The following programs are not directly related to proxypot, but may be
useful:
- tcpstream
- Takes a bunch of packets and separates the TCP streams by matching the
port numbers and IP addresses, puts the data within each stream in proper
order by sequence number, and outputs 3 files for each stream: one which
contains the data that was sent by the initiator of the connection, one which
contains the data that was sent by the other end of the connection, and one
which contains both, with escape codes to display the initiator's data in
bold when the file is printed on a VT100-ish terminal. The packet input can be
a saved libpcap dump file (created by tcpdump, for example), or it can be
taken in real time from a network interface. This is a lot like the "Follow
TCP stream" function in ethereal, but it works in bulk on all TCP streams at
once, rather than one by one with manual selection. tcpstream can invoke a
backend for further processing at the close of each connection. The Net::Pcap
Perl module is required.
- stream2maildir
- A backend for tcpstream that watches a specific port for SOCKS and HTTP
CONNECT proxy connections that lead to SMTP servers, and delivers the mail to
a Maildir, with a Received header in proxypot format so the Maildir can be
analyzed by spamstat. Sample usage:
tcpstream -l eth0 tmpdir stream2maildir 1080 /home/spamdump/Maildir
tcpstream capfile tmpdir stream2maildir 1080 /home/spamdump/Maildir
With this you can get proxypot-style evidence reports from an actual open
proxy, if you have the ability to capture its packets. This should only be
done for a short time: if you have a real open proxy on your network you are
part of the problem, and the fix is to shut it off quickly.
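The stream separation that tcpstream performs, as an added example written for this page in Python rather than the tool's own Perl, and not code from tcpstream itself: packets are grouped by the address/port pair in either direction, each side's data is indexed by sequence number (an exact retransmission is dropped, an overlapping one is trimmed), and the three output files are produced, with a hook that hands the two halves of each stream to a backend. The packets are constructed inline instead of read through Net::Pcap, so no capture file or interface is needed; the `Stream`, `flush` and `write_streams` names are this example's own.

```python
import os
import tempfile
from dataclasses import dataclass, field

BOLD, RESET = "\x1b[1m", "\x1b[0m"   # VT100 "bold on" / "attributes off"

# Constructed sample packets standing in for what tcpstream reads from a libpcap
# file or a live interface: (src_ip, sport, dst_ip, dport, seq, flags, payload).
# Two connections to a proxy on port 1080; the first client's data segments
# arrive out of order and one of them is retransmitted.
SAMPLE_PACKETS = [
    ("10.0.0.5", 40001, "192.0.2.10", 1080, 1000, "S", b""),
    ("192.0.2.10", 1080, "10.0.0.5", 40001, 5000, "SA", b""),
    ("10.0.0.5", 40001, "192.0.2.10", 1080, 1001, "A", b""),
    ("10.0.0.5", 40001, "192.0.2.10", 1080, 1014, "PA", b"example.org:25 HTTP/1.0\r\n\r\n"),
    ("10.0.0.5", 40001, "192.0.2.10", 1080, 1001, "PA", b"CONNECT mail."),
    ("10.0.0.7", 40002, "192.0.2.10", 1080, 7000, "PA", b"GET / HTTP/1.0\r\n\r\n"),
    ("192.0.2.10", 1080, "10.0.0.5", 40001, 5001, "PA", b"HTTP/1.0 200 Connection established\r\n\r\n"),
    ("10.0.0.5", 40001, "192.0.2.10", 1080, 1001, "PA", b"CONNECT mail."),   # retransmission
    ("10.0.0.5", 40001, "192.0.2.10", 1080, 1041, "FA", b""),
]

@dataclass
class Stream:
    initiator: tuple                            # (ip, port) of the side whose packet was seen first
    segments: dict = field(default_factory=lambda: {"init": {}, "resp": {}})  # side -> {seq: bytes}
    order: list = field(default_factory=list)   # (side, seq) in capture order, no duplicates

def stream_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection land in one stream."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def reassemble(packets):
    """Group packets by address/port pair and index each side's data by sequence number."""
    streams = {}
    for src, sport, dst, dport, seq, _flags, payload in packets:
        st = streams.setdefault(stream_key(src, sport, dst, dport), Stream(initiator=(src, sport)))
        if not payload:
            continue                            # bare SYN/ACK/FIN carries no stream data
        side = "init" if (src, sport) == st.initiator else "resp"
        if seq not in st.segments[side]:        # an exact retransmission is simply dropped
            st.order.append((side, seq))
        st.segments[side][seq] = payload
    return streams

def flush(pending, nxt):
    """Pop segments from `pending` in sequence order while the next expected byte is
    available; overlapping retransmissions are trimmed. Returns (chunks, new_nxt)."""
    chunks = []
    while pending and min(pending) <= nxt:
        seq0 = min(pending)
        data = pending.pop(seq0)[nxt - seq0:]
        if data:
            chunks.append(data)
            nxt += len(data)
    return chunks, nxt

def side_bytes(st, side):
    """Everything one side sent, in sequence order (the first two output files)."""
    segs = st.segments[side]
    if not segs:
        return b""
    chunks, _ = flush(dict(segs), min(segs))
    return b"".join(chunks)

def transcript(st):
    """Both sides in one text, released in sequence order as each side's next segment
    arrives, with the initiator's bytes wrapped in bold (the third output file)."""
    nxt = {s: min(st.segments[s]) for s in ("init", "resp") if st.segments[s]}
    pending, out = {"init": {}, "resp": {}}, []
    for side, seq in st.order:
        pending[side][seq] = st.segments[side][seq]
        chunks, nxt[side] = flush(pending[side], nxt[side])
        for data in chunks:
            text = data.decode("latin-1")
            out.append(BOLD + text + RESET if side == "init" else text)
    return "".join(out)

def write_streams(streams, outdir, backend=None):
    """Write the three files per stream and, like tcpstream's backend hook, call
    backend(initiator_bytes, responder_bytes) once per connection."""
    written = []
    for key, st in streams.items():
        base = os.path.join(outdir, "%s_%d-%s_%d" % (key[0] + key[1]))
        init, resp = side_bytes(st, "init"), side_bytes(st, "resp")
        both = transcript(st).encode("latin-1")
        for suffix, data in ((".init", init), (".resp", resp), (".both", both)):
            with open(base + suffix, "wb") as f:
                f.write(data)
            written.append(base + suffix)
        if backend is not None:
            backend(init, resp)
    return written

def main(outdir=None):
    outdir = outdir or tempfile.mkdtemp(prefix="tcpstream-")
    paths = write_streams(reassemble(SAMPLE_PACKETS), outdir)
    for p in paths:
        print(p)
    return paths

if __name__ == "__main__":
    main()
```

The transcript deliberately holds a side's data back until its next expected segment has arrived, which is why the out-of-order `example.org:25 ...` segment appears after `CONNECT mail.` even though it was captured first; a stream with a gap (a segment never captured) keeps the later data pending, which is the safe failure for an evidence file.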
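A backend of the kind stream2maildir is described as, added here as an example and not stream2maildir's own code: given the two halves of a stream, it checks whether the connection opened with an HTTP CONNECT or SOCKS4 request to port 25 that the proxy actually granted, pulls the envelope and message out of the SMTP session that followed (undoing SMTP dot-stuffing), and delivers each message to a Maildir with a Received header describing the proxy hop. The page does not give the proxypot Received header format, so the header layout below is an assumption for illustration only; the stream contents are constructed inline, and `proxy_target`, `parse_smtp`, `deliver` and `process_stream` are this example's own names.

```python
import os
import socket
import struct
import tempfile
import time

# Constructed sample: the two halves of one connection as a tcpstream-style tool
# would hand them to a backend. The client asked an HTTP proxy to CONNECT it to
# an SMTP server, the proxy agreed, and an SMTP session followed on the stream.
SAMPLE_INIT = (
    b"CONNECT mail.example.org:25 HTTP/1.0\r\n\r\n"
    b"EHLO spammer.invalid\r\n"
    b"MAIL FROM:<bob@example.net>\r\n"
    b"RCPT TO:<alice@example.org>\r\n"
    b"DATA\r\n"
    b"Subject: test\r\n\r\nline one\r\n..leading dot kept\r\n.\r\n"
    b"QUIT\r\n"
)
SAMPLE_RESP = (
    b"HTTP/1.0 200 Connection established\r\n\r\n"
    b"220 mail.example.org ESMTP\r\n250 ok\r\n250 ok\r\n250 ok\r\n"
    b"354 go ahead\r\n250 queued\r\n221 bye\r\n"
)

def proxy_target(init):
    """If the stream opens with an HTTP CONNECT or a SOCKS4 CONNECT request, return
    (kind, host, port, bytes_after_the_request); otherwise None."""
    if init.startswith(b"CONNECT "):
        hdr_end = init.find(b"\r\n\r\n")
        words = init.split(b"\r\n", 1)[0].split()       # CONNECT host:port HTTP/1.x
        if hdr_end < 0 or len(words) < 2 or b":" not in words[1]:
            return None
        host, port = words[1].rsplit(b":", 1)
        return "http", host.decode(), int(port), init[hdr_end + 4:]
    # SOCKS4 request: VN=4 CD=1 DSTPORT(2) DSTIP(4) USERID... NUL
    if len(init) >= 9 and init[0] == 4 and init[1] == 1:
        port, ip = struct.unpack("!H4s", init[2:8])
        end = init.find(b"\0", 8)
        if end >= 0:
            return "socks4", socket.inet_ntoa(ip), port, init[end + 1:]
    return None

def relay_succeeded(kind, resp):
    """Only a granted request means the SMTP bytes really reached a server."""
    if kind == "http":
        status = resp.split(b"\r\n", 1)[0].split()
        return len(status) >= 2 and status[1] == b"200"
    return len(resp) >= 2 and resp[0] == 0 and resp[1] == 0x5A   # SOCKS4 "request granted"

def parse_smtp(client_bytes):
    """Envelope and message from the client side of an SMTP session: a list of
    (sender, recipients, message_bytes), one entry per DATA transaction."""
    msgs, sender, rcpts = [], None, []
    lines = client_bytes.split(b"\r\n")
    i = 0
    while i < len(lines):
        line, up = lines[i], lines[i].upper()
        if up.startswith(b"MAIL FROM:"):
            sender = line[10:].strip()
        elif up.startswith(b"RCPT TO:"):
            rcpts.append(line[8:].strip())
        elif up == b"RSET":
            sender, rcpts = None, []
        elif up == b"DATA":
            body, i = [], i + 1
            while i < len(lines) and lines[i] != b".":
                ln = lines[i]
                body.append(ln[1:] if ln.startswith(b".") else ln)   # undo dot-stuffing
                i += 1
            msgs.append((sender, list(rcpts), b"\r\n".join(body) + b"\r\n"))
            sender, rcpts = None, []
        i += 1
    return msgs

def deliver(maildir, client, proxy, kind, target, msgs, now=None):
    """Write each message to maildir/new via tmp, the Maildir delivery rule. The
    Received header layout here is an assumption, not the proxypot format."""
    now = time.time() if now is None else now
    for sub in ("tmp", "new", "cur"):
        os.makedirs(os.path.join(maildir, sub), exist_ok=True)
    stamp = time.strftime("%a, %d %b %Y %H:%M:%S +0000", time.gmtime(now)).encode()
    paths = []
    for n, (sender, rcpts, body) in enumerate(msgs):
        head = (b"Return-Path: %s\r\nReceived: from [%s] port %d by proxy %s:%d\r\n"
                b"\tvia %s to %s:%d for %s; %s\r\n"
                % (sender or b"<>", client[0].encode(), client[1], proxy[0].encode(), proxy[1],
                   kind.upper().encode(), target[0].encode(), target[1], b", ".join(rcpts), stamp))
        name = "%d.%d_%d.%s" % (int(now), os.getpid(), n, socket.gethostname())
        tmp, new = os.path.join(maildir, "tmp", name), os.path.join(maildir, "new", name)
        with open(tmp, "wb") as f:
            f.write(head + body)
        os.rename(tmp, new)                      # atomic move publishes the message
        paths.append(new)
    return paths

def process_stream(init, resp, maildir, client=("10.0.0.5", 40001),
                   proxy=("192.0.2.10", 1080), now=None):
    """The whole backend: deliver mail only from granted proxy relays to port 25."""
    tgt = proxy_target(init)
    if tgt is None:
        return []
    kind, host, port, rest = tgt
    if port != 25 or not relay_succeeded(kind, resp):
        return []
    maildir = maildir or tempfile.mkdtemp(prefix="spamdump-")
    return deliver(maildir, client, proxy, kind, (host, port), parse_smtp(rest), now)

if __name__ == "__main__":
    for path in process_stream(SAMPLE_INIT, SAMPLE_RESP, None):
        print(path)
```

Two checks are deliberate: the target port must be 25, so ordinary HTTPS CONNECTs through the same proxy are ignored, and the proxy's reply must be a grant, so a refused relay never produces an evidence message that claims mail was sent.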