Notifications

Clear all

network forensic aims

sirex · 2007-12-12T15:56:35Z

lo, further to http//www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1938prehaps a quick mail here might prove valuable in providing some further info from those that know the area best (thats you guys!).with regards to network forensics, and specifically looking at the analysis of pcap files (thinking along the lines of ethereal type applications here) - how might the forensic examiner employ such a tool (and if they wouldnt, why?).i'm going to try and include some functionality to give information for abnormal network traffic (dos attacks, possible port scanning etc) in my tool to analyse pcap files, as well as timelineing connection streams in the file, but im wondering if there's any other information which a forensic examiner looks for in network traffic which might prove useful.i might look into reconstructing files passed over the session, but it depends on the framework im using to open the pcap files, i dont know if there's enough session information avaliable including packet contents to do that, so for now its just on the drawing board.

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by azrael 18 years ago

16 Posts

6 Users

0 Reactions

1,631 Views

RSS

azrael

(@azrael)

Honorable Member

Joined: 19 years ago

Posts: 656

15/12/2007 1:57 pm

Only if there's a rule written for the anomaly, it's a signature based program.

Ah Young Jedi - you are mistaken about that … -P

There is a Snort Plugin called SPADE ( Statistical Packet Anomaly Detection Engine ) - and it is documented in the "Snort Cookbook" from O'Reilly.

It was created by Silicon Defence as part of a DARPA project before funding was killed and they went the way of the dinosaurs …

Google should provide a link to it's download location, failing that, I have a copy …

Azrael

ReplyQuote

ddow

(@ddow)

Reputable Member

Joined: 21 years ago

Posts: 278

15/12/2007 9:53 pm

Ah Young Jedi

LOL. Young, what's that? D

There is a Snort Plugin called SPADE ( Statistical Packet Anomaly Detection Engine ) - and it is documented in the "Snort Cookbook" from O'Reilly.

Well, a SPADE for the Barnyard. Makes sense, thanks

ReplyQuote

BitHead

(@bithead)

Noble Member

Joined: 20 years ago

Posts: 1206

17/12/2007 8:16 pm

LOL. Young, what's that?

It's what those of us that remember the original use of Young Jedi wish for.

ReplyQuote

sirex

(@sirex)

Active Member

Joined: 18 years ago

Posts: 8

Topic starter 14/01/2008 7:23 pm

thanks for the replies thus far, they've been very helpful ) - the project is starting to come together.

However, im required to show the project addresses (where applicable) any needs created by the lacking ability of current tools, prefferably by asking people knowlegable in the area.

to this end, does anyone have any input on how ethereal (in this instance) might not provide some functionality you require to perform forensics, or is lacking in anouther way (complicated UI, etc etc).

again, not a problem if noone can suggest anything, but i need to ask )

ReplyQuote

ddow

(@ddow)

Reputable Member

Joined: 21 years ago

Posts: 278

14/01/2008 8:17 pm

I suspect the biggest issue using Ethereal/Wireshark isn't the tool, but rather the need to understand the network protocols as well as the tool requires. The second issue is the need to pick the packets of interest out of the overwhelming amount of data. That is where snort as a pre-processor is such a helpful add on.

ReplyQuote

azrael

(@azrael)

Honorable Member

Joined: 19 years ago

Posts: 656

14/01/2008 8:19 pm

Well, to the best of my knowledge, you are still lacking anomaly detection …

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
297 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed