hasaccu.blogg.se - Sample wireshark captures in pdf with explanation

Using this metadata, we can hypothesize that the infected machine has an IP address of 172.16.150.20 and is talking to 58.64.132.141. We can also see that a lot of traffic is originating from an IP address of 172.16.150.20 (2) and that a lot of traffic is going to an IP address of 58.64.132.141 (3). Looking at the summary, we can see straight away that there may be a Command and Control Trojan (CnC) activity in the packet capture file (1). The Summary page (below) shows a list of the top signatures and the top source and destinations via IP address and economy. Click on the Summary (1) tab to get started.įigure 3 - Squert’s Events view, with Summary (1) and Views (2) tabs. By changing the views, the events are displayed in different formats, making it easier to interpret the packets and the metadata.

Without knowing too much about the data and events, Squert’s visualization tools will help to identify suspicious sessions or behaviours. When Squert first opens you will see a list of all the events. Squert helps provide additional context to the events through the use of metadata and time series representations.

Now that we have imported the packet capture file, let’s look at the alerts that were generated by Snort using Squert, a visualization tool that will query and view event data. To import the fake_av.pcap file, type the following command in a terminal window: $ sudo so-replay fake_av.pcapįigure 2 - Output of the so-replay command.

so-import-pcap: Import one or more capture files while keeping the timestamp the same as the original packet capture dates and times.

so-replay: Import all pcap samples in /opt/samples and replay them with the current timestamp.

tcpreplay: Import one or more of the packet capture files as new traffic and replay with the current timestamp.

There are three ways to import the pcap files into the Security Onion logs: To find out more about the samples, refer to Security Onion’s documentation.įigure 1 - Directory listing of Security Onion’s example packet captures. Security Onion includes some example packet captures (pcap files) in the /opt/samples directory.

It includes a host of open source tools, including: Security Onion is an open source Linux distribution for intrusion detection, network monitoring and log management. While there are many FOSS (Free and Open Source Software) tools available, I am focusing on Security Onion because of the included tool set and the ease of installation.

This ‘how to’ will expand on the skills that we teach in workshops and discuss some open source tools that can be used for network security monitoring. As part of the training APNIC delivers, we talk about best practices for setting up logs, intrusion detection systems and using automation to keep things up to date.