http://securityratty.com/tag/nsm Thu, 03 Jan 2008 16:47:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/3bd8455fedce6ac873ea3b9f63cd7b90 http://securityratty.com/article/3bd8455fedce6ac873ea3b9f63cd7b90 Expanding Response: Deeper Analysis for Incident Handlers, now available in the SANS Reading Room. The premise was to further expand on the topics discussed in my Malware analysis tools post. This paper includes tools discussed at various times in my toolsmith column in the ISSA Journal, and includes details on Argus, HeX, NSM-Console, and NetworkMiner.

Abstract:
"The perspective embraced for this discussion is that of an analyst who is working a process to determine the exact nature of malicious software on his network. He is in receipt of the above mentioned .exe and .pcap files and seeks to further his understanding with the use of less typical tools. She begins the process with the network capture, and then takes a closer look at the binary to see what can be learned and what the impacts of an outbreak on her network might be."

del.icio.us | digg | Submit to Slashdot]]> Fri, 10 Oct 2008 04:38:00 +0000 network paper includes tools incident handlers network capture deeper analysis paper gcih gold includes details pcap files Expanding Response: Deeper Analysis for Incident Handlers http://securityratty.com/article/8490240982532919695d5c4c9231e15f http://securityratty.com/article/8490240982532919695d5c4c9231e15f take on the topic, or search Emergingthreats to come up to speed.
Yesterday, EstDomains posted the most inept, ridiculous response ever issued to the endless and worthy criticism, largely leveled by Brian Krebs at the Washington Post.
Not only can't these morons from EstDomains write, they're either so deeply clueless or flagrantly malicious (likely both), it's beyond laughable. This section sums it up best:
"The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality. But the outstanding performance of hosting services is not the sole reason why EstDomains, Inc appreciates this partnership so greatly. Intercage, Inc generously provides EstDomains, Inc specialists with reports regarding discovered malware vehicles. As the main database for additional domain name management services is located in Intercage Data Center, EstDomains, Inc has the perfect opportunity to get notifications of the slightest mark of malware presence in the shortest time and take measures in advance."
What? Really?
Again, aside from the absolute butchery of the language, did they just say "The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality."? SIGH...yes, they did.

Allow me to exemplify just how ridiculous a claim that is.
Following is content from a packet capture I took during a recent Storm worm analysis.

Using the ip2asn module included in NSM-console availabe in HeX, we find:
27595 | 216.255.189.211 | INTERCAGE - InterCage, Inc.

Using Etherape, also included in HeX, we see:



Using Eric Hjelmvik's NetworkMiner, we see:



See the recurring theme? Intercage, EstDomain's "reliable ally in its battle against malware".
Nice work, guys...keep it up.

I'm submitting this to The Daily WTF as we speak.

del.icio.us | digg]]> Mon, 15 Sep 2008 17:32:00 +0000 intercage estdomains malware malware presence intercage data center track malware issues reliable ally management services malware vehicles EstDomains & Intercage: A Perfect Couple in Crime http://securityratty.com/article/23ca43a9d7f75783982ad6ad9ad47b34 http://securityratty.com/article/23ca43a9d7f75783982ad6ad9ad47b34 HeX System for the pending February toolsmith, I was extremely pleased to discover NSM-Console, from Matthew Lee Hinman. I've not yet seen such an efficient, useful, all encompassing framework for offline packet analysis. NSM-Console includes modules for:
# aimsnarf
# ngrep (gif/jpg/pdf/exe/pe/ne/elf/3pg/torrent)
# tcpxtract
# tcpflow
# chaosreader
# bro-IDS
# snort
# tcpdstat
# capinfos
# tshark
# argus
# ragator
# racount
# rahosts
# hash (md5 & sha256)
# ra
# honeysnap
# p0f
# pads
# fl0p
# iploc
Consider giving both HeX System and the included NSM-Console an immediate look.

]]> Thu, 10 Jan 2008 09:50:00 +0000 nsm-console nsm-console includes modules hex system matthew lee hinman discover nsm-console offline packet analysis february toolsmith tcpflow ngrep NSM-Console and HeX update http://securityratty.com/article/75c507f8a0df9231a9361b0e07ab5104 http://securityratty.com/article/75c507f8a0df9231a9361b0e07ab5104 toolsmith column in the ISSA Journal features Gpg4win, a suite that integrates GPG into your Windows envronment. Next month will be discussing more powerful NSM opportunities with HeX, a FreeBSD-based Live CD loaded with network security monitoring tools. toolsmith offers insights on tools useful to the infosec practitioner, typically open source or inexpensive. The ISSA Journal is available to members in print and online at issa.org. Article copies are available on the toolsmith page.

]]> Thu, 03 Jan 2008 16:47:00 +0000 toolsmith offers insights issa journal issa powerful nsm opportunities network security toolsmith column toolsmith page live cd january January's toolsmith - Gpg4win