Archive for the ‘Security’ category

  1. PCAP Split and Merge

    Sometimes it also happens during network troubleshooting engagements, but it is also common for analysis jobs regarding network forensics: dealing with huge number of packets, sometimes millions or more. Two typical situations may have you scratch your head: either you have one huge file containing all packets at once, or you have a ton of […]

  2. Network Forensics Playbook – Banner Inspection and Client Origin

    I recently did a hands-on-no-slides presentation at a very small security conference end of last year where I demoed some of the typical things I do when performing a network forensics analysis, using tshark, Wireshark and TraceWrangler. I’ll use these blog posts as a transcript of what I did, so that it’s easy to read […]

  3. Verifying IoCs with Snort and TraceWrangler

    After detecting a network breach it is a good idea to scan the network for further Indicators of Compromise (IoC) to check for further malicious activity. The IoCs are usually derived from forensic investigations into network packets and compromised hosts, and can be quite unique when it comes to more sophisticated attacks (let’s avoid mentioning […]

  4. A creative way of refusing connections

    A few days ago, Olli, one of our team members, sent me a funny trace that he’d taken while configuring the security settings on a Netoptics Bypass kit. This device has an SNMP and HTTP management service, and when he disabled the HTTP service he verified if the setting was accepted (like you should). Usually, […]

  5. Installing Tomahawk IPS test tool on Debian 7

    For a current IPS/IDS project I was looking for a test system to benchmark various IDS/IPS engines. The idea was to record network captures carrying malware samples in HTTP, SMTP or other protocols, and replaying them against the various detection engines. Problem with that is that tools like tcpreplay, bittwist or Ostinato all replay the […]

  6. It’s been a while…

    …before I found some time to post something on this blog. Mostly because of the summer break, but also because I was attending DefCon 2013 in Las Vegas, after a break of 3 years. I used to be at DefCon every year while it was held at the Riviera, working for the hotel as a […]

  7. Name Resolution Denial of Service

    Today I was using a combination of dumpcap and Wireshark to run a network forensics investigation against a server that may have been compromised. A couple of malicious files had been reported by the virus scanner, so I had to take a closer look at what it was doing in the network. Actually, dumpcap was […]

  8. The packet analysts “self check”

    One thing all members of our packet analysis team do every once in a while is to check what their own laptop/PC is doing on the network – meaning, that we just close all programs and run Wireshark to see what packets are still going in and out. If we’re in paranoid mode for some […]