It was bound to happen - suspected hack

Brian Kelsay Brian.Kelsay at kcc.usda.gov
Thu Oct 21 12:38:16 CDT 2004


That all sounds cool.  I wasn't 100% sure there was a way to do that.


Brian Kelsay

>>> "Dustin Decker" <> 10/21/04 12:27PM >>>
> -----Original Message-----
> From: On Behalf Of Brian Kelsay
> 
> You said you can "playback" the intrusion.  What exactly do you mean by
> that?  Do you set up a test network and resend the packets and data, or are
> you just viewing the packets from the log?  I'm wondering about the
> ability to do a full-scale recreation, say for a demo in a court or at a
> customer site or something.

In reality, if I "possess" the packets, I can do whatever I want with them.
Generally, I use the term "replay" loosely, implying that I pass the binary
file to Snort, and it does analysis on it and produces whatever the output
I'm after is.

There are of course other fun things one can do with these files.  Tcpreplay
is a program I use frequently, in testing environments.  It allows me to
replay files back onto the wire, or as I'm fond of, loop back.  What's great
about tcpreplay is the ability to take known traffic (good or bad) and toss
it at my IDS to test my signatures.  I can flood the sh*t outta my sensor
and determine if it will suffer packet loss, etc. as well.

So the answer is yes across the board.  In court, you generally want the
lawyers to lead you - give 'em what they're looking for and nothing more.
If they want a dog and pony show, I would suggest Ethereal if in depth
analysis, bit by bit, is required.  If the prosecution is merely looking to
get things to the jury plainly (packet analysis will fsck 'em up), you can
do a replay while Etherape displays a pseudo-real-time GUI which clearly
indicates what you want.

The waters get murky here.  Placing information in context is extremely
important.  If I have 396,984 packets in a file, it would behoove me to
replay only those packets relevant to the issue at hand.  Otherwise, folks
wonder, "Hey, what's all that other traffic I see buzzing past?"  This is
venue specific as far as I know - some judges will allow this, but others
consider pulling the packets out of the stream alone to be tantamount to
evidence tampering, etc.

A great reference for this, if I had time to dig through it for you, would
be the "Cybersecurity Operations Handbook" by John W. Rittinghouse and
William M. Hancock.  (Elsevier Digital Press - ISBN: 1-55558-306-7)  This
one is more like $125.00-$150.00 IIRC.

As I consider how I would like to perhaps do a demo of this at a meeting
some time (did something similar for ILUG a couple of years ago with
snort+mysql+acid), now I wonder if it wouldn't be a great thing to show off
at ITEC?  If so, I'd need some help.  (Think "tons of {SCARY} exploits you
can throw at sensors I have in place" while I provide output via Etherape
[just network traffic as it passes on the wire, a la "Wow, look what Hacker
Joe is doing, red and blue and green images!"] on one monitor, and snort
analysis information ["See, Hacker Joe is busy, but we SEE him and are onto
his ilk."] on another monitor.)  I have a pair of P4 beige boxes and my
trusty Dell laptop which can support this.

Thoughts, heckles, hysterical laughter anyone?

Dustin
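Dustin's point about context (replay only the packets relevant to the issue, but be ready to show how the excerpt relates to the full capture) is the part of this thread a practitioner would most want to see in code. The script below is an added example written for this archive page; it is not code from Dustin, Brian, Snort or tcpreplay. It parses a classic little-endian pcap with the standard library only, keeps the packets to or from one IPv4 host in their original order with their original timestamps, and writes a small manifest (SHA-256 of the untouched original, SHA-256 of the excerpt, packet counts, filter used) so the excerpt can be tied back to the original capture that is kept alongside it. The sample capture is constructed inline (DLT_RAW link type, minimal IPv4 headers with a zero checksum) so the script runs offline; the host addresses and payloads are made up for the example.

```python
import hashlib
import ipaddress
import struct

# pcap global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")
PCAP_REC_HDR = struct.Struct("<IIII")  # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_RAW = 101  # DLT_RAW: raw IP with no link-layer header (keeps the sample small)


def build_pcap(records):
    """Serialize (ts_sec, ts_usec, payload) tuples into a little-endian microsecond pcap."""
    out = [PCAP_GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)]
    for ts_sec, ts_usec, pkt in records:
        out.append(PCAP_REC_HDR.pack(ts_sec, ts_usec, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


def iter_pcap(data):
    """Yield (ts_sec, ts_usec, payload) per record; refuse truncated or unexpected files."""
    magic, _, _, _, _, _, linktype = PCAP_GLOBAL_HDR.unpack_from(data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled by this example")
    if linktype != LINKTYPE_RAW:
        raise ValueError("this example parser expects DLT_RAW captures")
    off = PCAP_GLOBAL_HDR.size
    while off < len(data):
        ts_sec, ts_usec, incl_len, _ = PCAP_REC_HDR.unpack_from(data, off)
        off += PCAP_REC_HDR.size
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield ts_sec, ts_usec, pkt


def ipv4_endpoints(pkt):
    """Return (src, dst, proto) from a raw IPv4 header, or None if the packet is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])),
            pkt[9])


def make_ipv4(src, dst, proto, payload):
    """Constructed test packet: minimal 20-byte IPv4 header (checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def extract_relevant(data, host):
    """Keep only packets to or from `host`, preserving order and timestamps.

    Returns (excerpt_pcap_bytes, manifest). The manifest records what was done
    so the excerpt can be related back to the untouched original capture.
    """
    kept, total = [], 0
    for rec in iter_pcap(data):
        total += 1
        ep = ipv4_endpoints(rec[2])
        if ep and host in ep[:2]:
            kept.append(rec)
    excerpt = build_pcap(kept)
    manifest = {
        "filter": "ipv4 host %s" % host,
        "original_sha256": hashlib.sha256(data).hexdigest(),
        "excerpt_sha256": hashlib.sha256(excerpt).hexdigest(),
        "packets_in": total,
        "packets_out": len(kept),
    }
    return excerpt, manifest


# Constructed sample capture: one conversation of interest plus unrelated background traffic.
SAMPLE = build_pcap([
    (1000, 0, make_ipv4("10.0.0.5", "192.168.1.10", 6, b"GET / HTTP/1.0\r\n")),
    (1000, 250, make_ipv4("10.0.0.7", "8.8.8.8", 17, b"dns?")),
    (1000, 500, make_ipv4("192.168.1.10", "10.0.0.5", 6, b"HTTP/1.0 200 OK\r\n")),
    (1001, 0, make_ipv4("10.0.0.7", "8.8.8.8", 17, b"dns?")),
    (1001, 750, make_ipv4("10.0.0.5", "192.168.1.10", 6, b"bye")),
])

if __name__ == "__main__":
    excerpt, manifest = extract_relevant(SAMPLE, "192.168.1.10")
    for key, value in manifest.items():
        print("%s: %s" % (key, value))
```

The excerpt is what gets replayed or fed to Snort for the demonstration; the original file and the manifest stay with it so anyone asking about "all that other traffic" can be shown exactly what was left out and why.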
