
Thread: Proper regex syntax for ngrep to locate MX requests?

  1. #1
    Just burned his ISO
    Join Date
    Apr 2009
    Posts
    18

    Default Proper regex syntax for ngrep to locate MX requests?

Greetings to all...

First post, so I'm a bit limited in which forum I can post in right now; sorry for not dropping this in the "General IT" forum.

The issue is this:
I have a client that keeps getting blacklisted by various domains. He's done the simple stuff (blocking 25/tcp at the perimeter firewall, etc.) but the problem persists. He and I agree that this is most likely originating outside of his network (remote users, specifically) but we need to prove it with a nice pie chart, etc., for the execs.

So I suggested that we connect a sniffer to a SPAN on the core switch of his user space and log any [MX] requests. His mail server is obviously in the DMZ and he doesn't have anything else originating from those subnets that should muddy the logs.

My first thought was tcpdump but I'm beginning to lean more towards ngrep now (and am definitely open to thoughts/constructive criticism on that), and I'm trying to set ngrep to watch for MX requests via regex.

I admit I haven't really dealt with regular expressions much and I'm beginning to feel over my head here. I've tried multiple variations on lines like:

Code:
# ngrep -q -t -i 'mx' tcp port smtp -O /path/to/log.lpc
But I'm definitely doing something wrong. At this point I need another pair of (informed) eyes to correct me. I didn't find anything on-target in the forum search so I thought I would ask...

Thanks for checking me.
Peace
~b

  2. #2
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    Default

I will leave this here because if I move it to General IT you won't be able to respond. In the future, though, please keep your posts related to BackTrack.

  3. #3
    Just burned his ISO
    Join Date
    Apr 2009
    Posts
    18

    Default gotcha..

Righto.

I figured "General IT" would be the best place to ask about the usage of a tool that is included in BackTrack, but wasn't really sure about the newbie area... thanks for leaving it.

~b

  4. #4
    Very good friend of the forum drgr33n's Avatar
    Join Date
    Jan 2010
    Location
    Dark side of the moon ...
    Posts
    699

    Default

Scrap that, lol, I'm tripping!!! The only other thing I could suggest is that you specify the adapter you are using:

Code:
ngrep -qtid ethX tcp port smtp -O /path/to/log.lpc

  5. #5
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Try looking in your DNS traffic not your smtp traffic (Assuming you mean mx record lookups <shrug>).
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  6. #6
    Just burned his ISO
    Join Date
    Apr 2009
    Posts
    18

    Default right!

thorin is absolutely correct and I was a fat-finger that typed before engaging my brain. My bad. Thanks for pointing that out.

I'll lose the -i and give that a go. Thanks for the heads-up, Dr_GrEeN.

~b

  7. #7
    Just burned his ISO
    Join Date
    Apr 2009
    Posts
    18

    Default

Quote Originally Posted by Dr_GrEeN View Post
Scrap that, lol, I'm tripping!!! The only other thing I could suggest is that you specify the adapter you are using:

Code:
ngrep -qtid ethX tcp port smtp -O /path/to/log.lpc
Yeah... I wasn't really sure how being case-sensitive would screw me, but when you ask for help, try the help offered, right?

I've tried specifying the adapter before; it didn't really help either, but thanks for the update.

Peace
~b

  8. #8
    Just burned his ISO
    Join Date
    Apr 2009
    Posts
    18

    Default

OK, so I am totally not understanding something here. From the man pages and online searches that I've done, this should work... but it isn't. I have no doubt that I've just totally misunderstood something about how to search for regular expressions using ngrep or whatever, but it's making me feel like a complete idiot at this point.

Before I post my code, though, I'd like to say that since I have posting rights to "General IT" now, we can move this discussion if you prefer (although I'm thinking I should fit the "newbie" title at this point).

I didn't start a new thread so as to avoid cross-posting, but whatever you guys think is best.

I've expanded a bit from just ngrep here (and am attempting on a couple of different systems), in my search for being able to record and store only MX requests. Here is what I am doing (emphasis added):

    Code:
    # tshark -t ad -n -s 1520 -i eth0 port 53 -w ./tcpdump_results.lpc &
    [20] 26011
    # Running as user "root" and group "root". This could be dangerous.
    Capturing on eth0
    
# dig <site> -t MX
; <<>> DiG 9.5.0-P2 <<>> <site> -t MX
    <...truncated...>
    ;; QUESTION SECTION:
    ;<site>.              IN    MX
    <...truncated...>
     
    # ls -al ./tcpdump_results.lpc 
    -rw-r--r-- 1 root root 224 2009-04-16 13:53 ./tcpdump_results.lpc
    
    # ngrep -q -t -i 'MX' -I ./tcpdump_results.lpc 
    input: ./tcpdump_results.lpc
    match: MX
    
    # tcpdump -n -r ./tcpdump_results.lpc |grep MX
    reading from file ./tcpdump_results.lpc, link-type EN10MB (Ethernet)
    13:53:12.739833 IP x.x.x.x.41765 > x.x.x.x.53: 46912+ MX? <site>. (32) 
For whatever reason I just can't figure out how to get ngrep to see the MX request.

I'll gladly accept whatever derisive brow-beating comes with the breadcrumb that helps me untangle this.

I appreciate the interest...
Peace
~b

  9. #9
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Is tshark capturing both TCP and UDP?

    Do you need to quote(') the string in ngrep? (I thought that was only necessary if there were special characters, spaces, etc. Though I have no idea if that's causing your problem .. dropping them is a simple thing to try.)

  10. #10
    Just burned his ISO
    Join Date
    Apr 2009
    Posts
    18

    Default

OK, here is the part where I explain exactly how I have been an idiot.

First, here is the correct syntax:

Code:
ngrep -q -t MX -I <lpc file>
Or I could specify the "-i" switch to be case-insensitive, or I could use live capture as my source, etc.

I tested this by ngrep'ing an lpc file for 'google' right after I had pinged it and, sure enough, I got correct feedback. So I dug (digged?) an MX record and tried again... but instead of ngrep'ing for the criterion "MX", I sniffed for the domain name that I had queried. Sure enough, again I got the correct feedback.

Apparently, the term "MX" does not appear at the network layer at all. I had used the correct ngrep query already and gotten the correct feedback... nothing.

This strikes me as odd; I would have thought that "MX" would show after the query, but I guess you learn something every day.

So I'll just use tcpdump or tshark to look at the capture and pipe a grep for MX instead.
Seems a bit "hackish" but it'll get the job done.

Thanks to all for trying to help me out, I appreciate it.
Peace!
~b
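Editor's note, added as a worked example and not part of the thread: the string "MX" is not on the wire because a DNS question carries the record type as a 16-bit code (MX is type 15, RFC 1035), which tcpdump and tshark decode into the mnemonic you grep for. The script below (standard-library Python 3 only) builds a few constructed query packets, parses the question section to pull out the QTYPE, and tallies MX lookups per source address, which is the raw material for the pie chart. It also derives the byte sequence that marks an MX/IN question so the same match can be handed to ngrep with -X (hex match mode) against udp port 53 instead of a text regex. Sample addresses and domains are made up; `parse_query`, `count_mx_by_source` and `ngrep_hex_pattern` are names chosen here, not ngrep or tshark APIs.

```python
import struct

# DNS QTYPE codes from RFC 1035. The wire format carries the 16-bit code,
# never the ASCII mnemonic, so a text match for "MX" on port 53 finds nothing.
QTYPE_A = 1
QTYPE_MX = 15
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def build_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query (the UDP payload) for `name` with type `qtype`."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_query(payload):
    """Return (qname, qtype) for the first question in a DNS query, or None."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount == 0:   # QR bit set means a response, not a query
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:                  # end of QNAME
            break
        if length & 0xC0:                # compression pointer: not valid in a question
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype


def count_mx_by_source(packets):
    """packets: iterable of (src_ip, udp_payload). Returns {src_ip: number of MX queries}."""
    counts = {}
    for src, payload in packets:
        parsed = parse_query(payload)
        if parsed and parsed[1] == QTYPE_MX:
            counts[src] = counts.get(src, 0) + 1
    return counts


def ngrep_hex_pattern(qtype):
    """Hex string for `ngrep -X`: the 0x00 that ends QNAME, then QTYPE, then QCLASS IN."""
    return "00" + struct.pack("!HH", qtype, 1).hex()


# Constructed sample traffic (made-up addresses and names, not a real capture).
SAMPLE = [
    ("192.0.2.10", build_query("example.com", QTYPE_MX)),
    ("192.0.2.10", build_query("example.net", QTYPE_MX)),
    ("192.0.2.11", build_query("example.com", QTYPE_A)),
    ("192.0.2.12", build_query("example.org", QTYPE_MX)),
]

if __name__ == "__main__":
    for src, payload in SAMPLE:
        name, qtype = parse_query(payload)
        print(src, name, QTYPE_NAMES.get(qtype, qtype), "ascii 'MX' present:", b"MX" in payload)
    print(count_mx_by_source(SAMPLE))
    print("ngrep -q -t -X", ngrep_hex_pattern(QTYPE_MX), "udp port 53")
```

Two things to keep in mind when running this against the client's SPAN: the hex pattern only catches MX questions with QCLASS IN and would also fire on a response that echoes the question section, so filter on the QR flag (as `parse_query` does) or on destination port 53 when you want queries only; and large responses may arrive over TCP, which is another reason to capture `port 53` rather than `udp port 53` if you later want the answers too.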
