I'd posted a few sites where you could download packet captures to study network traffic and practice your analysis skills, especially if you're new to network security or if investigating alerts is only one of many things that you do (that's more common, especially in smaller shops, than you may realize). One of the security listservs I subscribe to had someone post a question on where to find packet captures, and the aggregate experience on that list came up with a nice list of additional sites.
Back in March, I posted the packet repositories found on pcapr.net, the HoneyNet Challenges and the Inter-Service Academy Cyber Warfare Competition (http://jeffsoh.blogspot.com/2011/03/practice-makes-perfect.html). Add to that list these sites from that post:
1. https://www.openpacket.org/
2. https://www.evilfingers.com/
3. http://packetlife.net/captures/
4. http://forensicscontest.com/ (Excellent place to practice, as this is a scenario you must solve, like the Honeynet challenges.)
5. http://chrissanders.org/packet-captures/
A list of pcap sites can be found here
It can be tough after working all day to then sit at home and look at MORE packets, but the more you work with captures, the more familiar you'll become with both the data and the tools, and the better the methods you'll learn for working through huge amounts of data to find that one packet that confirms or denies your investigation's theory.
If you're a programmer as well, you'll soon write up all sorts of nifty scripts to automate things. If you're not, others have written tons of them, and reinventing the wheel isn't really necessary anyway. Enjoy.
Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.
Tuesday, September 20, 2011
Monday, September 19, 2011
Packet Analysis Tools
I'm often asked if doing intrusion analysis requires a lot of high-cost tools (actually I don't recall anyone ever asking that of me, but it sounded good as a lead-in to this topic). The answer, if someone SHOULD ask me that, is no, it doesn't have to.
After identifying alerts of interest, my current tool kit for analysis includes the following:
- Snorby: Open source front end to Snort databases. I just recently started using this instead of BASE.
- IDABench: Packet auditing system written by George Bakos, based on Shadow. (Hasn't been actively supported since 2003, but still works fine. Going to look at OpenFPC as a possible replacement.)
- ngrep: The ever popular packet grepper from Jordan Ritter.
- Wireshark: The best free protocol analyzer available.
- xtractr: Packet indexer from Mu Dynamics.
- Netwitness Investigator: Packet indexer/search tool from NetWitness Corporation.
- p0f, tcpdump, dsniff, chaosreader, and various other command-line tools.
All of those tools are freely available, and most of them are open source. Of course, we use multiple commercial IDS systems, a SIEM and a commercial log analyzer, but all the tools I use to do actual analysis are free.
Does that answer the question you didn't ask? Good!
Friday, September 2, 2011
chaosreader
I've been tailoring most of my posts towards "if you're new to network security", and lately I've been seeing a good amount of discussion on Twitter about how we need to increase mentoring in our industry and share info more effectively. That said, I'm going to use this blog primarily to try and share info with those who are new to security full time (realizing that doesn't mean new to the IT industry a lot of the time).
Here's another tool that might be helpful. It's old, but still very useful.
chaosreader:
What it is: chaosreader.pl is a Perl script, written by Brendan Gregg, that takes a libpcap packet capture and indexes all of the connections and extracts a fair amount of the data and organizes it all into a nice web site. You take all the output and load it up in a Web browser (you could do that locally if you're running X on the box you ran it from, or share it via a web server, or tar it up and move to a web server you own.) I personally find it easy to just copy everything to /var/www or /var/www/html, depending on what you're running, since I don't serve web pages out of the default location anyway.
You have lots of options, but the basic ones you need to know tell chaosreader what kind of files to create:
chaosreader infile # Create application session files, indexes
chaosreader -v infile # Verbose - Create ALL files
chaosreader -i infile # Create info files
chaosreader -r infile # Create raw files
Verbose will create all file types chaosreader knows about; -i creates just the info files and -r just the raw files. Raw files are the data transferred in a TCP or UDP session, and info files are descriptor files listing the source, destination and so on for each connection. chaosreader also generates a GET/POST report, an image report, and an HTTP proxy report.
Rather than me screenshot chaosreader, the author has created a live sampling here or here that you can browse and get an idea of what the tool does.
How to use it: Download the latest version and put it in a separate directory (it creates a lot of files; you REALLY don't want to run it in the root of your home dir). You can run it live on an interface, or, as I do, run it against a pcap file. Use the switches shown above to determine how verbose you want it to be. Keep in mind that the output is rebuilt from whatever was on the wire, including any pages and images an attacker sent, so browse it on your analysis box rather than publishing it on a web server that others can reach.
For example, if you want to see it all and have a pcap called web.pcap, you would run:
perl chaosreader.pl -v web.pcap
With the latest version, you'll see a list of connections scroll by as chaosreader reads in the packets and processes them. After it's done, you'll have an assortment of .html, .info, .raw, .raw1 and .raw2 files, as well as others such as JPEGs and GIFs.
It's a very useful tool, but one caution. Very large captures can take a really long time to process, and if your box is running with minimal memory, it might run out before the process finishes. A strong processor and lots of RAM make a good chaosreader box.
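To show what the connection indexing step of a tool like chaosreader actually does, here is an added example in Python; it is not chaosreader's code (which is Perl) and is not from this blog. It reads a libpcap file, groups IPv4 TCP/UDP packets into sessions, works out which side is the client from the SYN, and prints a one-line-per-session index. The capture it runs on is constructed inline (addresses, ports and payloads are made up), and it appends payload in capture order, so unlike chaosreader it does not reassemble by sequence number or cope with retransmissions.

```python
import socket
import struct

LINKTYPE_ETHERNET = 1
# libpcap magic (first four bytes) fixes byte order and timestamp resolution.
MAGICS = {b"\xd4\xc3\xb2\xa1": ("<", 1e6), b"\xa1\xb2\xc3\xd4": (">", 1e6),  # microseconds
          b"\x4d\x3c\xb2\xa1": ("<", 1e9), b"\xa1\xb2\x3c\x4d": (">", 1e9)}  # nanoseconds


def iter_packets(data):
    """Yield (timestamp_seconds, frame) for every record of an Ethernet libpcap file."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a libpcap file")
    order, res = MAGICS[data[:4]]
    if struct.unpack(order + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures (linktype 1) are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break  # capture cut off mid-record: keep the complete records, don't crash
        off += 16 + incl_len
        yield sec + frac / res, frame


def parse_frame(frame):
    """(proto, src, sport, dst, dport, tcp_flags, payload) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None  # not IPv4 over Ethernet (ARP, IPv6, ...)
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:total_len]  # trust the IP length so Ethernet padding is not taken as payload
    if ip[9] == 6 and len(l4) >= 20:  # TCP: data offset in byte 12, flags in byte 13
        sport, dport = struct.unpack("!HH", l4[:4])
        return "tcp", src, sport, dst, dport, l4[13], l4[(l4[12] >> 4) * 4:]
    if ip[9] == 17 and len(l4) >= 8:  # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        return "udp", src, sport, dst, dport, 0, l4[8:]
    return None


def index_connections(data):
    """Group packets into sessions keyed (proto, client, cport, server, sport). A SYN names
    the client and a SYN/ACK the server; with neither (capture started mid-stream) the first
    sender is assumed to be the client and the session is flagged as a guess."""
    sessions = {}
    for ts, frame in iter_packets(data):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        proto, src, sport, dst, dport, flags, payload = parsed
        fwd, rev = (proto, src, sport, dst, dport), (proto, dst, dport, src, sport)
        if fwd in sessions:
            key, direction = fwd, "client"
        elif rev in sessions:
            key, direction = rev, "server"
        else:
            syn, ack = bool(flags & 0x02), bool(flags & 0x10)
            key, direction = (rev, "server") if syn and ack else (fwd, "client")
            sessions[key] = {"first": ts, "last": ts, "packets": 0, "roles_known": syn,
                             "client": bytearray(), "server": bytearray()}
        s = sessions[key]
        s["last"], s["packets"] = ts, s["packets"] + 1
        s[direction] += payload  # arrival order only; no sequence-number reassembly
    return sessions


def session_index(sessions):
    """Render a chaosreader-style text index, one line per session, in time order."""
    lines = []
    for (proto, c, cp, s, sp), i in sorted(sessions.items(), key=lambda kv: kv[1]["first"]):
        note = "" if i["roles_known"] or proto == "udp" else "  (no SYN seen: roles guessed)"
        lines.append(f"{i['first']:.6f} {proto} {c}:{cp} -> {s}:{sp}  {i['packets']} pkts  "
                     f"{len(i['client'])}/{len(i['server'])} bytes{note}")
    return "\n".join(lines)


def _frame(src, sport, dst, dport, proto, payload, flags=0x18):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame for the sample capture (checksums left 0)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed capture (not real traffic): an HTTP exchange with its handshake, a UDP
    query/reply, and an SSH session whose SYN was never captured."""
    frames = [
        (1.000, _frame("10.0.0.5", 40000, "192.0.2.10", 80, 6, b"", 0x02)),  # SYN
        (1.001, _frame("192.0.2.10", 80, "10.0.0.5", 40000, 6, b"", 0x12)),  # SYN/ACK
        (1.003, _frame("10.0.0.5", 40000, "192.0.2.10", 80, 6, b"GET / HTTP/1.0\r\n\r\n")),
        (1.050, _frame("192.0.2.10", 80, "10.0.0.5", 40000, 6, b"HTTP/1.0 200 OK\r\n\r\nhi")),
        (2.000, _frame("10.0.0.5", 53001, "10.0.0.1", 53, 17, b"\x12\x34\x01\x00" + b"\x00" * 8)),
        (2.010, _frame("10.0.0.1", 53, "10.0.0.5", 53001, 17, b"\x12\x34\x81\x80" + b"\x00" * 20)),
        (3.000, _frame("192.0.2.20", 22, "10.0.0.5", 41000, 6, b"SSH-2.0-OpenSSH\r\n")),  # mid-stream
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        out += struct.pack("<IIII", int(ts), round((ts - int(ts)) * 1e6), len(frame), len(frame)) + frame
    return out
```

Running `print(session_index(index_connections(build_sample_pcap())))` lists the three sessions with byte counts per direction and flags the SSH session as a guess, which is the check you want before trusting a "client -> server" label on a capture that started in the middle of a conversation. Point `index_connections` at `open("web.pcap", "rb").read()` for a real file; it stops cleanly at a truncated final record, the usual state of a capture that was killed mid-write.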