Tools written/modified by Dave Dittrich

ipgrep (MD5 hash)

Searches for hosts by finding domain names that end in some arbitrary domains and/or are IP addresses that reside in arbitrary CIDR blocks. Useful for identifying or excluding your own hosts in reports of hundreds of compromised victims.

tcpdstat (MD5 hash)

Produces a per-protocol breakdown of traffic by bytes and packets, with average and maximum transfer rates, for a given libpcap file (e.g., from tcpdump, ethereal, snort, etc.) Useful for getting a high-level view of traffic patterns.

findoffer (MD5 hash)

Produces a two-level break report of X-DCC offer/transfer traffic, as well as listing all files served on each host. This script was written to deal with a large series of X-DCC/DDoS bot installations at the UW, as described in a talk at CanSecWest CORE '02 in Vancouver, BC Canada on May 8.