
Configuring a Promiscuous Interface on Ubuntu 9.04

If you’ve got a bad memory (like me) you might some day find yourself searching for a way to configure an interface on your Ubuntu 9.04 system to use as a sniffer interface. Here is how you do it:

1) Edit the interfaces file:

you@ubuntu:~$ sudo vim /etc/network/interfaces
[sudo] password for you: enter your password

2) Go to the last line of your interfaces file and add the following:

iface eth1 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    up ip link set $IFACE promisc on
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down

3) Save and exit the file:

:wq

4) Bring your newly configured interface up:

you@ubuntu:~$ sudo ifup eth1

5) Check your interface and look for PROMISC:

you@ubuntu:~$ sudo ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:0c:29:bb:3a:cc
inet6 addr: fe80::20c:29ff:febb:3acc/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:31011 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4973602 (4.9 MB) TX bytes:796 (796.0 B)
Interrupt:16 Base address:0x2080

Now start snort, tcpdump, or whatever you want to use to start sniffing traffic using your newly configured promiscuous interface.
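Step 5 is also the check you would run the other way round, to find out whether any interface on a host is in promiscuous mode when it should not be. The script below is an added example and not part of the original post: it parses the flag list from either the legacy ifconfig line shown above or the output of "ip link show", and lists every promiscuous interface. The sample output embedded in it is constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the original post): script the "look for PROMISC"
# check so it can be repeated, or used to audit every interface on a host.

# is_promisc OUTPUT: return 0 if the captured output of "ifconfig DEV" or
# "ip link show DEV" contains the PROMISC flag as a whole word, 1 otherwise.
is_promisc() {
    printf '%s\n' "$1" | grep -qw PROMISC
}

# promisc_ifaces OUTPUT: given the full output of "ip link show", print the
# name of every interface whose <...> flag list contains PROMISC.
promisc_ifaces() {
    printf '%s\n' "$1" | awk -F': ' '
        /^[0-9]+: / && $3 ~ /[<,]PROMISC[,>]/ {
            sub(/@.*/, "", $2)   # drop the "@parent" suffix of VLAN/veth names
            print $2
        }'
}

# Constructed sample output; on a live host use
#   IP_OUT=$(ip link show)   and   IFCONFIG_OUT=$(ifconfig eth1)
IP_OUT='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:bb:3a:c2 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:bb:3a:cc brd ff:ff:ff:ff:ff:ff'

IFCONFIG_OUT='eth1      Link encap:Ethernet  HWaddr 00:0c:29:bb:3a:cc
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1'

echo "Interfaces in promiscuous mode (ip link):"
promisc_ifaces "$IP_OUT"
if is_promisc "$IFCONFIG_OUT"; then
    echo "eth1 (ifconfig): PROMISC is set"
fi
```

On a sniffer box the expected answer is the one interface you configured; anything else in the list deserves a look.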

Installing log2timeline on SIFT – Updated Instructions for Ease of Use

If you use the SANS Investigative Forensic Toolkit (SIFT) Workstation for your forensic analysis you can easily add log2timeline to your VMware guest image. In order to get these files using the wget, yum, and cpan methods you must ensure that your SIFT workstation has its interface set to ‘bridged’ or ‘NAT’ mode so that it can get out to the Internet.

Steps to Install log2timeline on SIFT

1. Download the log2timeline archive to your SIFT workstation
[root@SIFTWorkstation ~]# wget http://log2timeline.net/files/log2timeline_0.33b.tgz

2. Extract the archive
[root@SIFTWorkstation ~]# tar zxvf log2timeline_0.33b.tgz

3. Change to the log2timeline directory
[root@SIFTWorkstation ~]# cd log2timeline

4. Install some of the dependencies using yum
[root@SIFTWorkstation ~]# yum install perl-DateTime perl-Net-Pcap perl-Archive-Zip perl-HTML-Scrubber perl-Image-ExifTool perl-Glib

5. Install the NetPacket::Ethernet module
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install NetPacket::Ethernet'

6. Install the ExtUtils::Depends and ExtUtils::PkgConfig modules
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install ExtUtils::Depends'
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install ExtUtils::PkgConfig'

7. Install the Glib, Cairo, Pango, and Gtk2 modules
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install Glib'
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install Cairo'
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install Pango'
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install Gtk2'

8. Compile log2timeline
[root@SIFTWorkstation log2timeline]# perl Makefile.PL && make && make install

9. Execute the log2timeline script using the ‘-f list’ flag to test the installation
[root@SIFTWorkstation log2timeline]# log2timeline -f list

That’s it. If the log2timeline -f list command displayed all available log file formats you should be good to go. In my experience, if a particular module is missing you will receive an error when running this file (in a different place depending on what is missing).

Now you should probably take a snapshot of your SIFT image so that you don’t revert back and lose your log2timeline application. If you would like more information on log2timeline there is a great article here: http://blogs.sans.org/computer-forensics/2009/08/13/artifact-timeline-creation-and-analysis-tool-release-log2timeline/ and the log2timeline project page can be found here: http://log2timeline.net/.

Quick and Dirty VPN over SSH

A colleague of mine sent me a cool little command to create a “quick and dirty vpn over ssh”:

It’s a quick and dirty vpn over ssh and only requires that ssh and pppd are installed on each end (generally true for Linux and *BSD)

pppd updetach noauth passive pty "ssh -x -P 123.45.2.55 -l root sudo pppd nodetach notty noauth proxyarp" 192.168.0.65:192.168.0.66 && route add -net 192.168.0.64/26 dev ppp0

Although this has been around for a while it does allow for an ad-hoc virtual private network without the need to install any special VPN software.
