


Pivots to and from the other analysis phases:
- To Log Analysis: Malicious IP Addresses, Malicious Filenames
- From Log Analysis: Malicious IP Addresses, Malicious Filenames
- To Memory Analysis: Malicious IP Addresses, Malicious Filenames
- From Memory Analysis: Malicious IP Addresses, Malicious Filenames
- To Disk Analysis: Malicious IP Addresses, Malicious Filenames
- From Disk Analysis: Malicious IP Addresses, Malicious Filenames

Packet Capture (PCAP) files are tremendous resources for investigations when they are available. These small slices of PCAP typically do not tell the complete story. The PCAP provided for this analysis is from the ‘edge sensor’ located on the victim network. It is small for portability, but large enough that only an insane person would begin digging through it starting at frame 1. An analyst must learn to pivot through the data effectively. Using data reduction, indicators of interest, or Indicators of Compromise (IOCs), analysts can pivot through large data sets quickly and effectively. Snort is a great example of a tool an analyst can use to pivot through network traffic efficiently.

Keep in mind this is merely an intro, and Snort is being used here to quickly triage the PCAP data. Snort works off of signatures, or ‘rules’, to detect anomalies in network traffic. Many of these rules are written with the idea that the Snort Intrusion Detection System (IDS) will run as a permanent sensor in an environment. Snort runs more effectively when it has knowledge of the environment it is monitoring. The HOME_NET variable tells Snort what network it is defending. This variable is set in /etc/snort/nf by default. The rules written for Snort reference this variable and alert accordingly. Using our analyst station to do triage and incident response as a stand-alone system therefore requires that we inform Snort of the network that was being defended when the PCAP was collected.
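As an added example (not from the original post), a small POSIX shell helper that sets HOME_NET in a private copy of the Snort config and replays the PCAP through Snort in read-only mode. The config path, the 192.168.1.0/24 network and the Snort 2.x command-line flags used here are assumptions for illustration.

```shell
#!/bin/sh
# Point HOME_NET at the network that was being defended when the capture
# was taken, then replay the PCAP through Snort without touching the
# system-wide config.  Usage: ./snort_pcap.sh capture.pcap 192.168.1.0/24

# set_home_net <conf> <cidr> <out>: write a copy of <conf> to <out> with
# HOME_NET set to <cidr>.  Snort 2.9 uses "ipvar HOME_NET", older releases
# "var HOME_NET"; both are handled.  Returns 1 on a malformed CIDR.
set_home_net() {
    conf="$1"; cidr="$2"; out="$3"
    case "$cidr" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;   # crude a.b.c.d/nn shape check
        *) echo "bad CIDR: $cidr" >&2; return 1 ;;
    esac
    if grep -Eq '^(ipvar|var)[[:space:]]+HOME_NET[[:space:]]' "$conf"; then
        sed -E "s#^(ipvar|var)[[:space:]]+HOME_NET[[:space:]].*#\1 HOME_NET [$cidr]#" \
            "$conf" > "$out"
    else
        # No HOME_NET line at all: prepend one so rules using $HOME_NET resolve
        { echo "ipvar HOME_NET [$cidr]"; cat "$conf"; } > "$out"
    fi
}

# home_net_of <conf>: print the value currently assigned to HOME_NET
home_net_of() {
    sed -nE 's/^(ipvar|var)[[:space:]]+HOME_NET[[:space:]]+//p' "$1"
}

# replay_pcap <conf> <pcap> <logdir>: -r reads the capture instead of an
# interface, -l sets the log directory, -k none skips checksum checks
# (span-port captures often carry bad checksums), -A console prints alerts.
replay_pcap() {
    mkdir -p "$3"
    snort -q -c "$1" -r "$2" -l "$3" -k none -A console
}

# Entry point when run directly with a capture and a CIDR (assumed paths).
if [ "$#" -ge 2 ] && command -v snort >/dev/null 2>&1; then
    set_home_net "${3:-/etc/snort/snort.conf}" "$2" ./triage.conf || exit 1
    replay_pcap ./triage.conf "$1" ./snort-logs
fi
```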

A great piece of software to take Screen Shots is Greenshot.

