nrpe on ssl
vishesh kumar
linuxtovishesh at gmail.com
Fri May 25 15:04:04 CEST 2012
Thanks to all. I verified through tcpdump and its over ssl
On Fri, May 25, 2012 at 5:33 AM, Tom Yates <madlists at teaparty.net> wrote:
> On Thu, 24 May 2012, Axel wrote:
>
> > You can use tcpdump and wireshark to check the tcp and ssl handshake.
>
> as axel says, this is the best way to be *sure* it's happening under cover
> of SSL. in case you want to see it done, here's one happening under SSL:
>
> [user at www ~]$ sudo tcpdump -n -n -A port 5666
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 10:23:11.568787 IP 78.31.111.49.45411 > 193.219.118.100.5666: S
> 1958463879:1958463879(0) win 14600 <mss 1460,sackOK,timestamp 318187570
> 0,nop,wscale 5>
> E..<.. at .9.jvN.o1..vd.c."t.........9..w.........
> ..(2........
> 10:23:11.568816 IP 193.219.118.100.5666 > 78.31.111.49.45411: S
> 4064423968:4064423968(0) ack 1958463880 win 5792 <mss 1460,sackOK,timestamp
> 3184336621 318187570,nop,wscale 7>
> E..<.. at .@.E,..vdN.o1.".c.B0 t..................
> ......(2....
> 10:23:11.574693 IP 78.31.111.49.45411 > 193.219.118.100.5666: . ack 1 win
> 457 <nop,nop,timestamp 318187571 3184336621>
> E..4.. at .9.j}N.o1..vd.c."t....B0!....?Q.....
> ..(3....
> 10:23:11.575019 IP 78.31.111.49.45411 > 193.219.118.100.5666: P 1:78(77)
> ack 1 win 457 <nop,nop,timestamp 318187571 3184336621>
> E..... at .9.j/N.o1..vd.c."t....B0!...........
> ..(3........H...D..O.OH...`+.%.Kp.gOG.
> 10:23:11.575036 IP 193.219.118.100.5666 > 78.31.111.49.45411: . ack 78 win
> 46 <nop,nop,timestamp 3184336628 318187571>
> E..4.. at .@..b..vdN.o1.".c.B0!t....... at ......
> ......(3
> 10:23:11.576362 IP 193.219.118.100.5666 > 78.31.111.49.45411: P 1:240(239)
> ack 78 win 46 <nop,nop,timestamp 3184336629 318187571>
> E..#.. at .@..r..vdN.o1.".c.B0!t.......z9.....
> ......(3....Q...M..O.O.f...F..Xc:..3h~
> 10:23:11.581549 IP 78.31.111.49.45411 > 193.219.118.100.5666: . ack 240
> win 490 <nop,nop,timestamp 318187572 3184336629>
> E..4.. at .9.j{N.o1..vd.c."t....B1.....=......
> ..(4....
>
> as you can see, the ASCII-rendered contents look like gibberish. here's
> one *not* happening under SSL:
>
> [user at www ~]$ sudo tcpdump -n -n -A port 5666
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 10:27:50.403064 IP 78.31.111.49.45449 > 193.219.118.100.5666: S
> 2022207245:2022207245(0) win 14600 <mss 1460,sackOK,timestamp 318215453
> 0,nop,wscale 5>
> ......9............d..."x.o
> ............
> 10:27:50.403095 IP 193.219.118.100.5666 > 78.31.111.49.45449: S
> 1624596014:1624596014(0) ack 2022207246 win 5792 <mss 1460,sackOK,timestamp
> 3184615495 318215453,nop,wscale 7>
> E..<.. at .@.E,..vdN.o1."..`.^.x.o......L.........
> ..`G........
> 10:27:50.408395 IP 78.31.111.49.45449 > 193.219.118.100.5666: . ack 1 win
> 457 <nop,nop,timestamp 318215454 3184615495>
> E..4.. at .9.R"N.o1..vd..."x.o.`.^/....J......
> ......`G
> 10:27:50.409395 IP 78.31.111.49.45449 > 193.219.118.100.5666: P
> 1:1037(1036) ack 1 win 457 <nop,nop,timestamp 318215454 3184615495>
> E.. at ..@.9.N.N.o1..vd..."x.o.`.^/....:......
> ......`G........i7check_mysql.........
> 10:27:50.410281 IP 193.219.118.100.5666 > 78.31.111.49.45449: . ack 1037
> win 62 <nop,nop,timestamp 3184615502 318215454>
> E..4>b at .@.....vdN.o1."..`.^/x.s....>Hf.....
> ..`N....
> 10:27:50.427262 IP 193.219.118.100.5666 > 78.31.111.49.45449: P
> 1:1037(1036) ack 1037 win 62 <nop,nop,timestamp 3184615519 318215454>
> E..@>c at .@.....vdN.o1."..`.^/x.s....>^......
> ..`_........d=.d..QUERY OK: 'select *
>
> note the name of the check (check_mysql) and the result (QUERY OK...)
> being passed back in plaintext.
>
>
> --
>
> Tom Yates - http://www.teaparty.net
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when
> reporting any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
>
--
http://linuxmantra.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.monitoring-lists.org/archive/users/attachments/20120525/28a6d711/attachment.html>
-------------- next part --------------
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
-------------- next part --------------
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list