http://securityratty.com/tag/toolsmith Wed, 26 Dec 2007 08:54:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/3bd8455fedce6ac873ea3b9f63cd7b90 http://securityratty.com/article/3bd8455fedce6ac873ea3b9f63cd7b90 Expanding Response: Deeper Analysis for Incident Handlers, now available in the SANS Reading Room. The premise was to further expand on the topics discussed in my Malware analysis tools post. This paper includes tools discussed at various times in my toolsmith column in the ISSA Journal, and includes details on Argus, HeX, NSM-Console, and NetworkMiner.

Abstract:
"The perspective embraced for this discussion is that of an analyst who is working a process to determine the exact nature of malicious software on his network. He is in receipt of the above mentioned .exe and .pcap files and seeks to further his understanding with the use of less typical tools. She begins the process with the network capture, and then takes a closer look at the binary to see what can be learned and what the impacts of an outbreak on her network might be."

del.icio.us | digg | Submit to Slashdot]]> Fri, 10 Oct 2008 04:38:00 +0000 network paper includes tools incident handlers network capture deeper analysis paper gcih gold includes details pcap files Expanding Response: Deeper Analysis for Incident Handlers http://securityratty.com/article/8f5b32eca2e471054acd118ae718ad31 http://securityratty.com/article/8f5b32eca2e471054acd118ae718ad31 FIRST conference in Vancouver, BC this week presenting, attending great presentations, and meeting a fantastic group of people.
I'd like to applaud some great presenters I've seen so far, including Par Osterberg Medina (Detecting Intrusions), Anton Chuvakin (Log Analysis), Raffael Marty (Applied Security Visualization), and Steve Mancini (RAPIER).
I've also been advised of some tools for your consideration, to aid in the security analysis / incident response cause, as well as possible topics for toolsmith.
Take a look at these, if you aren't already familiar with them:
BitBlaze - Binary Analysis for COTS Protection and Malicious Code Defense
F-Response - The First Truly Vendor Agnostic Solution for Remote Forensics and eDiscovery
Maltego - Maltego is an open source intelligence and forensics application. It allows for the mining and gathering of information as well as the representation of this information in a meaningful way.
The Volatility Framework - Volatile memory artifact extraction utility framework
Thanks to Richard Bejtlich for pointing out F-Response and Volatility and Steve Mancini for BitBlaze and Maltego.

On another front, in support of Eva Chen's (Trend Micro) recent claim that the anti-virus industry sucks, John Stewart of Cisco, in his keynote this morning, reiterated the premise that the fight against malware is a lost cause. The point he was really driving at is the downfall of blacklisting and that whitelisting is essential given that "the total good is smaller than the total unknown and bad". This, as his fourth postulate of many good postulates this morning, truly supports my own beliefs. I'm more focused on whitelisting in the web application security space, but the premise is the same. If the vast majority of requests to secured elements of your applications are bad, then simply deny all, and allow only that which you trust.

More to come...

del.icio.us | digg]]> Thu, 26 Jun 2008 04:53:00 +0000 steve mancini volatility volatility framework anti-virus industry sucks total unknown maltego par osterberg medina vendor agnostic solution total Live from the 20th Annual FIRST Conference http://securityratty.com/article/23ca43a9d7f75783982ad6ad9ad47b34 http://securityratty.com/article/23ca43a9d7f75783982ad6ad9ad47b34 HeX System for the pending February toolsmith, I was extremely pleased to discover NSM-Console, from Matthew Lee Hinman. I've not yet seen such an efficient, useful, all encompassing framework for offline packet analysis. NSM-Console includes modules for:
# aimsnarf
# ngrep (gif/jpg/pdf/exe/pe/ne/elf/3pg/torrent)
# tcpxtract
# tcpflow
# chaosreader
# bro-IDS
# snort
# tcpdstat
# capinfos
# tshark
# argus
# ragator
# racount
# rahosts
# hash (md5 & sha256)
# ra
# honeysnap
# p0f
# pads
# fl0p
# iploc
Consider giving both HeX System and the included NSM-Console an immediate look.

]]> Thu, 10 Jan 2008 09:50:00 +0000 nsm-console nsm-console includes modules hex system matthew lee hinman discover nsm-console offline packet analysis february toolsmith tcpflow ngrep NSM-Console and HeX update http://securityratty.com/article/75c507f8a0df9231a9361b0e07ab5104 http://securityratty.com/article/75c507f8a0df9231a9361b0e07ab5104 toolsmith column in the ISSA Journal features Gpg4win, a suite that integrates GPG into your Windows envronment. Next month will be discussing more powerful NSM opportunities with HeX, a FreeBSD-based Live CD loaded with network security monitoring tools. toolsmith offers insights on tools useful to the infosec practitioner, typically open source or inexpensive. The ISSA Journal is available to members in print and online at issa.org. Article copies are available on the toolsmith page.

]]> Thu, 03 Jan 2008 16:47:00 +0000 toolsmith offers insights issa journal issa powerful nsm opportunities network security toolsmith column toolsmith page live cd january January's toolsmith - Gpg4win http://securityratty.com/article/fb65a2d4609cbcefc5bdbbb91ee3d8c8 http://securityratty.com/article/fb65a2d4609cbcefc5bdbbb91ee3d8c8 The Malcode Analysis Software Tools from iDefense Labs are extremely useful. toolsmith featured the suite in the July 2007 column.
API-Logger can be used as a standalone tool or you can run the .exe through SysAnalyzer which includes API-Logger output.
Other important pieces in my sandbox included VMWare Server (Linux host, Windows VMs), PE Explorer, RAPIER 3.2, Wireshark, Mandiant Red Curtain (MRC), and the Systinternals tools.
Check the toolsmith page for articles on Wireshark, MRC, and RAPIER use as well.
Required reading from the "The Godfather of RE", Lenny Zeltser, includes his Reverse Engineering Malware paper.
]]> Wed, 26 Dec 2007 08:54:00 +0000 tools api-logger includes api-logger output includes malware analysis toolsmith page toolsmith mandiant red curtain systinternals tools Malware analysis tools