Installing Tomahawk IPS test tool on Debian 7

For a current IPS/IDS project I was looking for a test system to benchmark various IDS/IPS engines. The idea was to record network captures carrying malware samples in HTTP, SMTP or other protocols, and replaying them against the various detection engines. Problem with that is that tools like tcpreplay, bittwist or Ostinato all replay the trace on a single network card, which means that both “client” and “server” side of the communication are injected into the same NIC of the detection engine.

It’s been a while…

…before I found some time to post something on this blog. Mostly because of the summer break, but also because I was attending DefCon 2013 in Las Vegas, after a break of 3 years. I used to be at DefCon every year while it was held at the Riviera, working for the hotel as a network security expert (“We need protection! Evil hackers everywhere!”) with my buddies Eddi and Landi. Funniest thing the Riv guys did back then was to disconnect all public network ports accessible to the public (“the hackers”) like we told them too – well, all except one. That one, they put a small padlock in front of it. Our question to them was “uhm… did you know they have lock picking contests? What do you think will happen when they see this?” 😉

PCAP and PCAPng sanitization tool for network analysts

Trace file anonymization, trace file sanitization… it seems like I can’t decide whether to call it “Sanitization” or “Anonymization” – even in my code base it is sometimes called the first, sometimes the latter. Of course there is a small difference between the two – one is removing sensitive data by cutting it away, while the other replaces it with something generic.

Spurious Retransmissions

Update: since Wireshark version 1.12 is out, lots of people look for the meaning of “tcp spurious retransmission” info message, so I changed the post a little to make it easier to find what you’re looking for.

Today, while doing a lot of testing of my trace handling code as well as in preparation for the upcoming Sharkfest 2013, I got a trace sample from Landi that he wanted me to take a look at because he wondered about some SSL decoding stuff. So I did, and while we were talking about what the SSL dissector was doing I saw a new TCP expert message I had never seen before: “TCP Spurious Retransmission”.

Name Resolution Denial of Service

Today I was using a combination of dumpcap and Wireshark to run a network forensics investigation against a server that may have been compromised. A couple of malicious files had been reported by the virus scanner, so I had to take a closer look at what it was doing in the network. Actually, dumpcap was already running for a couple of days in front of the firewall using a capture filter set to the server IP, recording everything that the server sent or received to and from the internet. So basically I wanted to separate good from bad traffic, if any, and see what was transferred.

Wireshark GeoIP resolution setup

One of the many features Wireshark provides is the name resolution for various protocol layers, and I have to admit that – at least for me – some of them are really helpful while others (well, one of them, to be more specific) annoy the hell out of me. I really like MAC layer resolution, and often I enable network layer name resolution, but I really do not like protocol name resolution. Oh, and then there is GeoIP resolution, which is really helpful in some cases as well, but it takes a little time to set it up.

Update: There’s a newer article for GeoIP setup in Wireshark 2.x here.