#1 - Question: At what time (UTC, including year) did the portscanning activity from IP address 123.150.207.231 start?
$ grep -E '123\.150\.207\.231|ntp|rtc' SWT-syslog_messages Aug 29 07:07:40 gw kernel: platform rtc_cmos: registered platform RTC device (no PNP device found) Aug 29 07:07:40 gw kernel: rtc_cmos rtc_cmos: rtc core: registered rtc_cmos as rtc0 Aug 29 07:07:40 gw kernel: rtc0: alarms up to one day, 114 bytes nvram Aug 29 07:07:40 gw kernel: rtc_cmos rtc_cmos: setting system clock to 2013-08-29 11:07:08 UTC (1377774428) Aug 29 07:07:44 gw ntpd[1115]: ntpd 4.2.4p8@1.1612-o Fri Feb 22 11:23:27 UTC 2013 (1) Aug 29 07:07:44 gw ntpd[1116]: precision = 15.532 usec Aug 29 07:07:44 gw ntpd[1116]: Listening on interface #0 wildcard, 0.0.0.0#123 Disabled Aug 29 07:07:44 gw ntpd[1116]: Listening on interface #1 wildcard, ::#123 Disabled Aug 29 07:07:44 gw ntpd[1116]: Listening on interface #2 lo, ::1#123 Enabled Aug 29 07:07:44 gw ntpd[1116]: Listening on interface #3 eth0, fe80::a00:27ff:fe53:38ee#123 Enabled Aug 29 07:07:44 gw ntpd[1116]: Listening on interface #4 eth1, fe80::a00:27ff:fe3f:710#123 Enabled Aug 29 07:07:44 gw ntpd[1116]: Listening on interface #5 lo, 127.0.0.1#123 Enabled Aug 29 07:07:44 gw ntpd[1116]: Listening on interface #6 eth0, 98.252.16.36#123 Enabled Aug 29 07:07:44 gw ntpd[1116]: Listening on interface #7 eth1, 172.16.62.1#123 Enabled Aug 29 07:07:44 gw ntpd[1116]: Listening on routing socket on fd #24 for interface updates Aug 29 07:07:44 gw ntpd[1116]: kernel time sync status 2040 Aug 29 07:07:44 gw ntpd[1116]: frequency initialized 1.726 PPM from /var/lib/ntp/drift Aug 29 07:07:46 gw named[1004]: error (unexpected RCODE SERVFAIL) resolving 'g.ntpns.org/A/IN': 108.161.191.2#53 Aug 29 07:12:03 gw ntpd[1116]: synchronized to 50.22.155.163, stratum 2 Aug 29 07:12:03 gw ntpd[1116]: time reset +2.185132 s Aug 29 07:12:03 gw ntpd[1116]: kernel time sync status change 2001 Aug 29 07:19:35 gw ntpd[1116]: synchronized to 50.22.155.163, stratum 2 Aug 29 07:24:40 gw ntpd[1116]: synchronized to 50.23.135.154, stratum 2 Aug 29 07:33:31 gw ntpd[1116]: synchronized to 158.37.91.134, stratum 2 Aug 29 07:48:34 gw ntpd[1116]: synchronized to 50.22.155.163, stratum 2 Aug 29 07:55:44 gw ntpd[1116]: synchronized to 50.23.135.154, stratum 2 Aug 29 08:15:02 gw ntpd[1116]: synchronized to 158.37.91.134, stratum 2 Aug 29 09:58:55 gw kernel: FW reject_input: IN=eth0 OUT= MAC=08:00:27:53:38:ee:08:00:27:1c:21:2b:08:00 SRC=123.150.207.231 DST=98.252.16.36 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=35517 PROTO=TCP SPT=38553 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0 --SNIP-- Aug 29 10:10:10 gw kernel: FW reject_input: IN=eth0 OUT= MAC=08:00:27:53:38:ee:08:00:27:1c:21:2b:08:00 SRC=123.150.207.231 DST=98.252.16.36 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=38705 PROTO=TCP SPT=38553 DPT=16001 WINDOW=1024 RES=0x00 SYN URGP=0 Aug 30 11:13:40 gw ntpd[1116]: ntpd exiting on signal 15 Answer: Aug 29 09:58:55 2013 + 4 hours is Aug 29 13:58:55 2013
#2 - Question: What IP addresses were used by the system claiming the MAC Address 00:1f:f3:5a:77:9b?
$ tshark -r nitroba.pcap -V -Y "eth.src == 00:1f:f3:5a:77:9b" -T fields -e ip.src | sort -u 169.254.20.167 169.254.90.183 192.168.1.64 $ tshark -r nitroba.pcap -V -Y "eth.dst == 00:1f:f3:5a:77:9b" -T fields -e ip.dst | sort -u 192.168.1.64 Answer: 169.254.20.167, 169.254.90.183 and 192.168.1.64
#3 - Question: What IP (source and destination) and TCP ports (source and destination) are used to transfer the “scenery-backgrounds-6.0.0-1.el6.noarch.rpm” file?
$ tshark -r ftp-example.pcap -V -Y "ip.src == 192.168.75.29 && ip.dst == 149.20.20.135" -T fields -e tcp.seq -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e ftp.request.command -e ftp.request.arg -e ftp.response --SNIP-- Nov 23, 2013 03:39:37.716671000 EST 192.168.75.29 149.20.20.135 37028 21 RETR scenery-backgrounds-6.0.0-1.el6.noarch.rpm 0 Nov 23, 2013 03:39:37.806416000 EST 192.168.75.29 149.20.20.135 37028 21 Nov 23, 2013 03:39:37.821201000 EST 192.168.75.29 149.20.20.135 51851 30472 Nov 23, 2013 03:39:37.821383000 EST 192.168.75.29 149.20.20.135 51851 30472 --SNIP-- Answer: Source IP: 192.168.75.29 Destination IP: 149.20.20.135 Source Port: 51851 Destination Port: 30472
#4 - Question: How many IP addresses attempted to connect to destination IP address 63.141.241.10 on the default SSH port?
$ grep '63.141.241.10:22 ' IVS-netflow-2014-05-23/nfcapd.201405230000.txt | awk -F: '{print $3}' | awk '{print $4}' | sort -u | wc -l 49 Answer: 49 Unique IP addresses attempted to connect to the default SSH port
#5 - Question: What is the byte size for the file named "Researched Sub-Atomic Particles.xlsx"
--SNIP-- 640801 10.3.58.7 10.3.58.6 \users\public\temp\system7\Researched Sub-Atomic Particles.xlsx 16396 19990 10.3.58.6 10.3.58.7 \users\public\temp\system7\Researched Sub-Atomic Particles.xlsx 16396 640877 10.3.58.7 10.3.58.6 \users\public\temp\system7\Researched Sub-Atomic Particles.xlsx 16396 13625 20094 10.3.58.6 10.3.58.7 \users\public\temp\system7\Researched Sub-Atomic Particles.xlsx 16396 --SNIP-- Answer: 13625 bytes
#6a - Question: The traffic in this Snort IDS pcap log contains traffic that is suspected to be a malware beaconing. Identify the substring and offset for a common substring that would support a unique Indicator Of Compromise for this activity.
$ tshark -r snort.log.1340504390.pcap -Y "tcp.len > 0 && tcp.dstport == 1951" -T fields -e data.data > snort.payload $ for i in \`seq 1 32\`;do echo Offset:$((i-1)) Unique values:$(awk -F: "{print \$$i}" snort.payload | sort | uniq -c | sort -n | wc -l);done; Offset:0 Unique values:1 Offset:1 Unique values:1 Offset:2 Unique values:42 Offset:3 Unique values:256 Offset:4 Unique values:1 Offset:5 Unique values:1 Offset:6 Unique values:1 Offset:7 Unique values:1 Offset:8 Unique values:1 Offset:9 Unique values:1 Offset:10 Unique values:1 Offset:11 Unique values:36 Offset:12 Unique values:36 Offset:13 Unique values:36 Offset:14 Unique values:35 Offset:15 Unique values:36 Offset:16 Unique values:36 Offset:17 Unique values:36 Offset:18 Unique values:36 Offset:19 Unique values:36 Offset:20 Unique values:36 Offset:21 Unique values:36 Offset:22 Unique values:36 Offset:23 Unique values:36 Offset:24 Unique values:36 Offset:25 Unique values:36 Offset:26 Unique values:36 Offset:27 Unique values:36 Offset:28 Unique values:36 Offset:29 Unique values:36 Offset:30 Unique values:36 Offset:31 Unique values:1 Answer: Offsets 4-10 are fixed with the value ULQENP2
#6b - Bonus Question: Identify the meaning of the bytes that precede the substring above.
$ cut -d: -f1-4 snort.payload 4f:e6:c2:74 4f:e6:c2:75 4f:e6:c2:77 4f:e6:c2:78 4f:e6:c2:78 4f:e6:c2:78 4f:e6:c2:79 --SNIP-- 4f:e6:eb:b0 4f:e6:eb:b1 4f:e6:eb:b5 4f:e6:eb:b5 4f:e6:eb:c0 Answer: Offsets 0-3 appear to be a timestamp/counter as the values seem to increment Bonus: I wrote a snort signature for detecting the beacons. $ snort -c SANS-DFIR-2015.rules -r snort.log.1340504390.pcap -l . --daq pcap --daq-dir /usr/lib/daq -A console [**] [1:1000001:0] DFIR-2015 Malware beacon [**] [Priority: 0] {TCP} 10.3.59.24:42124 -> 184.82.188.7:1951 [**] [1:1000001:0] DFIR-2015 Malware beacon [**] [Priority: 0] {TCP} 10.3.59.51:43407 -> 184.82.188.7:1951 [**] [1:1000001:0] DFIR-2015 Malware beacon [**] [Priority: 0] {TCP} 10.3.59.62:53407 -> 184.82.188.7:1951 [**] [1:1000001:0] DFIR-2015 Malware beacon [**] [Priority: 0] {TCP} 10.3.59.99:53270 -> 184.82.188.7:1951 --SNIP-- [**] [1:1000001:0] DFIR-2015 Malware beacon [**] [Priority: 0] {TCP} 10.3.59.193:55426 -> 184.82.188.7:1951 [**] [1:1000001:0] DFIR-2015 Malware beacon [**] [Priority: 0] {TCP} 10.3.59.189:45839 -> 184.82.188.7:1951 [**] [1:1000001:0] DFIR-2015 Malware beacon [**] [Priority: 0] {TCP} 10.3.59.153:42877 -> 184.82.188.7:1951 [**] [1:1000001:0] DFIR-2015 Malware beacon [**] [Priority: 0] {TCP} 10.3.59.166:45140 -> 184.82.188.7:1951