ET Cybersecurity Blog

  • SiLK and NetFlow

    Details: This section of exercises allows you to explore the use of SiLK with a NetFlow repository rather than using files generated from packet capture files. Using SiLK with packet captures is very useful during an incident response if a NetFlow repository isn’t available, but during normal day-to-day operations, you would typically use SiLK with a…

  • Packet Crafting for IDS/IPS

    Exercise 1: I am going to use a tool called scapy to complete this lab. The first thing that I need to do is to create an Ethernet header and an IP header, assigning each to a variable. Let’s now create the ICMP sequence number. Now that all the required headers have been built, I…
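The post builds the frame layer by layer in scapy. The block below is an added example, not the blog's lab code, that does the same construction in plain Python with `struct` so the byte layout (and the one's-complement checksums scapy fills in for you) is visible; every MAC and IP address in it is a constructed placeholder. The `verify_frame` check recomputes both checksums the way a receiving stack or an IDS would, which is the first thing to confirm before a crafted packet is used to test a sensor.

```python
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (IPv4 header and ICMP).

    Over a packet whose checksum field is already correct, this returns 0.
    """
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte for summing
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP echo request: type 8, code 0, checksum, identifier, sequence number."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)  # checksum zeroed first
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64,
               proto: int = 1, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (version 4, IHL 5, no options); proto 1 = ICMP."""
    fmt = "!BBHHHBBH4s4s"
    fields = [0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack(fmt, *fields))  # header-only checksum
    return struct.pack(fmt, *fields) + payload


def build_ethernet(src_mac: str, dst_mac: str, payload: bytes,
                   ethertype: int = 0x0800) -> bytes:
    """14-byte Ethernet II header: destination MAC, source MAC, EtherType (0x0800 = IPv4)."""
    def mac(m: str) -> bytes:
        return bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def build_echo_frame(src_mac, dst_mac, src_ip, dst_ip, ident, seq, payload=b"") -> bytes:
    """Full Ethernet/IPv4/ICMP echo request, assembled from the inside out."""
    icmp = build_icmp_echo(ident, seq, payload)
    return build_ethernet(src_mac, dst_mac, build_ipv4(src_ip, dst_ip, icmp))


def verify_frame(frame: bytes) -> bool:
    """Check a crafted frame the way a receiver (or an IDS) would before trusting it."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return False
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 1 or inet_checksum(ip[:ihl]) != 0:
        return False
    total_len = struct.unpack("!H", ip[2:4])[0]
    return inet_checksum(ip[ihl:total_len]) == 0


if __name__ == "__main__":
    # Constructed addresses; nothing is sent on the wire, the bytes are just printed.
    frame = build_echo_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                             "192.168.1.10", "192.168.1.1",
                             ident=0x1234, seq=1, payload=b"ping")
    print(frame.hex(), verify_frame(frame))
```

Sending the frame still needs a raw socket (or scapy's `sendp`), which this block deliberately leaves out; the point is that an ICMP checksum is computed over header plus payload while the IPv4 checksum covers the header only, so changing the payload of a crafted packet invalidates the former but not the latter.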

  • IDS/IPS Evasion

    Exercise 1 Description: Examine the TCP session between hosts 192.168.1.103 and 192.168.1.104. There is something that is nonstandard about this session. What is it, and why might it cause an IDS evasion? In Packet 64, the client at 192.168.1.104 tried to establish a connection with the server at 192.168.1.103. Instead of acknowledging the connection, host 192.168.1.103…

  • Zeek Script Part 3

    In this lab, I will be developing another useful script that is a little bit more advanced than the ones created in Parts 1 and 2. Exercise – HTTP Exfiltration? Description: In this exercise, we will create a script that locates anomalous outbound data transfers based on the idea that, generally, we would expect to find…

  • Zeek Script Part 2

    Objectives Our main objectives in this section are to both learn more about how to write Zeek scripts by experimenting with the language and to create a script that will be useful in the real world. Exercise Description: In this exercise, we will create a script that reports outbound connections for which no previous DNS…
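Both the Part 2 exercise (outbound connections with no preceding DNS lookup) and the Part 3 exercise (anomalous outbound data transfers over HTTP) are written as live Zeek scripts in the posts. The block below is an added example, not the blog's scripts and not Zeek code, that applies the same two checks after the fact to Zeek's `conn.log` and `dns.log` in Python. The log excerpts are constructed and carry only a subset of Zeek's real fields; the internal network ranges, the 1 MB upload threshold and the 10:1 sent-to-received ratio are assumptions chosen for the example, not values from the posts.

```python
import ipaddress


def tsv(*rows):
    """Join constructed rows into Zeek's tab-separated log format."""
    return "\n".join("\t".join(row) for row in rows)


# Constructed dns.log excerpt (subset of Zeek's real fields); 10.0.0.5 is the client.
DNS_LOG = tsv(
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "query", "qtype_name", "answers"),
    ("1700000000.100000", "CdNs1", "10.0.0.5", "51234", "10.0.0.1", "53",
     "www.example.com", "A", "203.0.113.34"),
    ("1700000000.200000", "CdNs2", "10.0.0.5", "51235", "10.0.0.1", "53",
     "cdn.example.net", "A", "edge.example.net,203.0.113.10,203.0.113.11"),
)

# Constructed conn.log excerpt covering the cases each check has to handle.
CONN_LOG = tsv(
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "service", "orig_bytes", "resp_bytes"),
    ("1700000001.000000", "C1", "10.0.0.5", "40001", "203.0.113.34", "443",
     "tcp", "ssl", "1200", "54000"),       # resolved beforehand, normal download
    ("1700000002.000000", "C2", "10.0.0.5", "40002", "198.51.100.77", "80",
     "tcp", "http", "2500000", "800"),     # never resolved, large upload
    ("1700000003.000000", "C3", "10.0.0.5", "40003", "203.0.113.11", "80",
     "tcp", "http", "900", "42000"),       # resolved (second answer), download
    ("1700000004.000000", "C4", "10.0.0.5", "40004", "10.0.0.9", "445",
     "tcp", "-", "5000", "3000"),          # internal destination, ignored
    ("1699999999.000000", "C5", "10.0.0.5", "40005", "203.0.113.34", "443",
     "tcp", "ssl", "500", "-"),            # connected BEFORE the DNS answer arrived
)

# Assumed internal ranges. Do not use ipaddress.is_private here: it also returns True
# for documentation ranges such as 203.0.113.0/24, which would hide the test data.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zeek_tsv(text: str):
    """Parse a Zeek TSV log into dicts keyed by the names in the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def to_int(value: str) -> int:
    return 0 if value == "-" else int(value)  # Zeek writes "-" for unset fields


def connections_without_dns(conn_records, dns_records):
    """Part 2: outbound connections whose destination was never returned by an earlier DNS answer."""
    first_seen = {}  # answered IP -> earliest ts of a response carrying it
    for r in dns_records:
        if r["answers"] == "-":
            continue
        for ans in r["answers"].split(","):
            try:
                ipaddress.ip_address(ans)  # skip CNAME targets and other non-address answers
            except ValueError:
                continue
            ts = float(r["ts"])
            first_seen[ans] = min(ts, first_seen.get(ans, ts))
    flagged = []
    for c in conn_records:
        if not is_internal(c["id.orig_h"]) or is_internal(c["id.resp_h"]):
            continue
        seen = first_seen.get(c["id.resp_h"])
        if seen is None or seen > float(c["ts"]):  # unresolved, or resolved only later
            flagged.append(c["uid"])
    return flagged


def suspected_http_exfil(conn_records, min_orig_bytes=1_000_000, ratio=10.0):
    """Part 3: HTTP connections where the client sent far more than it received."""
    flagged = []
    for c in conn_records:
        if c["service"] != "http" or is_internal(c["id.resp_h"]):
            continue
        sent, received = to_int(c["orig_bytes"]), to_int(c["resp_bytes"])
        if sent >= min_orig_bytes and sent > ratio * max(received, 1):
            flagged.append(c["uid"])
    return flagged


if __name__ == "__main__":
    conn, dns = parse_zeek_tsv(CONN_LOG), parse_zeek_tsv(DNS_LOG)
    print("no prior DNS:", connections_without_dns(conn, dns))
    print("possible HTTP exfil:", suspected_http_exfil(conn))
```

The ordering check in `connections_without_dns` matters: a destination that only appears in a DNS answer after the connection started (C5) is as suspicious as one that never appears, and a naive "is the IP in dns.log at all" lookup would miss it. On real logs the DNS answer should also be attributed to the same client that made the connection.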

  • Zeek Script Part 1

    Objectives: This exercise involves creating and running a very basic Zeek script. Exercise 1 Description: In this first exercise, we will create the traditional “Hello, World!” that is typical of a first attempt at programming in a new language. Using any editor of your choice that is installed on the VM, please create a script that will…

  • Zeek Signature

    Given the time spent mastering signature-based detection, signatures are a very familiar starting point, and signatures can certainly play a role in Zeek scripts and logs. Our objective is to create a simple signature and configure Zeek to use this signature to detect content. Exercise 1 Description: Create a signature to find the dnscat proof-of-concept covert…

  • Running Zeek and Zeek Output

    Lab Overview In this lab, I explored Zeek’s readback mode using the http.pcap file. The goal was to gain familiarity with the various logs that Zeek produces when analyzing captured network traffic. This lab builds on the foundation of working with Zeek logs to understand how different IDs such as conn_uids and fuid are generated…

  • Decrypting TLS with Wireshark

    Background: Some of the hosts on the monitored network are forced to pass through a transparent TLS proxy. Our general practice is that we prefer not to decrypt TLS packets unless something motivates us to do so, so we generally store the packets as is (encrypted). We also store the accompanying TLS premaster secrets (the…

  • DNS

    Exercise 1: Description: There is a high volume of activity between 192.168.11.162 and 192.168.11.101 using UDP port 53. Can you explain what this is? Is the attack successful? The first packet is a DNS query for the A record (or IPv4 address) of the domain www.evilname.com. This query is followed by several DNS responses which…
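The exercise asks what it means when one A-record query is followed by several responses on UDP/53. The block below is an added example, not the blog's analysis, that parses DNS messages from raw UDP payloads and audits a stream for exactly that pattern: responses per outstanding query, and responses whose transaction ID matches no query at all. The capture it walks is constructed inline (the domain is the lab's, the addresses are documentation ranges); it does not claim which attack, if any, produced the traffic in the exercise.

```python
import socket
import struct


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    # flags 0x0100: standard query, recursion desired; one question, no answers
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def build_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    # flags 0x8180: response, recursion desired and available, NOERROR
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # the answer's owner name is a compression pointer (0xC00C) to the question at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def decode_name(msg: bytes, off: int):
    """Return (name, offset after the name), following compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # two-byte pointer into an earlier part of the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_dns(msg: bytes) -> dict:
    """Decode header, first question and any A records from one DNS message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "response": bool(flags & 0x8000), "qname": qname, "answers": answers}


def audit_dns_stream(packets):
    """Walk UDP/53 payloads in capture order.

    Returns (queries that received more than one response -> list of answered IPs,
             count of responses matching no outstanding query by ID and name).
    """
    outstanding, responses, unmatched = set(), {}, 0
    for raw in packets:
        m = parse_dns(raw)
        key = (m["id"], m["qname"])
        if not m["response"]:
            outstanding.add(key)
            responses.setdefault(key, [])
        elif key in outstanding:
            responses[key].append(m["answers"][0] if m["answers"] else None)
        else:
            unmatched += 1
    flooded = {k: v for k, v in responses.items() if len(v) > 1}
    return flooded, unmatched


# Constructed stream: one client query, then a burst of responses, two with a
# transaction ID that matches no query. Addresses are documentation placeholders.
CAPTURE = [
    build_query(0x1A2B, "www.evilname.com"),
    build_response(0x1A2B, "www.evilname.com", "203.0.113.5"),
    build_response(0x1A2B, "www.evilname.com", "203.0.113.6"),
    build_response(0x7777, "www.evilname.com", "203.0.113.7"),
    build_response(0x1A2B, "www.evilname.com", "203.0.113.8"),
    build_response(0x0042, "www.evilname.com", "203.0.113.9"),
]

if __name__ == "__main__":
    flooded, unmatched = audit_dns_stream(CAPTURE)
    print("queries with multiple responses:", flooded)
    print("responses matching no query:", unmatched)
```

A resolver only accepts the first response whose transaction ID, source port and question match, so the interesting questions when reading such a burst are whether the accepted answer differs from the later ones and whether the IDs of the unmatched responses look like guesses; the audit above surfaces both counts so that comparison can be made against the packet list.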