Gamba gamba

## 00_merge_netflows.md

      
              3 files
            
          
              0 forks
            
          
                0 comments
              
            
              1 star
            
          
                gamba
                / 00_merge_netflows.md
            
            
              Last active
              January 18, 2021 18:13
            
              
                Merging two network flows (vlan tagged and untagged) from a switch mirror port and use them as input for (multiple) IDS.
              
          
    Initial situation


A port on a switch is configured as port mirroring (SPAN) for the purpose of analyzing network traffic.
Due to the characteristics of the switch and its configuration the flow to be analyzed provided by the SPAN port is 802.1q untagged in one direction and tagged in the other.
The data flow coming from the switch should be merged into a single flow (802.1q untagged). It should also not be redirected back to the switch.

Tip


IDS host recieves port mirrored flow on port ens1f0: RX tagged flow + TX untagged.
The interface ens1f0.40 gets only the tagget flow (RX) and untags it.
Bridge br1 joins all three network flows: RX tagged flow + TX untagged + ens1f0.40 (same RX flow but untagged).
ebtables drop all the 802.1q tagged frames on br1.


## split_mbox.awk
BEGIN{chunk=0}
    /^From /{
    msgs++;if(msgs==1000){
        close(("chunk_" chunk ".mbox")i);
        msgs=0;chunk++
      }
    }
    {print > ("chunk_" chunk ".mbox")}

## clone_x509_cerificates.rb
#!/usr/bin/ruby

require 'openssl'

out_path   = "~/"

# Self Signed CA

input_ca = "~/ca_certificate.pem"

## swisslotto_1970-01-10_1979-03-31.csv

          
            Draw
            Numbers
            Complementary #

            
              1979-03-31
              [2, 8, 17, 19, 21, 40]
              1

            
              1979-03-24
              [3, 0, 5, 16, 35, 36]
              37

            
              1979-03-17
              [0, 5, 6, 12, 19, 29]
              39

            
              1979-03-10
              [12, 18, 2, 0, 25, 35]
              38

            
              1979-03-03
              [3, 4, 11, 21, 27, 32]
              37

            
              1979-02-24
              [5, 6, 14, 24, 34, 36]
              26

            
              1979-02-17
              [5, 9, 17, 18, 20, 28]
              29

            
              1979-02-10
              [6, 11, 18, 27, 32, 40]
              13

            
              1979-02-03
              [6, 13, 23, 32, 36, 39]
              9
	BEGIN{chunk=0}
	/^From /{
	msgs++;if(msgs==1000){
	close(("chunk_" chunk ".mbox")i);
	msgs=0;chunk++
	}
	}
	{print > ("chunk_" chunk ".mbox")}
	#!/usr/bin/ruby

	require 'openssl'

	out_path = "~/"

	# Self Signed CA

	input_ca = "~/ca_certificate.pem"
Draw	Numbers	Complementary #
1979-03-31	[2, 8, 17, 19, 21, 40]	1
1979-03-24	[3, 0, 5, 16, 35, 36]	37
1979-03-17	[0, 5, 6, 12, 19, 29]	39
1979-03-10	[12, 18, 2, 0, 25, 35]	38
1979-03-03	[3, 4, 11, 21, 27, 32]	37
1979-02-24	[5, 6, 14, 24, 34, 36]	26
1979-02-17	[5, 9, 17, 18, 20, 28]	29
1979-02-10	[6, 11, 18, 27, 32, 40]	13
1979-02-03	[6, 13, 23, 32, 36, 39]	9