I'm a sec-admin in a 3,000-user company. My SIEM harvests a lot of syslog for forensic analysis, but I like to see what happens on some network interfaces in real time. Like many sec-admins, though, I don't have much time to spend watching the syslog flow.
As many computer engineers do, I often listen to music while working, which helps me concentrate on what I'm working on.
So one day I thought: why not transform this flow of syslog into sound I can listen to? That way I can spend my days working as usual and still hear what is happening on my network.
Uh, could be nice, but I'm not a real coder and this sounds like a very big development project. Erf!
Anyway, let's try to do something!
This first public release, v0.5, of Sn0ffer (sniffer-sound-offer) simply listens to the network traffic of a local client with a few Perl sniffer scripts.
These Perl sniffers turn the destination port (for TCP and UDP packets) or the Ethernet type (for layer 2 frames) into a number and send it to a local listening socket opened by a PureData patch (the netreceive object), which uses that number to generate 'audible' frequencies. Only headers are looked at; payloads are never sonified.
Be clear, be short:
The GitHub repository is there: https://github.com/t4d/Sn0ffer
You can listen to some captures made with Sn0ffer (there are low frequencies, so use headphones or a good sound system):
This is what it looks like (v0.2):
I play Sn0ffer during some 'Orchestre Philarmonique du /tmp/lab' sets (v0.5):
As you can see, there are three Perl scripts: one for UDP packets, one for TCP packets and the last one for layer 2 (Ethernet) frames.
You need to install several Perl libraries to use these sniffers; you can use CPAN for that (Net::PcapUtils pulls in Net::Pcap, which needs the libpcap development headers on the box):
root@sn0ffer# cpan -i Net::PcapUtils NetPacket::Ethernet NetPacket::IP NetPacket::UDP NetPacket::TCP IO::Socket::INET
To run these scripts you need root/admin access on the machine, because they open the network interface in promiscuous mode (to read all packets, not only yours). Keep in mind that a sniffer running as root sees every frame on that segment, so run it only on interfaces you are entitled to monitor.
Use the -i switch to specify the interface you want to listen on.
To use the patch you need PureData Extended, available here: http://puredata.info/downloads/pd-extended.
To record (.wav) your capture: switch to Pd's edit mode, change the name of the capture (bottom right of the patch), switch back to Pd's play (run) mode, click on the name, then 'start'.
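As an added illustration (not one of the Sn0ffer scripts themselves), here is a single Perl sniffer built on the same CPAN modules listed above that does what the three scripts do together: it opens the interface given with -i in promiscuous mode, takes the TCP/UDP destination port (or the EtherType for non-IP frames) from each frame and writes it as a FUDI message ("80;") to a netreceive socket on localhost. The Pd port 3000, the -p switch, the helper names and the use of TCP towards netreceive are assumptions; check them against the patch you actually load.

```perl
#!/usr/bin/perl
# Added example, not Sn0ffer's own code: one sniffer for TCP, UDP and L2.
# Assumptions: Pd patch has [netreceive 3000] (TCP), override with -p.
use strict;
use warnings;
use Getopt::Long;
use IO::Socket::INET;
use Net::PcapUtils;
use NetPacket::Ethernet qw(:types);   # ETH_TYPE_IP
use NetPacket::IP qw(:protos);        # IP_PROTO_TCP, IP_PROTO_UDP
use NetPacket::TCP;
use NetPacket::UDP;

my $iface   = 'eth0';   # overridden with -i <interface>
my $pd_port = 3000;     # must match the netreceive object in the patch
GetOptions('i=s' => \$iface, 'p=i' => \$pd_port)
    or die "usage: $0 -i <iface> [-p <pd netreceive port>]\n";

# Connect once to the running Pd patch; netreceive speaks FUDI over TCP
# by default, one message per line terminated by ';'.
my $pd = IO::Socket::INET->new(
    PeerAddr => '127.0.0.1',
    PeerPort => $pd_port,
    Proto    => 'tcp',
) or die "cannot reach Pd netreceive on 127.0.0.1:$pd_port: $!\n";
$pd->autoflush(1);

# Map one raw Ethernet frame to the number Pd will turn into a frequency.
# TCP/UDP -> destination port, other EtherTypes (ARP, IPv6, ...) -> EtherType,
# anything else (ICMP, ...) -> undef, i.e. silence.
sub frame_value {
    my ($raw) = @_;
    my $eth = NetPacket::Ethernet->decode($raw);
    return $eth->{type} unless $eth->{type} == ETH_TYPE_IP;   # pure L2 case
    my $ip = NetPacket::IP->decode($eth->{data});
    if ($ip->{proto} == IP_PROTO_TCP) {
        return NetPacket::TCP->decode($ip->{data})->{dest_port};
    }
    if ($ip->{proto} == IP_PROTO_UDP) {
        return NetPacket::UDP->decode($ip->{data})->{dest_port};
    }
    return undef;
}

# FUDI encoding: atoms separated by spaces, message ended by a semicolon.
sub fudi {
    my ($value) = @_;
    return "$value;\n";
}

# Net::PcapUtils::loop returns an empty string on success, an error otherwise.
my $err = Net::PcapUtils::loop(
    sub {
        my ($user_data, $header, $raw) = @_;
        my $value = frame_value($raw);
        print $pd fudi($value) if defined $value;
    },
    DEV     => $iface,
    SNAPLEN => 96,    # headers are enough; payload is never inspected
    PROMISC => 1,     # needs root: see every frame on the segment
    TIMEOUT => 100,
);
die "pcap error on $iface: $err\n" if $err;
```

Start the Pd patch first, then this script as root (sudo perl sn0ffer_all.pl -i eth0); if netreceive is not yet listening the connect dies immediately instead of silently dropping frames. Because EtherTypes are large numbers (ARP is 2054) while ports range from 0 to 65535, the patch should scale the incoming value into an audible range rather than feeding it straight into an oscillator.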
Come out and play:
Open the PureData patch, start the Perl scripts, open your ears.
Phy: Meet me at /tmp/lab or blackBoxe or le loop, sometimes...