Suricata cheat sheet
Terms
```
spm: single pattern match
mpm: multi pattern matcher
bm: boyer moore
hs: hyperscan
ppt: packet processing thread
cidr: classless inter-domain routing, such as a.b.c.d/x
tsap: transport service access point
scada: supervisory control and data acquisition
```
Protocols
```
opc: ole for process control/Microsoft
    opcua/tcp/started bytes/
    opcda/dcerpc/started bytes/
modbus: /port 502/Schneider
    rtu: remote terminal unit
    ascii
    tcp
s7comm: /port 102/*(base + 7) == 0x32/Siemens
    tpkt:
    cotp: connection-oriented transport protocol
        ed: 0x1, expedited data
        ea: 0x2, expedited data acknowledgement
        ud: 0x4, user data
        rj: 0x5, reject
        dr: 0x8, disconnect request
        dc: 0xC, disconnect confirm
        cc: 0xD, connect confirm
        cr: 0xE, connect request
        dt: 0xF, data
    rosctr: remote operating service control
bacnet/ip: building automation and control networks/udp/port 47808/ISO standards
    bvlc: bacnet virtual link control
    npdu: bacnet network layer
    apdu: bacnet application layer
    bbmd: bacnet/ip broadcast management device
ethernet-ip: /ODVA
    cip: common industrial protocol/tcp/port 44818
    cip i/o: /udp/port 2222
iec: International Electrotechnical Commission
iec60870-5:
    101: basic telecontrol tasks
    104: network access for iec60870-5-101
iec104: /tcp/port 2404/*base == 0x68/
    apdu: application protocol data unit
    apci: application protocol control information
        cf1: first control field
        i-format: information transfer format/cf1 == 0/variable length
        s-format: numbered supervisory functions/cf1 == 01/fixed length
        u-format: unnumbered control functions/cf1 == 11/fixed length
    asdu: application service data unit
        sq: structure qualifier
        cot: cause of transmission
        oa: originator address
        ioa: information object address
        siq: single point of information
        diq: double point information
        sco: single command
        dco: double command
        rco: regulating step command
        vti: value with transient state indication
        sva: scaled value
        coa: common address of asdu
    102/electric energy metering
    103/protection equipment
iec61850:
    smv: iec61850-9-2
    goose: generic object oriented substation event
    sntp: time synchronisation
    acsi: abstract service communication interface
    mms: manufacturing message specification/port 102/
        tpkt
        cotp
        vmd: virtual manufacturing device
    gsse: generic substation state event
dnp3: distributed network protocol/port 20000/resembles iec60870-5 FT3
    rtu: remote terminal unit
    ied: intelligent electronic device
    iccp: inter-control center communications protocol
    data link layer
        prm: primary
        fcb: frame count bit
        fcv: frame count valid bit
        dfc: data flow control bit
    application layer
        apci: application protocol control information
        fir: first fragment
        fin: final fragment
        con: expect a confirmation
fins: /tcp/port 9600/
```
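As an added example (not part of the original notes), a small Python parser that applies the byte-level identification hints listed above: the IEC 104 start byte 0x68 and the CF1 bit patterns for I/S/U-format, the ASDU header fields (SQ, COT, OA, COA, IOA), and the S7comm check *(base + 7) == 0x32 on a TPKT/COTP payload. The sample frames are constructed for the example, not captured from real equipment.

```python
import struct

# Constructed sample frames (not captured from real equipment).
IEC104_I = bytes.fromhex("680e02000400" "01010300010001000001")  # I-format carrying M_SP_NA_1
IEC104_S = bytes.fromhex("680401000400")                         # S-format acknowledging N(R) = 2
IEC104_U = bytes.fromhex("680443000000")                         # U-format TESTFR act
S7_PDU = bytes.fromhex("0300001902f080" "32010000010000080000f0000001000101e0")  # TPKT+COTP+S7

# U-format function codes carried in control field 1 (CF1).
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


def parse_asdu(asdu: bytes) -> dict:
    """Fixed ASDU header of IEC 104: type id, VSQ (SQ bit + count), COT + OA, COA, first IOA."""
    if len(asdu) < 9:
        raise ValueError("ASDU shorter than the fixed header plus one IOA")
    type_id, vsq, cot, oa = asdu[0], asdu[1], asdu[2], asdu[3]
    coa = struct.unpack_from("<H", asdu, 4)[0]        # 2-byte common address, little-endian
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)  # 3-byte information object address
    return {"type_id": type_id, "sq": vsq >> 7, "num_objects": vsq & 0x7F,
            "cot": cot & 0x3F, "test": bool(cot & 0x80), "oa": oa, "coa": coa, "ioa": ioa}


def classify_apci(frame: bytes) -> dict:
    """Classify an IEC 104 APDU by CF1: bit 0 == 0 -> I, bits 1..0 == 01 -> S, 11 -> U."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC 104 APDU: missing 0x68 start byte")
    if frame[1] < 4 or len(frame) != frame[1] + 2:
        raise ValueError("APDU length field does not match the frame size")
    cf1, cf2, cf3, cf4 = frame[2:6]
    recv_seq = (cf3 >> 1) | (cf4 << 7)                 # N(R): 15-bit receive sequence number
    if cf1 & 0x01 == 0:                                # I-format: variable length, ASDU follows
        info = {"format": "I", "send_seq": (cf1 >> 1) | (cf2 << 7), "recv_seq": recv_seq}
        info.update(parse_asdu(frame[6:]))
        return info
    if cf1 & 0x03 == 0x01:                             # S-format: fixed length, ack only
        return {"format": "S", "recv_seq": recv_seq}
    return {"format": "U", "function": U_FUNCTIONS.get(cf1, f"unknown(0x{cf1:02x})")}


def is_s7comm(payload: bytes) -> bool:
    """Port 102 hint from the notes: TPKT version 3 in byte 0, S7 protocol id 0x32 at offset 7."""
    return len(payload) >= 8 and payload[0] == 0x03 and payload[7] == 0x32


if __name__ == "__main__":
    for name, frame in (("I", IEC104_I), ("S", IEC104_S), ("U", IEC104_U)):
        print(name, classify_apci(frame))
    print("s7comm:", is_s7comm(S7_PDU))
```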
Analysing a pcap file with Suricata
```
#--runmode single
suricata -c /path/to/suricata.yaml -r /path/to/sample.pcap --runmode autofp
```
PLC protocol dissectors in https://github.com/wireshark/wireshark/tree/master
| Protocol | Dissector path | Description |
|---|---|---|
| Siemens S7 | /epan/dissectors/packet-s7comm.c | Communication protocol supported by Siemens PLCs |
| MMS(IEC61850) | /asn1/mms | Power transmission and distribution communication protocol |
| GOOSE(IEC61850) | /asn1/goose | Power transmission and distribution communication protocol |
| SV(IEC61850) | /asn1/sv | Power transmission and distribution communication protocol |
| Modbus | /epan/dissectors/packet-mbtcp.c | Standard industrial control protocol |
| OPC DA | /epan/dissectors/packet-dcom.c | Standard industrial control protocol |
| FF HSE | /epan/dissectors/packet-ff.c | Foundation Fieldbus Ethernet communication protocol |
| IEC 104 | /epan/dissectors/packet-iec104.c | Power transmission and distribution communication protocol |
| Ethernet POWERLINK | /epan/dissectors/packet-epl.c | Open real-time Ethernet communication |
| OPC UA | /plugins/opcua/opcua.c | Next-generation OPC standard |
| HART-IP | /epan/dissectors/packet-hartip.c | HART (Highway Addressable Remote Transducer) protocol |
| CoAP | /epan/dissectors/packet-coap.c | Lightweight application-layer protocol |
| Omron FINS | /epan/dissectors/packet-omron-fins.c | Communication protocol supported by Omron PLCs |
| openSAFETY | /epan/dissectors/packet-opensafety.c | Open-source safety application protocol |
| EGD(Ethernet Global Data) | /epan/dissectors/packet-egd.c | Communication protocol developed by GE Fanuc for PLCs |
| DNP3 | /epan/dissectors/packet-dnp.c | Distributed Network Protocol, mainly used in the electric power industry |
| Sinec H1 | /epan/dissectors/packet-h1.c | Communication protocol supported by Siemens PLCs |
| Profinet | /plugins/profinet/ | Open industrial Ethernet communication protocol |
| EtherCAT | /plugins/ethercat/ | Open real-time Ethernet protocol promoted by Beckhoff (Germany) |
| SERCOS III | /epan/dissectors/packet-sercosiii.c | Real-time Ethernet communication protocol |
| RTPS | /epan/dissectors/packet-rtps.c | Real-time streaming transport protocol |
| TTEthernet | /epan/dissectors/packet-tte.c | Real-time Ethernet communication protocol |
| CDT | /dissectors/packet-cdt.c | Telecontrol protocol |
| EtherNet/IP | /epan/dissectors/packet-etherip.c | Industrial Protocol; an implementation of CIP designed by Rockwell Automation |
| CIP | /epan/dissectors/packet-cip.c | Common Industrial Protocol |
| CIP Safety | /epan/dissectors/packet-cipsafety.c | Safety variant of the Common Industrial Protocol |
| DeviceNet | /epan/dissectors/packet-devicenet.c | An implementation of CIP designed by Allen-Bradley |
| BACnet | /epan/dissectors/packet-bacnet.c | Building automation and control network data communication protocol |
| KNXnet/IP | /epan/dissectors/packet-knxnetip.c | Home and building control standard |
| Lontalk | /epan/dissectors/packet-lon.c | Communication protocol used by Echelon's LonWorks technology |
| CANopen | /epan/dissectors/packet-canopen.c | Controller Area Network communication protocol |
| SAE J1939 | /epan/dissectors/packet-j1939.c | A CAN variant used in agricultural and commercial vehicles |
| USITT DMX512-A | /epan/dissectors/packet-dmx.c | Lighting control data transmission protocol |
| BSSAP/BSAP | /epan/dissectors/packet-bssap.c | Communication protocol developed by Bristol Babcock Inc |
| Gryphon | /plugins/gryphon | Vehicle communication protocol |
| ZigBee | /epan/dissectors/packet-zbee.h | Open wireless communication protocol |
refer to:
https://reference.opcfoundation.org/v104/Core/docs/Part6/7.1.2/
https://plcscan.org/
https://www.fit.vut.cz/research/publication-file/11570/TR-IEC104.pdf
https://suricata.readthedocs.io/en/suricata-5.0.6/configuration/suricata-yaml.html
Parsing quoted words out of a string into a bash array
```bash
#!/bin/bash
# shebang must be bash: arrays and declare -a are bash features.
print_args() {
    echo "1st is [$1]"
    echo "2nd is [$2]"
    echo "3rd is [$3]"
    echo "4th is [$4]"
    echo "5th is [$5]"
    echo "6th is [$6]"
    echo "7th is [$7]"
    echo "8th is [$8]"
}

VAR1=(1 2 "3 4" 5)
print_args "${VAR1[@]}"

VAR2="11 22 \"33 44\" 55"
# eval would also execute anything embedded in the string (command injection):
#eval "VAR2=($VAR2)"
# Instead, strip the characters that enable substitution and redirection
# (` $ < >) and let declare parse the quoted words into an array.
declare -a "VAR2=($(echo "$VAR2" | tr '`$<>' '????'))"
print_args "${VAR2[@]}"
```
Latin cases
Nouns
```
Nominative (subject case), Genitive (possessive case), Dative (indirect-object case), Accusative (object case)
Ablative (separation case), Locative (place case), Vocative (address case)
-ere = to do = -en, -ern, -eln in German
```
https://www.online-latin-dictionary.com/
case | singular | plural | |
---|---|---|---|
1ST DECLENSION | |||
aqua, -ae, f. water | |||
nom | aqua | aquae | |
gen | aquae | aquārum | |
dat | aquae | aquīs | |
acc | aquam | aquās | |
abl | aquā | aquīs | |
2ND DECLENSION | |||
servus, -ī, m. slave | |||
nom | servus | servī | |
gen | servī | servōrum | |
dat | servō | servīs | |
acc | servum | servōs | |
abl | servō | servīs | |
dōnum, -ī, n. gift | |||
nom | dōnum | dōna | |
gen | dōnī | dōnōrum | |
dat | dōnō | dōnīs | |
acc | dōnum | dōna | |
abl | dōnō | dōnīs | |
3RD DECLENSION | |||
rēx, rēgis, m. king | |||
nom | rēx | rēgēs | |
gen | rēgis | rēgum | |
dat | rēgī | rēgibus | |
acc | rēgem | rēgēs | |
abl | rēge | rēgibus | |
corpus, corporis, n. body | |||
nom | corpus | corpora | |
gen | corporis | corporum | |
dat | corporī | corporibus | |
acc | corpus | corpora | |
abl | corpore | corporibus | |
3RD DECLENSION I-STEM | |||
cīvis, -is, m. citizen | |||
nom | cīvis | cīvēs | |
gen | cīvis | cīvium | |
dat | cīvī | cīvibus | |
acc | cīvem | cīvēs | |
abl | cīve | cīvibus | |
mare, -is, n. sea | |||
nom | mare | maria | |
gen | maris | marium | |
dat | marī | maribus | |
acc | mare | maria | |
abl | marī | maribus | |
4TH DECLENSION | |||
frūctus, -ūs, m. fruit | |||
nom | frūctus | frūctūs | |
gen | frūctūs | frūctuum | |
dat | frūctuī | frūctibus | |
acc | frūctum | frūctūs | |
abl | frūctū | frūctibus | |
cornū, -ūs, n. horn | |||
nom | cornū | cornua | |
gen | cornūs | cornuum | |
dat | cornū | cornibus | |
acc | cornū | cornua | |
abl | cornū | cornibus | |
5TH DECLENSION | |||
rēs, reī, f. thing | |||
nom | rēs | rēs | |
gen | reī | rērum | |
dat | reī | rēbus | |
acc | rem | rēs | |
abl | rē | rēbus | |
diēs, diēī, m. day | |||
nom | diēs | diēs | |
gen | diēī | diērum | |
dat | diēī | diēbus | |
acc | diem | diēs | |
abl | diē | diēbus | |
| present (1st sg.) | infinitive | perfect | supine | perfect participle | conjugation | meaning |
|---|---|---|---|---|---|---|
| go | to go | went | gone | | | (English analogy) |
| ago | agere | egi | actum | actus | III | do, drive |
| amo | amare | amavi | amatum | amatus | I | love |
| audio | audire | audivi | auditum | auditus | IV | hear |
| capio | capere | cepi | captum | captus | III | take, seize |
| deleo | delere | delevi | deletum | deletus | II | destroy, demolish |
| dico | dicere | dixi | dictum | dictus | III | say |
| do | dare | dedi | datum | datus | I | give |
| duco | ducere | duxi | ductum | ductus | III | lead |
| facio | facere | feci | factum | factus | III | do, make, cause to become |
| finio | finire | finivi | finitum | finitus | IV | finish |
| habeo | habere | habui | habitum | habitus | II | have |
| laboro | laborare | laboravi | laboratum | laboratus | I | work |
| laudo | laudare | laudavi | laudatum | laudatus | I | praise |
| lego | legere | legi | lectum | lectus | III | read |
| maneo | manere | mansi | mansum | mansus | II | remain, stay |
| mitto | mittere | misi | missum | missus | III | send, dispatch |
| moneo | monere | monui | monitum | monitus | II | advise, warn |
| opto | optare | optavi | optatum | optatus | I | wish |
| rego | regere | rexi | rectum | rectus | III | rule, govern |
| scribo | scribere | scripsi | scriptum | scriptus | III | write |
| sentio | sentire | sensi | sensum | sensus | IV | feel, perceive |
| venio | venire | veni | ventum | ventus | IV | come |
| video | videre | vidi | visum | visus | II | see |
| vinco | vincere | vici | victum | victus | III | conquer |
| vivo | vivere | vixi | victum | victus | III | live |
refer to:
https://www.zhihu.com/people/calvinx-28
https://www.thoughtco.com/endings-of-latin-nouns-third-declension-117591
https://www.zhihu.com/question/32303392?sort=created
https://wenku.baidu.com/view/20e6b28ccd7931b765ce0508763231126fdb776d.html
https://www.zhihu.com/question/28861260
strongSwan: configuring multiple subnets
ipsec.conf method
```
conn myikesettings
    keyexchange=ikev1
    left=10.0.0.1
    right=10.0.0.2
    leftcert=mycert.pem
    rightcert=othercert.pem
    ike=aesgcm16-prfsha256-modp3072!
    esp=aesgcm16-modp3072!
    auto=add

conn sa_1
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.51.0/24
    also=myikesettings

conn sa_2
    leftsubnet=192.168.2.0/24
    rightsubnet=192.168.52.0/24
    also=myikesettings
```
```
ipsec restart
ipsec reload
ipsec up sa_1
ipsec up sa_2
```
swanctl method
```
connections {
    host-host {
        ...
        children {
            host-host1 {
                local_ts = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
                ...
            }
            host-host2 {
                local_ts = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
                ...
            }
        }
    }
}
```
```
charon &
swanctl --load-all --clear
swanctl --initiate --child host-host1
swanctl --initiate --child host-host2
```
refer to:
https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Multiple-subnets-per-SA
overlayfs mount: Stale file handle
The cause is that the content of lowerdir or upperdir is no longer in sync with workdir.
Just cleaning out the workdir fixes it.
recover terminal tty
When my terminal is in a full-screen text-UI mode (for example a program using the ncurses library) and an exception occurs, the console may be left garbled. Just blindly type the command below to recover it.
```
#reset
stty sane <press enter key>
```
mount squashfs: Operation not permitted
The Linux kernel needs to be recompiled with squashfs support.
```
CONFIG_SQUASHFS
Location:
  -> File systems
    -> Miscellaneous filesystems (MISC_FILESYSTEMS [=y])
```
Or use the user-space command
```
squashfuse ./sysrcd.dat sysrcd_dir
```
SecureFX connection failure
Connecting to Linux host A fails, returning
```
i Available Remote Kex Methods = curve25519-sha256,curve25519-sha256@libssh.org,...
i Selected Kex Method =
```
Connecting to Linux host B succeeds, returning
```
i Available Remote Kex Methods = curve25519-sha256@libssh.org,ecdh-sha2-nistp256,...
i Selected Kex Method = diffie-hellman-group14-sha1
```
The cause is that OpenSSH on host A was upgraded, and the newer version no longer offers a key exchange method the client supports (host B still offers diffie-hellman-group14-sha1). Confirm the version with
```
ssh -V
```
The fix is to append the following to the end of /etc/ssh/sshd_config. Note that a bare KexAlgorithms line replaces the server's default list rather than extending it (newer OpenSSH accepts a leading + to append to the defaults), and diffie-hellman-group14-sha1 is a legacy SHA-1 based method, so updating the client is the cleaner long-term fix.
```
#Ciphers aes128-cbc
#MACs hmac-md5,hmac-sha1
KexAlgorithms diffie-hellman-group14-sha1
```
Restart sshd
```
service sshd restart
```
refer to:
https://blog.csdn.net/lk_db/article/details/50964912