Intro to Network Traffic Analysis

Jonathan Schipp

Tue, 12th February 2013


Speaker Bio 1:
Jon is a Unix System Administrator and Security Specialist for a small business in Southern Indiana. He is also the founder of the Dubois County Linux User Group and of the Southern Indiana Computer Klub. He spends much of his free time studying the social sciences and playing volleyball.

Questions and answers

Max, Concise Courses:
What is the best tool for mobile intrusion detection – does Snort work best for this?

Jonathan Schipp:
I actually haven’t done anything with mobile intrusion detection. We don’t have the facilities [for that] at work; I work in a small business, so mobile intrusion detection is something I don’t have any experience with, but I will say that there is some stuff in Snort that allows you to comment mobile commands on various types of attacks. With that said, you can write your own Snort rules for attacks that would not be there otherwise. For instance, there is a vulnerability in rooted iPhones whereby they leave the SSH password there by default. So if that wasn’t available, you could easily write your own Snort rule to detect that.


Max, Concise Courses:
Is there a way that you would identify that a domain has been hijacked, i.e. domain name hijacking? Would we expect to see a sudden spike or a sudden decline in packet requests?

Jonathan Schipp:
Yes, probably. It depends on how the hijacking attack is done, but it is possible or probable that you will see more requests, depending on what the hijacker is going to do, whether he is taking multiple requests [or otherwise]. It’s difficult to answer that.


Max, Concise Courses:
Is it becoming increasingly difficult for intrusion detection to identify the “tell-tale” signs?

Jonathan Schipp:
I am not sure if it is increasingly difficult, but if you are on a network and you are not supposed to be there, and you’re an attacker and you want to find out whether the network has an intrusion detection system, it’s not really easy, but there are things that you can do. If you are able to view any sort of traffic coming out of the network, you might be able to see intrusion traffic that goes out if there are multiple domain requests. A lot of intrusion detection systems or analysts, whenever they look at packet capture analysis, if they don’t use the dash option (the Domain Name Resolution option), the resolution of all those names over a period of time while the packet capture is being read [does its job] may give an indication that there is an analyst looking at traffic.

If an attacker owns a domain, or has a domain that he has control of, and his tool triggered some IDS alert, and you make a request to that domain, he will know that you made a request to the domain, and that will give an indication that someone is investigating the traffic.


Max, Concise Courses:
What is the most common threat you see these days?

Jonathan Schipp:
Phishing. Like I said, I work in a small company and I don’t have WAN access to high levels of traffic, but we experience a lot of phishing attacks. You can easily parse out the information from pcap files [using pentesting security tools] like tcpflow and tcpick.


Max, Concise Courses:
Would you consider yourself more of a forensics consultant rather than a pure-play information security consultant, and which Linux distribution do you prefer, based upon your career definition?

Jonathan Schipp:
I would describe myself as [more of a hobbyist], and I do a lot of this stuff in my free time, but I would love to do this stuff full-time, so if anyone can help me with that in the future, please give me a ring! I am using Ubuntu right now; I really like that and I am comfortable with it, but Fedora works as well, and I have used FreeBSD in my testing phases as an operating system for full content packet capture. I know that is highly recommended by a number of professionals like Richard Bejtlich from Mandiant. FreeBSD is excellent as well, so I highly recommend trying that one out.


Max, Concise Courses:
We had Jordan Sissel on the show several months ago. He developed Logstash, which perhaps you have heard of? Logstash is a tool for managing server events and logs. Does this fall under the bracket of network traffic analysis, or would you consider your work slightly different? In other words, are server logs exactly the same as networking audits?

Jonathan Schipp:
No, they are not the same thing, but I would say that a tool like Logstash, although I have never used it (I have heard of it), is in the same domain or realm. They are both very important, especially depending on what you log on your servers. A normal system log daemon can actually take in Snort alert logs, and you can use tools like Splunk. Although I have never used Logstash or any other providers like LogRhythm, [you can use all these services] to correlate multiple events, server events and networking events, so they are very important to have together so that you can see the bigger picture. You may have an alert, and then you may have a server alert that someone has logged in right after that event, which corresponds to that alert. So it is important to piece all things together.