Post by Spookstah on Dec 1, 2003 23:17:01 GMT 1
The last couple of days I've been working on the idea of a Nickname/IP logger like the one we use on our server, but now for all the Windows GO servers.
First I started examining the packets with a commercial tool, but it costs about $995. I couldn't ask you to pay for that, so I had to come up with something else.
In this tutorial I will explain how to set up a logger using Snort and WinPcap.
What do you need?
Snort: www.thelostparadise.com/GlobalOps/Snort_205_Build98_Installer.exe
WinPcap: www.thelostparadise.com/GlobalOps/WinPcap_3_01_a.exe
Snort batch file: www.thelostparadise.com/GlobalOps/snort.bat
Snort config file: www.thelostparadise.com/GlobalOps/nickname.conf
First install WinPcap and reboot, then install Snort into the standard dir C:\Snort.
(If you install Snort into another dir you have to change the info in snort.bat and nickname.conf.)
Copy snort.bat into C:\Snort\bin and nickname.conf into C:\Snort\etc.
Now make a new dir called "log" (without the quotes) in C:\Snort.
Go to C:\Snort\etc and open nickname.conf with your favorite text editor.
You will see this:
log udp any any -> xxx.xxx.xxx.xxx 27888 (content:"|8B|"; depth:1; byte_jump:1,1; content:"|00 00 00 96|"; distance:0; within:4; content:"|00 00 00|"; distance:1; within:3; logto:"nicknames.log";)
The xxx is important (no, this isn't p0rn, you sick bastards): replace xxx.xxx.xxx.xxx with your server IP and you are ready to go.
Go to C:\Snort\bin, start snort.bat and leave it running in the background.
As soon as new players connect to the server, Snort will write a file called nicknames.log into C:\Snort\log, where it logs all the nicknames and their IPs.
If you open nicknames.log it will look like this:
12/01-20:54:51.128431 0:8:E2:C6:38:0 -> 0:90:27:A7:69:5D type:0x800 len:0x3F
80.100.9.2:34105 -> 217.120.248.245:27888 UDP TTL:119 TOS:0x20 ID:48182 IpLen:20 DgmLen:49
Len: 21
8B 0B 00 43 48 42 20 5E 20 69 52 73 60 00 00 00  ...CHB ^ iRs`...
96 10 00 00 00                                   .....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/01-21:17:29.437895 0:8:E2:C6:38:0 -> 0:90:27:A7:69:5D type:0x800 len:0x45
80.186.38.77:1061 -> 217.120.248.245:27888 UDP TTL:112 TOS:0x20 ID:10964 IpLen:20 DgmLen:55
Len: 27
8B 11 00 5B 50 65 6C 74 69 7A 6B 72 75 5D 44 4B  ...[Peltizkru]DK
69 6C 6C 00 00 00 96 10 00 00 00                 ill........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
You should read it like this:
80.100.9.2:34105 -> 217.120.248.245:27888
80.100.9.2 is the IP of CHB ^ iRs` and 217.120.248.245 is the server IP.
The date and time are also in it, so you know exactly who was in your server and when; the other info isn't really important.
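Added example, not part of Spookstah's post and not code from Snort: a small Python script that reads a nicknames.log in the format shown above and turns it into clean (time, client IP, port, nickname) records, and that re-implements the rule's byte checks (first byte 0x8B, a length byte at offset 1, then 00 00 00 96, one skipped byte, then 00 00 00) so a captured UDP payload can be tested without running Snort. The two log entries embedded in it are the ones from the post; the function names and the players_by_ip summary are my own, and reading the byte at offset 1 as the nickname length including its NUL terminator is what the two captures show, not something the game's protocol documents.

```python
"""Turn Snort's nicknames.log into (time, client IP, port, nickname)
records and re-check each payload against the rule's byte tests."""
import re

# Constructed sample: the two entries shown in the post (Snort's packet
# log format: headers, "Len:", then a hex dump with an ASCII column).
SAMPLE_LOG = """\
12/01-20:54:51.128431 0:8:E2:C6:38:0 -> 0:90:27:A7:69:5D type:0x800 len:0x3F
80.100.9.2:34105 -> 217.120.248.245:27888 UDP TTL:119 TOS:0x20 ID:48182 IpLen:20 DgmLen:49
Len: 21
8B 0B 00 43 48 42 20 5E 20 69 52 73 60 00 00 00  ...CHB ^ iRs`...
96 10 00 00 00                                   .....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/01-21:17:29.437895 0:8:E2:C6:38:0 -> 0:90:27:A7:69:5D type:0x800 len:0x45
80.186.38.77:1061 -> 217.120.248.245:27888 UDP TTL:112 TOS:0x20 ID:10964 IpLen:20 DgmLen:55
Len: 27
8B 11 00 5B 50 65 6C 74 69 7A 6B 72 75 5D 44 4B  ...[Peltizkru]DK
69 6C 6C 00 00 00 96 10 00 00 00                 ill........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

HEADER = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ")
ADDRS = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) UDP")
LEN = re.compile(r"^Len: (\d+)")
HEXBYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def extract_nickname(payload):
    """Apply the rule's checks to a UDP payload; return the nickname or None."""
    # content:"|8B|"; depth:1 -> the first payload byte must be 0x8B
    if len(payload) < 2 or payload[0] != 0x8B:
        return None
    # byte_jump:1,1 -> read one byte at offset 1 and move the cursor that
    # many bytes past it. In both captures that byte is the nickname length
    # counting its NUL (0x0B = 11 for "CHB ^ iRs`"), so we land on the NUL.
    n = payload[1]
    cursor = 2 + n
    # content:"|00 00 00 96|"; distance:0; within:4 -> exactly at the cursor
    if payload[cursor:cursor + 4] != b"\x00\x00\x00\x96":
        return None
    cursor += 4
    # content:"|00 00 00|"; distance:1; within:3 -> skip one byte (0x10 in
    # the captures), then three NULs. A bogus length byte just gives a
    # short slice here, so it fails cleanly instead of raising.
    if payload[cursor + 1:cursor + 4] != b"\x00\x00\x00":
        return None
    # The name is client-supplied: cut at the first NUL and decode leniently.
    return payload[3:2 + n].split(b"\x00", 1)[0].decode("latin-1")


def parse_log(text):
    """Return [(timestamp, client_ip, client_port, nickname), ...] for
    every entry whose payload passes extract_nickname()."""
    records = []
    ts, src, remaining, payload = None, None, 0, bytearray()
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, src, remaining, payload = m.group(1), None, 0, bytearray()
            continue
        m = ADDRS.match(line)
        if m:
            src = (m.group(1), int(m.group(2)))
            continue
        m = LEN.match(line)
        if m:
            remaining = int(m.group(1))
            continue
        if remaining > 0:
            # At most 16 bytes per dump line, then the ASCII column. Counting
            # against "Len:" keeps ASCII that looks like hex out of the payload.
            take = min(16, remaining)
            tokens = line.split()[:take]
            if len(tokens) != take or not all(HEXBYTE.match(t) for t in tokens):
                remaining = 0  # malformed dump line: drop this entry
                continue
            payload.extend(int(t, 16) for t in tokens)
            remaining -= take
            if remaining == 0 and src is not None:
                nick = extract_nickname(bytes(payload))
                if nick is not None:
                    records.append((ts, src[0], src[1], nick))
    return records


def players_by_ip(records):
    """Group nicknames by client IP, in order of first appearance."""
    out = {}
    for _, ip, _, nick in records:
        names = out.setdefault(ip, [])
        if nick not in names:
            names.append(nick)
    return out


if __name__ == "__main__":
    for ts, ip, port, nick in parse_log(SAMPLE_LOG):
        print(f"{ts}  {ip}:{port}  {nick}")
```

To run it on the real file, call parse_log(open(r"C:\Snort\log\nicknames.log").read()). The "Len:" line decides how many hex bytes are taken from each dump line, so a nickname whose ASCII rendering happens to look like hex pairs cannot leak into the payload. Keep in mind that the nickname is whatever the client chose to send, while the source IP is what the server actually saw: use the IP, not the name, when you want to identify or ban someone, and expect the same IP to show up under several names.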