Network Traffic Analysis (NTA)

Packet Analysis

wireshark example.pcap

# Tcpdump
sudo tcpdump -i eth0 icmp
# output pcap file
sudo tcpdump -i eth0 icmp -w /tmp/tcpdump.pcap

Brim

is an application to search and analyze super-structured data.

brim sample.pcap

Filters

_path=="http" "example.com" id.resp_p==80 | cut ts, host, id.resp_p, uri | sort ts

# Find UserAgent in HTTP requests
user_agent | cut _path,id.orig_h,id.resp_h,method,host,user_agent

Snort

Snort is a network intrusion detection system (NIDS) and intrusion prevention system (NIPS).

# Validate the configuration
# -c: Identify the config file
# -T: Test the configuration
sudo snort -c /etc/snort/snort.conf -T

# Sniffer mode
# -d: Dump packet data
# -e: Link-layer header grabbing
# -v: Verbose mode
sudo snort -dev
# -X: Full packet dump mode
sudo snort -X

# Logger mode
# -l: Logger mode
sudo snort -dev -l .
# -K ASCII: ASCII mode 
sudo snort -dev -K ASCII -l .

# IDS/IPS mode
# -A full: full alert mode
sudo snort -c /etc/snort/snort.conf -A full
# Using local rules
sudo snort -c /etc/snort/rules/local.rules -A full
# -q: Quiet mode
# --daq: Data aquisition
# -i: Listen on interface <if>
sudo snort -c local.rules -q --daq afpacket -i eth0:eth1 -A full
# Wait until packets receiving, the file will be dumped.

# Read generated logs
sudo snort -r snort.log.xxxxxxxx
# Filters
sudo snort -r snort.log.xxxxxxxx -X
sudo snort -r snort.log.xxxxxxxx tcp
sudo snort -r snort.log.xxxxxxxx 'udp and port 53'

# Investigate pcap file
# -n: The first N packets
sudo snort -c /etc/snort/snort.conf -q -r example.pcap -A full -n 10
# --pcap-list: Multiple pcap files
sudo snort -c /etc/snort/snort.conf -q --pcap-list="example.pcap example2.pcap" -A full -n 10

Modify rules

We can edit /etc/snort/rules/local.rules or our custom local.rules in another directory.

sudo vim /etc/snort/rules/local.rules

Below is the example rules.

# ICMP
alert icmp any any <> any any (msg:"ICMP Packet Found"; sid:1000001; rev:1;)

# Drop
drop tcp any any -> any any (sid:1000005;)

Detect a Type of Malware

Extract files from PCAP.
1. Open target pcap file on Wireshark.
2. Select "File" -> "Export Options" -> "HTTP..."
3. Save the target file.
Get the MD5 hash.
```
md5sum suspicious.exe
```
Search on VirusTotal using the MD5 hash.

PreviousAttack Flow NextNetworking

Last updated 1 year ago

# Validate the configuration # -c: Identify the config file # -T: Test the configuration sudo snort -c /etc/snort/snort.conf -T # Sniffer mode # -d: Dump packet data # -e: Link-layer header grabbing # -v: Verbose mode sudo snort -dev # -X: Full packet dump mode sudo snort -X # Logger mode # -l: Logger mode sudo snort -dev -l . # -K ASCII: ASCII mode sudo snort -dev -K ASCII -l . # IDS/IPS mode # -A full: full alert mode sudo snort -c /etc/snort/snort.conf -A full # Using local rules sudo snort -c /etc/snort/rules/local.rules -A full # -q: Quiet mode # --daq: Data aquisition # -i: Listen on interface <if> sudo snort -c local.rules -q --daq afpacket -i eth0:eth1 -A full # Wait until packets receiving, the file will be dumped. # Read generated logs sudo snort -r snort.log.xxxxxxxx # Filters sudo snort -r snort.log.xxxxxxxx -X sudo snort -r snort.log.xxxxxxxx tcp sudo snort -r snort.log.xxxxxxxx 'udp and port 53' # Investigate pcap file # -n: The first N packets sudo snort -c /etc/snort/snort.conf -q -r example.pcap -A full -n 10 # --pcap-list: Multiple pcap files sudo snort -c /etc/snort/snort.conf -q --pcap-list="example.pcap example2.pcap" -A full -n 10