Apr 29, 2008

why snort content doesn't work

Posted by PanamaJax on November 17, 2005 20:47:23

win32 based...
running in packet mode works fine

in IDS mode:
alert tcp any any -> any any (msg:"TCP traffic";) works fine

alert tcp any any -> any any (flow: to_server, established; content: "test"; msg: "Saw Test";) - does absolutely nothing when 'test' is sent by any method: Messenger service, http, telnet, ftp etc.

Based on the default virus.rules it should alert on an email being sent with a .vbs attachment but it doesn't, through pop or exchange.

Everything seems to work fine, just not with a content statement. I've tried every permutation I can come up with, in/out bound, stateless etc etc etc and I don't get it.

If a user were to type 'google' in the web browser and there was an active rule:
alert tcp any any -> any any (flow: to_server, established; content: "google"; nocase; msg: "Saw google";)

shouldn't that trigger the alert?

Posted by brevizniak on November 26, 2005 18:36:50

Yes, it should work fine. There are some things to check:

- you actually see test in the traffic when running with -dve
- you can see both sides of the connection
- the flow preprocessor is enabled
- the stream4 preprocessor is enabled
- you are not testing on the machine you are snorting from
This is because a lot of systems have cards that compute a checksum in hardware, so if you test and sniff on the same machine snort may ignore the traffic because of a bad checksum.
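A toy model of the stream-tracking behaviour brevizniak describes, added here as an illustration (it is not Snort's code and not from the thread): constructed packets for a TCP handshake plus one HTTP request, with the content rule from the question applied only once the flow is established and the packet is to_server, and bad-checksum packets dropped as Snort does by default. The endpoints, payload and helper names are all constructed for the example.

```python
# Added illustration (not Snort's code): toy model of how a rule with
# "flow: to_server, established; content:" behaves when the sensor misses
# one side of the handshake or drops packets with bad checksums.
from dataclasses import dataclass

@dataclass
class Pkt:
    src: tuple              # (ip, port) of the sender; constructed sample values
    dst: tuple              # (ip, port) of the receiver
    flags: frozenset        # TCP flags, e.g. frozenset("SA")
    payload: bytes = b""
    bad_csum: bool = False  # True: TCP checksum fails verification

def content_rule_hits(packets, content, nocase=True, verify_csum=True):
    """Indexes of packets that fire 'flow: to_server, established; content:'."""
    flows, hits = {}, []
    needle = content.lower() if nocase else content
    for i, p in enumerate(packets):
        if verify_csum and p.bad_csum:
            continue                      # Snort ignores bad-checksum packets
        k = frozenset((p.src, p.dst))     # same key for both directions
        f = flows.get(k)
        if f is None:
            if p.flags == frozenset("S"):  # client SYN opens a tracked flow
                flows[k] = {"client": p.src, "state": "syn"}
            continue                      # untracked packet: never 'established'
        if f["state"] == "syn" and p.flags == frozenset("SA") and p.dst == f["client"]:
            f["state"] = "synack"         # server side of the handshake seen
        elif f["state"] == "synack" and "A" in p.flags and p.src == f["client"]:
            f["state"] = "established"    # three-way handshake complete
        data = p.payload.lower() if nocase else p.payload
        if f["state"] == "established" and p.src == f["client"] and needle in data:
            hits.append(i)
    return hits

C, S = ("10.0.0.5", 40000), ("192.0.2.10", 80)   # constructed endpoints

def full_session(bad_csum=False):
    """Handshake seen from both sides, then a client request."""
    return [Pkt(C, S, frozenset("S")), Pkt(S, C, frozenset("SA")),
            Pkt(C, S, frozenset("A")),
            Pkt(C, S, frozenset("PA"), b"GET /?q=Google HTTP/1.0\r\n", bad_csum)]

def one_sided_session():
    """Only the client's direction captured, e.g. a one-way tap."""
    return [p for p in full_session() if p.src == C]

if __name__ == "__main__":
    print(content_rule_hits(full_session(), b"google"))                        # [3]
    print(content_rule_hits(one_sided_session(), b"google"))                   # []
    print(content_rule_hits(full_session(True), b"google", verify_csum=False)) # [3]
```

A rule with no flow/content options, like the "TCP traffic" rule in the question, has none of these preconditions, which is why it fires while the content rule stays silent.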

Bro supported notice

Builtin Policy Files

A Bro policy script is the basic analyzer Bro uses to determine which network events are alarm worthy. A policy can also specify what actions to take and how to report activities, as well as determine which activities to scrutinize. Bro uses policies to decide which activities to classify as hot, i.e. questionable in intent. These hot network sessions can then be flagged, watched, or responded to via other policies or applications as necessary, such as calling rst to reset a connection on the local side, or adding an IP address block to a main router's ACL (Access Control List). The policy files use the Bro scripting language, which is discussed in great detail in the Reference Manual.

Policy files are loaded using an @load command. The semantics of @load are "load in this script if it hasn't already been loaded", so there is no harm in loading something in multiple policy scripts. The following policy scripts are included with Bro. The first set are all on by default, and the second group can be added by adding them to your site/brohost.bro policy file.

Bro Analyzers are described in detail in the Reference Manual. These policy files are loaded by default:

Policy | Description
site | defines local and neighbor networks from static config
alarm | open logging file for alarm events
tcp | initialize BPF filter for SYN/FIN/RST TCP packets
login | rlogin/telnet analyzer (or to ensure they are disabled)
weird | initialize generic mechanism for detecting unusual events
conn | access and record connection events
hot | defines certain forms of sensitive access
frag | process TCP fragments
print-resources | on exit, print resource usage information, useful for tuning
signatures | the signature policy engine
scan | generic scan detection mechanism
trw | additional, more sensitive scan detection
http | general HTTP analyzer, low level of detail
http-request | detailed analysis of HTTP requests
http-reply | detailed analysis of HTTP replies
ftp | FTP analysis
portmapper | record and analyze RPC portmapper requests
smtp | record and analyze email traffic
tftp | identify and log TFTP sessions
worm | flag HTTP-based worm sources such as Code Red
software | track software versions; required for some signature matching
blaster | looks for the Blaster worm
synflood | looks for SYN flood attacks
stepping | used to detect when someone logs into your site from an external net, and then soon logs into another site
reduce-memory | sets shorter timeouts for saving state, thus saving memory. If your Bro is using < 50% of your RAM, try not loading this


These are not loaded by default:
Policy | Description | Why off by default
drop | Include if site has ability to drop hostile remotes | Turn on if needed
icmp | ICMP analysis | CPU intensive and low payoff
dns | DNS analysis | CPU intensive and low payoff
ident | ident program analyzer | historical, no longer interesting
gnutella | looks for hosts running Gnutella | Turn this on if you want to know about this
ssl | SSL analyzer | still experimental
ssh-stepping | Detects stepping stones where both incoming and outgoing connections are SSH | Possibly too CPU intensive (needs more testing)
analy | Performs statistical analysis | only used in off-line analysis
backdoor | Looks for backdoors | only effective when also capturing bulk traffic
passwords | Looks for clear text passwords | may want to turn on if your site does not allow clear text passwords
file-flush | Causes all log files to be flushed every N seconds | may want to turn on if you are doing "real time" analysis


To modify which analyzers are loaded, edit or create a file in $BROHOME/site. If you write your own custom analyzer, it goes in this directory too. To disable an analyzer, add "@unload policy.bro" to the beginning of the file $BROHOME/site/brohost.bro, before the line "@load brolite.bro". To add analyzers, @load them in $BROHOME/site/brohost.bro.
Notices

The primary output facility in Bro is called a Notice. The Bro distribution includes a number of standard Notices, listed below. The table contains the name of the Notice, the Bro policy file that generates it, and a short description of what the Notice is about.
Notice | Policy | Description
AckAboveHole | weird | Could mean packet drop; could also be a faulty TCP implementation
AddressDropIgnored | scan | A request to drop connectivity has been ignored (scan detected, but one of these flags is true: !can_drop_connectivity, never_shut_down, or never_drop_nets)
AddressDropped | scan | Connectivity with given address has been dropped
AddressScan | scan | The source has scanned a number of addresses
BackscatterSeen | scan | Apparent flooding backscatter seen from source
ClearToEncrypted_SS | stepping | A stepping stone was seen in which the first part of the chain is a clear-text connection but the second part is encrypted. This often means that a password or passphrase has been exposed in the clear, and may also mean that the user has an incomplete notion that their connection is protected from eavesdropping.
ContentGap | weird | Data has sequence hole; perhaps due to filtering
CountSignature | signatures | Signature has triggered multiple times for a destination
DNS::DNS_MappingChanged | dns | Some sort of change with respect to a previous Bro lookup
DNS::DNS_PTR_Scan | dns | Summary of a set of PTR lookups (automatically generated once/day when dns policy is loaded)
DroppedPackets | netstats | Number of packets dropped as reported by the packet filter
FTP::FTP_BadPort | ftp | Bad format in PORT/PASV
FTP::FTP_ExcessiveFilename | ftp | Very long filename seen
FTP::FTP_PrivPort | ftp | Privileged port used in PORT/PASV
FTP::FTP_Sensitive | ftp | Sensitive connection (as defined in hot)
FTP::FTP_UnexpectedConn | ftp | FTP data transfer from unexpected source
HTTP::HTTP_SensitiveURI | http | shadow|netconfig)
HotEmailRecipient | smtp | FIXME: need example; default = NULL
ICMP::ICMPAsymPayload | icmp | Payload in echo request/response not the same
ICMP::ICMPConnectionPair | icmp | Too many ICMPs between hosts (default = 200)
IdentSensitiveID | ident | Sensitive username in Ident lookup
LocalWorm | worm | Worm seen in local host (searches for Code Red 1, Code Red 2, Nimda, Slammer)
LoginForbiddenButConfused | login | Interactive login seen using forbidden username, but the analyzer was confused in following the login dialog, so may be in error
MultipleSigResponders | signatures | host has triggered the same signature on multiple responders
MultipleSignatures | signatures | host has triggered many signatures
OutboundTFTP | tftp | outbound TFTP seen
PasswordGuessing | scan | source tried too many user/password combinations (default = 25)
PortScan | scan | the source has scanned a number of ports
RemoteWorm | worm | worm seen in remote host
ResolverInconsistency | dns | the answer returned by a DNS server differs from one previously returned
ResourceSummary | print-resources | prints Bro resource usage
RetransmissionInconsistency | weird | possible evasion; usually just bad TCP implementation
SSL_SessConIncon | ssl | session data not consistent with connection
SSL_X509Violation | ssl | blanket X509 error
ScanSummary | scan | a summary of scanning activity, output once/day
SensitiveConnection | conn | connection marked "hot"; see the Reference Manual section on hot IDs for more information
SensitiveDNS_Lookup | dns | DNS lookup of sensitive hostname/addr; default list of sensitive hosts = NULL
SensitiveLogin | login | interactive login using sensitive username (defined in 'hot')
SensitivePortmapperAccess | portmapper | the given combination of the service looked up via the portmapper, the host requesting the lookup, and the host from which it's requesting it is deemed sensitive
SensitiveSignature | signatures | generic for alarm-worthy
SensitiveUsernameInPassword | login | During a login dialog, a sensitive username (e.g., "rewt") was seen in the user's password. This is reported as a notice because it could be that the login analyzer didn't track the authentication dialog correctly, and in fact what it thinks is the user's password is instead the user's username.
SignatureSummary | signatures | summarize number of times a host triggered a signature (default = 1/day)
SynFloodEnd | synflood | end of SYN flood against a certain victim. A SYN flood is defined as more than SYNFLOOD_THRESHOLD (default = 15000) new connections reported within the last SYNFLOOD_INTERVAL (default = 60 seconds) for a certain IP.
SynFloodStart | synflood | start of SYN flood against a certain victim
SynFloodStatus | synflood | report of ongoing SYN flood
TRWAddressScan | trw | source flagged as scanner by TRW algorithm
TRWScanSummary | trw | summary of scanning activities reported by TRW
TerminatingConnection | conn | "rst" command sent to connection origin, connection terminated; triggered in the following policies: ftp and login (forbidden user id), hot (connection from host with spoofed IP address)
W32B_SourceLocal | blaster | report a local W32.Blaster-infected host
W32B_SourceRemote | blaster | report a remote W32.Blaster-infected host
WeirdActivity | weird | generic unusual, alarm-worthy activity


Note that some of the Notice names start with "ModuleName::" (e.g., FTP::FTP_BadPort) and some do not. This is because not all of the Bro analyzers have been converted to use the Modules facility yet. Eventually all notices will start with "ModuleName::".

To get a list of all Notices that your particular Bro configuration might generate, you can type:

sh . $BROHOME/etc/bro.cfg; bro -z notice $BRO_HOSTNAME.bro

Apr 28, 2008

Using a 'OR' condition in Signature payloads

Subject: Re: Using a 'OR' condition in Signature payloads

On Tue, Oct 31, 2006 at 00:32 -0800, Vern Paxson wrote:

> I believe what's going on is that "payload" is matching the TCP *byte-stream*
> rather than individual packets. As such, there's just one match to the
> pattern, since the .*'s eat up everything else in the byte-stream.

That's right.

> There's an option to just match packet payloads, but I don't recall what
> it is.

No, there is no option (UDP is matched packet-wise but even for UDP
Bro reports each signature-match only once per UDP flow).

Robin

How does Bro capture the traffic of ftp data connection

On Thu, Mar 15, 2007 at 12:01 +0800, you wrote:

> So how does it dynamically add the filter string to capture the
> temporary traffic?

It doesn't. Dynamically changing the BPF filter is too expensive as
it would need to be recompiled every time (and the filter would
quickly get huge).

If you want Bro to analyze the content of ftp-data sessions, you
need to manually override the pcap filter to include all packets,
e.g., by running with "-f tcp".

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

Find Man

List all files that belong to the user Simon:

find . -user Simon

List all the directory and sub-directory names:

find . -type d

List all files in those sub-directories (but not the directory names):

find . -type f

List all the file links:

find . -type l

List all files (and subdirectories) in your home directory:

find $HOME

Find files that are over a gigabyte in size:

find ~/Movies -size +1024M

Find files that have been modified within the last day:

find ~/Movies -mtime -1

Find files that have been modified within the last 30 minutes:

find ~/Movies -mmin -30

Find .doc files that also start with 'questionnaire' (AND). Both patterns are quoted so the shell does not expand them before find sees them:

find . -name '*.doc' -name 'questionnaire*'

List all files beginning with 'memo' and owned by Simon (AND)

find . -name 'memo*' -user Simon

Find .doc files that do NOT start with 'Accounts' (NOT):

find . -name '*.doc' ! -name 'Accounts*'

Search for files which have read and write permission for their owner,
and group, but which the rest of the world can read but not write to.

find . -perm 664

Files which meet these criteria but have other permissions bits set
(for example if someone can execute the file) will not be matched.

Search for files which have read and write permission for their owner,
and group, but which the rest of the world can read but not write to,
without regard to the presence of any extra permission bits
(for example the executable bit).

find . -perm -664

This will match a file which has mode 0777, for example.

Search for files which are writeable by somebody (their owner, or their group, or anybody else).

find . -perm /222
or
find . -perm /u+w,g+w,o+w
or
find . -perm /u=w,g=w,o=w

All three of these commands do the same thing, but the first one uses
the octal representation of the file mode, and the others use the symbolic form.
The files don't have to be writeable by both the owner and group to be matched; any one of the bits will do.
Older versions of GNU find spelled this "any of these bits" test with a leading '+' (e.g. -perm +222); that form is deprecated in favour of the '/' prefix.

Search for files which are writeable by both their owner and their group
(owner write is 200 and group write is 020, so both bits together are 220):

find . -perm -220
or
find . -perm -g+w,u+w
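To make the three numeric -perm forms above concrete, here is an added example (not from this page and not GNU find's code) that models their matching rules in Python and runs them over a constructed temporary directory holding one file per mode of interest. The function and fixture names are the example's own.

```python
# Added example: model of GNU find's numeric -perm matching rules.
#   "664"   exact match of the permission bits
#   "-664"  every bit in 664 must be set (extra bits such as execute are fine)
#   "/222"  at least one of the bits must be set ("+222" in older findutils)
import os
import stat
import tempfile

def perm_matches(mode, spec):
    """spec is a numeric -perm argument; mode is a file's st_mode."""
    bits = stat.S_IMODE(mode)
    if spec[0] == "-":                      # all of these bits
        want = int(spec[1:], 8)
        return bits & want == want
    if spec[0] in "/+":                     # any of these bits
        want = int(spec[1:], 8)
        return bits & want != 0
    return bits == int(spec, 8)             # exactly these bits

def find_perm(root, spec):
    """Sorted names (relative to root) of regular files under root matching spec."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if perm_matches(os.lstat(path).st_mode, spec):
                found.append(os.path.relpath(path, root))
    return sorted(found)

def make_sample_tree():
    """Constructed fixtures: each file is named after its own mode."""
    root = tempfile.mkdtemp()
    for name, mode in {"rw-rw-r--": 0o664, "rwxrwxrwx": 0o777,
                       "r--r--r--": 0o444, "rw-r--r--": 0o644}.items():
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)                # chmod ignores the umask
    return root

if __name__ == "__main__":
    root = make_sample_tree()
    print(find_perm(root, "664"))    # only the 0664 file
    print(find_perm(root, "-664"))   # 0664 and 0777 (0777 has all of 664's bits)
    print(find_perm(root, "/222"))   # writable by someone: 0644, 0664, 0777
    print(find_perm(root, "-220"))   # writable by owner AND group: 0664, 0777
    print(find_perm(root, "-022"))   # group AND others writable: only 0777
```

The last two calls show why "-022" is not the test for owner-and-group writability: it asks for the group and other write bits instead.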

"Instead of getting married again, I'm going to find a woman I don't like and just give her a house." - Lewis Grizzard

Related Linux Bash commands:

fnmatch - Filename match
findutils documentation - 'Finding Files' doc with more detail on security considerations
grep - Search file(s) for lines that match a given pattern
locate - Find files - simple but fast
gawk - Find and Replace text within file(s)
xargs - Execute utility, passing constructed argument list(s)

Equivalent Windows XP command:
DIR /b /s - Display a list of files and (sub)folders