-----Original Message----- From: kclug-bounces@kclug.org [mailto:kclug-bounces@kclug.org] On Behalf Of Brian Kelsay Sent: Thursday, October 21, 2004 12:00 PM To: kclug@kclug.org Subject: RE: It was bound to happen - suspected hack

You said you can "playback" the intrusion. What exactly do you mean by that? Do you setup a test network and resend the packets and data, or are you just viewing the packets from the log? I'm wondering about the ability to do a full-scale recreation, say for a demo in a court or at a customer site or something.

In reality, if I "possess" the packets, I can do whatever I want with them. Generally, I use the term "replay" loosely, implying that I pass the binary file to Snort, and it does analysis on it and produces whatever the output I'm after is.

There are of course other fun things one can do with these files. Tcpreplay is a program I use frequently, in testing environments. It allows me to replay files back onto the wire, or as I'm fond of, loop back. What's great about tcpreplay is the ability to take known traffic (good or bad) and toss it at my IDS to test my signatures. I can flood the sh*t outta my sensor and determine if it will suffer packet loss, etc. as well.

So the answer is yes across the board. In court, you generally want the lawyers to lead you - give 'em what they're looking for and nothing more. If they want a dog and pony show, I would suggest Ethereal if in depth analysis, bit by bit, is required. If the prosecution is merely looking to get things to the jury plainly (packet analysis will fsck 'em up), you can do a replay while Etherape displays a pseudo-real-time gui which clearly indicates what you want.

The waters get murky here. Placing information in context is extremely important. If I have 396,984 packets in a file, it would behoove me to replay only those packets relevant to the issue at hand. Otherwise, folks wonder, "Hey, what's all that other traffic I see buzzing past?" This is venue specific as far as I know - some judges will allow this, but others consider pulling the packets out of the stream alone is tantamount to evidence tampering, etc.

A great reference for this, if I had time to dig through it for you, would be the "Cybersecurity Operations Handbook" by John W. Rittinghouse and William M. Hancock. (Elsevier Digital Press - ISBN: 1-55558-306-7) This one is more like $125.00-$150.00 IIRC.

As I consider how I would like to perhaps do a demo of this at a meeting some time (did something similar for ILUG couple of years ago with snort+mysql+acid), now I wonder if it wouldn't be a great thing to show off at ITEC? If so, I'd need some help. (Think "tons of {SCAREY} exploits you can throw at sensors I have in place" while I provide output via Etherape [just network traffic as it passes on the wire ala "Wow, look what Hacker Joe is doing, red and blue and green images!"] on one monitor, and snort analysis information ["See, Hacker Joe is busy, but we SEE him and are onto his ilk."] on another monitor.) I have a pair of P4 beige boxes and my trusty Dell laptop which can support this.

Thoughts, heckles, hysterical laughter anyone?

Dustin