Sunday, June 13, 2010

Quick Log Analysis

"Things you really don't want to see during a serious  log audit"


Sometimes all that is available is a .log file. Can you imagine one that is 4 GB, and you have to find specific details in it fast?

I enjoyed www.loganalysis.org. They have logging infrastructure details, data analysis tools for
programming syslog, syslog replacements (UNIX), log parsers (application-specific and generic) and regular expressions for tracing.
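The single-pass approach that makes a multi-gigabyte log tractable, as an added example (not code from the post or from loganalysis.org): stream the file line by line, match each line against a compiled syslog regex, and keep only the counters you need in memory. The log lines below are constructed, the RFC 3164-style line layout and the sshd "Failed password" message format are assumptions, and the hunt target (failed SSH logins per source IP and user) is just one illustration.

```python
import re
from collections import Counter

# Classic BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message" (RFC 3164 style; assumed layout).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# The detail we are hunting for: sshd password failures and where they came from.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not look like syslog."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def scan_lines(lines):
    """One pass, constant memory: count sshd failures per source IP and per user.

    Unparseable lines are counted rather than dropped silently, because a spike in
    them usually means the log format changed or something is injecting junk.
    """
    by_ip, by_user, unparsed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["prog"] != "sshd":
            continue
        m = FAILED_RE.search(rec["msg"])
        if m:
            by_ip[m["ip"]] += 1
            by_user[m["user"]] += 1
    return {"by_ip": by_ip, "by_user": by_user, "unparsed": unparsed}


def scan_file(path):
    """Iterating the open file object streams it, so a 4 GB log never sits in memory at once."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


# Constructed sample log (not real data); the addresses are documentation ranges.
SAMPLE_LOG = """\
Jun 13 03:12:01 bastion sshd[4123]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 13 03:12:04 bastion sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jun 13 03:12:09 bastion sshd[4130]: Accepted publickey for ops from 192.0.2.10 port 40112 ssh2
Jun 13 03:12:15 bastion sshd[4131]: Failed password for root from 198.51.100.23 port 60001 ssh2
Jun 13 03:12:16 bastion cron[4140]: (root) CMD (run-parts /etc/cron.hourly)
this line is not syslog at all
"""

if __name__ == "__main__":
    result = scan_lines(SAMPLE_LOG.splitlines())
    for ip, n in result["by_ip"].most_common():
        print(f"{n:4d} failures from {ip}")
    print(f"{result['unparsed']} unparseable line(s)")
```

For a real 4 GB file call `scan_file(path)`; memory stays flat because only the counters grow, and the regex work per line is what dominates, so anchor the expression (`^`) and test the cheap `prog` field before running the expensive message regex.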

Have fun!



 hmm .. 

Saturday, April 10, 2010

Network Bug: Portable Executable Identification

Spot the bug quickly.

Network PEid - spot the bug (a Portable Executable) in the network stream: http://www.malforge.com/npeid/npeid.zip

PEiD - extract the details about the bug's packaging (packer, compiler) and more: http://www.peid.info/ and http://upx.sourceforge.net/

Throw in a bit of cryptography: an MD5 (Message-Digest algorithm 5) hash of the carved file gives you a lookup key for the sample. Keep in mind that MD5 is no longer collision resistant, so treat a hash match as identification of a known sample, not as proof that two files are the same.

Now, if only this were all automated.
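A first cut at that automation, as an added example (this is not Network PEid's or PEiD's code): walk a reassembled stream for "MZ" candidates, validate the PE signature and COFF header, read the section table to find where the on-disk image ends, hash it with MD5, and flag the UPX section names as a packer hint. The PE blobs used for input are constructed by `build_sample_pe` and are not real executables; the UPX0/UPX1 section-name heuristic is only a hint (PEiD matches byte signatures at the entry point, which this does not do), and the cap on e_lfanew is an assumed sanity limit.

```python
import hashlib
import struct

MZ, PE_SIG = b"MZ", b"PE\0\0"
COFF_HEADER_LEN, SECTION_HEADER_LEN = 20, 40
MACHINE = {0x14C: "i386", 0x8664: "amd64", 0x1C0: "arm", 0xAA64: "arm64"}


def parse_pe_at(buf, off):
    """Validate an 'MZ' candidate at buf[off] and return the triage fields, or None if it is junk."""
    if off + 0x40 > len(buf) or buf[off:off + 2] != MZ:
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    # Assumed sanity cap: a real e_lfanew sits near the start of the file.
    if e_lfanew > 0x1000 or pe + 4 + COFF_HEADER_LEN > len(buf) or buf[pe:pe + 4] != PE_SIG:
        return None
    machine, nsec, _ts, _symptr, _nsyms, opt_len, _chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    if not 0 < nsec <= 96:
        return None
    sec_tbl = pe + 4 + COFF_HEADER_LEN + opt_len
    if sec_tbl + nsec * SECTION_HEADER_LEN > len(buf):
        return None
    names, end_rel = [], (sec_tbl - off) + nsec * SECTION_HEADER_LEN
    for i in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", buf, sec_tbl + i * SECTION_HEADER_LEN)
        names.append(name.rstrip(b"\0"))
        # The on-disk image ends where the last raw section ends (overlay data is not counted).
        end_rel = max(end_rel, raw_ptr + raw_size)
    truncated = off + end_rel > len(buf)   # the capture stopped mid-transfer
    rec = {
        "offset": off,
        "machine": MACHINE.get(machine, hex(machine)),
        "sections": names,
        "size": end_rel,
        "truncated": truncated,
        "packer_hint": "UPX" if any(n.startswith(b"UPX") for n in names) else None,
        "md5": None,
    }
    if not truncated:
        rec["md5"] = hashlib.md5(buf[off:off + end_rel]).hexdigest()
    return rec


def carve_pe(stream):
    """Return every PE image found in a reassembled byte stream, in order."""
    found, pos = [], 0
    while True:
        pos = stream.find(MZ, pos)
        if pos < 0:
            return found
        rec = parse_pe_at(stream, pos)
        if rec is None:
            pos += 1
            continue
        found.append(rec)
        pos += max(rec["size"], 2)


def build_sample_pe(section_names, machine=0x14C):
    """Constructed test input: a minimal PE-shaped blob with the given sections (not runnable code)."""
    e_lfanew = 0x40
    dos = MZ + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, 0, 0)
    headers_len = e_lfanew + 4 + COFF_HEADER_LEN + SECTION_HEADER_LEN * len(section_names)
    sections, payload = b"", b""
    for i, name in enumerate(section_names):
        data = bytes([i]) * 16
        sections += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000 * (i + 1), len(data),
                                headers_len + len(payload), 0, 0, 0, 0, 0x60000020)
        payload += data
    return dos + PE_SIG + coff + sections + payload


if __name__ == "__main__":
    stream = (b"GET /a HTTP/1.1\r\n\r\n" + build_sample_pe([b".text", b".data"])
              + b"junk MZ garbage" + build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], machine=0x8664))
    for hit in carve_pe(stream):
        print(hit)
```

The stray "MZ" in the junk between the two files is rejected because nothing at its e_lfanew offset carries the PE signature; a file cut off by the capture is reported with `truncated` set and no hash, rather than a hash of a partial image that would never match a database.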

Have fun! 



Sunday, March 28, 2010

Network Forensics: Decoding Proficiency



These are the books that spark my interest in Network Forensics:

Slightly new release: "Cisco Router and Switch Forensics: Investigating and Analyzing Malicious Network Activity"
by Dale Liu
ISBN-13: 9781597494182

Current new release: "Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide"
by Laura Chappell
ISBN 978-1-893939-99-8
Excellent supplemental videos and capture files: http://www.wiresharkbook.com/coffee.html

Future new release: "Digital Forensics for Network, Internet, and Cloud Computing: A Forensic Evidence Guide for Moving Targets and Data"
by Clint P. Garrison
This item will be available on May 01, 2010.
ISBN-13: 9781597495370

Enjoy!




Saturday, March 20, 2010

RFC Security Consideration (Humor for serious network administrators)

A good part of learning TCP/IP and other Internet protocols is reading the RFC (Request for Comments) documents published by the IETF (Internet Engineering Task Force). I did stumble upon some "epic" RFC network reading material.

RFC 3514 - The Security Flag in the IPv4 Header

"Firewalls [CBR03], packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 [RFC791] header. Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1."

- via http://tools.ietf.org/html/rfc3514

Also:

RFC 1606 - A Historical Perspective On The Usage Of IP Version 9


"The up to 42 deep hierarchy of routing levels built into IPv9 must have been one of the key features for its wide deployment. The ability to assign a whole network, or group of networks to an electronic component must be seen as one of the reasons for its takeup. The use of the Compact Disk Hologram units is typical of the usage. They typically have a level 37 network number assigned to each logical part, and a level 36 network number assigned to the whole device. This allows the CDH management protocol to control the unit as a whole, and the high-street vendor to do remote diagnostics on discreet elements of the device."

- via http://tools.ietf.org/html/rfc1606


With piqued interest I read the following:

RFC 2795 - The Infinite Monkey Protocol Suite (IMPS)
http://www.ietf.org/rfc/rfc2795.txt

RFC 2324 - Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0)
http://tools.ietf.org/html/rfc2324

RFC 1149 - A Standard for the Transmission of IP Datagrams on Avian Carriers
http://www.ietf.org/rfc/rfc1149.txt

RFC 1925 - The Twelve Networking Truths
http://www.ietf.org/rfc/rfc1925.txt

Also, FX of Phenoelit has an RFC for "JRP": http://roothausen.de//puted/2007/01/jrp.txt

*Disclaimer: I do not support the use or transport of this protocol.

Why  did these protocols make it into the RFC database?

I checked out http://en.wikipedia.org/wiki/April_1_RFC#Other_humorous_RFCs for the answer to that question.

Have FUN!

-nix

Thursday, March 11, 2010

The real reason for "The first wireless network"

Special thanks to Norman Abramson, who pioneered the Alohanet wireless networking system developed at the University of Hawaii. It was deployed in 1971 across four islands using seven computers.

Here is a link to an online presentation.

http://www.authorstream.com/Presentation/bkd123456-177060-aloha-net-1st-wireless-wirless-wifi-first-computer-network-history-networking-networks-science-technology-ppt-powerpoint/

Enjoy!


Thursday, March 4, 2010

Wired Attack Tool Digital Trace Basics


Carving digital attack tool traces out of packets can be fun. The network packet matrix is all around us; we just have to want to see it. Here are a few of my notes:

Attack Tool Digital Signatures

Cain & Abel
Cain & Abel uses only ARP packets to find other live hosts on the LAN.

Metasploit
Extensive SMB protocol scanning on the network.

Retina - "anonymous" user logging in with the password "retina@example.org".

Nessus - packets contain the string "nessus".

Nmap - FIN probes, bogus TCP flag probes (flag bits that RFC 793 left reserved, later assigned to ECN by RFC 3168, so an ECN-capable stack can legitimately set them on a SYN), and ICMP echo requests with a non-zero code field (the code should be zero).

Ettercap - 0xe77e in the IP identification field. (The 4-bit IP version field cannot hold a 16-bit value; the 16-bit identification field is where this marker lives.)
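The checks above, together with the RFC 3514 "evil" bit from the March 20 post (the reserved IPv4 flag bit that RFC 791 says must be zero, so a packet with it set is genuinely anomalous even without the joke), run over constructed packets as an added example. This is not code from any of the tools named; the packets are hand-built by the `build_*` helpers with zeroed checksums, the match labels are made up here, and the ettercap marker is assumed to sit in the IP identification field as corrected above.

```python
import struct

# IPv4 flags word (RFC 791): bit 15 reserved ("evil" bit per RFC 3514), bit 14 DF, bit 13 MF.
IP_RESERVED, IP_DF, IP_MF = 0x8000, 0x4000, 0x2000
# TCP flag byte (RFC 793); 0xC0 are the bits RFC 793 reserved and RFC 3168 later gave to ECN.
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10
TCP_RFC793_RESERVED = 0xC0
ETTERCAP_MAGIC = 0xE77E   # assumption: carried in the IP identification field
PROTO_ICMP, PROTO_TCP = 1, 6


def parse_ipv4(pkt):
    """Pull the IPv4 header fields we need; raises ValueError on anything that is not IPv4."""
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", pkt)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0xF) * 4
    if ihl < 20:
        raise ValueError("bad IHL")
    return {"id": ident, "flags": flags_frag & 0xE000, "ttl": ttl, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": pkt[ihl:max(total_len, ihl)]}


def inspect_packet(pkt):
    """Return the list of attack-tool traces found in one packet (empty list = nothing noted)."""
    ip = parse_ipv4(pkt)
    hits = []
    if ip["flags"] & IP_RESERVED:
        hits.append("ip-reserved-bit-set")          # RFC 791 says this bit must be zero
    if ip["id"] == ETTERCAP_MAGIC:
        hits.append("ettercap-ip-id-0xe77e")
    body = ip["payload"]
    if ip["proto"] == PROTO_ICMP and len(body) >= 8:
        icmp_type, icmp_code = body[0], body[1]
        if icmp_type == 8 and icmp_code != 0:
            hits.append("nmap-icmp-echo-nonzero-code")
    elif ip["proto"] == PROTO_TCP and len(body) >= 20:
        tcp_flags = body[13]
        if tcp_flags == TCP_FIN:
            hits.append("nmap-fin-probe")             # FIN alone, no ACK, is never a real session
        if tcp_flags & TCP_RFC793_RESERVED:
            hits.append("tcp-reserved-flag-bits")     # only a hint: ECN-capable stacks use these too
    if b"nessus" in body.lower():
        hits.append("nessus-string")
    return hits


def triage(packets):
    """Map packet index -> hits for every packet that tripped at least one check."""
    return {i: h for i, p in enumerate(packets) if (h := inspect_packet(p))}


# Constructed packet builders (checksums left at zero; fine for header inspection).
def build_ipv4(src, dst, proto, payload, ident=0x1234, flags=IP_DF):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags, 64,
                      proto, 0, bytes(src), bytes(dst))
    return hdr + payload


def build_tcp(sport, dport, flags, data=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0) + data


def build_icmp_echo(code=0):
    return struct.pack("!BBHHH", 8, code, 0, 1, 1)


if __name__ == "__main__":
    a, b = (10, 0, 0, 1), (10, 0, 0, 2)
    sample = [
        build_ipv4(a, b, PROTO_TCP, build_tcp(40000, 80, TCP_SYN)),                       # ordinary SYN
        build_ipv4(a, b, PROTO_TCP, build_tcp(40000, 80, TCP_FIN)),                       # nmap -sF
        build_ipv4(a, b, PROTO_ICMP, build_icmp_echo(code=9)),                            # nmap IE probe
        build_ipv4(a, b, PROTO_TCP, build_tcp(40000, 80, TCP_SYN), ident=ETTERCAP_MAGIC),  # ettercap
        build_ipv4(a, b, PROTO_TCP, build_tcp(40000, 80, TCP_PSH | TCP_ACK, b"User-Agent: Nessus")),
        build_ipv4(a, b, PROTO_TCP, build_tcp(40000, 80, TCP_SYN), flags=IP_RESERVED | IP_DF),
    ]
    for idx, found in triage(sample).items():
        print(idx, found)
```

Each check is a single header comparison, which is exactly why these traces are cheap to hunt for in a capture but also trivial for an attacker to change; treat them as indicators of a default configuration, not as proof of which tool was used.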

A good reference list:

Juniper ATTACK OBJECTS (IDP attack detection signature set):

https://services.netscreen.com/restricted/sigupdates/nsm-updates/HTML/index.html