Recently I mentioned I wanted to do the Malware-Traffic-Analysis.net’s Traffic Analysis Exercises to get back in to the swing of things with pcaps. Wow was that a mistake.
2014-11-16 – TRAFFIC ANALYSIS EXERCISE
Leave a reply
Category Archives: IR
CSEC630 Lab 2
Ok. The lab was pretty much what I expected.
Click this Panic button to reset everything. Go look at this pcap in Wireshark. Run this command in cmd.exe (and even walks the student through opening a term window by go to the start button, type cmd in the run box).
Run Snort with the test option on a pre-defined rule set using the pcap you looked at. Modify the same rule multiple times, enabling and disabling an alert each time. Run to see the difference.
Answer these 10 questions.
The last question was how to improve the class… I forgot to say use a Linux VM instead of a Windows VM. Since one of my answers did require Grep. Which means copy and paste from the VM lab to my box connected to the lab.
over reaching again
Three things I’m currently trying to work on, but there never seems to be enough time.
- CSEC630 class work
- Python
- Malware Traffic Analysis exercises
It’s all about the pcaps baby
So my android phone as an interesting problem, granted it’s an S4, running not the latest build so I don’t know if that problem still exists. Apparently the way the default mail application is set up, it can’t sync the mailboxes unless the Sync button is turned on. But that doesn’t stop that the mail application from trying to sync on a schedule.
Business Email Compromise
Last week or so, I read the Symantec Security Response blog, talking about Business Email Compromise. Short version it talks about campaigns targeting C-level employees to try and do wire transfers. There were 2 type, one is the CEO emailing another C-level because he’s stuck in meetings and needs a wire transfer. The other version is an acquisition email, that hasn’t been announced yet.
The blog linked above has screen shot examples.
At my day job, I do occasionally work on Phishing emails. While the Symantec article was good, it is missing that the example emails are no longer going to the C-levels. While I haven’t seen the acquisition email yet, I have seen lots of the person in the meeting email going around.
It isn’t just at the C-levels. I’m seeing emails claiming to be from VPs and Directors, to underlings using the same comment about being tied up in meetings and needing the wire transfer done. Where I work the C-levels are good at catching them and reporting to them. The lower levels however have been fruitful targets. Not realizing it is a phishing attempt and trying to comply.
We need to warn the lower level people in positions to send money.