Scripting and Security (Part 1)

If you would like to be notified of when Don Parker releases the next part in this article series please sign up to our WindowSecurity.com Real-Time Article Update newsletter.

Scripting will impact your job as a computer security professional at almost every juncture. Just what can PERL do for you though? Well for one it can certainly parse through the output of a security appliance quickly and efficiently.

Of scripting and you

Life as a computer security professional really is rather good, isn’t it? I mean, after all, we get to work at something we love doing, and actually get paid for it! It doesn’t get much better than that. Being in the middle of all that high tech equipment and making sure that it is all functioning smoothly is still quite a chore though. If you are lucky enough to only take care of security related matters at your company then life is even better. Being a system administrator is a difficult job, that is a fact. That said, it is not one that I would enjoy doing for a living.

During the course of your work day, all the computers around you are doing their tasks whilst you go about yours. What do all those computers have in common? Typically they are all running automated tasks. Whether it is the Active Directory controller taking care of the myriad tasks it oversees, or your router and firewall controlling access to your network, they all perform automated tasks. It would be far too time intensive to sit next to these devices and do their work manually. That is the beauty of automation.

Scripting

To automate certain tasks on computers, you really do need to learn how to script. What I mean by that is to learn one of the scripting languages. The two most popular and powerful, I would say, are PERL and Python. These two scripting languages are both interpreted rather than compiled. What I mean by that is, you need to have the appropriate interpreter installed on your computer so that your program can be “interpreted” and then executed.

Within the confines of this article we will be looking at PERL and how to use it to ease your workload by leveraging the power of the PERL scripting language. The example shown will be but one small instance of what can be done with PERL, and the script will be small in size for ease of learning. Should you not have PERL installed on your computer then simply surf over to ActiveState and download the MSI package. Once installed you are good to go. Installation is a breeze as it is an MSI. The beauty of PERL is that it can also be used on other operating systems, as long as you have PERL installed there.

What I have done is create a small file that contains the partial output of an “alert.ids” file from Snort. We will simply pick something in that file to pull out. In the instance used here we will be looking for all examples of the IP address 192.168.1.102 occurring in the input file called “articlefile”. Much like I mentioned above, this is but a simplistic example of what can be done with PERL. That said though, it may be a small example but it is also a useful one. You may, at some point in the future, want to parse through some logs to see how often a certain IP address shows up. The script that I have pasted below will do that quite well, as long as you modify the relative paths to the input file to match your own file paths.

Behold the PERL script!

Pasted below is the fully functional PERL script that I wrote up to illustrate how handy PERL can be.

#!/usr/bin/perl -w
use strict;

my $pattern = '192\.168\.1\.102';    # dots escaped so "." matches only a literal dot
open(INPUT, 'c:\articlefile') || die "can't open the file called articlefile: $!";
open(OUTPUT, '>c:\articleoutput') || die "can't write to the file called articleoutput: $!";
while (<INPUT>) {
    if ($_ =~ m/$pattern/) {
        print OUTPUT $_;    # $_ already ends in a newline, so none is added
    }
}
close(INPUT);
close(OUTPUT);

I have also pasted below the test input file I created, called “articlefile”, so that you can see exactly what the PERL script above parses out.

[**] [1:2351:8] NETBIOS DCERPC ISystemActivator path overflow attempt little endian [**]
    [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
    01/28-08:49:36.011482 192.168.1.102:1040 -> 192.168.1.101:135
    TCP TTL:64 TOS:0x0 ID:31304 IpLen:20 DgmLen:1500 DF
    ***A**** Seq: 0xFFBD6980  Ack: 0x1071DF86  Win: 0x5B4  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 3937142 27317
    [Xref => http://cgi.nessus.org/plugins/dump.php3?id=11808][Xref =>
    http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx]
    [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0352][Xref => 
    http://www.securityfocus.com/bid/8205]
[**] [1:2351:8] NETBIOS DCERPC ISystemActivator path overflow attempt little endian [**]
    [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
    01/28-08:49:36.011482 192.168.1.103:1040 -> 192.168.1.101:135 #changed ip address here
    TCP TTL:64 TOS:0x0 ID:31304 IpLen:20 DgmLen:1500 DF
    ***A**** Seq: 0xFFBD6980  Ack: 0x1071DF86  Win: 0x5B4  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 3937142 27317
    [Xref => http://cgi.nessus.org/plugins/dump.php3?id=11808][Xref =>
    http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx][Xref =>
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0352][Xref => 
    http://www.securityfocus.com/bid/8205]
Alright then! Now all we have to do is invoke the PERL script called “scripting_example.pl” and we should have ourselves an output file called “articleoutput”. By the way, if you want to cut and paste the script that I have included above, simply do just that: cut and paste it into Notepad. Once done, call it “scripting_example.pl”. You can call the script anything you like, but bear in mind that the name of the input file is hard-coded in the script itself on line five, so if you name that file differently you will have to change it there. Line five is where the open (INPUT…… line is. Lastly, you will need to cut and paste the input file that I also included above, the one which shows the Snort “alert.ids” file output.

Now that you have successfully cut and pasted this script onto your computer’s C drive, i.e. “c:\”, you are ready to invoke it via the DOS prompt.


Figure 1

As you can see in the screenshot above, you have typed in the name of the PERL script with the “.pl” appended at the end so that the PERL interpreter knows what it is. Once done, the prompt is returned to you. The whole process takes half a second or so. Now that it is done you need to confirm that it worked by checking to see if there is a file called “articleoutput” there. Let’s take a look.


Figure 2

Excellent then! Our script did indeed work, as it pulled out the line containing the IP address that we were looking for, i.e. 192.168.1.102. This IP address is what we had in our scalar called $pattern. You could, if you so wanted, input more patterns to look for at the same time, and that would only require minor adjustments to the script itself. When it comes to regexes, PERL is pretty much king. There is an entire book devoted to building regex patterns using PERL. Believe me, an entire book devoted to building regexes is not overdone. Building regexes can often be a life-altering experience!
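As an added example (not part of the original article), here is a PERL script that takes the two ideas above a step further: it watches a list of IP addresses rather than one, and counts how often each appears as the source of a Snort alert, broken down by signature. The alert data is a constructed sample in the “alert.ids” layout, embedded inline so the script runs with no file on disk; the dots in each IP are escaped so “.” cannot match any character, and the match is anchored so 192.168.1.10 cannot match inside 192.168.1.102.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample in the Snort "alert.ids" layout used above (not a real capture),
# embedded inline so the script runs without any file on disk.
my $alerts = <<'END';
[**] [1:2351:8] NETBIOS DCERPC ISystemActivator path overflow attempt little endian [**]
    [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
    01/28-08:49:36.011482 192.168.1.102:1040 -> 192.168.1.101:135
[**] [1:2351:8] NETBIOS DCERPC ISystemActivator path overflow attempt little endian [**]
    [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
    01/28-08:49:36.011482 192.168.1.103:1040 -> 192.168.1.101:135
[**] [1:2351:8] NETBIOS DCERPC ISystemActivator path overflow attempt little endian [**]
    [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
    01/28-08:51:02.220011 192.168.1.102:1041 -> 192.168.1.101:135
END

# Source IPs of interest. quotemeta escapes each dot so "." cannot match
# any character, and the anchored match below keeps 192.168.1.10 from
# matching inside 192.168.1.102.
my @watch    = ('192.168.1.102', '192.168.1.103');
my $watch_re = join '|', map { quotemeta } @watch;
my $ip_re    = qr/\d{1,3}(?:\.\d{1,3}){3}/;

my (%hits, $sig);
open(my $in, '<', \$alerts) or die "can't open alert data: $!";
while (my $line = <$in>) {
    # A "[**] [gid:sid:rev] name [**]" line starts a new alert record.
    if ($line =~ /^\s*\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(.+?)\s+\[\*\*\]/) {
        $sig = $1;
        next;
    }
    # Packet header line: "<timestamp> <src>:<port> -> <dst>:<port>"
    if ($line =~ /^\s*\S+\s+($ip_re):\d+\s+->\s+($ip_re):\d+/) {
        my $src = $1;
        next unless $src =~ /^(?:$watch_re)$/;
        $hits{$src}{ defined $sig ? $sig : 'unknown' }++;
    }
}
close($in);

# Report how many alerts each watched source IP raised per signature.
for my $ip (sort keys %hits) {
    for my $s (sort keys %{ $hits{$ip} }) {
        printf "%-15s %3d  %s\n", $ip, $hits{$ip}{$s}, $s;
    }
}
```

To run it against a real alert file, replace the in-memory open with open(my $in, '<', 'c:\articlefile') and keep the rest unchanged.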

Wrapup

Well, we can see that with only a few lines of PERL we can build ourselves a small script that takes the tedious work out of finding something by hand, or for that matter, out of using a tool like grep. PERL is eminently suited for these types of tasks and a whole lot more. There are also a great many ready-made modules that you can use to simplify your scripting tasks. In a future article we will look into one of these modules.

One such example is the IO::Socket module that PERL has. It is very handy to have this module handle most of the socket creation on your behalf. Much like the tool netcat, you can use PERL to generate some arbitrary input to test something out. In a future article I will cover how to modify an existing PERL script for your own uses. Well, that is it for now folks, I hope you enjoyed this very brief introduction to PERL scripting. Till next time!

