Author: Prof Bill Buchanan

Transcription:

Data Loss Prevention 2. Data in-motion Magic Numbers/Discriminators. Detecting from network traffic. Regular Expressions. Extracting Content from traces. Converted formats. http://asecuritysite.com/dlp Author: Prof Bill Buchanan

Data in-motion DLP: data in-motion, data in-use and data at-rest (network diagram). Elements shown: Eve on the Internet side; firewall and router; a DMZ holding the web server, email server, FTP server and proxy server, each segment watched by an Intrusion Detection System; an internal switch leading to the domain name server, the database server, Alice and Bob. The traffic crossing the network is labelled "data in-motion", the hosts' working data "data in-use" and the stored server data "data at-rest".

DLP data in-motion (diagram): the same network shown for three phases, before the incident (setting up / preventing), during the incident (responding) and after the incident (forensics), with a detector/preventer placed at every element: firewall, router, switch, domain name server, database server, the DMZ servers (web, email, FTP, proxy), the Intrusion Detection Systems, Alice and Bob. Caption: data in-motion, data in-use and data at-rest.

DLP Data in-motion Network Forensics Author: Prof Bill Buchanan

DLP Data in-motion Network Packet Analysis Author: Prof Bill Buchanan

Adv Net For. Cracking usernames: Hydra (FTP)
Wireshark filters (capture: http://asecuritysite.com/log/hydra_ftp.zip):
  FTP response codes: ftp.response.code
  Correct login: ftp.response.code==230
  Incorrect login: ftp.response.code==530
  Password attempts: ftp contains "PASS"
  Administrator search: ftp contains "Administrator"
Author: Prof Bill Buchanan

Adv Net For. Cracking usernames: Hydra (Telnet)
Wireshark filters (capture: http://asecuritysite.com/log/hydra_telnet.zip; field names are lower case):
  Login prompts: telnet.data contains "login"
  Bad login: telnet.data contains "unknown"
Author: Prof Bill Buchanan

Adv Net For. Detecting scanning: NMAP (port scanning)
Wireshark filters (capture: http://asecuritysite.com/log/nmap.zip):
  SYN probes (connection attempts): tcp.flags.syn && tcp.flags.ack==0
  Ports not open, the target replies [RST, ACK]: ip.src==192.168.75.132 && tcp.flags.reset && tcp.flags.ack
  Ports open, the target replies [SYN, ACK]: ip.src==192.168.75.132 && tcp.flags.syn==1 && tcp.flags.ack==1
Author: Prof Bill Buchanan

Adv Net For. Detecting scanning: ICMP/ARP scan
Wireshark filter for ARP replies: arp.opcode==2
Captures: http://asecuritysite.com/log/ping_sweep.zip, http://asecuritysite.com/log/arp_scan.zip
Author: Prof Bill Buchanan
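As an added example (not code from the lecture), the three NMAP scan filters above expressed in Python over a constructed packet list, so that the open/closed classification and a simple scanner threshold can be checked offline; the target address 192.168.75.1 and the packet records are assumptions.

```python
"""Replay of the slide's NMAP scan filters over a constructed packet list.

Added illustration, not code from the lecture. Each record is
(src, dst, sport, dport, flags) with the TCP flags as a set of strings.
"""
from collections import defaultdict

SCANNER = "192.168.75.132"   # scanner address used in the slide's filters
TARGET = "192.168.75.1"      # constructed target address (assumption)

# Constructed sample: five SYN probes; 22 and 80 answer SYN/ACK (open),
# the rest answer RST/ACK (closed).
PACKETS = []
for port, is_open in [(21, False), (22, True), (25, False), (80, True), (443, False)]:
    PACKETS.append((SCANNER, TARGET, 40000 + port, port, {"SYN"}))
    reply = {"SYN", "ACK"} if is_open else {"RST", "ACK"}
    PACKETS.append((TARGET, SCANNER, port, 40000 + port, reply))


def syn_probes(packets):
    """tcp.flags.syn && tcp.flags.ack==0: distinct ports probed per source."""
    ports = defaultdict(set)
    for src, _dst, _sport, dport, flags in packets:
        if "SYN" in flags and "ACK" not in flags:
            ports[src].add(dport)
    return {src: len(p) for src, p in ports.items()}


def classify_ports(packets, target):
    """Replies from target: [SYN, ACK] means open, [RST, ACK] means closed."""
    state = {}
    for src, _dst, sport, _dport, flags in packets:
        if src != target or "ACK" not in flags:
            continue
        if "SYN" in flags:
            state[sport] = "open"
        elif "RST" in flags:
            state[sport] = "closed"
    return state


def scanners(packets, threshold=4):
    """Sources whose count of distinct SYN-probed ports reaches the threshold."""
    return [src for src, n in syn_probes(packets).items() if n >= threshold]
```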

Advanced Network Forensics Signature Detection Author: Prof Bill Buchanan

Adv Net For. File types: detecting file types in payloads
Wireshark filters on the first bytes of the file:
  PDF: http contains "\x25\x50\x44\x46" (the same as http contains "%PDF")
  GIF: http contains "GIF89a" or http contains "\x47\x49\x46\x38"
  PNG: http contains "\x89\x50\x4e\x47"
  ZIP: http contains "\x50\x4b\x03\x04"
Capture: http://asecuritysite.com/log/hydra_ftp.zip
Author: Prof Bill Buchanan

Advanced Network Forensics Converted Formats Author: Prof Bill Buchanan

Adv Net For. File types: MIME encoding
Email message (multipart MIME; each attachment is carried as base64):
------=_NextPart_001_0005_01CF0A5E.E9FFC210--
------=_NextPart_000_0004_01CF0A5E.E9FFC210
Content-Type: image/jpeg; name="ehealth.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="ehealth.jpg"
[base64-encoded JPEG body]
------=_NextPart_000_0004_01CF0A5E.E9FFC210
Content-Type: image/gif; name="cat01_with_hidden_text.gif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="cat01_with_hidden_text.gif"
[base64-encoded GIF body]
------=_NextPart_000_0004_01CF0A5E.E9FFC210--
Wireshark filters:
  JPEG attachment (base64 of the JFIF header): smtp contains "/9j/4AAQSkZJRgABAQEA"
  GIF attachment (by MIME type): smtp contains "image/gif"
Author: Prof Bill Buchanan

Adv Net For. PCRE: Perl Compatible Regular Expressions
Snort rule:
alert tcp any any <> any 25 (pcre:"/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9._%+-]/"; \
    msg:"Email in message"; sid:9000000; rev:1;)
Alerts generated:
[**] [1:9000000:1] Email in message [**]
[Priority: 0]
01/05-21:41:38.648260 192.168.47.171:2826 -> 192.168.47.134:25
TCP TTL:128 TOS:0x0 ID:13590 IpLen:20 DgmLen:78 DF
***AP*** Seq: 0xB1484585 Ack: 0xFB0FDF97 Win: 0xFF71 TcpLen: 20

[**] [1:9000000:1] Email in message [**]
[Priority: 0]
01/05-21:41:38.649220 192.168.47.134:25 -> 192.168.47.171:2826
TCP TTL:128 TOS:0x0 ID:2017 IpLen:20 DgmLen:88 DF
***AP*** Seq: 0xFB0FDF97 Ack: 0xB14845AB Win: 0xFAB5 TcpLen: 20

[**] [1:9000000:1] Email in message [**]
[Priority: 0]
01/05-21:41:38.649568 192.168.47.171:2826 -> 192.168.47.134:25
TCP TTL:128 TOS:0x0 ID:13591 IpLen:20 DgmLen:66 DF
***AP*** Seq: 0xB14845AB Ack: 0xFB0FDFC7 Win: 0xFF41 TcpLen: 20

[**] [1:9000000:1] Email in message [**]
[Priority: 0]
01/05-21:41:38.650165 192.168.47.134:25 -> 192.168.47.171:2826
TCP TTL:128 TOS:0x0 ID:2018 IpLen:20 DgmLen:66 DF
***AP*** Seq: 0xFB0FDFC7 Ack: 0xB14845C5 Win: 0xFA9B TcpLen: 20

[**] [1:9000000:1] Email in message [**]
[Priority: 0]
01/05-21:41:38.655157 192.168.47.171:2826 -> 192.168.47.134:25
TCP TTL:128 TOS:0x0 ID:13593 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xB14845CB Ack: 0xFB0FE00F Win: 0xFEF9 TcpLen: 20

[**] [1:9000000:1] Email in message [**]
[Priority: 0]
01/05-21:41:38.861083 192.168.47.134:25 -> 192.168.47.171:2826
TCP TTL:128 TOS:0x0 ID:2030 IpLen:20 DgmLen:125 DF
***AP*** Seq: 0xFB0FE00F Ack: 0xB148AE2E Win: 0xFAEB TcpLen: 20

Equivalent Wireshark filter: smtp matches "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9._%+-]"
Author: Prof Bill Buchanan

Adv Net For. PCRE: PCRE for credit card details
Snort rules (the optional separator between digit groups is a whitespace character or a hyphen):
alert tcp any any <> any any (pcre:"/5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; \
    msg:"MasterCard number detected in clear text"; content:"number"; nocase; sid:9000003; rev:1;)
alert tcp any any <> any any (pcre:"/3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}/"; \
    msg:"American Express number detected in clear text"; content:"number"; nocase; sid:9000004; rev:1;)
alert tcp any any <> any any (pcre:"/4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; \
    msg:"Visa number detected in clear text"; content:"number"; nocase; sid:9000005; rev:1;)
Alerts generated:
[**] [1:9000005:1] Visa number detected in clear text [**]
[Priority: 0]
01/06-21:20:26.755456 192.168.47.171:1061 -> 192.168.47.134:25
TCP TTL:128 TOS:0x0 ID:628 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xCA178C7B Ack: 0x91870925 Win: 0xFEF9 TcpLen: 20

[**] [1:9000003:1] MasterCard number detected in clear text [**]
[Priority: 0]
01/06-21:20:26.755456 192.168.47.171:1061 -> 192.168.47.134:25
TCP TTL:128 TOS:0x0 ID:628 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xCA178C7B Ack: 0x91870925 Win: 0xFEF9 TcpLen: 20

Equivalent Wireshark filter (MasterCard): smtp matches "5\\d{3}(\\s|-)?\\d{4}(\\s|-)?\\d{4}(\\s|-)?\\d{4}"
Author: Prof Bill Buchanan
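The two PCRE slides above, as an added Python example that is not the lecture's code: the email pattern (with the domain part quantified) and the three card patterns are run over a constructed message body, and a Luhn check, which the slides do not include, drops digit runs that match a pattern but are not card numbers.

```python
r"""Pattern-based DLP checks from the slides over a constructed SMTP body.

Added illustration, not the lecture's code. The card patterns follow the
slide's PCRE rules with the separator group read as (\s|-)?; the Luhn
check is an extra step the slides do not include.
"""
import re

EMAIL_RE = re.compile(r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9._%+-]+")
CARD_PATTERNS = {
    "mastercard": re.compile(r"5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}"),
    "amex": re.compile(r"3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}"),
    "visa": re.compile(r"4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}"),
}


def luhn_ok(digits):
    """Luhn (mod 10) check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """(scheme, digits) for pattern matches that also pass the Luhn check."""
    hits = []
    for scheme, pattern in CARD_PATTERNS.items():
        for match in pattern.finditer(text):
            digits = re.sub(r"[\s-]", "", match.group(0))
            if luhn_ok(digits):
                hits.append((scheme, digits))
    return hits


def find_emails(text):
    """Addresses matched by the slide's email pattern."""
    return EMAIL_RE.findall(text)


# Constructed message body; the three valid numbers are public test numbers,
# the last line is a digit run that matches the Visa pattern but fails Luhn.
SAMPLE = """From: alice@example.com
number: 4111 1111 1111 1111
number: 5555-5555-5555-4444
number: 3782 822463 10005
order ref 4111 1111 1111 1112
"""
```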

DLP Data in-motion Magic Numbers Author: Prof Bill Buchanan

DLP image files: magic numbers

.gif: starts with GIF89a (47 49 46 38 39 61)
MD5(c:\assets\cat01_with_hidden_text.gif)= 10117e6475c78b74b3a1a18f8d1c0d66
[00000000] 47 49 46 38 39 61 64 00 55 00 E6 00 00 FF FF FF  GIF89ad.U.......
[00000016] F7 F7 F6 F1 F4 F2 EE EE EF E7 E7 E7 E1 E4 E6 DF  ................
[00000032] DE DF D7 DA DD EF CE CE D5 D5 D5 D5 D3 D0 D9 D1  ................
[00000048] A1 CC CC CC C4 C8 CC 68 65 6C 6C 6F C0 D1 C6 84  .......hello....
[00000064] C0 BF BD BD BB B8 B8 B6 B5 B5 B3 AE AA B1 B6 AB  ................
[00000080] AC AD AB A9 A5 A6 A6 A6 A7 A5 9E AB A8 70 AC 9C  .............p..
[00000096] 9F 99 99 99 94 9A A0 8B 95 9C 93 92 8E 8C 8D 8A  ................

.jpg: starts with 0xFF 0xD8 (JFIF header)
MD5(c:\assets\file04.jpg)= d82e64b5ba09960eb3e23aaf46644f45
[00000000] FF D8 FF E0 00 10 4A 46 49 46 00 01 00 01 00 C8  ......JFIF......
[00000016] 00 C8 00 00 FF FE 00 1F 4C 45 41 44 20 54 65 63  ........LEAD Tec
[00000032] 68 6E 6F 6C 6F 67 69 65 73 20 49 6E 63 2E 20 56  hnologies Inc. V
[00000048] 31 2E 30 31 00 FF DB 00 43 00 19 11 12 16 12 0F  1.01....C.......
[00000064] 19 16 14 16 1C 1A 19 1E 25 3F 29 25 22 22 25 4D  ........%?)%""%M
[00000080] 37 3A 2D 3F 5B 50 60 5E 5A 50 58 56 65 71 91 7B  7:-?[P`^ZPXVeq.{
[00000096] 65 6B 89 6D 56 58 7E AC 7F 89 96 9A A2 A4 A2 61  ek.mVX~........a

.png: starts with 0x89 0x50 0x4E 0x47 (.PNG)
MD5(c:\assets\bg.png)= 07f4bc9c7d4c36a864dce5c8ad108d82
[00000000] 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52  .PNG........IHDR
[00000016] 00 00 00 F3 00 00 00 C3 08 06 00 00 00 57 8C 27  .............W.'
[00000032] 92 00 00 00 04 67 41 4D 41 00 00 AF C8 37 05 8A  .....gAMA....7..
[00000048] E9 00 00 00 19 74 45 58 74 53 6F 66 74 77 61 72  .....tEXtSoftwar
[00000064] 65 00 41 64 6F 62 65 20 49 6D 61 67 65 52 65 61  e.Adobe ImageRea
[00000080] 64 79 71 C9 65 3C 00 00 0A EB 49 44 41 54 78 DA  dyq.e<....IDATx.
[00000096] EC DD DD 6F 54 69 1D C0 F1 E7 9C 33 2F 7D D9 E9  ...oTi.....3/}..
Magic Numbers
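An added Python example (not the lecture's code) that ties the file-type filters, the MIME slide and the hex dumps above together: it identifies a payload by its magic number, decodes a base64 MIME part before checking it, and shows why a base64 attachment can be matched on a fixed text prefix such as /9j/ for JPEG; the sample headers are constructed, not bytes from the lecture's captures.

```python
"""Magic-number detection for raw payloads and for base64 MIME bodies.

Added illustration, not the lecture's code. The JPEG header FF D8 FF
always base64-encodes to the prefix "/9j/", which is why the email slide
filters on smtp contains "/9j/4AAQSkZJRgABAQEA".
"""
import base64
import binascii

# Signatures at offset 0, as on the slides (JPEG taken from the hex dump).
MAGIC = [
    ("pdf", b"%PDF"),           # 25 50 44 46
    ("gif", b"GIF8"),           # 47 49 46 38 (GIF87a / GIF89a)
    ("png", b"\x89PNG"),        # 89 50 4E 47
    ("zip", b"PK\x03\x04"),     # 50 4B 03 04
    ("jpeg", b"\xff\xd8\xff"),  # FF D8 FF
]


def file_type(data):
    """Name of the signature the payload starts with, or None."""
    for name, sig in MAGIC:
        if data.startswith(sig):
            return name
    return None


def base64_prefix(sig):
    """Base64 text every encoded body starting with sig must begin with.

    Only whole 3-byte groups map to fixed characters, so the signature is
    truncated to a multiple of three bytes first.
    """
    fixed = len(sig) // 3 * 3
    return base64.b64encode(sig[:fixed]).decode("ascii")


def file_type_in_mime(body_b64):
    """Decode a base64 MIME part (line breaks ignored) and identify it."""
    try:
        raw = base64.b64decode("".join(body_b64.split()), validate=True)
    except binascii.Error:
        return None
    return file_type(raw)


# Constructed sample headers (not bytes from the lecture's captures).
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00"
PNG_HEAD = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
JPEG_B64 = base64.b64encode(JPEG_HEAD).decode("ascii")
PNG_B64 = base64.b64encode(PNG_HEAD).decode("ascii")
```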

DLP Data in-motion Timelining Author: Prof Bill Buchanan

Timelining DLP (NetWitness): who, why, when? From the pcap file: IP/MAC addresses, geolocation and assets, placed on a timeline running from the start of the incident to the end of the incident.
