Powershell - Collecting information

Collecting information using PowerShell

Get information about the make and model of a computer

Get-WmiObject -Class Win32_ComputerSystem


Get information about the BIOS of the current computer

Get-WmiObject -Class Win32_BIOS -ComputerName .


List installed hotfixes (QFEs, or Windows Update files)

Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName .


Get the username of the person currently logged on to a computer

Get-WmiObject -Class Win32_ComputerSystem -Property UserName -ComputerName .


Find just the names of installed applications on the current computer (caveat: querying Win32_Product makes Windows Installer run a consistency check on every installed MSI package, which is slow and writes repair events to the Application log)

Get-WmiObject -Class Win32_Product -ComputerName . | Format-Wide -Column 1


Get IP addresses assigned to the current computer

Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName . | Format-Table -Property IPAddress


Get a more detailed IP configuration report for the current machine

Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName . | Select-Object -Property [a-z]* -ExcludeProperty IPX*,WINS*


To find network cards with DHCP enabled on the current computer

Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "DHCPEnabled=true" -ComputerName .


Enable DHCP on all network adapters on the current computer (this changes the adapter configuration rather than only reading it)

Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=true -ComputerName . | ForEach-Object -Process {$_.EnableDHCP()}


Navigate the Windows Registry like the file system 

cd hkcu:


Find the five processes using the most memory (working set; -p is short for -Property)

ps | sort -p ws | select -last 5


LocalIR

Use this to collect local accounts, processes, services, active connections, USB history, installed programs and DNS cache entries. Each is dumped into its own text file in the directory the commands are run from. Run it locally on the device.

Open PowerShell and run the commands below. Output is saved to the folder from which you run PowerShell.


Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" | format-list -property * | out-file accounts.txt

get-process | format-list -property * | out-file process.txt

get-service | format-list -property * | out-file services.txt

# netstat already produces plain text, so it is written straight to the file
netstat -ano | out-file connections.txt

Get-ItemProperty -ea 0 hklm:\system\currentcontrolset\enum\usbstor\*\* | select FriendlyName,PSChildName | out-file usb.txt

# both Uninstall keys are needed: the 64-bit one and the Wow6432Node one for 32-bit programs
gp -ea 0 HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*, HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select DisplayName,DisplayVersion,Publisher,InstallDate,InstallLocation | Sort InstallDate -Desc | out-file programs.txt

ipconfig /displaydns | select-string 'Record Name' | out-file dnscache.txt




John the Ripper - Pentools

John the Ripper is one of the most well-known hash cracking tools. It combines a fast cracking speed with an extraordinary range of compatible hash types.

Wordlists 

A wordlist is a list of candidate passwords that John hashes and compares against the target hashes during a dictionary attack.

There are many different wordlists out there; a good collection to use can be found in the SecLists repository.

Location of wordlist in Kali Linux - /usr/share/wordlists

John Basic Syntax

The basic syntax of John the Ripper commands is as follows

john --wordlist=[path to wordlist] [path to file]

Example : john --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt

Identifying Hashes

We can use other tools to identify the hash type, and then tell John to use a specific format.

Online hash identifier : https://hashes.com/en/tools/hash_identifier

To install hash-identifier on Kali Linux:

wget https://gitlab.com/kalilinux/packages/hash-identifier/-/raw/kali/master/hash-id.py

Then launch it with python3 hash-id.py and enter the hash you are trying to identify; it will list the possible formats.

Format-Specific Cracking

Once you have identified the hash that you're dealing with, you can tell john to use it while cracking the provided hash using the following syntax:

john --format=[format] --wordlist=[path to wordlist] [path to file]

example : john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt

A Note on Formats:

When you are telling John which format to use, if you are dealing with a standard hash type, e.g. md5 as in the example above, you have to prefix it with raw- to tell John you are just dealing with a standard hash type, though this does not always apply. To check whether you need the prefix, list all of John's formats with john --list=formats and either check manually or grep for your hash type, for example john --list=formats | grep -iF "md5".



Cracking Basic Hashes

Example Usage:

john --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt



Cracking Hashes from /etc/shadow

The /etc/shadow file is the file on Linux machines where password hashes are stored. It also stores other information, such as the date of last password change and password expiration information. It contains one entry per line for each user or user account of the system. This file is usually only accessible by the root user- so in order to get your hands on the hashes you must have sufficient privileges, but if you do- there is a chance that you will be able to crack some of the hashes.

Unshadowing

John can be very particular about the format it needs data in. To crack /etc/shadow passwords you must combine the shadow file with the /etc/passwd file so that John understands the data it is given. To do this, we use a tool from the John suite called unshadow. The basic syntax of unshadow is as follows:

unshadow [path to passwd] [path to shadow]

Example Usage:

unshadow local_passwd local_shadow > unshadowed.txt


Note: when using unshadow, you can either use the entire /etc/passwd and /etc/shadow files, if you have them available, or just the relevant line from each, for example:

FILE 1 - local_passwd

Contains the /etc/passwd line for the root user:

root:x:0:0::/root:/bin/bash

FILE 2 - local_shadow

Contains the /etc/shadow line for the root user:

root:$6$2nwjN454g.dv4HN/$m9Z/r2xVfweYVkrr.v5Ft8Ws3/YYksfNwq96UL1FX0OJjY1L6l.DS3KEVsZ9rOVLB/ldTeEL/OIhJZ4GMFMGA0:18576::::::

Cracking

We can then feed the output from unshadow (in our example called "unshadowed.txt") directly into John. We should not need to specify a format here, since the input was made specifically for John; in some cases, however, you will need to specify it as we did previously, using --format=sha512crypt:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txt
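An added example (not part of the John suite or of this page's original text) covering the two helper steps described above, identifying hashes and unshadowing: it guesses the John --format name from a hash's encoding the way hash-identifier does, merges passwd and shadow entries the way unshadow does, and adds a per-account inventory of which hash algorithm is in use (useful when auditing a system for weak md5crypt or locked accounts). The sample input is the root entries quoted above plus two constructed accounts; the yescrypt mapping to --format=crypt is an assumption about your John build.

```python
import re

# Encodings most often seen in /etc/shadow and in plain hash dumps, mapped to
# the John --format names used on this page. Order matters: longest prefix first.
CRYPT_PREFIXES = [
    ("$6$", "sha512crypt"),
    ("$5$", "sha256crypt"),
    ("$1$", "md5crypt"),
    ("$2a$", "bcrypt"),
    ("$2b$", "bcrypt"),
    ("$2y$", "bcrypt"),
    ("$y$", "crypt"),  # yescrypt: assumed to need the libc-backed "crypt" format
]
# Fixed-length hex digests; several candidates where the length is ambiguous.
HEX_LENGTHS = {
    32: ["raw-md5", "nt"],   # an NT hash is also 32 hex chars, only context tells
    40: ["raw-sha1"],
    64: ["raw-sha256"],
    128: ["raw-sha512"],
}


def identify_formats(h):
    """Return candidate John --format names for one hash string (may be empty)."""
    h = h.strip()
    for prefix, fmt in CRYPT_PREFIXES:
        if h.startswith(prefix):
            return [fmt]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return HEX_LENGTHS.get(len(h), [])
    return []


def unshadow(passwd_lines, shadow_lines):
    """Merge passwd and shadow the way the unshadow tool does: the 'x' in field 2
    of each passwd entry is replaced by the hash field of the matching shadow
    entry. Users without a shadow entry are kept unchanged; malformed passwd
    lines are skipped."""
    shadow_by_user = {}
    for line in shadow_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 2:
            shadow_by_user[fields[0]] = fields[1]
    merged = []
    for line in passwd_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 7:          # a valid passwd entry has seven fields
            continue
        if fields[0] in shadow_by_user:
            fields[1] = shadow_by_user[fields[0]]
        merged.append(":".join(fields))
    return merged


def audit_shadow(shadow_lines):
    """Per-account inventory: locked accounts ('!', '*', '!!' or a '!' prefix)
    carry no crackable hash; for the rest, the most likely John format."""
    report = {}
    for line in shadow_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 2:
            continue
        user, hash_field = fields[0], fields[1]
        if hash_field in ("", "*", "!!") or hash_field.startswith("!"):
            report[user] = "locked or no password set"
        else:
            fmts = identify_formats(hash_field)
            report[user] = fmts[0] if fmts else "unknown"
    return report


# Constructed sample input: the root lines quoted on this page plus two
# made-up accounts (a locked system account and an md5crypt user).
SAMPLE_PASSWD = [
    "root:x:0:0::/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
]
SAMPLE_SHADOW = [
    "root:$6$2nwjN454g.dv4HN/$m9Z/r2xVfweYVkrr.v5Ft8Ws3/YYksfNwq96UL1FX0OJjY1L6l.DS3KEVsZ9rOVLB/ldTeEL/OIhJZ4GMFMGA0:18576::::::",
    "daemon:*:18474:0:99999:7:::",
    "alice:$1$abcdefgh$0123456789ABCDEFGHIJKL:18576:0:99999:7:::",
]

if __name__ == "__main__":
    for line in unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(line)
    for user, verdict in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user}: {verdict}")
    print(identify_formats("1efee03cdcb96d90ad48ccc7b8666033"))
```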


Cracking Windows Hashes

NTHash / NTLM

NTHash is the hash format in which modern Windows operating systems store user and service passwords. It is also commonly referred to as "NTLM", which references the previous Windows password hashing format known as "LM", thus "NT/LM".

Example Usage:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=nt /home/kali/Desktop/hash2.txt



Single Crack Mode

In this mode, John uses only the information in the username to work out possible passwords heuristically, by slightly changing the letters and numbers the username contains.

If we take the username: Markus

Some possible passwords could be:

Markus1, Markus2, Markus3 (etc.)
MArkus, MARkus, MARKus (etc.)
Markus!, Markus$, Markus* (etc.)

Using Single Crack Mode


For example, to crack the password of the user named "Joker" using single mode, the syntax is:

john --single --format=[format] [path to file]

--single - This flag tells John to use single crack mode.

Example Usage:

john --single --format=raw-sha256 hashes.txt

A Note on File Formats in Single Crack Mode:

If you are cracking hashes in single crack mode, you need to change the format of the file you feed John so that it knows what data to build a wordlist from. You do this by prepending the username the hash belongs to; for the example above we would change the file hashes.txt

From:

1efee03cdcb96d90ad48ccc7b8666033

To

joker:1efee03cdcb96d90ad48ccc7b8666033



Cracking a Password Protected Zip File

We can use John to crack the password on password-protected Zip files. Again, we use a separate part of the John suite to convert the zip file into a format that John understands.

Zip2John

Similarly to the unshadow tool used previously, the zip2john tool converts the zip file into a hash format that John is able to understand and, hopefully, crack. The basic usage is:

zip2john [options] [zip file] > [output file]

Example Usage

zip2john zipfile.zip > zip_hash.txt

john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt


Cracking a Password Protected RAR Archive


Rar2John

Almost identical to zip2john, the rar2john tool converts the rar file into a hash format that John is able to understand. The basic syntax is as follows:

rar2john [rar file] > [output file]

Example Usage

rar2john rarfile.rar > rar_hash.txt

john --wordlist=/usr/share/wordlists/rockyou.txt rar_hash.txt


Cracking SSH Key Passwords


SSH2John

As the name suggests, ssh2john converts the id_rsa private key that you use to log in to an SSH session into a hash format that John can work with. Note that if you do not have ssh2john installed, you can use ssh2john.py, which is located in /opt/john/ssh2john.py. If you are doing this, replace the ssh2john command with python3 /opt/ssh2john.py or, on Kali, python /usr/share/john/ssh2john.py.

ssh2john [id_rsa private key file] > [output file]

Example Usage

ssh2john id_rsa > id_rsa_hash.txt

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt





Wireshark notes - DFIR

Wireshark, a tool for creating and analyzing PCAPs (network packet capture files), is widely regarded as one of the best packet analysis tools. Wireshark runs on Windows, macOS, and Linux. To install it on Windows or macOS, first download an installer from the Wireshark website, then run it and follow the GUI wizard.

On Linux you can install Wireshark with apt install wireshark

Filtering Operators

Wireshark's filter syntax is simple to understand, so it is easy to pick up quickly. To get the most out of these filters you need a basic understanding of Boolean and logic operators.

Wireshark only has a few that you need to be familiar with, and all of them appear in the filters below: and (&&), or (||), not (!), == (eq), != (ne), and contains.



Basic Filtering Syntax

Filtering by IP

ip.addr == <IP Address>


Filtering by SRC and DST IP

ip.src == <SRC IP Address> and ip.dst == <DST IP Address> 


Filtering by TCP Protocols

tcp.port eq <Port #> or <Protocol Name>


Filtering by UDP Protocols

udp.port eq <Port #> or <Protocol Name>


Show only SMTP (port 25) and ICMP traffic:

 tcp.port eq 25 or icmp 


Show only traffic in the LAN (192.168.x.x), between workstations and servers 

ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16


Show HTTP or DNS traffic:

http or dns


Show all traffic except ARP, ICMP and DNS:

!(arp or icmp or dns)


Interface Filters

Show packets only sent or received on the wlan0 interface:

frame.interface_name == "wlan0"


Link Layer Traffic

To show ARP traffic:

arp


Show ARP protocol frames sent from the device with MAC address 00:c0:ca:96:cf:cb:

arp.src.hw_mac == 00:c0:ca:96:cf:cb


Show ARP protocol frames sent from a device with an IP address 192.168.50.90:

arp.src.proto_ipv4 == 192.168.50.90


Show ARP protocol frames sent to a device with the MAC address 00:00:00:00:00:00 (this address is used when the protocol tries to find out the target MAC address):

arp.dst.hw_mac == 00:00:00:00:00:00


Show ARP protocol frames sent to the device having the IP address 192.168.50.1:

arp.dst.proto_ipv4 == 192.168.50.1


Show Ethernet traffic

eth


Show frames (in general, all frames, not just ARP, as it was in the previous examples) sent from a device that has the MAC address 00:c0:ca:96:cf:cb:

eth.src == 00:c0:ca:96:cf:cb


Show frames sent to the device with MAC address 78:cd:8e:a6:73:be:

eth.dst == 78:cd:8e:a6:73:be


Internet Layer Traffic


IPv4 Protocol Filtering


Show IP traffic. This includes TCP, UDP and application layer protocols such as DNS and HTTP; that is, almost everything except the data link layer protocols, which do not use IP addresses for data transmission (in local Ethernet networks they use MAC addresses):


ip


Show traffic associated with a specific IP address (enter it instead of x.x.x.x). Packets will be shown in which this IP address is the source of the data OR the recipient:

ip.addr == x.x.x.x


Show traffic associated with these two IP addresses. Necessarily, one of them is the source and the other the destination:

ip.addr == x.x.x.x && ip.addr == y.y.y.y


Show traffic originated from the host with the IP address 138.201.81.199:

ip.src == 138.201.81.199


Show traffic whose destination is the host with the IP address 138.201.81.199:

ip.dst == 138.201.81.199


Filter subnets and IP ranges in Wireshark


You can specify a subnet instead of a single IP address:

ip.addr == 192.168.1.0/24


Filtering traffic sent from a specific IP range. If you need to filter out traffic whose source is the subnet, then use a filter of the form:

ip.src == 192.168.1.0/24


Filtering traffic destined for sending to a specific IP range. If you need to filter traffic whose destination is a subnet, then use a filter of the form:

ip.dst == 192.168.1.0/24


Application layer traffic

For the application protocols of HTTP, DNS, SSH, FTP, SMTP, RDP, SNMP, RTSP, GQUIC, CDP, LLMNR, SSDP there are filters that are called like the protocols themselves, but are written in small letters.

For example, to see HTTP traffic:

http

To see the traffic of the new HTTP/2 protocol:

http2


NOTE: Remember that when deciding which protocol the transmitted data belongs to, the program considers the used port number. If a non-standard port is used, the program will not be able to find the necessary data. For example, if you connect to SSH on port 1234, the ssh filter will not find SSH traffic.


A filter that shows only the data sent by the POST method:

http.request.method == "POST"


A filter that shows only the data transmitted by the GET method:

http.request.method == "GET"


Search for requests to a specific site (host):

http.host == "<URL>"


Search requests to a specific site by part of the name:

http.host contains "here.particle.name"


Filter for outputting HTTP requests in which cookies were transmitted:

http.cookie


Requests in which the server has set cookies in the user's browser.

http.set_cookie


To search for any transferred images:

http.content_type contains "image"


To search for certain types of images:

http.content_type contains "gif"

http.content_type contains "jpeg"

http.content_type contains "png"


To search for files of a specific type:

http.content_type contains "text"

http.content_type contains "xml"

http.content_type contains "html"

http.content_type contains "json"

http.content_type contains "javascript"

http.content_type contains "x-www-form-urlencode"

http.content_type contains "compressed"

http.content_type contains "application"


Search for requests for files of a certain type. For example, to search for transferred ZIP archives:

http.request.uri contains "zip"


Instead of http.request.uri, for greater accuracy you can use the http.request.uri.path or http.request.uri.query filters, for example to search for requests to download JPG files (links to pictures):

http.request.uri.path contains "jpg"


You can also filter requests that contain a specific HTTP REFERRER header value. For example, to search for queries in which the referrer is ru-board.com:

http.referer contains "ru-board.com"

To investigate problems, you can analyze the status of HTTP response codes. For example, the following filter will show traffic for which a 404 Not Found error was received (page not found):

http.response.code==404


You can use a filter without specifying the desired value, for example:

http.host 


In this case, all connections with any Host field value in the HTTP header will be shown.


You can specify the exact value:

http.host == "www.archlinux.org"


Or specify part of the desired string:

http.host contains "archlinux.org"


Filter by Host field in HTTP header:

http.host == "www.archlinux.org"


Filter by the Content-Type field in the HTTP header:

http.content_type == "text/plain"


Filter by Server field in HTTP header:

http.server == "nginx"


Filter by Cookie field in HTTP header:

http.cookie

http.cookie_pair


Filter by User Agent field in HTTP header:

http.user_agent == "Mozilla/5.0 (X11; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"



To search for redirects (Location field):

http.location


To search for sites from which a transition was made to the page (Referer field):

http.referer contains "sysnetnotes.blogspot.com"


Request filter:

http.request

http.request.uri

http.request.uri.path

http.request.uri.query

http.request.uri.query.parameter

http.request.method


Response filters:

http.response


Search by response code:

http.response.code == 404

http.response.code==200


In fact, this list is far from complete. You can use the hints that appear as you type the names of the filters, or you can be guided by the names of the HTTP header fields, which are similar to the names of the filters.

Detecting Network Attacks with Wireshark

This section contains Wireshark filters that can help identify adversaries trying to find live systems on our network.

Using these filters we should be able to detect various network discovery scans, ping sweeps and other activity typical of the reconnaissance (asset discovery) phase.

Technique          | Wireshark filter                     | Command / tool
ARP scanning       | arp.dst.hw_mac==00:00:00:00:00:00    | arp-scan -l
IP protocol scan   | icmp.type==3 and icmp.code==2        | nmap -sO <target>
ICMP ping sweep    | icmp.type==8 or icmp.type==0         | nmap -sn -PE <subnet>
TCP ping sweeps    | tcp.dstport==7                       | nmap -sn -PS/-PA <subnet>
UDP ping sweeps    | udp.dstport==7                       | nmap -sn -PU <subnet>


Detection of network port scanning

Technique          | Wireshark filter                                                  | Command / tool
TCP SYN scan       | tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size<=1024   | nmap -sS <target>
TCP Connect() scan | tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size>1024    | nmap -sT <target>
TCP Null scan      | tcp.flags==0                                                      | nmap -sN <target>
TCP FIN scan       | tcp.flags==0x001                                                  | nmap -sF <target>
TCP Xmas scan      | tcp.flags.fin==1 && tcp.flags.push==1 && tcp.flags.urg==1         | nmap -sX <target>
UDP port scan      | icmp.type==3 and icmp.code==3                                     | nmap -sU <target>


Detection of network attacks

Technique               | Wireshark filter                                               | Command / tool
ARP poisoning           | arp.duplicate-address-detected or arp.duplicate-address-frame  | arpspoof, ettercap
ICMP flood              | icmp and data.len > 48                                         | fping, hping
VLAN hopping            | dtp or vlan.too_many_tags                                      | frogger, yersinia
Unexplained packet loss | tcp.analysis.lost_segment or tcp.analysis.retransmission       | n/a
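As an added example (not part of the original notes), the filters from the three detection tables above applied in Python to packets represented as dicts keyed by Wireshark field names, with a per-host count so that a single match (every ARP request has a zero target MAC) is not reported as a scan. The packet builders, the sample capture and the threshold are constructed for the example.

```python
from collections import Counter

# TCP flag bits as Wireshark numbers them in tcp.flags.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_packet(src, dst, dport, flags, window):
    """Build a TCP packet dict exposing the same sub-fields Wireshark does."""
    return {
        "ip.src": src, "ip.dst": dst, "tcp.dstport": dport,
        "tcp.flags": flags, "tcp.window_size": window,
        "tcp.flags.fin": int(bool(flags & FIN)), "tcp.flags.syn": int(bool(flags & SYN)),
        "tcp.flags.ack": int(bool(flags & ACK)), "tcp.flags.push": int(bool(flags & PSH)),
        "tcp.flags.urg": int(bool(flags & URG)),
    }


def icmp_packet(src, dst, itype, code, data_len=0):
    return {"ip.src": src, "ip.dst": dst, "icmp.type": itype,
            "icmp.code": code, "data.len": data_len}


def arp_packet(src_mac, src_ip, dst_mac, dst_ip):
    return {"arp.src.hw_mac": src_mac, "arp.src.proto_ipv4": src_ip,
            "arp.dst.hw_mac": dst_mac, "arp.dst.proto_ipv4": dst_ip}


# One rule per table row; each lambda is the row's display filter. Using
# p.get() means an absent field never matches, as in Wireshark.
RULES = [
    ("ARP scanning",       lambda p: p.get("arp.dst.hw_mac") == "00:00:00:00:00:00"),
    ("IP protocol scan",   lambda p: p.get("icmp.type") == 3 and p.get("icmp.code") == 2),
    ("ICMP ping sweep",    lambda p: p.get("icmp.type") in (8, 0)),
    ("TCP ping sweep",     lambda p: p.get("tcp.dstport") == 7),
    ("UDP ping sweep",     lambda p: p.get("udp.dstport") == 7),
    ("TCP SYN scan",       lambda p: p.get("tcp.flags.syn") == 1 and p.get("tcp.flags.ack") == 0
                                     and p.get("tcp.window_size", 65535) <= 1024),
    ("TCP Connect() scan", lambda p: p.get("tcp.flags.syn") == 1 and p.get("tcp.flags.ack") == 0
                                     and p.get("tcp.window_size", 0) > 1024),
    ("TCP Null scan",      lambda p: p.get("tcp.flags") == 0),
    ("TCP FIN scan",       lambda p: p.get("tcp.flags") == 0x001),
    ("TCP Xmas scan",      lambda p: p.get("tcp.flags.fin") == 1 and p.get("tcp.flags.push") == 1
                                     and p.get("tcp.flags.urg") == 1),
    ("UDP port scan",      lambda p: p.get("icmp.type") == 3 and p.get("icmp.code") == 3),
    ("ARP poisoning",      lambda p: bool(p.get("arp.duplicate-address-detected")
                                          or p.get("arp.duplicate-address-frame"))),
    ("ICMP flood",         lambda p: "icmp.type" in p and p.get("data.len", 0) > 48),
    ("VLAN hopping",       lambda p: bool(p.get("dtp") or p.get("vlan.too_many_tags"))),
    ("Unexplained packet loss", lambda p: bool(p.get("tcp.analysis.lost_segment")
                                               or p.get("tcp.analysis.retransmission"))),
]

# Rows whose filter matches the target's ICMP *reply*: the host to look at is
# the packet's destination, i.e. the one that sent the probes.
REPLY_BASED = {"IP protocol scan", "UDP port scan"}


def matching_techniques(p):
    return [name for name, rule in RULES if rule(p)]


def suspect_host(p, technique):
    if technique in REPLY_BASED:
        return p.get("ip.dst")
    return p.get("ip.src") or p.get("arp.src.proto_ipv4")


def scan_summary(packets, threshold=3):
    """Count matches per (technique, host) and keep those at or above the
    threshold: volume from one host is what separates a scan from noise."""
    counts = Counter()
    for p in packets:
        for technique in matching_techniques(p):
            counts[(technique, suspect_host(p, technique))] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


# Constructed sample capture: a SYN scan and an Xmas scan from 10.0.0.5, a UDP
# scan visible only through the target's ICMP port-unreachable replies, one
# ordinary connection attempt and one ordinary ARP request.
SAMPLE_PACKETS = (
    [tcp_packet("10.0.0.5", "10.0.0.9", port, SYN, 1024) for port in (22, 80, 443, 445)]
    + [tcp_packet("10.0.0.5", "10.0.0.9", port, FIN | PSH | URG, 1024) for port in (21, 23, 25)]
    + [icmp_packet("10.0.0.9", "10.0.0.5", 3, 3) for _ in range(3)]
    + [tcp_packet("10.0.0.7", "10.0.0.9", 443, SYN, 64240)]
    + [arp_packet("00:c0:ca:96:cf:cb", "10.0.0.7", "00:00:00:00:00:00", "10.0.0.1")]
)

if __name__ == "__main__":
    for (technique, host), n in sorted(scan_summary(SAMPLE_PACKETS).items()):
        print(f"{technique:20s} {host:12s} {n} matching packets")
```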



DFIR - Windows Event ID

In a forensic investigation, Windows Event Logs serve as a primary source of evidence, since the operating system logs system activity. Windows Event Log analysis can help an investigator draw a timeline from the logged information and the discovered artifacts. On Windows systems, the event logs contain a lot of useful information about the system and its users.

For a forensic investigator the Security log is the most important event log. It contains logon/logoff activity and other activity related to Windows security.


Location: C:\Windows\System32\winevt\Logs

Tools: default Event Viewer or https://eventlogxp.com/


1102 is logged whenever the Security log is cleared

4697 A new service was installed on the system

4688 A new process has been created

EVENT LOG RELATED TO ACCOUNT LOGON/LOGOFF

4624 An account was successfully logged on

4625 An account failed to log on

4634 An account was logged off

4647 User initiated logoff

4648 Logon using explicit credentials (RunAs)

4672 Privileged account usage

EVENT LOG RELATED TO SCHEDULED TASKS

4698 A scheduled task was created

4699 A scheduled task was deleted

4701 A scheduled task was disabled

4702 A scheduled task was updated


ACCOUNT MANAGEMENT

4720 A user account was created

4722 A user account was enabled

4723 An attempt was made to change an account's password

4724 An attempt was made to reset an account's password

4725 A user account was disabled

4726 A user account was deleted

4728 A member was added to a security-enabled global group

4732 A member was added to a security-enabled local  group

4735 A security-enabled local group was changed

4738 A user account was changed

4740 A user account was locked out

4767 A user account was unlocked

4756 A member was added to a security-enabled universal group

4798 A user's local group membership was enumerated

4799 A security-enabled local group membership was enumerated

ACCOUNT LOGON

4768 A Kerberos ticket-granting ticket was granted (successful logon, Kerberos)

4769 Successful/Failed account auth (NTLM protocol)

4770 A Kerberos service ticket was renewed

4771 Kerberos pre-authentication failed (failed logon, Kerberos)

4776 Successful/Failed account auth (NTLM protocol)


RDP LOGS

4778 RDP session reconnected

4779 RDP session disconnected


EVENT LOG RELATED TO NETWORK SHARE ACCESS

5140 A network share object was accessed 

5142 A network share object was added

5143 A network share object was modified

5144 A network share object was deleted

5145 A network share object was checked to see whether client can be granted desired access 


EVENT LOG RELATED TO SERVICES

7034 Service crashed unexpectedly

7035 Service sent a start/stop control

7036 Service started or stopped

7040 Start type changed (Boot | On Request | Disabled)

7045 A new service was installed on the system (Windows Server 2008 R2 and later)


Logon Type

2 - Interactive [Logon type 2 is logged when a user logs on at the console, whether it is a domain or a local user account]

3 - Windows logs logon type 3 for network logons such as accessing shared folders, printers, GPOs, and most logons to IIS. 

4 - Batch. For a scheduled task execution in Windows, the Task Scheduler service first creates a new logon session for the task so that it can run under the user account specified for that task. Windows logs this logon attempt as logon type 4.

5 - Service (service startup)

7 - Unlock. This occurs when a user returns to the console and unlocks the password-protected screen. Windows treats this as a logon and logs the appropriate Logon/Logoff event using logon type 7, identifying the event as an unlock attempt.

8 - Network Cleartext (Most often indicates a logon to IIS with “basic authentication”)

10 - Logons through Terminal Services, Remote Desktop or Remote Assistance are qualified as remote interactive, and Windows logs the logon attempt with logon type 10

11 - Logon with cached credentials


Logon Failure Codes

0xC0000064 - User name does not exist

0xC000006A - User name is correct but the password is wrong

0xC0000234 - User is currently locked out

0xC0000072 - Account is currently disabled

0xC000006D - Reason not specified (the sub-status may provide more information)

0xC000006F - User tried to log on outside their day-of-week or time-of-day restrictions

0xC0000070 - Workstation restriction

0xC0000193 - Account expiration

0xC0000071 - Expired password

0xC0000133 - Clocks between DC and other computer too far out of sync

0xC0000224 - User is required to change password at next logon

0xC0000225 - Evidently a bug in Windows and not a risk

0xC000015B - The user has not been granted the requested logon type (aka logon right) at this machine

KERBEROS FAILURE CODES

0x6 Bad user name

0x7 New computer account?

0x9 Administrator should reset password

0xC Workstation restriction

0x12 Account disabled, expired, locked out, or logon hours restriction

0x17 The user’s password has expired

0x18 Bad password

0x20 Frequently logged by computer accounts

0x25 Workstation’s clock too far out of sync with the DC’s
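An added example (not from the original notes) that puts the lists above to work: it renders event records as a timeline using the event, logon-type and failure-code names given here, and flags password-guessing bursts (many guess-type 4625 failures from one source inside a short window, and the first 4624 from that source afterwards). The event records, source addresses, window and threshold are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Lookup tables: a subset of the lists above.
EVENT_NAMES = {
    1102: "Security log cleared", 4624: "Logon success", 4625: "Logon failure",
    4648: "Logon with explicit credentials", 4672: "Privileged account usage",
    4688: "New process created", 4698: "Scheduled task created",
    4720: "User account created", 4740: "User account locked out",
    7045: "New service installed",
}
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch (scheduled task)", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive (RDP)",
    11: "CachedInteractive",
}
FAILURE_CODES = {
    "0xC0000064": "user name does not exist", "0xC000006A": "wrong password",
    "0xC0000234": "account locked out", "0xC0000072": "account disabled",
    "0xC000006F": "outside logon hours", "0xC0000070": "workstation restriction",
    "0xC0000193": "account expired", "0xC0000071": "password expired",
    "0xC0000133": "clock skew with DC", "0xC0000224": "must change password",
    "0xC000015B": "logon type not granted",
}
# Failure reasons that indicate guessing rather than a misconfigured account.
GUESS_CODES = {"0xC0000064", "0xC000006A"}


def describe(e):
    """One human-readable timeline line for an event record."""
    parts = [f"{e['time']:%Y-%m-%d %H:%M:%S}  {e['id']} {EVENT_NAMES.get(e['id'], 'other')}",
             f"user={e['user']}"]
    if e.get("src_ip"):
        parts.append(f"src={e['src_ip']}")
    if e.get("logon_type") is not None:
        parts.append(f"type={e['logon_type']} ({LOGON_TYPES.get(e['logon_type'], '?')})")
    if e.get("status"):
        parts.append(f"status={e['status']} ({FAILURE_CODES.get(e['status'], 'unmapped')})")
    return "  ".join(parts)


def timeline(events):
    return [describe(e) for e in sorted(events, key=lambda e: e["time"])]


def detect_password_guessing(events, window=timedelta(minutes=5), min_failures=5):
    """Flag a source IP with >= min_failures guess-type 4625 events inside the
    window; keep counting later failures and note the first 4624 that follows."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] in (4624, 4625) and e.get("src_ip"):
            by_ip[e["src_ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        recent, burst = [], None       # failures inside the sliding window
        for e in evs:
            if e["id"] == 4625 and e.get("status") in GUESS_CODES:
                recent = [f for f in recent if e["time"] - f["time"] <= window] + [e]
                if burst is not None:
                    burst["failures"] += 1
                    burst["users"].add(e["user"])
                elif len(recent) >= min_failures:
                    burst = {"src_ip": ip, "failures": len(recent),
                             "users": {f["user"] for f in recent},
                             "first_seen": recent[0]["time"], "success": None}
                    findings.append(burst)
            elif e["id"] == 4624 and burst is not None and burst["success"] is None:
                burst["success"] = (e["user"], LOGON_TYPES.get(e["logon_type"], "?"), e["time"])
    return findings


def ev(minute, eid, user, src_ip=None, logon_type=None, status=None):
    """Constructed event record, 'minute' minutes after 09:00 on a made-up day."""
    return {"time": datetime(2024, 3, 1, 9, 0) + timedelta(minutes=minute), "id": eid,
            "user": user, "src_ip": src_ip, "logon_type": logon_type, "status": status}


# Constructed sample: six network-logon failures against five users from one
# address (a spray), a later RDP logon from that address, and unrelated noise.
SAMPLE_EVENTS = (
    [ev(m, 4625, u, "203.0.113.10", 3, "0xC000006A")
     for m, u in enumerate(["alice", "bob", "carol", "dave", "erin", "alice"])]
    + [ev(7, 4624, "alice", "203.0.113.10", 10),
       ev(8, 4672, "alice", "203.0.113.10"),
       ev(2, 4625, "bob", "10.0.0.5", 2, "0xC000006A"),   # a single console typo
       ev(12, 1102, "alice")]
)

if __name__ == "__main__":
    print("\n".join(timeline(SAMPLE_EVENTS)))
    for f in detect_password_guessing(SAMPLE_EVENTS):
        print(f"{f['src_ip']}: {f['failures']} failures for {sorted(f['users'])}, "
              f"then success: {f['success']}")
```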




Palo Alto Basics - Traffic Monitor Filtering

Basics of Traffic Monitor Filtering

Host Traffic Filter Examples

From Host a.a.a.a

        (addr.src in a.a.a.a)

        example: (addr.src in 1.1.1.1)

        Explanation: shows all traffic from a host whose IP address matches 1.1.1.1


To Host b.b.b.b

        (addr.dst in b.b.b.b)

        example: (addr.dst in 2.2.2.2)

        Explanation: shows all traffic with a destination address of a host that matches 2.2.2.2


From Host a.a.a.a to Host b.b.b.b

        (addr.src in a.a.a.a) and (addr.dst in b.b.b.b)

        example: (addr.src in 1.1.1.1) and (addr.dst in 2.2.2.2)

        Explanation: shows all traffic coming from a host with an IP address of 1.1.1.1 and going to a host destination address of 2.2.2.2 


To Host Range

        Note that you cannot specify an actual range, but you can use CIDR notation to specify a network range of addresses

        (addr.src in a.a.a.a/CIDR)

        example:  (addr.src in 10.10.10.2/30)

        Explanation:  shows all traffic coming from addresses ranging from 10.10.10.1 - 10.10.10.3.


To or From Host a.a.a.a

        (addr in a.a.a.a)

        example: (addr in 1.1.1.1) 

        Explanation: shows all traffic with a source OR destination address of a host that matches 1.1.1.1


Zone Traffic Filter Examples: 

From Zone zone_a

        (zone.src eq zone_a)

        example: (zone.src eq PROTECT)

        Explanation: shows all traffic coming from the PROTECT zone 


To Zone zone_b

        (zone.dst eq zone_b)

        example: (zone.dst eq OUTSIDE)

        Explanation: shows all traffic going out the OUTSIDE zone 


From Zone zone_a to Zone zone_b

          (zone.src eq zone_a) and (zone.dst eq zone_b)

          example: (zone.src eq PROTECT) and (zone.dst eq OUTSIDE)

          Explanation: shows all traffic traveling from the PROTECT zone and going out the OUTSIDE zone 


Port Traffic Filter Examples: 

From Port aa

          (port.src eq aa)

          example: (port.src eq 22)

          Explanation: shows all traffic traveling from source port 22 


To Port bb

          (port.dst eq bb)

          example: (port.dst eq 25)

          Explanation: shows all traffic traveling to destination port 25 


From Port aa TO Port bb

          (port.src eq aa) and (port.dst eq bb)

          example: (port.src eq 23459) and (port.dst eq 22)

          Explanation: shows all traffic traveling from source port 23459 and traveling to destination port 22


From All Ports Less Than or Equal To Port aa

          (port.src leq aa)

          example: (port.src leq 22)

          Explanation: shows all traffic traveling from source ports 1-22 


From All Ports Greater Than Or Equal To Port aa

          (port.src geq aa)

          example: (port.src geq 1024)

          Explanation: shows all traffic traveling from source ports 1024 - 65535 


To All Ports Less Than Or Equal To Port aa

         (port.dst leq aa)

         example: (port.dst leq 1024)

         Explanation: shows all traffic traveling to destination ports 1-1024 


To All Ports Greater Than Or Equal To Port aa

          (port.dst geq aa)

          example: (port.dst geq 1024)

          Explanation: shows all traffic traveling to destination ports 1024-65535 


From Port Range aa Through bb

          (port.src geq aa) and (port.src leq bb)

          example: (port.src geq 20) and (port.src leq 53)

          Explanation: shows all traffic traveling from source port range 20-53 


To Port Range aa Through bb

          (port.dst geq aa) and (port.dst leq bb)

          example: (port.dst geq 1024) and (port.dst leq 13002)

          Explanation: shows all traffic traveling to destination ports 1024 - 13002 


Date/Time Traffic Filter Examples:


All Traffic for a Specific Date yyyy/mm/dd And Time hh:mm:ss

         (receive_time eq 'yyyy/mm/dd hh:mm:ss')

         example: (receive_time eq '2015/08/31 08:30:00')

         Explanation: shows all traffic that was received on August 31, 2015 at 8:30am 


All Traffic Received On Or Before The Date yyyy/mm/dd And Time hh:mm:ss

          (receive_time leq 'yyyy/mm/dd hh:mm:ss')

          example: (receive_time leq '2015/08/31 08:30:00')

          Explanation: shows all traffic that was received on or before August 31, 2015 at 8:30am 


All Traffic Received On Or After The Date yyyy/mm/dd And Time hh:mm:ss

          (receive_time geq 'yyyy/mm/dd hh:mm:ss')

          example: (receive_time geq '2015/08/31 08:30:00')

          Explanation: shows all traffic that was received on or after August 31, 2015 at 8:30am 


All Traffic Received Between The Date-Time Range Of yyyy/mm/dd hh:mm:ss and YYYY/MM/DD HH:MM:SS

         (receive_time geq 'yyyy/mm/dd hh:mm:ss') and (receive_time leq 'YYYY/MM/DD HH:MM:SS')

         example: (receive_time geq '2015/08/30 08:30:00') and (receive_time leq '2015/08/31 01:25:00')

         Explanation: shows all traffic that was received between August 30, 2015 8:30am and August 31, 2015 01:25 am 


Interface Traffic Filter Examples:

All Traffic Inbound On Interface ethernet1/x

          (interface.src eq 'ethernet1/x')

          example: (interface.src eq 'ethernet1/2')

          Explanation: shows all traffic that was received on the PA Firewall interface Ethernet 1/2 


All Traffic Outbound On Interface ethernet1/x

          (interface.dst eq 'ethernet1/x')

          example: (interface.dst eq 'ethernet1/5')

          Explanation: shows all traffic that was sent out on the PA Firewall interface Ethernet 1/5 


Allowed/Denied Traffic Filter Examples

All Traffic That Has Been Allowed By The Firewall Rules

          (action eq allow)

          OR

          (action neq deny)

          example: (action eq allow)

          Explanation: shows all traffic allowed by the firewall rules. Placing the letter 'n' in front of 'eq' means 'not equal to', so anything not equal to 'deny' is displayed, which is any allowed traffic.


All Traffic Denied By The FireWall Rules.

          (action eq deny)

          OR

          (action neq allow)

          example: (action eq deny)

          Explanation: shows all traffic denied by the firewall rules. Placing the letter 'n' in front of 'eq' means 'not equal to', so anything not equal to 'allow' is displayed, which is any denied traffic.

Combining Traffic Filter Examples

All Traffic From Zone OUTSIDE And Network 10.10.10.0/24 To Host Address 20.20.20.21 In The PROTECT Zone:

          example: (zone.src eq OUTSIDE) and (addr.src in 10.10.10.0/24) and (addr.dst in 20.20.20.21) and (zone.dst eq PROTECT)


All Traffic From Host 1.2.3.4 To Host 5.6.7.8 For The Time Range 08/30/2015 - 08/31/2015

          example: (addr.src in 1.2.3.4) and (addr.dst in 5.6.7.8) and (receive_time geq '2015/08/30 00:00:00') and (receive_time leq '2015/08/31 23:59:59')
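An added example, not Palo Alto Networks code: a small evaluator for the filter syntax shown in this post (in, eq, neq, leq, geq, and, or, parentheses) run over constructed traffic-log rows, so a combined filter can be checked against input whose expected matches are known before it is pasted into the Traffic Monitor. A bare addr field matches either source or destination as described above; the assumption that 'and' binds tighter than 'or' is the example's own, and the sample rows and column subset are constructed.

```python
import ipaddress
import re
from datetime import datetime

# Tokens: parentheses, single-quoted strings, or runs of non-space characters
# (field names, operators, IPs, CIDR ranges, zone names, numbers).
TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()]+")
OPERATORS = ("in", "eq", "neq", "leq", "geq")


def _coerce(field, raw):
    """Convert a filter literal or a log value into the type the field compares as."""
    raw = str(raw).strip("'")
    if field == "receive_time":
        return datetime.strptime(raw, "%Y/%m/%d %H:%M:%S")
    if field.startswith("port."):
        return int(raw)
    return raw


def _field_values(record, field):
    # A bare 'addr' matches either source or destination, as the post describes.
    keys = ["addr.src", "addr.dst"] if field == "addr" else [field]
    return [record[k] for k in keys if k in record]


def _compare(record, field, op, raw):
    wanted = _coerce(field, raw)
    for have in (_coerce(field, v) for v in _field_values(record, field)):
        if op == "in":   # single address or CIDR range, as in the host examples
            hit = ipaddress.ip_address(have) in ipaddress.ip_network(wanted, strict=False)
        else:
            hit = {"eq": have == wanted, "neq": have != wanted,
                   "leq": have <= wanted, "geq": have >= wanted}[op]
        if hit:
            return True
    return False


class Parser:
    """Recursive descent: or-expr -> and-expr -> '(' expr ')' | field op value."""
    def __init__(self, text):
        self.toks, self.pos = TOKEN.findall(text), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1] if self.pos <= len(self.toks) else None

    def binary(self, word, below):   # left-associative chain joined by `word`
        node = below()
        while self.peek() == word:
            self.take()
            node = (word, node, below())
        return node

    def or_expr(self):
        return self.binary("or", lambda: self.binary("and", self.atom))

    def atom(self):
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        field, op, value = self.take(), self.take(), self.take()
        if op not in OPERATORS or value is None:
            raise ValueError(f"bad comparison near {field!r}")
        return ("cmp", field, op, value)


def evaluate(node, record):
    if node[0] == "cmp":
        return _compare(record, *node[1:])
    left, right = evaluate(node[1], record), evaluate(node[2], record)
    return (left and right) if node[0] == "and" else (left or right)


def filter_logs(filter_text, records):
    parser = Parser(filter_text)
    tree = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [r for r in records if evaluate(tree, r)]


def log(t, zsrc, zdst, src, dst, psrc, pdst, action):
    """Constructed traffic-log row (a subset of the real log columns)."""
    return {"receive_time": t, "zone.src": zsrc, "zone.dst": zdst, "addr.src": src,
            "addr.dst": dst, "port.src": psrc, "port.dst": pdst, "action": action}


SAMPLE_LOGS = [
    log("2015/08/30 08:30:00", "OUTSIDE", "PROTECT", "10.10.10.7", "20.20.20.21", 50123, 443, "allow"),
    log("2015/08/30 09:00:00", "OUTSIDE", "PROTECT", "10.10.11.7", "20.20.20.21", 23459, 22, "deny"),
    log("2015/08/31 01:20:00", "PROTECT", "OUTSIDE", "1.2.3.4", "5.6.7.8", 40000, 8443, "allow"),
    log("2015/09/01 10:00:00", "PROTECT", "OUTSIDE", "1.2.3.4", "5.6.7.8", 40001, 25, "allow"),
]

if __name__ == "__main__":
    combined = ("(zone.src eq OUTSIDE) and (addr.src in 10.10.10.0/24) "
                "and (addr.dst in 20.20.20.21) and (zone.dst eq PROTECT)")
    for row in filter_logs(combined, SAMPLE_LOGS):
        print(row)
```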


