Академический Документы
Профессиональный Документы
Культура Документы
Outline
2 / 23
Post-Facto Forensics
Scenario
1. You observe symptoms of infections
I
I
3 / 23
Messages
Application
Transport
new_connection, udp_request
Packets
(Inter)Network
new_packet, packet_contents
Frames
Link
Byte stream
arp_request, arp_reply
4 / 23
Bro Logs?
5 / 23
Bro Logs!
Events Scripts Logs
I
6 / 23
Log Analysis
I
How do we do it?
I
In-situ processing
I
I
7 / 23
Outline
8 / 23
I
I
I
I
9 / 23
Typical operations
I
I
I
10 / 23
Typical operations
I
11 / 23
Outline
12 / 23
For each resolver, no connection should reuse the same source port
For each resolver, connections should use random source ports
4. Express analysis:
I
7. Close the loop: write a Bro script that does the same
13 / 23
4. Express analysis:
I
I
Look for \0 in CN
Look for non-ASCII chars in CN
7. Close the loop: write a Bro script that does the same
15 / 23
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
17 / 23
1. Issue: APT
2. Identify relevant data , network behavior
I
II
III
18 / 23
}
global duqus: table[addr] of DuquState; ## Duqu-infected hosts.
19 / 23
20 / 23
Questions?
21 / 23
1-2pm: Exercise
Intelligence-Based Incident Response
3:10-4pm: Exercise
Advanced HTTP Traffic Analysis
References I
Srikanth Kandula, Ratul Mahajan, Patrick Verkaik, Sharad Agarwal,
Jitendra Padhye, and Paramvir Bahl.
Detailed Diagnosis in Enterprise Networks.
In Proceedings of the ACM SIGCOMM 2009 Conference on Data
Communication, SIGCOMM 09, pages 243254, New York, NY, USA,
2009. ACM.
Robin Sommer and Vern Paxson.
Outside the Closed World: On Using Machine Learning for Network
Intrusion Detection.
In Proceedings of the 2010 IEEE Symposium on Security and Privacy,
SP 10, pages 305316, Washington, DC, USA, 2010. IEEE Computer
Society.
23 / 23