## page was renamed from NIST HashSets |
Download degli hash set NIST NSRL
Qui si trovano gli hash set in vari formati precompilati, fra i quali quelli di Encase 6
Script per manipolare gli hash set
Riferimento: http://blogs.sans.org/computer-forensics/2010/02/22/extracting-known-bad-hashset-from-nsrl/
Questo script separa i vari hash contenuti negli hashset in diversi files contenenti gli hash set per la roba "buona" e quella "cattiva".
Uso: nsrlext.pl -n c:\nsrl\RDA_225_A\NSRLFile.txt,c:\nsrl\RDA_225_B\NSRLFile.txt -p c:\nsrl\RDA_225_A\NSRLProd.txt,c:\nsrl\RDA_225_B\NSRLProd.txt -b NSRLBad.txt -g NSRLGood.txt
# Extracts known good and known bad hashsets from NSRL # uso: nsrlext.pl -n <nsrl files comma separated> -p <nsrl prod files comma separated> -g <known good txt> -b <known bad txt> [-h] # # -n :nsrl files comma separated. Ex: -n c:nsrlRDA_225_ANSRLFile.txt,c:nsrlRDA_225_BNSRLFile.txt # -p :nsrl prod files comma separated. Ex: -p c:nsrlRDA_225_ANSRLProd.txt,c:nsrlRDA_225_BNSRLProd.txt # -g :known good txt filename. Ex: -g good.txt # -b :known bad txt filename. Ex: -b bad.txt # -h :help # # use Getopt::Std; my $ver="0.1"; #opcoes %args = ( ); getopts("hn:p:g:b:", %args); #help if ($args{h}) { &cabecalho; print <<DETALHE ; uso: nsrlext.pl -n nsrl_files_comma_separated -p nsrl_prod_files_comma_separated [-g known_good_txt] [-b known_bad_txt] [-h] -n :nsrl files comma separated. Ex: -n c:\nsrl\RDA_225_A\NSRLFile.txt,c:\nsrl\RDA_225_B\NSRLFile.txt -p :nsrl prod files comma separated. Ex: -p c:\nsrl\RDA_225_A\NSRLProd.txt,c:\nsrl\RDA_225_B\NSRLProd.txt -g :known good txt filename. Ex: -g good.txt -b :known bad txt filename. 
Ex: -b bad.txt -h :help DETALHE exit; } die "Enter the NSRL hashset file list (comma delimited)n" unless ($args{n}); die "Enter the NSRL product file list (comma delimited)n" unless ($args{p}); die "Enter known good and/or known bad output filenamesn" unless (($args{g}) || ($args{b})); my %hack; &cabecalho; #Prod files my @prod = split(/,/, $args{p}); foreach $item (@prod) { open(PRODUCT, "< $item"); while (<PRODUCT>) { chomp; my @line = split(/,/, $_); #create a hash of hacker tool codes $hack{$line[0]} = $item if ($line[6] =~ /Hacker Tool/); } close(PRODUCT); } #hashset files my @hset = split(/,/, $args{n}); open(BAD, "> $args{b}") if ($args{b}); open(GOOD, "> $args{g}") if ($args{g}); my $i=0; foreach $item (@hset) { open(NSRL, "< $item"); while (<NSRL>) { #stdout feedback print ">" if (($i % 10000) == 0); my @line = split(/,/, $_); if ($hack{$line[5]}) { #is a hacker tool print BAD $_ if ($args{b}); } else { print GOOD $_ if ($args{g}); } $i++; } close(NSRL); } print "nDone !n"; close(BAD) if ($args{b}); close(GOOD) if ($args{g}); ### Sub rotinas #### sub cabecalho { print <<CABEC; nsrlext.pl v$ver Extracts known good and known bad hashsets from NSRL Tony Rodrigues dartagnham at gmail dot com -------------------------------------------------------------------------- CABEC } #-----EOF-------
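Review bot: Every `open` in the script (`open(PRODUCT, "< $item")`, `open(NSRL, "< $item")`, `open(BAD, "> $args{b}")`, `open(GOOD, "> $args{g}")`) is two-argument, on a bareword handle and unchecked, so a mistyped or missing NSRLProd.txt path fails silently, `%hack` stays empty, and every hash — hacker tools included — lands in the known-good file under a successful "Done !"; the two-argument form also lets a filename that starts with `>` or `|` change the open mode. Use the three-argument form with lexical handles and `or die "open $item: $!"`, and add `use strict; use warnings;` so the undeclared loop variable `$item` and the `getopts` call are checked. As rendered, `getopts("hn:p:g:b:", %args)` passes an empty list rather than a hash reference, which leaves `%args` empty and makes the script die at the first `unless ($args{n})`; if the wiki stripped a backslash from `\%args` (as it did from the `\n` in the `die` strings and from the `c:\nsrl` paths in the comment block) this is a rendering artifact, but it should be confirmed against the original. The `split(/,/, $_)` on NSRLProd.txt also appears to assume that no quoted field contains a comma; if product names can, `$line[6]` is the wrong column and those products are never flagged, which core `Text::ParseWords` (or a CSV module) avoids.
```perl
use strict;
use warnings;
use Getopt::Std;

my %args;
getopts("hn:p:g:b:", \%args) or die "nsrlext.pl: bad option\n";
# … unchanged: help text, argument checks, cabecalho …

my %hack;
foreach my $item (split /,/, $args{p}) {
    open(my $prod_fh, '<', $item) or die "open $item: $!";
    while (my $row = <$prod_fh>) {
        chomp $row;
        my @line = split(/,/, $row);
        $hack{$line[0]} = $item if (defined $line[6] && $line[6] =~ /Hacker Tool/);
    }
    close($prod_fh) or die "close $item: $!";
}

my ($bad_fh, $good_fh);
if ($args{b}) { open($bad_fh,  '>', $args{b}) or die "open $args{b}: $!"; }
if ($args{g}) { open($good_fh, '>', $args{g}) or die "open $args{g}: $!"; }
foreach my $item (split /,/, $args{n}) {
    open(my $nsrl_fh, '<', $item) or die "open $item: $!";
    # … unchanged: progress output and good/bad routing, writing with print {$bad_fh} / print {$good_fh} …
    close($nsrl_fh) or die "close $item: $!";
}
```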