In this first article, I’ll describe the mindset you should approach a large packet capture with. After that, I’ll describe the first technique: how to use Wireshark’s color coding feature to visually identify individual conversations.

“A question well stated is a problem half solved.” – Charles Kettering

Every analysis and investigation focused class I teach revolves around this thesis, rooted in the scientific method. In packet analysis, you should always have a clear question in mind before you go about collecting packets. While packets may not lie, they do tell thousands of truths. Since you’re probably only looking for one of them, that’s a lot of truth to wade through. When you make the decision to look at the packets, stop and ask yourself “why?” What are you looking for? Could it be:

- Confirmation that an IDS signature is a true positive.
- Something indicating where the source of network latency is.
- The nature of data transferred between two hosts.

If you can define what question you’re trying to answer, you should be able to figure out where to look and what analysis technique to use. Knowing these two things is the key to overcoming being overwhelmed.

For example, consider an alert that a host on your network (10.10.1.75) communicated over HTTP with a landing page associated with an exploit kit. What led 10.10.1.75 to the landing page? Where should I look? This sequence occurs over HTTP, so I’m interested in HTTP communication involving 10.10.1.75 around the time identified in the alert. These questions tell me what I need to know to go forward!
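As an added illustration (not code from the original post), here is how the question in that example can be turned into something concrete: a Wireshark display filter scoped to the host, protocol and time window, and a small check over constructed sample HTTP requests that walks Referer headers back from the landing page. The hostnames, addresses, timestamps and the Referer walk are all assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of HTTP requests already extracted from a capture (not real traffic).
# Fields: timestamp, client, server, Host header, URI, Referer header (None if absent).
SAMPLE_REQUESTS = [
    ("2014-05-01T10:14:02", "10.10.1.75", "93.184.216.34", "news.example", "/", None),
    ("2014-05-01T10:14:03", "10.10.1.75", "93.184.216.34", "news.example", "/ads.js", "http://news.example/"),
    ("2014-05-01T10:14:05", "10.10.1.75", "198.51.100.7", "ads.example", "/serve?id=9", "http://news.example/"),
    ("2014-05-01T10:14:06", "10.10.1.75", "203.0.113.9", "landing.example", "/index.php", "http://ads.example/serve?id=9"),
    ("2014-05-01T10:20:00", "10.10.1.80", "203.0.113.9", "landing.example", "/index.php", None),
    ("2014-05-01T09:00:00", "10.10.1.75", "93.184.216.34", "news.example", "/", None),
]


def display_filter(host, alert_time, minutes=5):
    """Express the question 'HTTP traffic involving host around the alert' as a
    Wireshark display filter (assumes a Wireshark version that accepts ISO 8601
    timestamps in frame.time comparisons)."""
    fmt = "%Y-%m-%d %H:%M:%S"
    start, end = alert_time - timedelta(minutes=minutes), alert_time + timedelta(minutes=minutes)
    return (f'ip.addr == {host} && http && '
            f'frame.time >= "{start.strftime(fmt)}" && frame.time <= "{end.strftime(fmt)}"')


def requests_in_window(reqs, host, alert_time, minutes=5):
    """Keep only the requests that answer the 'where should I look' question:
    the host of interest, within +/- minutes of the alert time."""
    start, end = alert_time - timedelta(minutes=minutes), alert_time + timedelta(minutes=minutes)
    return [r for r in reqs if r[1] == host and start <= datetime.fromisoformat(r[0]) <= end]


def referer_chain(reqs, landing_host):
    """Answer 'what led the host to the landing page' by following Referer
    headers backwards from the landing page request (assumed heuristic)."""
    by_url = {f"http://{r[3]}{r[4]}": r for r in reqs}
    cur = next((r for r in reqs if r[3] == landing_host), None)
    chain = []
    while cur is not None and cur not in chain:   # guard against Referer loops
        chain.append(cur)
        cur = by_url.get(cur[5]) if cur[5] else None
    return [f"{r[3]}{r[4]}" for r in reversed(chain)]


if __name__ == "__main__":
    alert = datetime(2014, 5, 1, 10, 14, 6)
    print(display_filter("10.10.1.75", alert))
    scoped = requests_in_window(SAMPLE_REQUESTS, "10.10.1.75", alert)
    print(" -> ".join(referer_chain(scoped, "landing.example")))
```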