Note: Although this was created some time back (sorry for sharing this so late), there’re improvements to be made still. Discussions are always welcomed.
When responding to an enterprise network compromise, one big question (and source of pressure) is that network IOCs need to be determined quickly. While this information would usually come from the malwares/tools used in the compromise, the fact that the surfacing of network IOCs and triaging being done in parallel presents a Catch-22 situation: How do we find machines and malware without network IOCs available? How do we get network IOCs without analyzing any machines/malware suspects?
Continue reading Detecting malware beacons using Splunk
Deputy Director? No…the Unix dd command!
The dd command is one of the most versatile and powerful tools you will find in a Linux box, it is an awesome command! Disk wiping is only one of the more common uses for it. There’re some other tricks that I use dd for, but those will have to be left for another post…
You may have noticed that there’s a tip on monitoring the current status of the dd command right at the end of the
$ dd --help
Sending a USR1 signal to a running `dd' process makes it
print I/O statistics to standard error and then resume copying.
$ dd if=/dev/zero of=/dev/null& pid=$!
$ kill -USR1 $pid; sleep 1; kill $pid
18335302+0 records in
18335302+0 records out
9387674624 bytes (9.4 GB) copied, 34.6279 seconds, 271 MB/s
That works as stated, but what if you want to get a continuous status update on the state of the dd command for long tasks such as wiping a hard drive? Well, you use a loop to do that.
As for keeping the loop running for only as long as the dd process is alive and working, I use the -a test to check that the cmdline file for that process id exists. When the process dies, the proc folder is deleted shortly after, and the cmdline file ceases to exist. That will cause the while loop to exit too. No more flooding the screen with useless output!
$ sudo dd if=/dev/zero of=/dev/sdc & pid=$!
$ sudo while [ -a /proc/$pid/cmdline ]; do echo; date; sudo kill -USR1 $pid; sleep 1; done
Thu Sep 6 02:00:12 SGT 2012
63637313+0 records in
63637313+0 records out
32582304256 bytes (33 GB) copied, 6814.37 s, 4.8 MB/s
Thu Sep 6 02:00:14 SGT 2012
63643513+0 records in
63643513+0 records out
32585478656 bytes (33 GB) copied, 6815.34 s, 4.8 MB/s
Thu Sep 6 02:00:15 SGT 2012
63649217+0 records in
63649217+0 records out
32588399104 bytes (33 GB) copied, 6816.46 s, 4.8 MB/s
Thu Sep 6 02:00:16 SGT 2012
63657193+0 records in
63657193+0 records out
32592482816 bytes (33 GB) copied, 6817.42 s, 4.8 MB/s