Correlation of NSM data

You are most welcome to this post.
Thank you for your interest in this topic. :)

Each NSM data type can communicate certain pieces of information. Multiple data types and data sources must be used together to expose all the information. To put the information together, the analyst must be able to correlate data of different types from different sources. The IP 5-tuple and time stamps are invaluable for correlating events across multiple data sets. Here is an example where multiple data sources can be used and correlated to get a larger picture.

The figure summarizes three IPS alerts. Each alert contains the full IP 5-tuple. The destination port (TCP port 25) identifies the SMTP protocol. The timestamps are consistent. Email services are configured so that inbound email is first received by a system on the DMZ and then forwarded to the internal email server. IPS sensors are deployed on both the DMZ subnet and the internal server subnet. With knowledge of the DMZ and internal server addresses and the IPS sensor placement, the analyst can deduce that all three alerts are associated with the transmission of the same email, as it was received on the DMZ, then forwarded from the DMZ, and finally received on the internal server subnet.

[Figure: three IPS alerts]

Looking further at the alert details, the analyst sees that the alert is associated with a suspicious executable email attachment, which can be correlated with extracted content. Bro is configured to extract all email attachments. The analyst examines the files that Bro has extracted and finds three files extracted from SMTP by Bro with the same time stamps as the three alerts. A quick hash sum comparison of the three files verifies that they are all identical. Again, the same email with the attachment was seen three times as it was forwarded through the network. The analyst submits this file to a sandbox detonation service to see if any malicious activity is triggered. As seen in the figure, when the file is executed, it attempts to connect to a system on the Internet.
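The two correlations described so far (grouping the IPS alerts by 5-tuple and time stamp, then hashing the extracted attachments) can be scripted. The following is an added example, not code from the original post or from any Cisco or Bro/Zeek tooling; the alert records, sensor names, IP addresses and the extracted file contents are constructed placeholders chosen to mirror the scenario above (external sender to DMZ relay, DMZ relay to internal server).

```python
import hashlib
from collections import namedtuple
from datetime import datetime, timedelta

Alert = namedtuple("Alert", "sensor ts src_ip src_port dst_ip dst_port proto sig")

# Constructed sample alerts (placeholder addresses, not the page's screenshot).
# Alert 1: the email arrives from the Internet at the DMZ relay (seen by the DMZ sensor).
# Alerts 2 and 3: the relay forwards it to the internal server; both sensors see that hop.
# Alert 4: an unrelated hit hours later, to show that the time window separates it.
SIG = "SMTP suspicious executable attachment"
ALERTS = [
    Alert("dmz-sensor",      "2018-10-12 19:53:28", "203.0.113.5", 51234, "172.16.1.10", 25, "tcp", SIG),
    Alert("dmz-sensor",      "2018-10-12 19:53:29", "172.16.1.10", 40211, "10.10.5.20", 25, "tcp", SIG),
    Alert("internal-sensor", "2018-10-12 19:53:29", "172.16.1.10", 40211, "10.10.5.20", 25, "tcp", SIG),
    Alert("internal-sensor", "2018-10-12 21:10:02", "10.10.6.10",  50000, "10.10.5.20", 25, "tcp", SIG),
]

# Constructed stand-ins for the three files Bro extracted from SMTP: same bytes each time,
# because the same attachment was relayed three times through the network.
PAYLOAD = b"MZ\x90\x00" + b"constructed-placeholder-attachment" * 8
EXTRACTED = {
    "extract-1539366808-SMTP.exe": PAYLOAD,
    "extract-1539366809-SMTP-a.exe": PAYLOAD,
    "extract-1539366809-SMTP-b.exe": PAYLOAD,
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate_smtp_alerts(alerts, window=timedelta(seconds=5)):
    """Group SMTP alerts (TCP/25) that share a signature and fall within `window`
    of the first alert in the group. Returns a time-ordered list of groups."""
    smtp = sorted((a for a in alerts if a.dst_port == 25 and a.proto == "tcp"),
                  key=lambda a: parse_ts(a.ts))
    groups = []
    for a in smtp:
        if groups and a.sig == groups[-1][0].sig and \
                parse_ts(a.ts) - parse_ts(groups[-1][0].ts) <= window:
            groups[-1].append(a)
        else:
            groups.append([a])
    return groups


def hop_path(group):
    """Distinct (src_ip, dst_ip) pairs in time order: the route the email took.
    With the sensor placement known, this is what lets the analyst say
    'received on the DMZ, then forwarded to the internal server'."""
    path = []
    for a in sorted(group, key=lambda a: parse_ts(a.ts)):
        pair = (a.src_ip, a.dst_ip)
        if pair not in path:
            path.append(pair)
    return path


def identical_attachments(files):
    """files: name -> bytes. Returns (all_identical, {name: sha256 hex digest})."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    return len(set(digests.values())) == 1, digests


if __name__ == "__main__":
    for i, group in enumerate(correlate_smtp_alerts(ALERTS), 1):
        sensors = sorted({a.sensor for a in group})
        print(f"group {i}: {len(group)} alert(s) on {sensors}, path {hop_path(group)}")
    same, digests = identical_attachments(EXTRACTED)
    print("all extracted files identical:", same)
    for name, digest in digests.items():
        print(f"  {name}  sha256={digest}")
```

The grouping key is deliberately loose (signature plus a short time window on port 25) because the 5-tuple changes at the relay hop; the hop path then recovers the relay structure from the alerts themselves. A single digest for all three files is the confirmation the text describes, and a mismatch would mean the sensors saw different attachments and the alerts should not be merged.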

[Figure: when the file is executed, it attempts to connect to a system on the Internet.]

The sandbox analysis produces an indication of compromise. 209.165.200.233 is a suspicious IP address. Any internal systems that attempted to communicate with this address may be compromised. Currently, the analyst knows which email server received the email, but does not know who the email recipient was, or if the email was received. The analyst correlates with transaction data to get more information. The analyst looks at the transaction logs on the internal SMTP server. This log will not have the entire 5-tuple in any entries. Given that the log records SMTP activities, the destination IP address can be assumed to be the server’s own IP address, the destination port is 25, and the transport layer protocol is TCP. Using the time stamp and peer information, the analyst finds log records that are associated with the reception of this email. The log entries are displayed below. Now the analyst has a user name. The email was directed to Wendy.

Oct 12 19:53:29 inside-srv postfix/smtpd[4620]: connect from dmz-srv.abc.public[172.16.1.10]
Oct 12 19:53:29 inside-srv postfix/smtpd[4620]: 9F659187BDC: client=dmz-srv.abc.public[172.16.1.10]
Oct 12 19:53:29 inside-srv postfix/cleanup[4625]: 9F659187BDC: message-id=<894ecb45-9d17-474e-e263-cb8184c24f02@services.public>
Oct 12 19:53:29 inside-srv postfix/qmgr[4607]: 9F659187BDC: from=<karla@services.public>, size=102582, nrcpt=1 (queue active)
Oct 12 19:53:29 inside-srv postfix/smtpd[4620]: disconnect from dmz-srv.abc.public[172.16.1.10]
Oct 12 19:53:29 inside-srv postfix/local[4626]: 9F659187BDC: to=<wendy@abc.private>, orig_to=<wendy@abc.public>, relay=local, delay=0.07, delays=0.05/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Oct 12 19:53:29 inside-srv postfix/qmgr[4607]: 9F659187BDC: removed

So far, the logs show that the email reached the internal SMTP server and was directed to Wendy. Looking further in the log file shows that Wendy logged in with an IMAP client. IMAP clients automatically synchronize mailboxes upon connection. The analyst can assume that Wendy did receive the email. The log also indicates Wendy’s IP address, which is an important artifact.

Oct 12 20:57:29 inside-srv imapd: LOGIN, user=wendy, ip=[::ffff:10.10.6.10], port=[1677], protocol=IMAP

The analyst still does not know if Wendy opened the email or executed the attachment. Session data can be used in the next step of the analysis. The analyst knows the suspicious IP address (209.165.200.233) and the analyst knows Wendy’s IP address (10.10.6.10). Querying session data for conversation from 10.10.6.10 to 209.165.200.233 confirms that there has been some activity, as shown in the screenshot. One of the conversations is to TCP port 4444, which is likely a command and control channel. The other conversation is to TCP port 21, which is the standard FTP port. There may have been data exfiltration.
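The pivot from transaction data to session data above (queue ID to recipient, recipient to IMAP client address, client address to conversations with the sandbox-derived IP) is a good candidate for a small script, so that the next incident does not need the log read by eye. This is an added example, not code from the original post or from Postfix or any NSM product. The Postfix and IMAP log lines are the ones printed above, rejoined onto single lines; the session records are constructed to contain the two conversations the post reports (TCP 4444 and TCP 21) plus one unrelated flow, and the helper names are the example's own.

```python
import re
from collections import defaultdict

# Postfix transaction log lines as printed in the post above (rejoined onto single lines).
POSTFIX_LOG = """\
Oct 12 19:53:29 inside-srv postfix/smtpd[4620]: connect from dmz-srv.abc.public[172.16.1.10]
Oct 12 19:53:29 inside-srv postfix/smtpd[4620]: 9F659187BDC: client=dmz-srv.abc.public[172.16.1.10]
Oct 12 19:53:29 inside-srv postfix/cleanup[4625]: 9F659187BDC: message-id=<894ecb45-9d17-474e-e263-cb8184c24f02@services.public>
Oct 12 19:53:29 inside-srv postfix/qmgr[4607]: 9F659187BDC: from=<karla@services.public>, size=102582, nrcpt=1 (queue active)
Oct 12 19:53:29 inside-srv postfix/smtpd[4620]: disconnect from dmz-srv.abc.public[172.16.1.10]
Oct 12 19:53:29 inside-srv postfix/local[4626]: 9F659187BDC: to=<wendy@abc.private>, orig_to=<wendy@abc.public>, relay=local, delay=0.07, delays=0.05/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Oct 12 19:53:29 inside-srv postfix/qmgr[4607]: 9F659187BDC: removed
"""

# IMAP login line from the post above.
IMAP_LOG = "Oct 12 20:57:29 inside-srv imapd: LOGIN, user=wendy, ip=[::ffff:10.10.6.10], port=[1677], protocol=IMAP\n"

# Constructed session (flow) records: the first two mirror the conversations the post
# reports, the third is ordinary IMAP traffic to the mail server and must not match.
SESSIONS = [
    {"ts": "Oct 12 21:02:11", "src_ip": "10.10.6.10", "dst_ip": "209.165.200.233", "dst_port": 4444, "proto": "tcp"},
    {"ts": "Oct 12 21:05:40", "src_ip": "10.10.6.10", "dst_ip": "209.165.200.233", "dst_port": 21,   "proto": "tcp"},
    {"ts": "Oct 12 21:06:00", "src_ip": "10.10.6.10", "dst_ip": "10.10.5.20",      "dst_port": 143,  "proto": "tcp"},
]

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w/]+)\[\d+\]: (?P<msg>.*)$")
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]{8,}): (?P<rest>.*)$")
# key=value pairs: angle-bracketed addresses, bracketed hosts, or a bare token.
KV_RE = re.compile(r"(\w[\w-]*)=(<[^>]*>|\[[^\]]*\]|[^,\s]+)")
IMAP_RE = re.compile(r"imapd: LOGIN, user=(?P<user>\w+), ip=\[(?:::ffff:)?(?P<ip>[\d.]+)\]")


def parse_postfix(log):
    """Rebuild one record per Postfix queue ID. Lines without a queue ID
    (connect/disconnect) carry no message fields and are skipped."""
    records = defaultdict(dict)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q = QUEUE_RE.match(m["msg"])
        if not q:
            continue
        rec = records[q["qid"]]
        rec.setdefault("first_seen", m["ts"])
        rec["server"] = m["host"]
        for key, val in KV_RE.findall(q["rest"]):
            rec[key] = val.strip("<>")   # message-id, from, to are stored without <>
    return dict(records)


def recipient_of(records, message_id):
    """Local user name the message with this Message-ID was delivered to, or None."""
    for rec in records.values():
        if rec.get("message-id") == message_id and "to" in rec:
            return rec["to"].split("@")[0]
    return None


def imap_login_ips(log, user):
    """Client addresses from which `user` logged in over IMAP (IPv4-mapped form stripped)."""
    return sorted({m["ip"] for m in IMAP_RE.finditer(log) if m["user"] == user})


def conversations_to(sessions, src_ip, dst_ip):
    """Session records from src_ip to dst_ip, in time order."""
    hits = [s for s in sessions if s["src_ip"] == src_ip and s["dst_ip"] == dst_ip]
    return sorted(hits, key=lambda s: s["ts"])


def trace_recipient(postfix_log, imap_log, sessions, message_id, ioc_ip):
    """Full pivot: Message-ID -> recipient -> client IP(s) -> conversations with ioc_ip."""
    user = recipient_of(parse_postfix(postfix_log), message_id)
    if user is None:
        return None
    ips = imap_login_ips(imap_log, user)
    conv = [c for ip in ips for c in conversations_to(sessions, ip, ioc_ip)]
    return {"user": user, "client_ips": ips, "ports": [c["dst_port"] for c in conv]}


if __name__ == "__main__":
    result = trace_recipient(POSTFIX_LOG, IMAP_LOG, SESSIONS,
                             "894ecb45-9d17-474e-e263-cb8184c24f02@services.public",
                             "209.165.200.233")
    print(result)
```

Two details matter in practice: the Postfix queue ID, not the time stamp, is what ties the `cleanup`, `qmgr` and `local` lines into one message, so the join is done on it; and the IMAP log records an IPv4-mapped IPv6 address (`::ffff:10.10.6.10`), which must be normalised before it can be matched against session data that records plain IPv4. A non-empty `ports` list is the point at which the host is treated as a compromise candidate rather than just a recipient.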

Aug 17, 2018, Himadri