WildFire and FlowScape are powerful new tools for intrusion detection

Open Source Instead

Open source tools also have advanced capabilities for dealing with APT attacks. For example, say you want to find PDF files in a large packet capture (pcap) dump. To do so, fire up Wireshark, click File | Export Objects | HTTP, and go to the object containing a PDF. You can also pick out the PDF with a display filter on the PDF file signature, such as frame contains "%PDF", which matches the bytes of the file itself rather than its name (Figure 7).

Figure 7: Looking for a file containing a PDF.

To find a music thief, that is, someone who has downloaded a music file that you happened to catch in your pcap file, you again open Wireshark and click File | Export Objects | HTTP. Figure 8 shows a window listing eight files; click the entry containing sample02.mp3 to save it and deal with it later.

Figure 8: Finding an MP3 file with Wireshark.

On the other hand, if you are looking for a RAR file that has been downloaded and is in your pcap file, how do you find it in a sea of files? As with the music file, open Wireshark (Figure 9) and click File | Export Objects | HTTP (Figure 10). The RAR file, botnet.rar, is the first file in the list. Click on it and save it to your local machine. As you can see in Figure 11, the archive contains a .exe along with a readme.txt. Keep in mind that Wireshark's contains operator is case-sensitive and compares raw bytes, so a filter on the archive's own signature, frame contains "Rar!", will also catch an archive whose file name or Content-Type header never mentions RAR.

Figure 9: Finding files of interest in a pcap file with Wireshark by …
Figure 10: … filtering for the file type (e.g., http contains "RAR" for RAR files).
Figure 11: The suspicious RAR file contains two executable files and a readme.txt.
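The Export Objects workflow above works because HTTP response bodies travel in the clear inside the TCP stream and a file's first bytes identify it regardless of the name it was served under. The following script, an added example that is not part of the original article and not Wireshark's own code, does the same job without a GUI: it parses a classic pcap, reassembles each TCP direction in arrival order, carves HTTP response bodies by Content-Length, and classifies them by magic bytes. The capture it reads is constructed inside the block (build_pcap and SAMPLE), the addresses, host and file names (192.0.2.x, example.test, report.pdf, botnet.rar) are made up, and the SIGNATURES table and the identify, tcp_payload and carve_http helpers are mine, not a Wireshark or libpcap API.

```python
import struct
from collections import defaultdict

# Leading bytes that identify the file types the article hunts for (constructed table)
SIGNATURES = [(b"%PDF", "pdf"), (b"Rar!\x1a\x07", "rar"), (b"ID3", "mp3"), (b"MZ", "exe")]

def identify(body):
    """Classify a carved body by its magic bytes, not by URL, extension or Content-Type."""
    for magic, kind in SIGNATURES:
        if body.startswith(magic):
            return kind
    # An MP3 without an ID3 tag begins with an MPEG frame sync: 11 set bits
    if len(body) >= 2 and body[0] == 0xFF and body[1] & 0xE0 == 0xE0:
        return "mp3"
    return "unknown"

def pcap_frames(buf):
    """Yield link-layer frames from a classic libpcap file (not pcapng)."""
    (magic,) = struct.unpack("<I", buf[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None or struct.unpack(endian + "I", buf[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet (DLT 1) frames")
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(buf):                # each record: 16-byte header + data
        _, _, incl, _ = struct.unpack(endian + "IIII", buf[off:off + 16])
        yield buf[off + 16:off + 16 + incl]
        off += 16 + incl

def tcp_payload(frame):
    """Return ((src, sport, dst, dport), payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # 14 + 20 + 20, EtherType IPv4
        return None
    ip = frame[14:]
    ihl, total, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != 6:                                        # not TCP
        return None
    tcp = ip[ihl:total]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return (ip[12:16], sport, ip[16:20], dport), tcp[data_off:]

def carve_http(pcap):
    """Rebuild each TCP direction in arrival order and carve HTTP response bodies.
    Deliberately simple: no seq reordering, no chunked encoding, no gzip.
    Returns (file name from the request URI, detected type, body length) per response."""
    streams = defaultdict(bytes)
    for frame in pcap_frames(pcap):
        hit = tcp_payload(frame)
        if hit:
            streams[hit[0]] += hit[1]
    found = []
    for (src, sport, dst, dport), data in streams.items():
        pos = 0
        while data.startswith(b"HTTP/1.", pos):           # only response streams enter
            hdr_end = data.find(b"\r\n\r\n", pos)
            if hdr_end == -1:
                break
            headers = data[pos:hdr_end].decode("latin-1").lower().split("\r\n")
            length = next((int(h.split(":", 1)[1]) for h in headers
                           if h.startswith("content-length:")), None)
            body = data[hdr_end + 4:] if length is None else data[hdr_end + 4:hdr_end + 4 + length]
            # the request went the other way; borrow its URI for a file name
            req = streams.get((dst, dport, src, sport), b"")
            name = req.split(b" ")[1].rsplit(b"/", 1)[-1].decode() if req.startswith(b"GET ") else "unnamed"
            found.append((name, identify(body), len(body)))
            pos = hdr_end + 4 + len(body)
    return found

def build_pcap(objects):
    """Construct a little-endian pcap with one GET and one response per object.
    Sample input only; addresses come from the 192.0.2.0/24 documentation range."""
    def frame(src, sport, dst, dport, payload):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
        eth = b"\x00" * 12 + b"\x08\x00" + ip
        return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth
    client, server = bytes([192, 0, 2, 5]), bytes([192, 0, 2, 80])
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # DLT 1 = Ethernet
    for i, (name, body) in enumerate(objects):
        port = 40000 + i
        out += frame(client, port, server, 80, b"GET /dl/" + name + b" HTTP/1.1\r\nHost: example.test\r\n\r\n")
        out += frame(server, 80, client, port, b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body)
    return out

# Constructed downloads: a PDF, an MP3, a RAR and one file the table does not know
SAMPLE = [
    (b"report.pdf", b"%PDF-1.7\n1 0 obj<<>>endobj\n%%EOF\n"),
    (b"sample02.mp3", b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" * 8),
    (b"botnet.rar", b"Rar!\x1a\x07\x00" + b"\x00" * 24),
    (b"logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, kind, size in carve_http(build_pcap(SAMPLE)):
        print(f"{name:14} {kind:8} {size:4d} bytes")
```

The classification deliberately ignores the extension and the Content-Type header, because an attacker controls both; the magic bytes are what the payload actually is. The script drops everything Wireshark handles for you (pcapng, out-of-order segments, chunked and gzip-encoded bodies, HTTP/2 and TLS), so on a real capture the scriptable equivalent of the menu is tshark -r capture.pcap --export-objects http,outdir, which shares Wireshark's dissectors.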

Conclusion

In this article, I looked at some of the tools I work with on a daily basis. Palo Alto Networks' WildFire and CyberFlow Analytics' FlowScape are two examples of tools in my arsenal that I use to keep the badness at bay. The last tool, Wireshark, is one of the best open source packet analyzers available today.
