FaresMorcy

Network


Last updated 7 months ago

The Zeek Network Security Monitor

Run Zeek against a pcap to create Zeek log files in the current directory. Some of the following log files may be created, depending on the pcap content and the Zeek configuration:

  • conn.log
  • dns.log
  • files.log
  • http.log
  • irc.log
  • packet_filter.log
  • ssl.log
  • weird.log

zeek -r /pcaps/Hancitor-Ficker-Cobalt-Strike.pcap

Carve all zeek-supported file types from a file:

sudo zeek -r /pcaps/Hancitor-Ficker-Cobalt-Strike.pcap /usr/local/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek

Display X.509 certificate subjects (run Zeek with -C to ignore bad checksums, then select the field from x509.log with zeek-cut):

zeek -C -r /pcaps/normal/https/alexa-top-500.pcap
cat x509.log | zeek-cut certificate.subject

View Zeek logs without wrapping lines:

zeek -r /pcaps/tbot.pcap
less -S http.log
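The zeek-cut step above works because Zeek's ASCII logs carry their own schema: a `#separator` line declares the delimiter and a `#fields` line names every column, so columns can be selected by name rather than by position. The following is an added example (not part of these notes or of the Zeek project) that reimplements that lookup in Python over a constructed x509.log fragment; the record values are made up for illustration, so it runs without Zeek or a pcap.

```python
"""Select named columns from a Zeek ASCII log, the way zeek-cut does.

Added example, not part of the SEC511 notes or of the Zeek project.
Zeek's default ASCII writer emits tab-separated logs whose '#separator'
line declares the delimiter and whose '#fields' line names each column;
zeek-cut resolves column names through that header. This reimplements the
lookup over a constructed x509.log fragment so it runs without zeek.
"""
from typing import Dict, Iterator, List

# Constructed sample (illustrative values, not from a real capture).
SAMPLE_X509_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tx509\n"
    "#fields\tts\tid\tcertificate.version\tcertificate.serial"
    "\tcertificate.subject\tcertificate.issuer\n"
    "#types\ttime\tstring\tcount\tstring\tstring\tstring\n"
    "1449000000.123456\tFabc123\t3\t0A1B2C"
    "\tCN=www.example.com,O=Example Corp\tCN=Example CA,O=Example Corp\n"
    "1449000001.654321\tFdef456\t3\t0D3E4F"
    "\tCN=login.example.net\tCN=Example CA,O=Example Corp\n"
    "#close\t2015-12-01-00-00-02\n"
)


def parse_zeek_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one {field: value} dict per data line, honouring the header."""
    sep = "\t"
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # The delimiter is written as an escape, e.g. "\x09" for a tab.
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line:
            continue  # #set_separator, #types, #close and friends
        else:
            values = line.split(sep)
            if not fields or len(values) != len(fields):
                raise ValueError(f"malformed record: {line!r}")
            yield dict(zip(fields, values))


def zeek_cut(text: str, *columns: str) -> List[List[str]]:
    """Equivalent of `zeek-cut col1 col2 ...` over the log text."""
    rows = []
    for record in parse_zeek_log(text):
        unknown = [c for c in columns if c not in record]
        if unknown:
            raise KeyError(f"unknown field(s) {unknown}; have {list(record)}")
        rows.append([record[c] for c in columns])
    return rows


if __name__ == "__main__":
    for subject, issuer in zeek_cut(SAMPLE_X509_LOG, "certificate.subject", "certificate.issuer"):
        print(f"{subject}\t{issuer}")
```

Because the header is read rather than assumed, the same function works on conn.log, http.log or any other Zeek log, and a typo in a field name fails loudly instead of silently returning the wrong column.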

ModSecurity Rules

Rules need to be added to a .conf file that ModSecurity processes when it starts up. On the SEC511 VM, this path is /etc/modsecurity. A new file for custom rules should generally be created rather than overwriting a file provided by the Core Rule Set (CRS).

Basic Rule Structure:

SecRule VARIABLE "OPERATOR" "ACTION"

We will replace VARIABLE, OPERATOR, and ACTION with appropriate options provided by ModSecurity.

The default action we will use simply causes log information to be generated and a user-defined message to be supplied. For example:

"log,auditlog,msg:'alert message'"

Detect an HTTP user agent containing the string 'sqlmap':

SecRule REQUEST_HEADERS:User-Agent "@contains sqlmap" "log,auditlog,msg:'alert message'"

Detect an HTTP user agent NOT containing the string 'sqlmap':

SecRule REQUEST_HEADERS:User-Agent "!@contains sqlmap" "log,auditlog,msg:'alert message'"

Match any HTTP user agents that begin with the string 'Mozilla/5':

SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5" "log,auditlog,msg:'alert message'"

Match an argument named 'ip' being set to an IPv4 address, or to any string consisting solely of digits and periods:

SecRule ARGS:ip "^[\d.]+$" "log,auditlog,msg:'alert message'"

Detect the Host header not being equal to the string www.sec511.org:

SecRule REQUEST_HEADERS:Host "!@streq www.sec511.org" "log,auditlog,msg:'alert message'"

Match the Host header being set to any IP address in the range 10.5.11.0 through 10.5.11.255:

SecRule REQUEST_HEADERS:Host "@ipMatch 10.5.11.0/24" "log,auditlog,msg:'alert message'"

Detect the OPTIONS method being used:

SecRule REQUEST_METHOD "@streq OPTIONS" "log,auditlog,msg:'alert message'"

Detect HTTP responses that lack a Content-Type header:

SecRule &RESPONSE_HEADERS:Content-Type "@eq 0" "log,auditlog,msg:'alert message'"

Detect HTTP requests without a User-Agent:

SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "log,auditlog,msg:'alert message'"

Detect HTTP requests with more than one parameter named password:

SecRule &ARGS:password "@gt 1" "id:'999999',log,auditlog,msg:'alert message'"

Detect HTTP requests without a Host header:

SecRule &REQUEST_HEADERS:Host "@eq 0" "log,auditlog,msg:'alert message'"

Detect HTTP requests without a Host header. Add the HTTP User Agent to the information provided in the error.log:

SecRule &REQUEST_HEADERS:Host "@eq 0" "log,auditlog,msg:'alert message',logdata:%{REQUEST_HEADERS.User-Agent}"

error.log - example:

[Sun Dec 13 20:06:18 2015] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\bor\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\\'\"]) ?[=<>]+" at ARGS:name. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "427"] [id "959071"] [rev "2.2.0"] [msg "SQL Injection Attack"] [data "or 1="] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/scanners/pilots.php"] [unique_id "Vm3S7X8AAQEAAB@2CLQAAAAD"]
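The rules above all follow the same VARIABLE / OPERATOR / ACTION shape, and two details of how ModSecurity evaluates them are easy to get wrong: a rule whose target variable is absent from the request is simply not evaluated (so `!@streq` on a missing Host header does not fire, which is why absence is tested with the `&` count prefix and `@eq 0`), and `&` turns the target into a count of matching variables. The following added example (not part of these notes or of ModSecurity) is a small Python evaluator for exactly the subset of targets and operators used above, run against constructed requests. The rules are the ones from this section with an `id` action added (ModSecurity 2.7 and later refuse to load a rule without one) and distinct messages so the output shows which rule fired; the transaction layout, the `transaction()` helper and the ids are this example's own.

```python
"""Evaluate the SecRule subset used in these notes against a request.

Added example, not part of the SEC511 notes or of ModSecurity. Supports
REQUEST_HEADERS:x, ARGS:x, REQUEST_METHOD, the & counting prefix, ! negation,
@contains, @streq, @rx (and the implicit regex form), @ipMatch, @eq, @gt, plus
msg: and logdata: with %{COLL.name} expansion. Phases, chains and the audit
log are out of scope; the transaction layout below is this example's own.
"""
import ipaddress
import re
import shlex
from typing import Dict, List, Tuple

# Rules from the notes, each given an id (ModSecurity 2.7+ refuses to load a
# rule without one) and a distinct msg so the output shows which rule fired.
RULES_CONF = r'''
SecRule REQUEST_HEADERS:User-Agent "@contains sqlmap" "id:1001,log,auditlog,msg:'UA contains sqlmap'"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5" "id:1002,log,auditlog,msg:'UA starts with Mozilla/5'"
SecRule ARGS:ip "^[\d.]+$" "id:1003,log,auditlog,msg:'ip arg is digits and dots'"
SecRule REQUEST_HEADERS:Host "!@streq www.sec511.org" "id:1004,log,auditlog,msg:'Host is not www.sec511.org'"
SecRule REQUEST_HEADERS:Host "@ipMatch 10.5.11.0/24" "id:1005,log,auditlog,msg:'Host in 10.5.11.0/24'"
SecRule REQUEST_METHOD "@streq OPTIONS" "id:1006,log,auditlog,msg:'OPTIONS method'"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "id:1007,log,auditlog,msg:'No User-Agent'"
SecRule &ARGS:password "@gt 1" "id:1008,log,auditlog,msg:'More than one password param'"
SecRule &REQUEST_HEADERS:Host "@eq 0" "id:1009,log,auditlog,msg:'No Host header',logdata:%{REQUEST_HEADERS.User-Agent}"
'''

Pairs = List[Tuple[str, str]]


def transaction(method: str, headers: Pairs, args: Pairs = (), response_headers: Pairs = ()) -> Dict:
    """Constructed stand-in for a ModSecurity transaction (name/value pairs, repeats allowed)."""
    return {"REQUEST_METHOD": method, "REQUEST_HEADERS": list(headers),
            "ARGS": list(args), "RESPONSE_HEADERS": list(response_headers)}


def collect(target: str, tx: Dict) -> List[str]:
    """Resolve REQUEST_HEADERS:Host, ARGS:ip, REQUEST_METHOD, ... to its current value(s)."""
    if ":" not in target:
        return [tx[target]] if target in tx else []
    coll, name = target.split(":", 1)
    fold = coll.endswith("HEADERS")          # header names are case-insensitive, arg names are not
    return [v for k, v in tx.get(coll, []) if (k.lower() == name.lower() if fold else k == name)]


def parse_rule(line: str) -> Dict:
    tokens = shlex.split(line)               # honours the double quotes around OPERATOR and ACTIONS
    if len(tokens) != 4 or tokens[0] != "SecRule":
        raise ValueError(f"not a simple SecRule: {line!r}")
    target, op_spec, actions = tokens[1:]
    negate = op_spec.startswith("!")
    op_spec = op_spec.lstrip("!")
    if op_spec.startswith("@"):
        op, _, arg = op_spec[1:].partition(" ")
    else:
        op, arg = "rx", op_spec             # a bare string is an implicit @rx
    return {"target": target, "negate": negate, "op": op, "arg": arg, "actions": actions}


def op_matches(op: str, arg: str, value: str) -> bool:
    if op == "contains":
        return arg in value
    if op == "streq":
        return value == arg
    if op == "rx":
        return re.search(arg, value) is not None
    if op == "ipMatch":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return False                     # a hostname never matches an IP range
        return any(ip in ipaddress.ip_network(n.strip(), strict=False) for n in arg.split(","))
    if op in ("eq", "gt"):
        return int(value) == int(arg) if op == "eq" else int(value) > int(arg)
    raise ValueError(f"operator @{op} not supported here")


def rule_matches(rule: Dict, tx: Dict) -> bool:
    target = rule["target"]
    if target.startswith("&"):               # & turns the target into a count of matching variables
        values = [str(len(collect(target[1:], tx)))]
    else:
        values = collect(target, tx)
    if not values:
        return False                         # an absent variable is never evaluated, negated or not
    hits = [op_matches(rule["op"], rule["arg"], v) for v in values]
    return any(not h for h in hits) if rule["negate"] else any(hits)


def evaluate(rules_conf: str, tx: Dict) -> List[Tuple[str, str, str]]:
    """Return (id, msg, expanded logdata) for every rule that fires on the transaction."""
    fired = []
    for line in rules_conf.strip().splitlines():
        rule = parse_rule(line)
        if not rule_matches(rule, tx):
            continue
        rid = re.search(r"id:'?(\d+)'?", rule["actions"])
        msg = re.search(r"msg:'([^']*)'", rule["actions"])
        logdata = re.search(r"logdata:([^,]+)", rule["actions"])
        expanded = re.sub(r"%\{(\w+)\.([\w-]+)\}",
                          lambda m: ",".join(collect(f"{m.group(1)}:{m.group(2)}", tx)),
                          logdata.group(1)) if logdata else ""
        fired.append((rid.group(1) if rid else "", msg.group(1) if msg else "", expanded))
    return fired


if __name__ == "__main__":
    scan = transaction("GET", [("Host", "www.sec511.org"), ("User-Agent", "sqlmap/1.0")], [("ip", "10.5.11.7")])
    for rid, msg, data in evaluate(RULES_CONF, scan):
        print(f"[id {rid}] {msg} {data}")
```

A request with no Host header fires rule 1009 (the `&` count is 0) but not rule 1004, even though its `!@streq` would read as "Host is not www.sec511.org"; the same holds for any negated rule on a missing header, which is the reason the notes test for absence with `&...@eq 0` rather than with negation.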

ngrep

ngrep brings the basic power of grep to network traffic. We need ngrep because PCAP files are binary. Although piping the output of strings to grep can work, grep will still not be PCAP-aware in the way ngrep is. Rather than simply showing, for example, a line within the PCAP that includes a string match, ngrep understands which packet contains this string and will indicate high-level packet details such as source and destination IP addresses, port numbers, and TCP flags.

Source: ngrep man page

man ngrep

Quietly search /pcaps/angler-java.pcap for user agents via the string 'User-Agent':

ngrep -qI /pcaps/angler-java.pcap "User-Agent"

Search /pcaps/angler-java.pcap for 'User-Agent' in TCP segments destined for port 80:

ngrep -qI /pcaps/angler-java.pcap "User-Agent" "tcp and dst port 80"

Note: In the above command line, "tcp and dst port 80" is an example of a BPF (Berkeley Packet Filter) expression. Review the man page for pcap-filter for additional information.

Search /pcaps/styx.pcap for 'User-Agent' in TCP segments destined for any port other than 80:

ngrep -q -I /pcaps/styx.pcap "User-Agent" "tcp and not dst port 80"

Search /pcaps/angler-java.pcap for 'User-Agent' in TCP segments destined for port 80. Have the output honor any linefeeds encountered and wrap text.

ngrep -q -W byline -I /pcaps/angler-java.pcap "User-Agent" "tcp and dst port 80"

Note: To make the output of some traffic, most notably HTTP, easier to read, the -W switch can be set to byline.

Search /pcaps/angler-java.pcap for TCP segments with exactly the ACK, FIN and PUSH flags set:

ngrep -q -I /pcaps/angler-java.pcap "" "tcp[tcpflags]==(tcp-ack|tcp-fin|tcp-push)"

Note: When using BPF expressions, a search string, even if blank "" as above, is expected. Otherwise ngrep will treat the BPF expression itself as the regex search pattern.

Sniff on the eth0 interface and look for the string HoneyToken (without the quotes) being passed in clear text:

sudo ngrep -q -d eth0 "HoneyToken"

Note: When using ngrep to bind to an interface, superuser privileges will generally be required.

Sniff on the eth0 interface and look for the string HoneyToken (without the quotes) being passed in clear text. When found, kill the connection by sending a spoofed TCP RST:

sudo ngrep -q -d eth0 "HoneyToken" -K1

tcpdump

tcpdump man page:

man tcpdump

Read a pcap file:

tcpdump -r /pcaps/zeus-gameover-loader.pcap

Read a pcap without resolving addresses or port numbers to names (layers 3 and 4):

tcpdump -nr /pcaps/zeus-gameover-loader.pcap

Read a pcap, show TCP SYN packets, don't resolve names:

tcpdump -r /pcaps/zeus-gameover-loader.pcap -n "tcp[tcpflags]==tcp-syn"

Read a pcap, show TCP SYN packets not sent to port 80, don't resolve names:

tcpdump -r /pcaps/zeus-gameover-loader.pcap -n "tcp[tcpflags]==tcp-syn and not tcp dst port 80"

Read /pcaps/angler-java.pcap without name resolution and show TCP segments with exactly the ACK, FIN and PUSH flags set:

tcpdump -r /pcaps/angler-java.pcap -n "tcp[tcpflags]==(tcp-ack|tcp-fin|tcp-push)"

TShark

tshark man page:

man tshark

Read a pcap file:

tshark -r /pcaps/zeus-gameover-loader.pcap

Read a pcap without resolving addresses or port numbers to names (layers 3 and 4):

tshark -nr /pcaps/zeus-gameover-loader.pcap

Read a pcap, use the display filter "http.request.method==GET":

tshark -r /pcaps/zeus-gameover-loader.pcap -Y "http.request.method==GET"

Read a pcap, show TCP SYN packets not sent to port 80, don't resolve names:

tshark -r /pcaps/zeus-gameover-loader.pcap -n -Y "not tcp.port==80 and tcp.flags == 0x0002"
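The flag tests in the ngrep, tcpdump and tshark commands above (`tcp[tcpflags]==tcp-syn`, `tcp[tcpflags]==(tcp-ack|tcp-fin|tcp-push)`, `tcp.flags == 0x0002`) are equalities on the whole flags byte, not bit tests: a SYN-ACK (0x12) does not match `tcp[tcpflags]==tcp-syn`, and a segment with ACK, FIN, PUSH and anything else set does not match the second expression. The following added example (not part of these notes, nor of tcpdump, tshark or ngrep) makes that concrete in Python: it builds a small pcap in memory from constructed packets, parses the Ethernet, IPv4 and TCP headers, and applies both the exact-equality and the bit-test forms. The addresses, ports and timestamps are made up, and `build_frame`, `build_pcap`, `read_pcap` and `select` are this example's own helpers.

```python
"""Apply tcpdump/ngrep-style TCP flag tests to a pcap without those tools.

Added example, not from the SEC511 notes or from tcpdump/tshark/ngrep.
It builds a small pcap in memory from constructed packets, parses the
Ethernet/IPv4/TCP headers, and reproduces the filter semantics from the
notes: `tcp[tcpflags]==tcp-syn` (tshark: `tcp.flags == 0x0002`) is an
exact equality on the flags byte, so a SYN-ACK (0x12) does not match,
whereas a bit test would include it.
"""
import socket
import struct
from typing import Callable, Iterator, List, NamedTuple

TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


class TcpPacket(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Ethernet + minimal IPv4 + 20-byte TCP header (checksums left zero; constructed data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a classic libpcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1449000000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed traffic: a web session to port 80, a TLS SYN to 443, an SSH SYN to 22.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.9", 40000, 80, TCP_SYN),
    build_frame("10.0.0.9", "10.0.0.5", 80, 40000, TCP_SYN | TCP_ACK),
    build_frame("10.0.0.5", "10.0.0.9", 40001, 443, TCP_SYN),
    build_frame("10.0.0.5", "10.0.0.9", 40000, 80, TCP_ACK | TCP_FIN | TCP_PUSH),
    build_frame("10.0.0.5", "10.0.0.9", 40001, 443, TCP_ACK | TCP_PUSH),
    build_frame("10.0.0.5", "10.0.0.9", 40002, 22, TCP_SYN),
])


def read_pcap(data: bytes) -> Iterator[TcpPacket]:
    """Yield the TCP packets in a classic pcap; non-IPv4 and non-TCP frames are skipped."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError(f"only Ethernet (linktype 1) handled, got {linktype}")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue                      # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue                      # not TCP
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield TcpPacket(socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
                        sport, dport, tcp[13])   # byte 13 of the TCP header holds the flag bits


def select(pcap: bytes, pred: Callable[[TcpPacket], bool]) -> List[TcpPacket]:
    return [p for p in read_pcap(pcap) if pred(p)]


def syn_only(p: TcpPacket) -> bool:
    """BPF `tcp[tcpflags]==tcp-syn` / tshark `tcp.flags == 0x0002`: exactly SYN, nothing else."""
    return p.flags == TCP_SYN


def syn_bit_set(p: TcpPacket) -> bool:
    """BPF `tcp[tcpflags] & tcp-syn != 0`: SYN plus anything else, so SYN-ACK counts too."""
    return (p.flags & TCP_SYN) != 0


def syn_not_to_80(p: TcpPacket) -> bool:
    """`tcp[tcpflags]==tcp-syn and not tcp dst port 80`."""
    return syn_only(p) and p.dport != 80


def ack_fin_push(p: TcpPacket) -> bool:
    """`tcp[tcpflags]==(tcp-ack|tcp-fin|tcp-push)`: all three set and no other flag."""
    return p.flags == (TCP_ACK | TCP_FIN | TCP_PUSH)


if __name__ == "__main__":
    for name, pred in [("SYN only", syn_only), ("SYN bit", syn_bit_set),
                       ("SYN not to 80", syn_not_to_80), ("ACK|FIN|PSH", ack_fin_push)]:
        hits = select(SAMPLE_PCAP, pred)
        print(f"{name:14} {len(hits)} packet(s): "
              + ", ".join(f"{p.src}:{p.sport}->{p.dst}:{p.dport}" for p in hits))
```

On the constructed capture the exact test returns three SYNs while the bit test returns four, the extra one being the SYN-ACK from port 80. One further difference worth keeping in mind when translating between the tools: tcpdump's `dst port 80` looks only at the destination, whereas the tshark filter `tcp.port==80` matches either endpoint; `tcp.dstport` is the tshark field that corresponds to the tcpdump form, and the example follows the tcpdump reading.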

Print TCP conversations in a pcap:

tshark -n -r /pcaps/virut-worm.pcap -q -z conv,tcp

Print HTTP User-Agents in a pcap:

tshark -nr /pcaps/normal/http/normal-user-agent.pcap -Y "http.user_agent" -Tfields -e http.user_agent

Print X.509 certificates in a pcap:

tshark -r /pcaps/normal/https/alexa-top-500.pcap -T fields -Y "ssl.handshake.certificate" -e