This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Trigger an executable file once wireshark finds a “keyword” on live capture

0

Hi,

I'm setting up a trap for hackers on my server, by putting an attractive file named: "source-code.zip" (as an example) so only hackers can see. (If the hacker is using a PHP shell trap or something)

Once the hacker trys to open or access the "source-code.zip" file, I need wireshark to trigger an executable file that will shut down the network card on my server to prevent any other theft, just in case.

How can I do this using wireshark or tcpdump ? is it possible ? for example using a filter where if any packet (TCP/UDP/ETC..) contains the word "source-code.zip" it should trigger an executable.

Of course the file name "source-code.zip" will be changed to someting more unique and complex.

I need your help guys, is it possible to trigger files using filters on wireshark ? It also should not slow my network or CPU usage..

Thank you. (and sorry if my english is bad)

asked 21 Mar '12, 09:11

reacen's gravatar image

reacen
6113
accept rate: 0%

Please help with anything.. ? I need this so bad.

(22 Mar '12, 11:56) reacen

3 Answers:

5

Yes, you can do this through Wireshark Lua, but as the other answers indicate, there are better ways to accomplish your goal.

If you really wanted to use Wireshark, you could create a tap/listener that runs a specified program (using os.execute, which runs a shell command, or io.popen, which starts a program in a separate process...you probably want the latter) upon detecting a packet of interest.

Here's an example Lua script (based on this answer) that opens iTunes whenever UDP packets, containing XML, arrive at port 2000. The script is put in ~/.wireshark/plugins/itunes_tap.lua. (Note that the script automatically loads in tshark)

-- use display-filter syntax here
local _filter = '(udp.port == 2000) && xml'

– command to be executed for each packet
local _cmd = 'open /Applications/iTunes.app'
local _run = io.popen


local function make_tap(filter)
local tap = Listener.new(nil, filter)


function tap.packet()
    _run(_cmd)
end

return tap



end


– If not running from Wireshark, enable the tap immediately, then
– abort, or else we'll get an error below for trying to do GUI
– stuff from the command line.
if not gui_enabled() then
make_tap(_filter)
return
end


local function make_win()
local tap = nil
local win = TextWindow.new("Watcher")


local function remove_tap()
if tap then tap:remove() end
    tap = nil
end

win:set("Press Start to begin watching")
win:set_atclose(remove_tap)

win:add_button("Start", function()
    if tap then
        report_failure("Already started")
        return
    end

    win:set("Watching for:\\n" .. _filter)
    tap = make_tap(_filter)
end)

win:add_button("Stop", function()
    if not tap then
        report_failure("Not started")
        return
    end

    remove_tap()
    win:set("Press Start to begin watching")
end)

return win



end


register_menu("Lua/Test", make_win, MENU_TOOLS_UNSORTED or 8)

answered 22 Mar ‘12, 17:23

helloworld's gravatar image

helloworld
3.1k42041
accept rate: 28%

I LOVE YOU you so much, you just saved my life ! C:\Program Files\Wireshark>tshark -X lua_script:c:\test.lua work’s great with the wireshark filter too. I didn’t know about lua ! Thank you very much sir !

(22 Mar ‘12, 17:53) reacen

1

No, Wireshark does not have any facility to trigger an executable based on filters. Also, you have no guarantee that the file name would be contained in a single packet. It could, for example, be spread over two TCP segments in two different IP packets.

I'm not clear on what you're trying to do, but it doesn't seem like Wireshark is the right tool.

If you're actually trying to attract a hacker for whatever reason, then build a real honey pot that is not a production server, so that it isn't a problem if it gets destroyed. A virtual machine would be an excellent choice. You could use a snapshot to restore the machine if it was compromised in an attack.

If this is a production server that you're really trying to protect, use the tried and tested tools that are available for that purpose, instead of trying to cobble together your own system. Make sure the server has a host-based firewall, or is behind a network firewall, or both. Deploy an intrusion detection system, like Snort. Make sure that the server is properly and frequently backed up and can be restored if it does get compromised. If you can't afford commercial protective software, there are free programs available.

No matter how cleverly you name your file, you have absolutely no assurance that a hacker will go after this file first, so it will not serve as a reliable early warning of an attack.

answered 22 Mar '12, 12:51

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

0

Wireshark does not have a built-in capability to launch arbitrary external programs (if it did, it could be abused by hackers attacking a system on which they knew wireshark to run). I doubt seriously the effectiveness of your honeypot. If your server's security is critical, and you anticipate it to be compromised so easily, I would very strongly recommend a different approach to network security. Moreover, Wireshark comes with it's own list of problems, not the least of which is the known out of memory memory problem that would certainly cripple your security setup.
Wireshark is really intended for manual analysis of network activity to help determine what might be wrong with the network itself. It is not a security tool, even though it sometimes helps in analyzing the network state during/after a security event.

Why not try a tool that is actually intended for catching malicious packets (snort, for example)?

answered 22 Mar '12, 12:55

multipleinterfaces's gravatar image

multipleinte...
1.3k152340
accept rate: 12%