De-Coder’s Ring

Consumable Security and Technology

Category: Uncategorized (page 1 of 7)

Threat Hunting: The Network and PCAP

Getting back to a technical topic, let’s talk about PCAP.    Is an abbreviation for Packet Capture.   PCAP is the industry standard format for capturing, storing and analyzing network data.

PCAP was made ubiquitous thanks to ‘libpcap‘, a pretty common *nix library for network monitoring and manipulation.  libpcap is enabled via some super simple (to use) tools called tcpdump and tcpreplay.   These allow a developer/analyst to work with the data, over real or virtual networks.

Those tools are command linux utilities for experts to use primarily, but they’re simple to get started with.   Alternatively, you can use a tool called Wireshark to monitor, capture and analyze network traffic.  Wireshark is free, and has some great features around session decoding, traffic analysis and filtering.

Without jumping into too much detail in this post (more information can be found in the video below), we’ll go over some high level information about what a packet looks like.

A packet is a chunk of data, sent across a network.  A packet can contain a full message, or can be one component of a much larger stream, that’s used to break up large pieces of data (movies, songs, pictures, etc) into bite sized chunks.

A packet contains a header, which tells the network gear things like source and destination address, timestamp, protocol and packet size.   Network data can be classified in different layers, reference the OSI Model.   Each layer up from the ‘physical’ layer can be thought of as more specialized.

An example of that would be an HTTP (layer 7) packet, contained in a TCP packet (Layer 4) within an IP packet (layer 3) which is contained in an Ethernet (layer 2) packet.    The ethernet packet has very little information in the header.  Source, destination and what protocol the next/layer 3 packet it.   The address in the ethernet packet is a physical/hardware address.   An IP packet is potentially a globally reachable packet (  8.8.8.8 ) and the TCP packet adds application ports.

Here’s an example of the packet break down for an HTTP request.   (( FYI:  Wireshark puts layer 7 at the bottom, while I said layer 7 is at the top ))

HTTP Packet

HTTP Packet

Indexed Data: The Common Stack

Throughout the past 20 years of my career, I’ve seen a lot of data.  Small data applications that handle a few transactions (re: blogs),  large applications (multi-tenant network data collection).

Just about every single one of them has dealt with text searching in some capacity or another.

These days, if I’m moving data in work projects or fun/personal projects, I’m relying over and over on the same stack.

Logstash/Beats -> Kafka -> Logstash -> Elasticsearch with some cool visualizations in Kibana.

Want to know why?

It just freaking works. Especially well for time based events.   Even if it’s not time based, it works.

… best of all?   It’s all freaking free.

You can stand up a single node with all of the above on it.    Easy.  Sure, it won’t scale on a single node, but, each component of that list scales horizontally.

Prototype small, grow big.

Threat Hunting with Open Source Software

I’ve begun working on a new project, with a spiffy/catchy/snazzy name:
Threat Hunting: With Open Source Software, Suricata and Bro

I’ve planned out multiple chapters, from raw PCAP analysis, building with session reassembly, into full on network monitoring and hunting with Suricata and Elasticsearch.

This project will take a long time. While I work through it, I’ll be posting here regularly. I very much welcome feedback.

Here’s a little introduction video, but , more will come as I add videos.

The next video will be looking at how data is transmitted over a network… anyone ready for a super brief OSI Network model overview?

Foray into video

Recently, I worked with Packt publishing to release a video on Neo4j.  This gave me a little confidence and ideas for how to build my own video series.    I have a plan in place to start building some items around technologies that I’m a huge fan of.    Some will be perch related, some will not be, so, get prepared for a wide mix!

Here’s one that I put together to introduce a new feature at Perch!

Older posts

© 2017 De-Coder’s Ring

Theme by Anders NorenUp ↑