Tools written/modified by Dave Dittrich
- Searches for hosts by finding domain names that end in some
arbitrary domains and/or are IP addresses that reside in arbitrary
CIDR blocks. Useful for identifying or excluding your own hosts in
reports of hundreds of compromised victims.
- Produces a per-protocol breakdown of traffic by bytes and
packets, with average and maximum transfer rates, for a given
libpcap file (e.g., from tcpdump, ethereal, snort, etc.)
Useful for getting a high-level view of traffic patterns.
- Produces a two-level break report of X-DCC offer/transfer traffic,
as well as listing all files served on each host. This script
was written to deal with a large series of X-DCC/DDoS bot
installations at the UW, as described in a
at CanSecWest CORE '02 in Vancouver, BC Canada on May 8.