Friday, July 29, 2011

IDABench Lives On

I just did another install of IDABench, the intrusion analyst's toolkit based on SHADOW. This project hasn't been maintained or updated since 2003 when George Bakos left ISTS at Dartmouth, and yet it still remains a very useful tool (to me at least). I'm at a new job and the folks here never heard of IDABench, so I was happy to install it and show them its usefulness. Still hoping some Infosec Perl jockey will come across it someday and decide it's worthy of their time to resurrect the project and continue extending it.

Saturday, July 23, 2011

Tools from SANSFIRE

I love finding new tools. Maybe the functionality they provide is simply a shortcut to something I can do with other tools, eliminating a step or two and saving time, or else they might provide a way to do something I hadn't considered before. I came across a good number of new ones at SANSFIRE. I'll post the ones that caught my interest as I review my notes and books, in case one might fill a niche for you.
The first one is pcapcat. This is a Perl script which parses through a packet capture, then identifies and displays all the sessions by source IP and port and destination IP and port. You then supply a filename and pcapcat writes out the session to a new capture file. Not only does this save some keystrokes and time over using tcpdump, but it's also a handy way to see all of the sessions quickly and determine which ones are of interest. The tool was written by Kristinn Gudjonsson to help answer a challenge on, which is found here. The actual code can be found here to paste into a new script on your analysis box.
Try it out and see if it'll help save you a little time (or if you're new to network security and aren't sure about all the tcpdump syntax yet, use this until you get up to speed).

Wednesday, July 20, 2011


It's 2:09 AM Wednesday morning, day four of SANSFIRE. Insomnia has set in, so it's time to update my blog on the training event. Day 3 saw more excellent teaching in the FOR 558 class. This class is both a logical next step after SEC 503 (Intrusion Detection In Depth) and a different perspective from that track. Going beyond the role of intrusion analyst, it shows you how to become a forensics investigator into events from the network perspective. More than just incident response (identify, eradicate and recover), we're seeing how to take packet data found all over the network and pull the artifacts from the packets. Hex editors and protocol specific tools for SMTP, AIM, Squid and others as well as general packet parsing tools all combine to not just reconstruct the session and see what happened, but extract the data much like a traditional forensics investigator would from a hard drive. We're told day four will be the most hard core yet. From a survey of the book, looks like we're going into Netflow and wireless, as well as concepts in digital evidence.

Monday, July 18, 2011

SANSFIRE Days 1 and 2

Saturday began SANSFIRE for me with SEC 546:IPv6 Essentials. This was also Day 2 of the Security IPv6 Summit. The class was taught by Dr. Johannes Ullrich, a SANS senior instructor, Dean of Faculty and Chief Research Officer. If you're not familiar with IPv6 and the myriad of things to consider when preparing for migrating, I recommend you take this course (tell your boss you want to add it on to your five or six day course to help the security department prepare for IPv6). It was a huge amount of information packed into a one day course that will serve you well in any future discussion.

On Sunday, I began the FOR 558 course, which is network forensics. This is being taught by Jonathan Ham, an incredibly knowledgeable instructor, whose bio can be found here. This was my first class with Jonathan. The motto for FOR 558 is "No hard drive, no problem". As this suggests, the class is all about doing forensics analysis, not from the computer in question itself, but from the footprint (or fingerprint) its network traffic has left. Day 1 took off at full bore after a quick review of networking essentials, using SNIFT, the FOR 558 equivalent of the SIFT tool used in the traditional forensics classes, to create and examine packet captures, examine them using tcpdump, Wireshark and a hex editor, and pulling data from the packets. It's not the ordinary course that has you carving graphics files with a hex editor out of bytes pulled from a pcap file. If you're an intrusion analyst, incident response team member or security investigator, you might want to look at this class. Though the class is called a forensics class, it's a perfect complement and next step to SEC 503:Intrusion In-Depth. If you have your GCIA and want to take your intrusion analysis skills a level higher, this is a great class to do so. Here's the details.

Friday, July 15, 2011

SANSFIRE Pre-Conference

I'm at the hotel that's the site of SANSFIRE 2011 (the Washington Hilton in D.C.) and ready for tomorrow. I'll start out with a one day course with Johannes Ullrich, SEC 546, which is a primer on IPv6. Then Sunday we start on Forensics 558, five days with Jonathan Ham on Network Forensics. It's going to be a good week. Saw Stephen Northcutt earlier and got to say hello to him and tell him what classes I was taking, and hear from him how well the IPv6 Summit today went. I love the atmosphere of this conference. Eager to get started tomorrow.

Friday, July 8, 2011

SANSFIRE 2011 Evenings

For SANSFIRE this year (starting July 15th) we have the following evening sessions to choose from:

Cyber Security Trends and Lessons Learned from Large Scale Incidents in Japan
- Tomohisa Ishikawa
- Sunday, July 17 * 9:15pm - 10:15pm

FACEROUTE: Mapping and Harvesting Social Media Sites
- Rob VandenBrink
- Monday, July 18 * 7:15pm - 8:15pm

Securing The Kids
- Lance Spitzner
- Monday, July 18 * 7:15pm - 8:15pm

Ninja Developers: Penetration Testing and Your SDLC
- Kevin Johnson
- Monday, July 18 * 8:15pm - 9:15pm

Securing The Human
- Lance Spitzner
- Monday, July 18 * 8:15pm - 9:15pm

Is IPv6 the Wolf in IPv4s Clothing?
- Richard Porter
- Tuesday, July 19 * 7:15pm - 8:15pm

Security Testing Automation and Reporting
- Adrien de Beaupre
- Tuesday, July 19 * 7:15pm - 8:15pm

Are your tools ready for IPv6?
- Jim Clausing
- Tuesday, July 19 * 8:15pm - 9:15pm

Nurturing the Next Gen of InfoSec Geeks: Creating Kid-Friendly Challenges for Fun and Mayhem
- Ed Skoudis, Kevin Johnson, Josh Wright
- Tuesday, July 19 * 8:15pm - 9:15pm

DNS Sinkhole Peer into your network while you sleep
- Guy Bruneau
- Wednesday, July 20 * 7:15pm - 8:15pm

Using Scapy to Craft an IDS/IPS Evasion
- Judy Novak
- Wednesday, July 20 * 7:15pm - 8:45pm

Adding Network Flow Analysis to your Security Architecture
- Sidney Faber
- Tuesday, July 20 * 8:15pm - 9:15pm

Cisco Malware; A New Risk to Consider in Perimeter Security Designs
- Manuel Humberto Santander Pelaez
- Wednesday, July 20 * 8:15pm - 9:15pm

SQL Ginsu: Better Living (and Data Reduction) through Databases
- Philip Hagen
- Thursday, July 21 * 7:15pm - 8:15pm

Friday, July 1, 2011

More Parsing for Beginners

If you're new to NetSec, you don't have to learn a ton about any one subject to get started doing your job. There are more resources out there than you could possibly ever use to quickly get enough knowledge to take care of the job at hand and then go back later and learn more. Say you have a directory of packet captures. You've been using tcpdump or Daemonlogger to get raw packets as an audit trail (or IDABench, an outdated but still useful favorite of mine). Your boss wants you to do a sanity check for some sort of PII, to validate some control. A search on doing iteration in bash will probably lead you to the for command, where you can feed ngrep with your packet captures, one by one...
Here's an example...

for i in $( ls | grep -v '\.gz$' ); do ngrep -q -I "$i" ' [0-9]{3}-[0-9]{2}-[0-9]{4} '; done

This uses the for command with ls to list any of your captures that aren't gzipped (if you use bzip, you'll need to modify it), populates a variable called $i with each one in turn, then runs ngrep against the value contained in that variable (one of your packet captures) and looks for numbers in the Social Security format. There are all kinds of regex sites with common searches you can use without having to become a regex guru first.
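The same PII sanity check as an added Python example (not code from this blog, ngrep or pcapcat): it reads each capture directly, gzipped ones included, and reports every hit with its source and destination IP and port, the session view pcapcat gives you, so you know which session to pull. It assumes classic libpcap files with Ethernet framing and IPv4; the function names and sample addresses are constructed, and the pattern is tightened beyond the ngrep one to skip number ranges that were never issued.

```python
import gzip, re, socket, struct

# SSN shape from the post's ngrep pattern, tightened (added assumption) to
# skip never-issued ranges: area 000/666/9xx, group 00, serial 0000.
SSN = re.compile(rb"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

def read_pcap(path):
    """Yield raw frames from a classic libpcap file, gzipped or not."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rb") as fh:
        head = fh.read(24)  # global header; first 4 bytes give byte order
        endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(head[:4])
        if endian is None or struct.unpack(endian + "I", head[20:24])[0] != 1:
            raise ValueError("not a classic Ethernet pcap: " + path)
        while len(rec := fh.read(16)) == 16:
            caplen = struct.unpack(endian + "IIII", rec)[2]
            yield fh.read(caplen)

def ssn_hits(path):
    """Return sorted (src, sport, dst, dport, match) tuples for IPv4 TCP/UDP."""
    hits = set()
    for frame in read_pcap(path):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        l4 = 14 + (frame[14] & 0x0F) * 4  # start of the TCP/UDP header
        if frame[23] == 6 and len(frame) >= l4 + 20:
            data = frame[l4 + (frame[l4 + 12] >> 4) * 4:]  # skip TCP header
        elif frame[23] == 17 and len(frame) >= l4 + 8:
            data = frame[l4 + 8:]  # skip UDP header
        else:
            continue
        src, dst = (socket.inet_ntoa(frame[o:o + 4]) for o in (26, 30))
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        for m in SSN.finditer(data):
            hits.add((src, sport, dst, dport, m.group().decode()))
    return sorted(hits)

def write_sample(path, payloads):
    """Constructed test capture: one TCP segment 10.0.0.5:40000 -> 10.0.0.9:80
    per payload, checksums left at zero."""
    ip_pair = socket.inet_aton("10.0.0.5") + socket.inet_aton("10.0.0.9")
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for p in payloads:
            ip = struct.pack("!BBHHHBBH", 0x45, 0, 40 + len(p), 0, 0, 64, 6, 0)
            tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x18, 8192, 0, 0)
            frame = b"\x00" * 12 + b"\x08\x00" + ip + ip_pair + tcp + p
            fh.write(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
```

Matching is per packet, as it is with ngrep, so a number split across two TCP segments is missed; treat a clean result as a sanity check rather than proof.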

Handle the job at hand, then backtrack and learn...


I was given a really nice laptop at work as a scan/test box, so I loaded it up with Fedora 15 and Windows 7. I'll take this one to SANS with me in a couple of weeks. I realized as I started adding tools that it had been a really long time since I had updated the list of tools that comprise my toolbox. So I just added a few basics while I gave it some thought. I do very little vuln assessment and no pen testing, so the majority of any tools I install would be analysis related, with the exception of some to generate packets or do a quick port scan. Here's what I've put on so far...


And to be installed...


Now to find that old list and update it with the new stuff I've found lately..

