fc\uc5b4\uc9c4 \ucd94\uac00\uc758 \ud45c\ud604\ub4e4\uc740 \ubaa8\ub450 \ubb34\uc2dc\ub41c\ub2e4.
\n-i device : \uc5b4\ub290 \uc778\ud130\ud398\uc774\uc2a4\ub97c \uacbd\uc720\ud558\ub294 \ud328\ud0b7\ub4e4\uc744 \uc7a1\uc744\uc9c0 \uc9c0\uc815\ud55c\ub2e4. \uc9c0\uc800\ub418\uc9c0 \uc54a\uc73c\uba74 \uc2dc\uc2a4\ud15c\uc758 \uc778\ud130\ud398\uc774\uc2a4 \ub9ac\uc2a4\ud2b8\ub97c \ub4a4\uc838\uc11c \uac00\uc7a5 \ub0ae\uc740 \ubc88\ud638\ub97c \uac00\uc9c4 \uc778\ud130\ud398\uc774\uc2a4\ub97c \uc120\ud0dd\ud55c\ub2e4(\uc774 \ub54c loopback\uc740 \uc81c\uc678\ub41c\ub2e4).
\n-l : \ud45c\uc900 \ucd9c\ub825\uc73c\ub85c \ub098\uac00\ub294 \ub370\uc774\ud130\ub4e4\uc744 line buffering\ud55c\ub2e4. \ub2e4\ub978 \ud504\ub85c\uadf8\ub7a8\uc5d0\uc11c tcpdump\ub85c\ubd80\ud130 \ub370\uc774\ud130\ub97c \ubc1b\uace0\uc790 \ud560 \ub54c, \uc720\uc6a9\ud558\ub2e4.
\n-n : \ubaa8\ub4e0 \uc8fc\uc18c\ub4e4\uc744 \ubc88\uc5ed\ud558\uc9c0 \uc54a\ub294\ub2e4(port,host address \ub4f1\ub4f1)
\n-N : \ud638\uc2a4\ud2b8 \uc774\ub984\uc744 \ucd9c\ub825\ud560 \ub54c, \ub3c4\uba54\uc778\uc744 \ucc0d\uc9c0 \uc54a\ub294\ub2e4.
\n-O : packet-matching code optimizer\ub97c \uc2e4\ud589\ud558\uc9c0 \uc54a\ub294\ub2e4. \uc774 \uc635\uc158\uc740 optimizer\uc5d0 \uc788\ub294 \ubc84\uadf8\ub97c \ucc3e\uc744 \ub54c\ub098 \uc4f0\uc778\ub2e4.
\n-p : \uc778\ud130\ud398\uc774\uc2a4\ub97c promiscuous mode\ub85c \ub450\uc9c0 \uc54a\ub294\ub2e4.
\n-q : \ud504\ub85c\ud1a0\ucf5c\uc5d0 \ub300\ud55c \uc815\ubcf4\ub97c \ub35c \ucd9c\ub825\ud55c\ub2e4. \ub530\ub77c\uc11c \ucd9c\ub825\ub418\ub294 \ub77c\uc778\uc774 \uc880 \ub354 \uc9e7\uc544\uc9c4\ub2e4.
\n-r file : \ud328\ud0b7\ub4e4\uc744 ‘-w’\uc635\uc158\uc73c\ub85c \ub9cc\ub4e4\uc5b4\uc9c4 \ud30c\uc77c\ub85c \ubd80\ud130 \uc77d\uc5b4 \ub4e4\uc778\ub2e4. \ud30c\uc77c\uc5d0 “-” \uac00 \uc0ac\uc6a9\ub418\uba74 \ud45c\uc900 \uc785\ub825\uc744 \ud1b5\ud574\uc11c \ubc1b\uc544\ub4e4\uc778\ub2e4.<\/p>\n

-s length: \ud328\ud0b7\ub4e4\ub85c\ubd80\ud130 \ucd94\ucd9c\ud558\ub294 \uc0d8\ud50c\uc744 default\uac12\uc778 68Byte\uc678\uc758 \uac12\uc73c\ub85c \uc124\uc815\ud560 \ub54c \uc0ac\uc6a9\ud55c\ub2e4(SunOS\uc758 NIT\uc5d0\uc11c\ub294 \ucd5c\uc18c\uac00 96Byte\uc774\ub2e4). 68Byte\ub294 IP,ICMP, TCP, UDP\ub4f1\uc5d0 \uc801\uc808\ud55c \uac12\uc774\uc9c0\ub9cc Name Server\ub098 NFS \ud328\ud0b7\ub4e4\uc758 \uacbd\uc6b0\uc5d0\ub294 \ud504\ub85c\ud1a0\ucf5c\uc758 \uc815\ubcf4\ub4e4\uc744 Truncation\ud560 \uc6b0\ub824\uac00 \uc788\ub2e4. \uc774 \uc635\uc158\uc744 \uc218\uc815\ud560 \ub54c\ub294 \uc2e0\uc911\ud574\uc57c\ub9cc \ud55c\ub2e4. \uc774\uc720\ub294 \uc0d8\ud50c \uc0ac\uc774\uc988\ub97c \ud06c\uac8c \uc7a1\uc73c\uba74 \uace7 \ud328\ud0b7 \ud558\ub098\ud558\ub098\ub97c \ucc98\ub9ac\ud558\ub294\ub370 \uc2dc\uac04\uc774 \ub354 \uac78\ub9b4 \ubfd0\ub9cc\uc544\ub2c8\ub77c \ud328\ud0b7 \ubc84\ud37c\uc758 \uc0ac\uc774\uc988\ub3c4 \uc790\uc5f0\ud788 \uc791\uc544\uc9c0\uac8c \ub418\uc5b4 \uc190\uc2e4\ub418\ub294 \ud328\ud0b7\ub4e4\uc774 \ubc1c\uc0dd\ud560 \uc218 \uc788\uae30 \ub54c\ubb38\uc774\ub2e4. \ub610, \uc791\uac8c \uc7a1\uc73c\uba74 \uadf8\ub9cc\ud07c\uc758 \uc815\ubcf4\ub97c \uc783\uac8c\ub418\ub294 \uac83\uc774\ub2e4. \ub530\ub77c\uc11c \uac00\uae09\uc801 \ucea1\ucdb0\ud558\uace0\uc790 \ud558\ub294 \ud504\ub85c\ud1a0\ucf5c\uc758 \ud5e4\ub354 \uc0ac\uc774\uc988\uc5d0 \uac00\uae5d\uac8c \uc7a1\uc544\uc8fc\uc5b4\uc57c \ud55c\ub2e4.<\/p>\n

-T type : \uc870\uac74\uc2dd\uc5d0 \uc758\ud574 \uc120\ud0dd\ub41c \ud328\ud0b7\ub4e4\uc744 \uba85\uc2dc\ub41c \ud615\uc2dd\uc73c\ub85c \ud45c\uc2dc\ud55c\ub2e4. type\uc5d0\ub294 \ub2e4\uc74c\uacfc \uac19\uc740 \uac83\ub4e4\uc774 \uc62c \uc218 \uc788\ub2e4. rpc(Remote Procedure Call), rtp(Real-Time Applications protocol), rtcp(Real-Time Application control protocal), vat(Visual Audio Tool), wb(distributed White Board)<\/p>\n

-S : TCP sequence\ubc88\ud638\ub97c \uc0c1\ub300\uc801\uc778 \ubc88\ud638\uac00 \uc544\ub2cc \uc808\ub300\uc801\uc778 \ubc88\ud638\ub85c \ucd9c\ub825\ud55c\ub2e4.
\n-t : \ucd9c\ub825\ub418\ub294 \uac01\uac01\uc758 \ub77c\uc778\uc5d0 \uc2dc\uac04\uc744 \ucd9c\ub825\ud558\uc9c0 \uc54a\ub294\ub2e4.
\n-tt : \ucd9c\ub825\ub418\ub294 \uac01\uac01\uc758 \ub77c\uc778\uc5d0 \ud615\uc2dd\uc774 \uc5c6\ub294 \uc2dc\uac04\ub4e4\uc744 \ucd9c\ub825\ud55c\ub2e4.
\n-v : \uc880 \ub354 \ub9ce\uc740 \uc815\ubcf4\ub4e4\uc744 \ucd9c\ub825\ud55c\ub2e4.
\n-vv : ‘-v’\ubcf4\ub2e4 \uc880 \ub354 \ub9ce\uc740 \uc815\ubcf4\ub4e4\uc744 \ucd9c\ub825\ud55c\ub2e4.
\n-w : \ucea1\ucdb0\ud55c \ud328\ud0b7\ub4e4\uc744 \ubd84\uc11d\ud574\uc11c \ucd9c\ub825\ud558\ub294 \ub300\uc2e0\uc5d0 \uadf8\ub300\ub85c \ud30c\uc77c\uc5d0 \uc800\uc7a5\ud55c\ub2e4.
\n-x : \uac01\uac01\uc758 \ud328\ud0b7\uc744 \ud5e5\uc0ac\ucf54\ub4dc\ub85c \ucd9c\ub825\ud55c\ub2e4.
\n===========================================<\/span><\/p>\n

tcpdump \uc2e4\ud589 \uc608..<\/p>\n

tcpdump \uc2e4\ud589\uc2dc\uc5d0\ub294 \uaf2d \ucf58\uc194\uc0c1\uc5d0\uc11c \ud55c\ub2e4.. \uc6d0\uaca9\uc5d0\uc11c \uc2e4\ud589\ud558\uba74.. \ubb34\ud55c \ub8e8\ud504\ucc98\ub7fc \uacc4\uc18d \ucd9c\ub825\ud55c\ub2e4..<\/p>\n

# tcpdump -t <== \uc6d0\uaca9\uc774\ub098 \uc678\ubd80\uc5d0 \uc5b4\ub5a0\ud55c \uc811\uadfc\ub9cc \uc774\ub8e8\uc5b4\uc838\ub450 \uc5c4\uccad\ub09c \uc591\uc758 \ub370\uc774\ud0c0\ub97c \ucd9c\ub825\ud574 \uc900\ub2e4..<\/p>\n

\ud328\ud0b7\uc758 \ubc1c\uc2e0\uc9c0\uac00apple\uc774\uace0 \uc218\uc2e0\uc9c0\ub294 banana\uac00 \uc544\ub2cc \ud328\ud0b7\uc744 \ucd9c\ub825\ud55c\ub2e4.
\n# tcpdump src host apple and not dst host banana <== \ud638\uc2a4\ud2b8\uba85 \ub300\uc2e0\uc5d0 \uc544\uc774\ud53c\ub85c \uc785\ub825\ud574\ub450 \ub428..<\/p>\n

(tcp \ud504\ub85c\ud1a0\ucf5c \ud1b5\uc2e0\uc5d0\uc11c 123.45.67.89\uac00 \uc218\uc2e0\uc9c0\ub098 \ubc1c\uc2e0\uc9c0\uac00 \uc544\ub2cc \ubaa8\ub4e0 SYN , FIN \ud328\ud0b7\uc744 \ucd9c\ub825\ud55c\ub2e4)
\n# tcpdump ‘tcp[13] & 3 != 0 and not net 123.45.67.89’<\/p>\n

tcpdump\ub97c \uc124\uce58\ub97c \ud558\uba74.. \/etc\/passwd\uc5d0 pcap\uc774\ub77c\ub294 \uc720\uc800\uac00 \ucd94\uac00\uac00 \ub41c\ub2e4..
\n\uc0c1\ud0dc\ub97c \ud655\uc778\ud574 \ubcf4\ub824\uba74.. \uc544\ub798\uc758 \uba85\ub839\uc5b4\ub97c \uc785\ub825\ud558\uba74 \ub41c\ub2e4..<\/p>\n

# rpm -q –scripts tcpdump<\/p>\n

preinstall scriptlet (through \/bin\/sh):
\n\/usr\/sbin\/groupadd -g 77 pcap 2> \/dev\/null || :
\n\/usr\/sbin\/useradd -u 77 -g 77
\n-s \/sbin\/nologin -M -r -d \/var\/arpwatch pcap 2> \/dev\/null || ( \/usr\/bin\/chsh pcap \/sbin\/nologin 2> \/dev\/null || : )<\/p>\n

tcpdump\uc758 \ud328\ud0b7\uc744 \ubd84\uc11d\ud558\ub824\uba74.. \uc544\ub798\uc758 \uc8fc\uc18c\ub97c \ucc38\uc870\ud574 \ubcf4\uae30 \ubc14\ub780\ub2e4..
\nhttp:\/\/www.whiterabbitpress.com\/lg\/issue86\/vinayak.html<\/span><\/div>\n","protected":false},"excerpt":{"rendered":"

tbsd\ub77c\ub294 \ub124\ud2b8\uc6cc\ud06c \uc2a4\uce90\ub2dd \uacf5\uaca9\uc744 \ud0d0\uc9c0 \ud558\ub294 \ud234\ub85c, \uac00\ubccd\uace0 \uc131\ub2a5\ub3c4 \uad1c\ucc2e\uc740 \uac83 \uac19\uc544\uc11c \uc544\uc9c1\ub3c4 \uc0ac\uc6a9\uc911\uc785\ub2c8\ub2e4. \uc774\ubc88\uc5d0 \uc774\uac83\uc744 \uc124\uce58, \uc6b4\uc601\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud574 \uc54c\uc544 \ubcf4\uaca0\uc2b5\ub2c8\ub2e4. \uc774 \uae00\uc744 \uc791\uc131\ud558\uc9c0 \uc880 \uc624\ub798\ub418\uc5b4 \ubc84\uc804\uc774 \ub0ae\uac8c \ubcf4\uc5ec\uc9c0\ub098, \ucd5c\uc2e0 \ubc84\uc804\uc5d0\uc11c\ub3c4 \ubb34\ub9ac\uc5c6\uc774 \uc124\uce58\uac00 \uac00\ub2a5\ud560 \uac83\uc73c\ub85c \uc0dd\uac01\ub429\ub2c8\ub2e4. (\ub808\ub4dc\ud587 8.0\uae4c\uc9c0\ub294 \uc124\uce58\ud574 … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[63],"tags":[],"_links":{"self":[{"href":"http:\/\/pchero21.com\/index.php?rest_route=\/wp\/v2\/posts\/1920"}],"collection":[{"href":"http:\/\/pchero21.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/pchero21.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/pchero21.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/pchero21.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1920"}],"version-history":[{"count":0,"href":"http:\/\/pchero21.com\/index.php?rest_route=\/wp\/v2\/posts\/1920\/revisions"}],"wp:attachment":[{"href":"http:\/\/pchero21.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1920"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/pchero21.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1920"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/pchero21.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1920"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}