Tuesday, October 11, 2011
SANS560 at SANS Baltimore 2011
Just a quick one here. Today was day 2 of SANS Baltimore 2011, and I am even more impressed with the presentations we had today in SANS560 than we had in day 1. John Strand is our instructor, something a co-worker and I intentionally attempted to schedule, and it's been well worth it so far. It's not every day I get time to play with nmap, nessus, scapy, hping2, and tcpdump (well...tcpdump is pretty much every day for me), but we spent some actual FUN time in those today. At least it was fun for me. There did appear to be some who struggled with the exercises due to a lack of familiarity. However, it seems as though everyone is enjoying it.
My employer paid for part of this training, but a chunk of change still had to/has to come from me. Had the class been boring or non-informative, I think I would be a little ticked off. However, even with having some experience pen-testing and having gone through other pen test training, I am so far thinking that I have gotten over 1000% ROI and that this has been one of the better classes so far...or it at least rivals the SANS507 I took earlier this year from David Hoelzer.
One of the nice things about most of today just being review...I could rather quickly run through the examples and work on installing both BackTrack 5r1 AND the newest release of Doug Burks' SecurityOnion (which there really is no excuse for anyone NOT to have by now). I am just having too much nerdy fun this week!
Labels: amap, BackTrack 5r1, David Hoelzer, Doug Burks, enum, GPEN, hping2, John Strand, Nessus, netcat, nmap, penetration testing, SANS Baltimore 2011, SANS560, scapy, SecurityOnion, tcpdump
Sunday, July 10, 2011
ngrep oneliner: look for a domain name in DNS traffic
ngrep is a pretty useful tool and should be useful in any network security work. It is NOT the same as tcpdump, in case anyone was wondering. I may be a little off in my explanation tonight, but ngrep does one thing much better than tcpdump: it searches packet payloads for regular expressions.
So, to search for a hostname, as a whole word, in DNS traffic in an already captured traffic file:
ngrep -w 'somehost' -I /stored/mypcaps.pcap port 53
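To show what that one-liner actually matches against, here is an added example (not from the original post, and not ngrep's own code) that builds a DNS query in RFC 1035 wire format and applies a regex to the raw UDP payload the way ngrep does, where -w adds word boundaries and -i makes the match case-insensitive. The packets are constructed inline; the names somehost.example.com and notsomehost.example.com are made up for the demonstration. The point worth seeing is that on the wire a name is not dotted text but length-prefixed labels, so 'somehost' with -w matches because the length bytes on either side are non-word characters, while an escaped dotted name ('somehost\.example\.com') never matches a query.

```python
import re
import struct


def dns_wire_name(name: str) -> bytes:
    """Encode 'a.b.c' as length-prefixed labels: \\x01a\\x01b\\x01c\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1-63 bytes")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample packet: header (id, RD flag, qdcount=1) plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + dns_wire_name(name) + struct.pack("!HH", 1, 1)


def decode_question_name(payload: bytes) -> str:
    """Walk the labels of the first question; queries carry no compression pointers."""
    pos, labels = 12, []
    while True:
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def ngrep_style_match(payload: bytes, pattern: str,
                      whole_word: bool = False, ignore_case: bool = False) -> bool:
    """Regex over the raw payload, mimicking ngrep: -w wraps the pattern in \\b, -i ignores case.

    Caveats visible in the wire format:
    - the length byte before a label is a non-word byte for labels shorter than 48
      characters, so \\b works; a 48-63 byte label has a digit ('0'-'9') as its
      length byte, which IS a word character and would defeat -w;
    - an unescaped '.' in the pattern matches the length byte between labels
      (except a 10-byte label, whose length byte is a newline that '.' skips).
    """
    if whole_word:
        pattern = r"\b" + pattern + r"\b"
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern.encode("latin-1"), payload, flags) is not None


if __name__ == "__main__":
    q = dns_query("somehost.example.com")
    print("question:", decode_question_name(q))
    print("-w 'somehost'            ->", ngrep_style_match(q, "somehost", whole_word=True))
    print("'somehost.example.com'   ->", ngrep_style_match(q, "somehost.example.com"))
    print("'somehost\\.example\\.com' ->", ngrep_style_match(q, r"somehost\.example\.com"))
```

Two practical consequences for the one-liner in the post: without -w, 'somehost' also hits notsomehost.example.com, and because DNS names are case-insensitive but ngrep is not, add -i unless you are sure of the client's capitalization.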