Author: Prof Bill Buchanan

Size: px

Start display at page:

Download "Author: Prof Bill Buchanan"

Leon Randall
6 years ago
Views:

1 Data Loss Prevention 2. Data in-motion Magic Numbers/Discriminators. Detecting from network traffic. Regular Expressions. Extracting Content from traces. Converted formats. Author: Prof Bill Buchanan

2 Data in-motion DLP Data in-motion, data in-use and data at-rest Eve Switch Firewall Domain name server Bob Intrusion Detection System Data inmotion Internet Firewall Router Database server Data inuse Data atrest Web server server DMZ Intrusion Detection System Alice FTP server Proxy server

3 DLP Data in-motion Before Incident (Setting up/ Switch preventing) Switch During Incident (Responding) After Incident Firewall (Forensics) Firewall Eve Domain name server Domain name server Detector/ preventer Bob Bob Intrusion Detection Intrusion System Detection System Data inmotion Data inmotion Internet Internet Detector/ preventer Detector/ preventer Firewall Firewall Router Detector/ preventer Detector/ preventer Router Database server Database server Detector/ preventer Detector/ preventer Detector/ preventer Detector/ preventer Web server Web server server server Detector/ preventer Detector/ preventer FTP server FTP Proxy server server Proxy server DMZ DMZ Detector/ Detector/ preventer preventer Intrusion Detection Intrusion System Detection System Detector/ preventer Detector/ preventer Alice Alice Data in-motion, data in-use and data at-rest Data in-motion, data in-use and data at-rest

4 DLP Data in-motion Network Forensics Author: Prof Bill Buchanan

25 DLP Data in-motion Network Packet Analysis Author: Prof Bill Buchanan

26 Adv Net For. Cracking usernames ftp.response.code Correct login: ftp.response.code==230 Incorrect login: ftp.response.code==530 ftp contains "PASS" Administrator search: ftp contains "Administrator" Hydra (FTP) Author: Prof Bill Buchanan

27 Adv Net For. Cracking usernames Telnet.data contains login Bad Login: Telnet.data contains unknown Hydra (Telnet) Author: Prof Bill Buchanan

Adv Net For. Detecting Scanning tcp.flags.syn && tcp.

flags.ack ip.src==192.168.75.132 && tcp.flags.syn==1 && tcp.

ack==1 Ports not open: [RST, ACK] Ports not open:

28 Adv Net For. Detecting Scanning tcp.flags.syn && tcp.flags.ack==0 ip.src== && tcp.flags.reset && tcp.flags.ack ip.src== && tcp.flags.syn==1 && tcp.flags.ack==1 Ports not open: [RST, ACK] Ports not open: [SYN, ACK] NMAP (Port Scanning) Author: Prof Bill Buchanan

29 Adv Net For. Detecting Scanning ICMP/ARP Scan arp.opcode==2 Author: Prof Bill Buchanan

30 Advanced Network Forensics Signature Detection Author: Prof Bill Buchanan

$File Types http contains "\x25\x50\x44\x46" http$ $"GIF89a" http contains "\x47\x49\x46\x38" PNG: http$ $contains "\x89\x50\x4e\x47" ZIP: http contains$

31 Adv Net For. File Types http contains "\x25\x50\x44\x46" http contains %PDF http contains "GIF89a" http contains "GIF89a" http contains "\x47\x49\x46\x38" PNG: http contains "\x89\x50\x4e\x47" ZIP: http contains "\x50\0x4b\0x030\x04" Detecting File Types in Payloads Author: Prof Bill Buchanan

32 Advanced Network Forensics Converted Formats Author: Prof Bill Buchanan

Adv Net For. File Types MIME Encoding Email message ------=_NextPart_001_0005_01CF0A5E.E9FFC210-- ------=_NextPart_000_0004_01CF0A5E.E9FFC210 Content-Type: image/jpeg;.name="ehealth.

33 Adv Net For. File Types MIME Encoding message =_NextPart_001_0005_01CF0A5E.E9FFC =_NextPart_000_0004_01CF0A5E.E9FFC210 Content-Type: image/jpeg;.name="ehealth.jpg" Content-Transfer-Encoding: base64 Content-Disposition: attachment;.filename="ehealth.jpg" /9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAICAgICAgICAgICAgICAwMDAgIDAwQDAwMDAwQFBAQE BAQEBQUGBgcGBgUHBwgIBwcKCgoKCgoKCgoKCgoKCgr/2wBDAQMDAwQDBAcFBQcLCQcJCwwLCwsL DAwKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgr/wAARCABeALQDAREA.. ki0dl8iylfhb6xkc9uw9ynvugsjdpw0wnx1dbomiur2fby/3ypsrkrsiktjhkpdirlnsehsehseh SEHSEHSEHSEHSEHSEHSEf//Z =_NextPart_000_0004_01CF0A5E.E9FFC210 Content-Type: image/gif;.name="cat01_with_hidden_text.gif" Content-Transfer-Encoding: base64 Content-Disposition: attachment;.filename="cat01_with_hidden_text.gif" smtp contains "/9j/4AAQSkZJRgABAQEA" smtp contains "image/gif" R0lGODlhZABVAOYAAP////f39vH08u7u7+fn5+Hk5t/e39fa3e/OztXV1dXT0NnRoczMzMTIzGhl bgxvwnhghmc/vb27uli2tbwzrqqxtqusrauppaampqelnquockycn5mzmzsaoiuvnjosjoynioam lpilzpchgoodg3qeistexvtisij8c3x6fiv6xnn8gplmznr1cmgazmpzghtytx1uumtqbndjx/gq... AMb5Ca3QER7Rn/75nwDqn8bZGwFAEsR5AAh6FAWwoPhpehHJERAaoRI6oRCKkx/ICuiZoaAQLxza or66cieaads= =_NextPart_000_0004_01CF0A5E.E9FFC Author: Prof Bill Buchanan

$_%+-]/"; \ msg:"email in message";sid:9000000;rev:1;) [**] [1:9000000:1] Email in message [**] [Priority: 0] 01/05-21:41:38.648260 192.168.47.$

34 Adv Net For. PCRE PCRE - Perl Compatible Regular Expressions alert tcp any any <> any 25 (pcre:"/[a-za-z0-9._%+-]+@[a-za-z0-9._%+-]/"; \ msg:" in message";sid: ;rev:1;) [**] [1: :1] in message [**] [Priority: 0] 01/05-21:41: :2826 -> :25 TCP TTL:128 TOS:0x0 ID:13590 IpLen:20 DgmLen:78 DF ***AP*** Seq: 0xB Ack: 0xFB0FDF97 Win: 0xFF71 TcpLen: 20 [**] [1: :1] in message [**] [Priority: 0] 01/05-21:41: :25 -> :2826 TCP TTL:128 TOS:0x0 ID:2017 IpLen:20 DgmLen:88 DF ***AP*** Seq: 0xFB0FDF97 Ack: 0xB14845AB Win: 0xFAB5 TcpLen: 20 [**] [1: :1] in message [**] [Priority: 0] 01/05-21:41: :2826 -> :25 TCP TTL:128 TOS:0x0 ID:13591 IpLen:20 DgmLen:66 DF ***AP*** Seq: 0xB14845AB Ack: 0xFB0FDFC7 Win: 0xFF41 TcpLen: 20 [**] [1: :1] in message [**] [Priority: 0] 01/05-21:41: :25 -> :2826 TCP TTL:128 TOS:0x0 ID:2018 IpLen:20 DgmLen:66 DF ***AP*** Seq: 0xFB0FDFC7 Ack: 0xB14845C5 Win: 0xFA9B TcpLen: 20 [**] [1: :1] in message [**] [Priority: 0] 01/05-21:41: :2826 -> :25 TCP TTL:128 TOS:0x0 ID:13593 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0xB14845CB Ack: 0xFB0FE00F Win: 0xFEF9 TcpLen: 20 [**] [1: :1] in message [**] [Priority: 0] 01/05-21:41: :25 -> :2826 TCP TTL:128 TOS:0x0 ID:2030 IpLen:20 DgmLen:125 DF ***AP*** Seq: 0xFB0FE00F Ack: 0xB148AE2E Win: 0xFAEB TcpLen: 20 smtp matches "[a-za-z0-9._%+-]+@[a-za-z0-9._%+-]" Author: Prof Bill Buchanan

$Adv Net For. PCRE PCRE for Credit Card Details alert tcp any any <> any any (pcre:"/5\d{3}(\s -)?\d{4}(\s -)?$

35 Adv Net For. PCRE PCRE for Credit Card Details alert tcp any any <> any any (pcre:"/5\d{3}(\s -)?\d{4}(\s -)?\d{4}(\s -)?\d{4}/"; \ msg:"mastercard number detected in clear text";content:"number";nocase;sid: ;rev:1;) alert tcp any any <> any any (pcre:"/3\d{3}(\s -)?\d{6}(\s -)?\d{5}/"; \ msg:"american Express number detected in clear text";content:"number";nocase;sid: ;rev:1;) alert tcp any any <> any any (pcre:"/4\d{3}(\s -)?\d{4}(\s -)?\d{4}(\s -)?\d{4}/"; \ msg:"visa number detected in clear text";content:"number";nocase;sid: ;rev:1;) [**] [1: :1] Visa number detected in clear text [**] [Priority: 0] 01/06-21:20: :1061 -> :25 TCP TTL:128 TOS:0x0 ID:628 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0xCA178C7B Ack: 0x Win: 0xFEF9 TcpLen: 20 [**] [1: :1] MasterCard number detected in clear text [**] [Priority: 0] 01/06-21:20: :1061 -> :25 TCP TTL:128 TOS:0x0 ID:628 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0xCA178C7B Ack: 0x Win: 0xFEF9 TcpLen: 20 smtp matches "5\\d{3}(\\s -)?\\d{4}(\\s -)?\\d{4}(\\s -)?\\d{4}" Author: Prof Bill Buchanan

36 DLP Data in-motion Magic Numbers Author: Prof Bill Buchanan

37 DLP Image files.gif GIF89 MD5(c:\assets\cat01_with_hidden_text.gif)= 10117e6475c78b74b3a1a18f8d1c0d66 [ ] E FF FF FF GIF89ad.U... [ ] F7 F7 F6 F1 F4 F2 EE EE EF E7 E7 E7 E1 E4 E6 DF... [ ] DE DF D7 DA DD EF CE CE D5 D5 D5 D5 D3 D0 D9 D1... [ ] A1 CC CC CC C4 C8 CC C 6C 6F C0 D1 C hello... [ ] C0 BF BD BD BB B8 B8 B6 B5 B5 B3 AE AA B1 B6 AB... [ ] AC AD AB A9 A5 A6 A6 A6 A7 A5 9E AB A8 70 AC 9C...p.. [ ] 9F A A0 8B 95 9C E 8C 8D 8A....JPG \0xFF\0xD8 [ ] FF D8 FF E A C8...JFIF... [ ] 00 C FF FE 00 1F 4C LEAD.Tec [ ] 68 6E 6F 6C 6F E 63 2E hnologies.inc..v [ ] 31 2E FF DB F C... [ ] C 1A 19 1E 25 3F D...%?)%""%M [ ] 37 3A 2D 3F 5B E 5A B 7:-?[P`^ZPXVeq.{ [ ] 65 6B 89 6D E AC 7F A A2 A4 A2 61 ek.mvx~...a.png \0x89\0x50\0x4E\0x47 MD5(c:\assets\file04.jpg)= d82e64b5ba09960eb3e23aaf46644f45 MD5(c:\assets\bg.png)= 07f4bc9c7d4c36a864dce5c8ad108d82 [ ] E 47 0D 0A 1A 0A D PNG...IHDR [ ] F C C 27...W.' [ ] D AF C A...gAMA [ ] E F tEXtSoftwar [ ] F D e.adobe.imagerea [ ] C9 65 3C A EB DA dyq.e<...idatx. [ ] EC DD DD 6F D C0 F1 E7 9C 33 2F 7D D9 E9...oTi...3/}.. Magic Numbers

38 DLP Data in-motion Timelining Author: Prof Bill Buchanan

39 Timelining DLP NetWitness Who why when when? Pcap file IP/MAC addresses Geolocation Timeline Assets Timeline Start of incident End of incident

40 Data Loss Prevention 2. Data in-motion Magic Numbers/Discriminators. Detecting from network traffic. Regular Expressions. Extracting Content from traces. Converted formats. Author: Prof Bill Buchanan

Advanced Network Forensics User/Password Crack. Port Scan. Signature Detection. Converted Formats. ARP Spoofing. DDoS Detection.

Advanced Network Forensics User/Password Crack. Port Scan. Signature Detection. Converted Formats. ARP Spoofing. DDoS Detection. Setup Setup 192.168.47.171 192.168.47.200 Snort -i 1 -c 1.rules alert.ids