Sunday, June 13, 2010

Quick Log Analysis

"Things you really don't want to see during a serious log audit"


Sometimes all that is available is a .log file. Can you imagine one that is 4GB, and you have to find out specific details fast?

I enjoyed www.loganalysis.org. They have logging infrastructure details, data analysis tools for programming syslog, syslog replacements (UNIX), log parsers (application-specific and generic), and regular expressions for tracing.
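Here is what "fast" looks like against a multi-gigabyte file: read it one line at a time with a single compiled regular expression and aggregate as you go, so memory stays flat no matter how big the file is. This is an added example of my own, not anything from loganalysis.org. The syslog-style lines and the sshd "Failed password" pattern are constructed for the demo; point iter_lines at a real path to run it over an actual file.

```python
import re
from collections import Counter

# Constructed syslog-style sample (not taken from any real system)
SAMPLE_LOG = """\
Jun 13 10:01:02 host1 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Jun 13 10:01:09 host1 sshd[2214]: Failed password for root from 198.51.100.7 port 41022 ssh2
Jun 13 10:01:10 host1 sshd[2214]: Failed password for root from 198.51.100.7 port 41022 ssh2
Jun 13 10:02:44 host1 sshd[2230]: Failed password for invalid user admin from 198.51.100.7 port 41100 ssh2
Jun 13 10:03:01 host1 CRON[2240]: (root) CMD (run-parts /etc/cron.hourly)
Jun 13 10:05:17 host1 sshd[2251]: Failed password for bob from 203.0.113.9 port 3302 ssh2
"""

# One compiled pattern, anchored at line start so non-matching lines are rejected quickly
FAILED_LOGIN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def iter_lines(path):
    """Stream a log file line by line; memory use stays flat regardless of file size."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            yield line

def summarize_failed_logins(lines):
    """Aggregate failed SSH logins from any iterable of lines (a file, a list, a pipe)."""
    by_ip, by_user, span = Counter(), Counter(), {}
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue
        ip, user, ts = m["ip"], m["user"], m["ts"]
        by_ip[ip] += 1
        by_user[user] += 1
        first, _ = span.get(ip, (ts, ts))
        span[ip] = (first, ts)          # first and most recent attempt per source
    return {"by_ip": by_ip, "by_user": by_user, "span": span}

if __name__ == "__main__":
    import sys
    source = iter_lines(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    report = summarize_failed_logins(source)
    for ip, n in report["by_ip"].most_common(10):
        first, last = report["span"][ip]
        print(f"{ip:16} {n:5} attempts  {first} .. {last}")
```

The regex is the only thing you change for a different question; everything else (streaming, counting, first/last seen) stays the same, which is the point when the file is 4GB and you have one shot at it.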

Have fun!



 hmm .. 

Saturday, April 10, 2010

Network Bug: Portable Executable Identification

Spot the bug quickly.

Network PEid - see the bugs in the network stream http://www.malforge.com/npeid/npeid.zip

PEid - extract the details about the bug's packaging (packer) and more http://www.peid.info/ and http://upx.sourceforge.net/

Throw in a bit of cryptography: MD5 (Message-Digest algorithm 5) in everyday application use, hashing the carved samples.

Now, if only this was all automated.
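A small piece of that automation, as an added example of my own (not code from Network PEid, PEid or UPX): walk a captured byte stream, validate every "MZ" against its e_lfanew pointer and the "PE\0\0" signature, read the machine type, optional-header magic and section names, carve the image out to its last raw section and MD5 it. The UPX0/UPX1 section names are the ones the UPX packer writes, so they serve as a cheap packer hint; it is a heuristic, not a replacement for PEid's signature database. The HTTP wrapper and the minimal PE image are constructed inline and are not a real executable.

```python
import hashlib
import struct

IMAGE_FILE_MACHINE = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def parse_pe(blob, mz_off):
    """Validate an MZ header at mz_off and describe the image, or return None."""
    if blob[mz_off:mz_off + 2] != b"MZ" or len(blob) < mz_off + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, mz_off + 0x3C)[0]
    pe_off = mz_off + e_lfanew
    if pe_off + 24 > len(blob) or blob[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrToSymbols,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe_off + 4)
    opt_off = pe_off + 24
    sec_off = opt_off + opt_size
    if sec_off + nsec * 40 > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt_off)[0] if opt_size >= 2 else 0
    sections, end = [], sec_off + nsec * 40
    for i in range(nsec):
        # first 24 bytes of IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, sec_off + i * 40)
        sections.append(name.rstrip(b"\0").decode("ascii", "replace"))
        end = max(end, raw_ptr + raw_size)       # image ends after the last raw section
    if mz_off + end > len(blob):
        return None                              # truncated in the stream; cannot carve it whole
    image = blob[mz_off:mz_off + end]
    return {
        "machine": IMAGE_FILE_MACHINE.get(machine, hex(machine)),
        "format": OPTIONAL_MAGIC.get(magic, "unknown"),
        "sections": sections,
        "packer_hint": "UPX" if any(s.startswith("UPX") for s in sections) else None,
        "size": len(image),
        "md5": md5_hex(image),
    }

def find_pe_images(blob):
    """Return [(offset, info)] for every valid PE image embedded in a byte stream."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        info = parse_pe(blob, pos)
        if info:
            found.append((pos, info))
        pos = blob.find(b"MZ", pos + 1)
    return found

def build_sample_pe():
    """Constructed minimal PE32 image with UPX-style section names (not a real executable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * (0x60 - 2)                   # PE32 magic, rest zeroed
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, len(opt), 0x0102)
    sec0 = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x1000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    sec1 = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x2000, 0x10, 0x200, 0, 0, 0, 0, 0xE0000040)
    headers = dos + b"PE\0\0" + file_hdr + opt + sec0 + sec1
    return headers.ljust(0x200, b"\0") + b"\xCC" * 0x10                  # UPX1 raw data at 0x200

SAMPLE_PE = build_sample_pe()
# Constructed HTTP response carrying the image; the "MZ" in the header is a decoy that must not match
STREAM = (b"HTTP/1.1 200 OK\r\nX-Note: MZ here is only text\r\nContent-Length: 528\r\n\r\n"
          + SAMPLE_PE + b"\r\n--trailer--")

if __name__ == "__main__":
    for off, info in find_pe_images(STREAM):
        print(f"PE at stream offset {off}: {info}")
```

The carve boundary comes from the section table rather than from Content-Length, so the same routine works on a raw TCP stream where no length header exists; anything whose raw sections run past the captured bytes is reported as truncated instead of hashed, because a hash of a partial file matches nothing.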

Have fun! 



Sunday, March 28, 2010

Network Forensics: Decoding Proficiency



These are the books that spark my interest in Network Forensics:

Slightly New Release: "Cisco Router and Switch Forensics: Investigating and Analyzing Malicious Network Activity"
by Dale Liu
ISBN-13: 9781597494182

Current New Release: "Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide"
by Laura Chappell
ISBN 978-1-893939-99-8
Excellent supplemental videos and capture files: http://www.wiresharkbook.com/coffee.html

Future New Release: "Digital Forensics for Network, Internet, and Cloud Computing: A Forensic Evidence Guide for Moving Targets and Data"
by Clint P. Garrison
This item will be available on May 01, 2010.
ISBN-13: 9781597495370

Enjoy!




Saturday, March 20, 2010

RFC Security Consideration (Humor for serious network administrators)

A good part of learning TCP/IP and other Internet protocols is reading the RFC (Request for Comments) documents provided by the IETF (Internet Engineering Task Force). I did stumble upon some "Epic" RFC network reading material.

RFC 3514 - The Security Flag in the IPv4 Header

"Firewalls [CBR03], packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 [RFC791] header. Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1."

 - via http://tools.ietf.org/html/rfc3514

Also:

RFC 1606 - A Historical Perspective On The Usage Of IP Version 9


"The up to 42 deep hierarchy of routing levels built into IPv9 must have been one of the key features for its wide deployment. The ability to assign a whole network, or group of networks to an electronic component must be seen as one of the reasons for its takeup. The use of the Compact Disk Hologram units is typical of the usage. They typically have a level 37 network number assigned to each logical part, and a level 36 network number assigned to the whole device. This allows the CDH management protocol to control the unit as a whole, and the high-street vendor to do remote diagnostics on discreet elements of the device." - via http://tools.ietf.org/html/rfc1606


With piqued interest I read the following:

RFC 2795 - The Infinite Monkey Protocol Suite (IMPS)
http://www.ietf.org/rfc/rfc2795.txt

RFC 2324 - Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0)
http://tools.ietf.org/html/rfc2324

RFC 1149 - A Standard for the Transmission of IP Datagrams on Avian Carriers
http://www.ietf.org/rfc/rfc1149.txt

RFC 1925 - The Twelve Networking Truths
http://www.ietf.org/rfc/rfc1925.txt

Also, FX of Phenoelit has an RFC for "JRP": http://roothausen.de//puted/2007/01/jrp.txt

*Disclaimer (I do not support use or transport of this protocol.)

Why did these protocols make it into the RFC database?

I checked out http://en.wikipedia.org/wiki/April_1_RFC#Other_humorous_RFCs for the answer to that question.

Have FUN!

-nix

Thursday, March 11, 2010

The real reason for "The first wireless network"

Special thanks to Norman Abramson, who pioneered the ALOHAnet wireless networking system developed at the University of Hawaii. It was deployed in 1971 over four islands using seven computers.

Here is a link to an online presentation.

http://www.authorstream.com/Presentation/bkd123456-177060-aloha-net-1st-wireless-wirless-wifi-first-computer-network-history-networking-networks-science-technology-ppt-powerpoint/

Enjoy!


Thursday, March 4, 2010

Wired Attack Tool Digital Trace Basics


Carving digital attack tool traces out of packets can be fun. The network packet matrix is all around us; we just have to want to see it. Here are a few of my notes:

Attack Tool Digital Signatures

Cain & Abel - uses only ARP packets to find other live hosts on the LAN.

Metasploit - extensive SMB protocol scanning on the network.

Retina - the "anonymous" user logging in with the password "retina@example.org".

Nessus - contains the string "nessus".

Nmap - FIN probes, BOGUS flag probes in ICMP code field.

Ettercap - 0xe77e in IP version field.

A good reference list:

ATTACK OBJECTS by Juniper - the IDP attack detection set.

https://services.netscreen.com/restricted/sigupdates/nsm-updates/HTML/index.html 


The First Internet Router




Wonderful explanation and salvage of an original Internet router.

Enjoy the video!

Sunday, February 28, 2010

Network Attack Signature List

Intruder Alert!

How did I learn the basics about network attack signatures?

Using the Cisco IOS Firewall IDS Signature List.


59 basic attack signatures.
The signatures are categorized into four types:

(Info, Atomic) - Information-gathering actions such as port scans.
Example:
2005 ICMP Time Exceeded for a Datagram (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 11.

(Info, Compound) - Attacks attempted into the guarded network.
Example:
3151 FTP SYST Command Attempt (Info, Compound)
Triggers when someone tries to execute the FTP SYST command.

(Attack, Atomic) - Simple intrusion patterns.
Example:
1101 Unknown IP Protocol (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field set to 101 or greater. These protocol types are undefined or reserved and should not be used.

(Attack, Compound) - Intricate patterns or series of operations spread across many hosts over a specific period.
Example:
3050 Half-open SYN Attack/SYN Flood (Attack, Compound)
Triggers when multiple TCP sessions have been improperly initiated.

Very good article at http://ciscoarticles.com/CCSP-Cisco-Certified-Security-Professional/CIDS-Log-Files.html
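To make the atomic/compound distinction concrete, here is an added example of my own (not Cisco's IDS code, and not from Juniper's attack-object set) that runs the two Cisco signatures quoted above (1101 unknown IP protocol, 2005 ICMP time exceeded) and a 3050-style half-open SYN count over raw packets, together with three of the tool traces from my "Wired Attack Tool Digital Trace Basics" notes: Nmap-style FIN probes, bogus (reserved) TCP flag bits, and the Nessus/Retina payload strings. The IPv4/TCP parsing is a minimal hand-rolled one, the SYN threshold of 5 is an arbitrary demo value, and every packet is constructed inline with checksums left at zero.

```python
import struct
from collections import Counter

# IANA protocol numbers and TCP flag bits used by the rules
PROTO_ICMP, PROTO_TCP = 1, 6
ICMP_TIME_EXCEEDED = 11
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
TCP_RESERVED_MASK = 0x0E00          # reserved bits above NS; must be zero per RFC 793

# Payload strings from the attack-tool notes (searched case-insensitively)
PAYLOAD_MARKERS = {
    b"nessus": "Nessus scanner string in payload",
    b"retina@example.org": "Retina anonymous-login password in payload",
}

def parse_ipv4(pkt):
    """Return (protocol, source, payload) from a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    return pkt[9], src, pkt[ihl:total_len]

def tcp_fields(segment):
    """Return (flags word, data) from a raw TCP segment, or None if too short."""
    if len(segment) < 20:
        return None
    off_flags = struct.unpack("!H", segment[12:14])[0]
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or len(segment) < data_off:
        return None
    return off_flags & 0x0FFF, segment[data_off:]

def classify_packet(pkt):
    """Atomic checks on a single packet; returns a list of alert strings (empty = clean)."""
    ip = parse_ipv4(pkt)
    if ip is None:
        return ["malformed or non-IPv4 packet"]
    proto, _, payload = ip
    alerts = []
    if proto >= 101:                                                        # Cisco sig 1101
        alerts.append("1101 Unknown IP Protocol")
    if proto == PROTO_ICMP and payload and payload[0] == ICMP_TIME_EXCEEDED:  # Cisco sig 2005
        alerts.append("2005 ICMP Time Exceeded for a Datagram")
    if proto == PROTO_TCP and (tcp := tcp_fields(payload)) is not None:
        flags, data = tcp
        if flags & (TCP_FIN | TCP_SYN | TCP_RST | TCP_ACK) == TCP_FIN:      # Nmap-style FIN probe
            alerts.append("FIN probe (no ACK/SYN)")
        if flags & TCP_RESERVED_MASK:                                       # bogus flag bits
            alerts.append("reserved TCP flag bits set")
        for marker, desc in PAYLOAD_MARKERS.items():
            if marker in data.lower():
                alerts.append(desc)
    return alerts

def analyze_stream(packets, syn_threshold=5):
    """Compound check (sig 3050 style): count bare SYNs per source across the whole stream."""
    per_packet = [classify_packet(p) for p in packets]
    bare_syns = Counter()
    for pkt in packets:
        ip = parse_ipv4(pkt)
        if ip and ip[0] == PROTO_TCP:
            tcp = tcp_fields(ip[2])
            if tcp and tcp[0] & (TCP_SYN | TCP_ACK) == TCP_SYN:
                bare_syns[ip[1]] += 1
    floods = {src: n for src, n in bare_syns.items() if n >= syn_threshold}
    return per_packet, floods

# --- constructed test traffic (checksums left zero; the parser does not verify them) ---
def build_ipv4(proto, payload, src=(10, 0, 0, 1), dst=(10, 0, 0, 2)):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(src), bytes(dst))
    return hdr + payload

def build_tcp(flags, data=b"", sport=40000, dport=80):
    hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return hdr + data

SAMPLE = [
    build_ipv4(PROTO_TCP, build_tcp(TCP_FIN)),                            # FIN-only probe
    build_ipv4(PROTO_TCP, build_tcp(TCP_SYN | 0x0800)),                   # SYN with a reserved bit set
    build_ipv4(PROTO_TCP, build_tcp(TCP_ACK, b"USER anonymous\r\nPASS retina@example.org\r\n")),
    build_ipv4(PROTO_ICMP, bytes([ICMP_TIME_EXCEEDED, 0, 0, 0])),         # ICMP type 11
    build_ipv4(150, b"\x00" * 8),                                         # undefined IP protocol 150
    build_ipv4(PROTO_TCP, build_tcp(TCP_SYN | TCP_ACK)),                  # ordinary handshake reply
] + [build_ipv4(PROTO_TCP, build_tcp(TCP_SYN), src=(192, 0, 2, 7)) for _ in range(6)]  # SYN burst

if __name__ == "__main__":
    results, floods = analyze_stream(SAMPLE)
    for i, alerts in enumerate(results):
        print(f"packet {i:2}: {', '.join(alerts) or 'clean'}")
    print("half-open SYN sources:", floods)
```

Note how the six bare SYNs from 192.0.2.7 raise nothing individually (each is a legitimate-looking handshake start) and only the stream-level count trips the compound rule; that is exactly the atomic versus compound split the Cisco list is describing.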

Enjoy!

Wireless Support Call



TechSupport: How can I help?
Caller: My wireless device is broke.
TechSupport: What type of wireless device?
Caller: (Ding... sounds in the background) Hold on, I have to get my lunch out of the microwave.

Wednesday, February 10, 2010

Wireshark Source Code Visualization

Wireshark Source Code History from CACE Technologies on Vimeo.

The video graphically depicts the development history of the Wireshark source code.

The video was created with the aid of Codeswarm, a software visualization tool. Its code is open source and available at http://code.google.com/p/codeswarm.

Have fun!


Thursday, February 4, 2010

Wireshark Forensic Quick Bite



"Play as hard as I work with this mouse."


Nicely done Wireshark quick-reference forensic videos.

http://evilrouters.net/extracting-pdf-from-http-stream.html

http://evilrouters.net/extracting-objects-from-http-streams.html

Enjoy!

Saturday, January 16, 2010

Internet malformed packet museum

Very creative and funny packet museum.

http://lcamtuf.coredump.cx/mobp/

Enjoy!

Wednesday, January 13, 2010

Internet Warriors - Warriors on the Net


Q: What was the first video about networking that held your interest?

A: www.warriorsofthe.net

Great graphics and easy-to-follow dialogue.