
Sunday, November 24, 2013

We usually need to write an executive report when we are involved in incident handling. In these cases, a good option is to include a world map of the connections that were established during the incident. We may be interested in showing on a map where the command and control servers are hosted, or, for example, which countries a distributed denial of service came from...

To achieve this I am going to show you how to create such a map using Wireshark. The latest Wireshark version, 1.10.2, is used in this guide.

The first thing we need to do is download the GeoIP databases: GeoLite City, Country and ASNum, from the link below (free download): http://geolite.maxmind.com/download/geoip/database/



Then we need to extract the files contained in those downloads into a folder, for example "C:\Geoip".


Now we need to tell Wireshark where the GeoIP files are. To do this, open Wireshark, go to Edit -> Preferences -> Name Resolution and click on Edit in the "GeoIP database directories" section...


... and create a New path pointing to the folder where the files were saved, in this case "C:\Geoip".


It is necessary to restart Wireshark in order to apply the changes. Now we only need to load a PCAP file or start a new traffic capture. Once we have all the traffic captured and want to create the map of the connections involved in the incident, we go to Statistics -> Endpoints...


... select the IPv4 tab and click on the Map button. Notice that if, for example, you have set a display filter in Wireshark that matches only the UDP connections related to the malware, you can tick "Limit to display filter" so that only those connections are plotted on the map. Then click on Map.


Finally, we get a dynamic map with all the connections plotted on it. In this case I have used the PCAP file related to the attack on php.net, which can be downloaded from the Barracuda website here.




Posted on Sunday, November 24, 2013 by Javier Nieto

3 comments

Thursday, April 11, 2013

In this post we'll try to identify the main features that need to be analyzed before buying an enterprise network firewall.

Very often I hear things like: "What's the best firewall on the market?" or "What firewall should I buy for my company?"

The answer is: "It depends on what type of network you need to protect."

A network with 100 users is not the same as a critical, redundant network with 50,000 users and 300 servers...



In my opinion, these are the essential questions you need to think about.

Features

  • What is the maximum number of concurrent firewall sessions needed?
  • How many new firewall sessions per second occur in your network?
  • How much firewall throughput do you need?
  • How many VPN tunnels and how much VPN throughput do you need?
  • Which VPN protocols do you want to use (IPsec, L2TP, PPTP)?
  • Do you require high availability (load balancing, failover)?
  • Do you need copper or fiber interfaces, and at 10/100/1000/10000 Mbps?
  • Are you currently using IPv6, or will it be implemented in the future?
  • How many concurrent sessions and how much throughput will you need in the future?

Be careful when calculating the throughput. Throughput is the average rate of successful message delivery over all your network interfaces, not only on the Internet connections.
Commonly, the throughput quoted by manufacturers is measured in a lab with certain packet sizes, not in the real world.
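The sizing questions above worked through as an added example (my own code, not part of the original post): it sums peak throughput over every interface, applies a growth margin, and rescales a datasheet figure measured at one packet size to the average frame size actually observed, on the assumption that the appliance is packet-rate bound. The measurements and datasheet figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Measured:
    """Peak values observed on your own network (all interfaces, not just the Internet uplink)."""
    interface_peak_bps: dict      # per-interface peak, both directions summed
    concurrent_sessions: int
    new_sessions_per_sec: int
    avg_packet_bytes: int         # real average frame size seen in your captures


@dataclass
class Datasheet:
    """Figures as printed by the vendor, measured in a lab at one fixed packet size."""
    throughput_bps: float
    packet_bytes: int
    concurrent_sessions: int
    new_sessions_per_sec: int


def required_throughput(m: Measured, growth: float) -> float:
    """Sum the peaks of every interface and add the planned growth margin."""
    return sum(m.interface_peak_bps.values()) * (1 + growth)


def datasheet_at_packet_size(d: Datasheet, packet_bytes: int) -> float:
    """Assumption: the box is packet-rate bound, so the lab figure scales with frame size.
    Derive packets/s from the datasheet, then re-express it at the frame size you really see."""
    pps = d.throughput_bps / (d.packet_bytes * 8)
    return pps * packet_bytes * 8


def sizing_check(m: Measured, d: Datasheet, growth: float = 0.5) -> dict:
    """Compare each need against the datasheet; each value is (required, available, ok)."""
    need_bps = required_throughput(m, growth)
    have_bps = datasheet_at_packet_size(d, m.avg_packet_bytes)
    need_sess = m.concurrent_sessions * (1 + growth)
    need_cps = m.new_sessions_per_sec * (1 + growth)
    return {
        "throughput_bps": (need_bps, have_bps, have_bps >= need_bps),
        "concurrent_sessions": (need_sess, d.concurrent_sessions, d.concurrent_sessions >= need_sess),
        "new_sessions_per_sec": (need_cps, d.new_sessions_per_sec, d.new_sessions_per_sec >= need_cps),
    }


# Constructed sample: three interfaces, real traffic averaging 512-byte frames,
# and a datasheet claiming 10 Gbps measured with 1518-byte frames.
SAMPLE_MEASURED = Measured(interface_peak_bps={"internet": 800e6, "dmz": 1.5e9, "lan": 3.0e9},
                           concurrent_sessions=400_000, new_sessions_per_sec=15_000, avg_packet_bytes=512)
SAMPLE_DATASHEET = Datasheet(throughput_bps=10e9, packet_bytes=1518,
                             concurrent_sessions=1_000_000, new_sessions_per_sec=20_000)

if __name__ == "__main__":
    for k, (need, have, ok) in sizing_check(SAMPLE_MEASURED, SAMPLE_DATASHEET).items():
        print(f"{k:22} need {need:>14,.0f}  datasheet {have:>14,.0f}  {'OK' if ok else 'UNDERSIZED'}")
```

With the sample figures the 10 Gbps datasheet box only sustains about 3.4 Gbps at 512-byte frames, well short of the 7.95 Gbps required, so it fails on throughput and on new sessions per second while passing on concurrent sessions.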

Today, firewalls have extra features to keep in mind:
  • Application Control
  • Antivirus
  • IDS/IPS
  • AntiSpam
  • URL Filtering
  • SSL decryption
  • Data Loss Prevention
  • DHCP
  • Bandwidth Management
  • WAN Optimization
  • Web Cache
  • Proxy
  • ...

Posted on Thursday, April 11, 2013 by Javier Nieto

7 comments

Wednesday, April 03, 2013

In the last week of March, the SANS Institute published "Beating the IPS". This report shows different IPS evasion techniques that manipulate the payload, header and traffic flow of a well-known attack.

The goal is to evade detection by widely used products from major security vendors such as Cisco, Check Point, Fortinet, Palo Alto, TippingPoint and Snort while exploiting MS08-067 (http://technet.microsoft.com/en-us/security/bulletin/ms08-067), the vulnerability used by Conficker some years ago...




You can download the report by clicking on this link: http://www.sans.org/reading_room/whitepapers/intrusion/beating-ips_34137

The report concludes that the products are effective against the automated version of the attack; however, when the attack is customized, the situation changes...

All vendors were bypassed using the default IPS settings except one: Check Point.

The SANS report recommends blocking null sessions if we do not need them, and keeping an eye on your IPS alerts.

Posted on Wednesday, April 03, 2013 by Javier Nieto

No comments