This series will cover analyzing the common data types found in cyber security incidents: NetFlow, domain(s) and IP address(es), and PCAP. Each post will follow the same format: Background information, Concepts & Techniques, Tools, and Recommended reading and/or videos.
The information in this post is designed to help people analyze PCAP data. There are many programs that can automate the manipulation and organization of PCAP data for the end user, but I believe it is always a good idea to know how to perform these tasks manually, because every environment will be different. For the purpose of this post we'll be covering the use of the open source PCAP analysis tool Wireshark.
Tools
The tool listed below is free and open source and runs on Linux and Windows:
Background
Having a working understanding of PCAP filters is essential to being able to read PCAP data.
A. Wireshark Filters [1]
1. HTTP header information
   - Description: used to analyze the packet's HTTP header information
   - Syntax:
     - http."option"
   - Commonly used "option(s)":
     - http.user_agent
     - http.response
     - http.connection
2. TCP session information
   - Description: used to analyze the packet's TCP session information
   - Syntax:
     - tcp."option(s)"
   - Commonly used "option(s)":
     - tcp.analysis.flags
     - tcp.flags
     - tcp.srcport
3. SSL connection
   - Description: used to determine whether an SSL connection was established.
   - Syntax:
     - ssl."option(s)"
   - Commonly used "option(s)":
     - ssl.handshake
4. DNS queries
   - Description: used to determine who the system is trying to communicate with and how often.
   - Syntax:
     - dns."option(s)"."option(s)"
   - Commonly used "option(s)":
     - dns.qry.name
     - dns.resp.addr
     - dns.resp.name
5. Packet contents
   - Description: used to search for specific text inside of a packet.
   - Syntax:
     - frame contains "text"
   - Common text to search for:
     - "Dos"
     - ".exe"
Concepts & Techniques
Two things to look for in PCAP when looking for signs of potential malicious activity are magic numbers and Base64.
A. Magic Numbers [2]
Magic numbers are common in programs across many operating systems. They implement strongly typed data and are a form of in-band signaling to the controlling program that reads the data type(s) at program run time. Detecting such constants in files is a simple and effective way of distinguishing between many file formats and can yield further run-time information.
- GIF image file:
  - ASCII code
    - "GIF89a" (47 49 46 38 39 61)
    - "GIF87a" (47 49 46 38 37 61)
- JPEG image file:
  - begins with "FF D8" and ends with "FF D9"
- PostScript file:
  - starts with "%!" (25 21)
- MS-DOS exe file:
  - starts with
    - "MZ" (4D 5A)
    - "ZM" (5A 4D), which is NOT as common
B. Base64
Base64 is a group of similar encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation. Base64 encoding schemes are commonly used when binary data needs to be stored and transferred over media that are designed to deal with textual data. This is done to ensure that the data remains intact, without modification, during transport.
- Characters: [A-Z], [a-z], [0-9], [+], [/]
- Padding:
  - "==" indicates the last group contained only 1 byte.
  - "=" indicates that it contained 2 bytes.
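The two checks described above (magic numbers and Base64 padding) combined into one scanner, as an added example that is not part of the original post. It assumes the bytes come from a reassembled stream (for instance a "Follow TCP Stream" export from Wireshark); the HTTP payload, the hypothetical DOS header and all function names are constructed for this example.

```python
import base64
import re

# Magic numbers from the post (label, leading bytes). JPEG also needs FF D9 at the end.
MAGIC = [
    ("GIF89a image", b"GIF89a"),
    ("GIF87a image", b"GIF87a"),
    ("JPEG image", b"\xff\xd8"),
    ("PostScript file", b"%!"),
    ("MS-DOS executable (MZ)", b"MZ"),
    ("MS-DOS executable (ZM, rare)", b"ZM"),
]

# Base64 alphabet from the post: at least five 4-char groups (20 chars, so ordinary
# words are skipped) plus an optional final group padded with "=" or "==".
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4}){5,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")


def identify_magic(data: bytes):
    """Return the file type whose magic number starts `data`, or None."""
    for label, sig in MAGIC:
        if data.startswith(sig):
            if sig == b"\xff\xd8" and not data.endswith(b"\xff\xd9"):
                return None  # FF D8 without the FF D9 trailer is not a complete JPEG
            return label
    return None


def base64_tail_bytes(token: bytes) -> int:
    """Bytes carried by the final 4-char group: '==' -> 1, '=' -> 2, no padding -> 3."""
    return 3 - (len(token) - len(token.rstrip(b"=")))


def scan_payload(payload: bytes):
    """Decode every Base64 run in a stream; return [(token, decoded_bytes, magic_label)]."""
    findings = []
    for match in B64_RUN.finditer(payload):
        token = match.group(0)
        try:
            decoded = base64.b64decode(token, validate=True)
        except ValueError:
            continue  # looks like Base64 but does not decode cleanly
        findings.append((token, decoded, identify_magic(decoded)))
    return findings


# Constructed sample (not real traffic): an HTTP response whose body carries a
# DOS header as Base64. "MZ\x90\x00" encodes to the well-known "TVqQ" prefix.
MZ_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_PAYLOAD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                  b"update=" + base64.b64encode(MZ_HEADER) + b"&ok=1")

if __name__ == "__main__":
    for token, decoded, label in scan_payload(SAMPLE_PAYLOAD):
        print(token.decode(), "->", label, "| bytes in last group:", base64_tail_bytes(token))
```

The same `frame contains "TVqQ"` idea can be applied directly in Wireshark once you know the Base64 prefix of a magic number.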
References
Recommended Reading and/or Videos
- Real Digital Forensics: Computer Security and Incident Response by Keith J. Jones, Richard Bejtlich, and Curtis W. Rose.
- Extrusion Detection: Security Monitoring for Internal Intrusions by Richard Bejtlich, foreword by Marcus Ranum.
Social Media
Facebook:
https://www.facebook.com/BDavisCS/
Twitter:
@BDavis_CyberSec