
Using this metadata, we can hypothesize that the infected machine has an IP address of 172.16.150.20 and is talking to 58.64.132.141. We can also see that a lot of traffic is originating from an IP address of 172.16.150.20 (2) and that a lot of traffic is going to an IP address of 58.64.132.141 (3). Looking at the summary, we can see straight away that there may be a Command and Control Trojan (CnC) activity in the packet capture file (1). The Summary page (below) shows a list of the top signatures and the top source and destinations via IP address and economy. Click on the Summary (1) tab to get started.įigure 3 - Squert’s Events view, with Summary (1) and Views (2) tabs. By changing the views, the events are displayed in different formats, making it easier to interpret the packets and the metadata.

Without knowing too much about the data and events, Squert’s visualization tools will help to identify suspicious sessions or behaviours. When Squert first opens you will see a list of all the events. Squert helps provide additional context to the events through the use of metadata and time series representations.

Now that we have imported the packet capture file, let’s look at the alerts that were generated by Snort using Squert, a visualization tool that will query and view event data. To import the fake_av.pcap file, type the following command in a terminal window: $ sudo so-replay fake_av.pcapįigure 2 - Output of the so-replay command.

It includes a host of open source tools, including: Security Onion is an open source Linux distribution for intrusion detection, network monitoring and log management. While there are many FOSS (Free and Open Source Software) tools available, I am focusing on Security Onion because of the included tool set and the ease of installation.

This ‘how to’ will expand on the skills that we teach in workshops and discuss some open source tools that can be used for network security monitoring. As part of the training APNIC delivers, we talk about best practices for setting up logs, intrusion detection systems and using automation to keep things up to date.
