It22c3 Unit IV

The document outlines various cyber security tools designed to protect against threats such as malware and data theft. Key tools discussed include Nmap for network scanning, OSSEC for host-based intrusion detection, OpenVAS for vulnerability scanning, Metasploit for penetration testing, and encryption tools like TrueCrypt and VeraCrypt. Each tool has unique features and functionalities that cater to different aspects of cyber security management.

Uploaded by Leena Watson

UNIT IV

CYBER SECURITY TOOLS


• Cyber security tools are available to help protect against threats like
malware, network attacks, and data theft. Each tool has its own
strengths and weaknesses, and it is important to choose the right tool
for the job and use it correctly to maximize its effectiveness.
Nmap
• Nmap is short for Network Mapper.
• It is an open-source Linux command-line tool that is used to scan IP addresses and ports in a network and to
detect installed applications.
• Nmap allows network admins to find which devices are running on their network, discover open ports and
services, and detect vulnerabilities.
Why use Nmap?
• Ability to quickly recognize all the devices, including servers, routers, switches, mobile devices, etc., on
single or multiple networks.
• Helps identify services running on a system including web servers, DNS servers, and other common
applications.
• Nmap can also detect application versions with reasonable accuracy to help detect existing vulnerabilities.
• Nmap can find information about the operating system running on devices. It can provide detailed
information like OS versions, making it easier to plan additional approaches during penetration testing.
• During security auditing and vulnerability scanning, you can use Nmap to test systems with existing scripts
from the Nmap Scripting Engine (NSE).
• Nmap has a graphical user interface called Zenmap. It helps you develop visual mappings of a network for
better usability and reporting.
• It also offers advanced features like OS and version detection, service
and application fingerprinting, and scriptable interactions with target
systems.
• It can be used for a variety of purposes, including network inventory,
vulnerability scanning, and penetration testing.
Basic scans

Ping scan: Scans for the devices that are up and running on a given subnet.
Scan a single host: Scans a single host for 1000 well-known ports. These ports are the ones used by popular
services like SQL, SNTP, Apache, and others.
Stealth scan: Stealth scanning is performed by sending a SYN packet and analyzing the response. If a
SYN/ACK is received, it means the port is open and a TCP connection could be opened.
Version scanning: It makes your life easier since you can find an existing vulnerability from the Common
Vulnerabilities and Exposures (CVE) database for a particular version of the service. You can then use it to attack a
machine using an exploitation tool like Metasploit.
To do a version scan, use the -sV option. Nmap will provide a list of services with their versions.
OS scanning: In addition to the services and their versions, Nmap can provide information about the underlying
operating system using TCP/IP fingerprinting. Nmap will also try to find the system uptime during an OS scan.
Aggressive scanning: Nmap has an aggressive mode that enables OS detection, version detection, script
scanning, and traceroute. You can use the -A argument to perform an aggressive scan.
• Scanning Multiple Hosts
• Nmap has the capability of scanning multiple hosts simultaneously. This feature comes in really handy when
you are managing a vast network infrastructure.
• You can scan multiple hosts through numerous approaches:
• Write all the IP addresses in a single row to scan all of the hosts at the same time.
• Port Scanning
• Port scanning is one of the most fundamental features of Nmap. You can scan for ports in
several ways.
• Use the -p option to scan for a single port.
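The version scan described above is most useful to a defender when its results are compared against what is supposed to be running. The following is an added example, not code from the slides or from the Nmap project: it parses the XML report that `nmap -sV -oX scan.xml <target>` writes and builds a host/port/service inventory that is checked against an approved-service baseline. The XML is a constructed sample in Nmap's report format; the address, ports and version strings in it are invented.

```python
"""Added example, not from the slides or the Nmap project: parse an Nmap XML report
(as written by `nmap -sV -oX scan.xml <target>`) into a host/port/service inventory
and flag open services that are not on an approved baseline. The XML below is a
constructed sample in Nmap's report format; the address and versions are invented."""
import xml.etree.ElementTree as ET

# Constructed sample report: one host, three ports. Real reports carry many more
# attributes; only the elements the parser reads are included here.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="9.6p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.58"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="filtered"/>
        <service name="telnet"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {address: [(port, proto, state, service, product, version), ...]} for hosts that are up."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        address = host.find("address")
        addr = address.get("addr") if address is not None else "?"
        entries = []
        for port in host.findall("./ports/port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            entries.append((int(port.get("portid")), port.get("protocol"), state,
                            attrs.get("name", ""), attrs.get("product", ""), attrs.get("version", "")))
        inventory[addr] = entries
    return inventory


def open_ports(inventory, addr):
    """Sorted list of open port numbers for one host."""
    return sorted(e[0] for e in inventory.get(addr, []) if e[2] == "open")


def unexpected_services(inventory, allowed):
    """Open ports whose service name is not in the host's allowed set: (addr, port, service, product+version)."""
    findings = []
    for addr, entries in inventory.items():
        for port, _proto, state, name, product, version in entries:
            if state == "open" and name not in allowed.get(addr, set()):
                findings.append((addr, port, name, f"{product} {version}".strip()))
    return findings


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    for addr, entries in inv.items():
        print(addr)
        for port, proto, state, name, product, version in entries:
            print(f"  {port}/{proto} {state:9} {name:7} {product} {version}")
    # Baseline: only SSH is approved on this host, so the open web server is reported.
    print(unexpected_services(inv, {"192.0.2.10": {"ssh"}}))
```

The same parser works on a multi-host report; the `allowed` mapping is the place to keep the per-host list of services that should be listening, so a scheduled scan turns into a drift report rather than a pile of raw ports.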
OSSEC
• OSSEC (Open Source Security) is a free and open-source host-based intrusion detection system
(HIDS) that provides security alerts for suspicious activity on a computer or network.
• OSSEC is designed to monitor file systems, logs, and other system activity to detect security threats,
including malware infections, unauthorized access, and system breaches.
• It can analyze logs from various sources, including firewalls, intrusion prevention systems, and
other security tools to identify patterns of suspicious activity.
• OSSEC uses a combination of signature-based and anomaly-based detection methods to identify
security threats.
• Signature-based detection involves comparing system activity to known signatures of malware or other
malicious activity.
• Anomaly-based detection involves identifying activity that deviates from normal behavior patterns.
• OSSEC also provides real-time alerts for security threats and can send alerts via email or other
methods.
• OSSEC is highly customizable, allowing users to configure it to monitor specific files or systems
and to define their own rules for detecting suspicious activity.
• OSSEC is compatible with a wide range of operating systems, including Windows, Linux, and
macOS, making it a versatile tool for host-based intrusion detection.
• OSSEC is a powerful tool for detecting and responding to security threats on a host system, but it
• OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). OSSEC has a
powerful correlation and analysis engine, integrating log analysis, file integrity monitoring, Windows registry
monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.
• Is OSSEC a SIEM?
• OSSEC is a platform to monitor and control your systems. It mixes together all the aspects of HIDS (host-based
intrusion detection), log monitoring, and Security Incident Management (SIM)/Security Information and Event
Management (SIEM) together in a simple, powerful, and open source solution.
• Who uses OSSEC?
• OSSEC is a growing project, with more than 5,000 downloads per month on average. It is being used by ISPs,
universities, governments and even large corporate data centers as their main HIDS solution.
• Is OSSEC an IPS or an IDS?
• OSSEC (Open Source HIDS SECurity) is a free, open-source host-based intrusion detection system (HIDS). It
performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and
active response.
• Does OSSEC need server?
• OSSEC can only be installed as an agent on Microsoft Windows platforms. These
systems will require an OSSEC server, running on Linux or another Unix-like
system.
• How do I run OSSEC?
• Manager/Agent Installation
1. Download the latest version and verify its signature. ...
2. Verify the requirements listed in Installation requirements are installed or available.
3. Extract the compressed package and run the install.sh script. ...
4. The OSSEC manager listens on UDP port 1514.
• Where are OSSEC logs stored?
• /var/ossec/logs
• All logs are stored in subdirectories of /var/ossec/logs. OSSEC's log messages are
stored in /var/ossec/logs/ossec.log. Log messages from the agents are not stored by
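The slides describe OSSEC as combining signature-based and anomaly-based detection over collected logs. The following is an added example, not code from the slides or from the OSSEC project: a minimal model of the two methods run over a constructed auth-log excerpt. A signature rule matches the known text of a failed SSH login; an anomaly rule escalates when one source address produces far more failures inside a short window than normal activity does. The log lines, hostnames and addresses are constructed, and the severity numbers are an assumption in the style of OSSEC's rule levels, not OSSEC's own rules.

```python
"""Added example, not from the slides or the OSSEC project: signature-based detection
(a regex for a known failed-login message) and anomaly-based detection (a per-source
failure count inside a sliding window) over constructed syslog-style lines. The rule
levels 5 and 10 are assumed, OSSEC-style severities, not OSSEC's actual rules."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth-log excerpt. Hostnames and addresses are invented.
SAMPLE_LOG = """\
Mar  4 10:00:01 web1 sshd[2301]: Accepted publickey for deploy from 198.51.100.7 port 51022 ssh2
Mar  4 10:00:05 web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Mar  4 10:00:06 web1 sshd[2311]: Failed password for root from 203.0.113.9 port 40002 ssh2
Mar  4 10:00:07 web1 sshd[2312]: Failed password for root from 203.0.113.9 port 40003 ssh2
Mar  4 10:00:08 web1 sshd[2313]: Failed password for invalid user test from 203.0.113.9 port 40004 ssh2
Mar  4 10:00:09 web1 sshd[2314]: Failed password for root from 203.0.113.9 port 40005 ssh2
Mar  4 10:03:40 web1 sshd[2350]: Failed password for alice from 198.51.100.7 port 51100 ssh2
Mar  4 10:03:55 web1 sshd[2351]: Accepted password for alice from 198.51.100.7 port 51101 ssh2
"""

# Generic syslog line: timestamp, host, program[pid]: message
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)\[\d+\]: (.*)$")
# Signature: the fixed wording sshd uses for a failed password authentication.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def parse_line(line, year=2024):
    """Split one syslog line into fields; syslog omits the year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "host": m.group(2), "program": m.group(3), "message": m.group(4)}


def signature_alerts(lines):
    """One alert per line that matches the failed-login signature."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        m = FAILED_RE.search(ev["message"])
        if m:
            alerts.append({"level": 5, "rule": "sshd_failed_password",
                           "user": m.group(1), "src": m.group(2), "time": ev["time"]})
    return alerts


def anomaly_alerts(sig_alerts, threshold=4, window_seconds=60):
    """Escalate once per source when its failures inside a sliding window reach `threshold`."""
    by_src = defaultdict(list)
    escalated, seen = [], set()
    for a in sorted(sig_alerts, key=lambda a: a["time"]):
        times = by_src[a["src"]]
        times.append(a["time"])
        # Drop failures that fall outside the window ending at this event.
        while (a["time"] - times[0]).total_seconds() > window_seconds:
            times.pop(0)
        if len(times) >= threshold and a["src"] not in seen:
            seen.add(a["src"])
            escalated.append({"level": 10, "rule": "sshd_bruteforce", "src": a["src"],
                              "count": len(times), "time": a["time"]})
    return escalated


if __name__ == "__main__":
    sig = signature_alerts(SAMPLE_LOG.splitlines())
    for a in sig:
        print("signature:", a)
    for a in anomaly_alerts(sig):
        print("ANOMALY:", a)
```

The single failure from 198.51.100.7 stays at the signature level (a user mistyping a password), while the burst from 203.0.113.9 crosses the window threshold and is escalated; that distinction is what keeps the anomaly layer from flooding the analyst with individual failed logins.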
OpenVAS
• OpenVAS is a full-featured vulnerability scanner.
• Its capabilities include unauthenticated and authenticated testing, various high-level and
low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful
internal programming language to implement any type of vulnerability test.
• Purpose of OpenVAS:
• Vulnerability management scanners like OpenVAS identify and classify potential points of
weakness in your infrastructure, quantify the possible risk, and recommend mitigations to
remediate the problem.
• The goal is to prevent and minimize attacks by targeting identified exploits present within the
networks.
• What vulnerabilities does OpenVAS scan for?
• OpenVAS is a system vulnerability scanner that checks visible ports and the services it can access for
known exploits, and for high-level web threats (like cross-site scripting vulnerabilities and improper
file access).
• Can OpenVAS scan websites?
• When scanning a network, attackers look for exploits of open ports. For websites, OpenVAS
therefore scans the possible versions of the web server and reports the vulnerable paths it
finds.
Metasploit Framework
• The Metasploit framework is a very powerful tool which can be used by
cybercriminals as well as ethical hackers to probe systematic vulnerabilities on
networks and servers.
• Because it's an open-source framework, it can be easily customized and used
with most operating systems.
• Metasploit is not just a single tool. It is a complete framework: a Ruby-based, modular
penetration testing platform that enables you to write, test, and execute exploit code. It is
flexible and extremely robust and has tons of tools to perform various simple and complex
tasks.
• Metasploit has three editions available.
• Metasploit Pro
• Metasploit Community
• Metasploit Framework
• Various components of Metasploit:
1. Auxiliaries:
• Auxiliaries are the modules that make Metasploit so easy to work with.
• A Metasploit auxiliary is nothing but a specific piece of code written to perform a particular
task.
• For example, it can be used to check if we can access an FTP server anonymously or to check
if the web server is vulnerable to a Heartbleed attack.
• In fact, Metasploit has more than 1,000 auxiliary modules that perform various tasks like
scanning, fuzzing, sniffing, and much more.
2. Payloads
• An exploit is a piece of code that will be used against the component that is vulnerable.
• The exploit code may run successfully, but what you want to do once the exploit has succeeded is
defined by the payload.
• In simple terms, a payload can be defined as the action that needs to be performed after the
complete execution of an exploit.
3. Exploits
• Exploits are an extremely important part of Metasploit.
• The whole purpose of the framework is to offer exploits that you can use for various vulnerabilities.
• An exploit is a code that takes advantage of a software vulnerability or security flaw and you will use this code
on the target system to take advantage of the vulnerabilities present in the target system.
4. Encoders
• Metasploit helps you generate a wide variety of payloads that you can send to the target in multiple ways to
perform any task.
• In the process, it is quite possible that your payload gets detected by the security software or antivirus
software present on the target system.
• This is where encoders come into play.
• Encoders use various algorithms and techniques to obscure the payload so that it doesn't get detected by
antivirus software.
5. Post-Exploitation Activities (Post)
• Once you have gained access to your target system using any of the available exploits (here we are talking
about basic access), you can make use of the post modules to further infiltrate the target system.
• These operations are mostly done in cyber events with complete permissions and must be done in an ethical
way.
Nikto
● Created by: David Lodge and Chris Sullo
● Version 1.00 Beta released on: December 27, 2001
● Current version: 2.1.5
● Written in: Perl
● The name is taken from the movie The Day The Earth Stood Still
● Open source, with support for SSL connections
● Performs tests against web servers for multiple items:
- Looks for over 6500 potentially dangerous files/CGIs
- Checks for outdated versions of over 1250 servers
- Looks for version-specific problems on over 270 servers
- Attempts to identify installed web servers and software
- Checks for the presence of multiple index files and HTTP server options
● Output can be saved in a variety of formats: text, XML, HTML.
● Installation:
● Runs on Windows, Mac, and Linux: any system with a basic Perl installation allows Nikto to run.
● Requirements for Windows usage: ActiveState Perl (typical settings) and Nikto (download and extract the
archive contents).
Wireshark
• Wireshark is the world’s foremost and widely-used network protocol analyzer.
• Features:
1. Deep inspection of hundreds of protocols, with more being added all the time
2. Live capture and offline analysis
3. Standard three-pane packet browser
4. Multi-platform: Runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many
others
5. Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
6. The most powerful display filters in the industry
7. Rich VoIP analysis
8. Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult
DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer®
(compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments
Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer,
Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets
EtherPeek/TokenPeek/AiroPeek, and many others
• Capture files compressed with gzip can be decompressed on the fly
• Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth,
USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
• Decryption support for many protocols, including IPsec, ISAKMP, Kerberos,
SNMPv3, SSL/TLS, WEP, and WPA/WPA2
• Coloring rules can be applied to the packet list for quick, intuitive analysis.
• Advantages of using Wireshark:
• Free software.
• Available for multiple platforms – Windows & UNIX.
• Can see detailed information about packets within a network.
• Not proprietary, so it can be used with equipment from multiple vendors, unlike Cisco Prime.
• What can hackers do with Wireshark?
1. Wireshark can also be used as a tool for hackers.
2. This usually involves reading and writing data transmitted over an insecure or
compromised network. Nefarious actors may seek out confidential data such as
credit-card information, passwords, search queries, private messages, emails,
financial transactions, and more.
TrueCrypt
• TrueCrypt provides free open-source disk encryption software for Windows 7/Vista/XP, Mac
OS X, and Linux.
• It creates a virtual disk that is entirely encrypted (including file names, folder names,
contents of every file, allocation tables, free space, metadata, etc.) and mounts as if it were a
real disk. It can encrypt an entire partition or storage device such as a USB flash drive or
hard drive.
• The encryption is automatic, fast, and transparent to the user. You can copy files and folders
to and from a mounted TrueCrypt volume just like you would normally do. TrueCrypt does
not save any decrypted data to disk; rather, it only stores data temporarily in RAM
(memory).
• Follow the default installation procedures to install TrueCrypt. Start TrueCrypt and click No
when asked to view the tutorial.
• The main TrueCrypt window appears. Click on the Create Volume button.
• You have three options: a TrueCrypt volume can reside in a file (called a container), in a
partition, or on a whole drive. A TrueCrypt container can be moved, copied, and deleted like a normal
file. Click Next.
• Access your container in the X: drive and open the document TrueCrypt
Encrypted. It is just as fast as opening up the unencrypted version.
• Important: Note that when you open a file stored on a TrueCrypt volume
(or when you write/copy a file to/from the TrueCrypt volume) you will not
be asked to enter the password again. You need to enter the correct
password only when mounting the volume.
• In order to close the volume and make your files inaccessible click
Dismount.
VeraCrypt
• VeraCrypt is a popular open-source disk encryption tool that can be
used to protect the confidentiality of files and folders stored on a
computer or external storage devices. It can also be used to encrypt
entire hard drives or USB drives, making the data on them
inaccessible to unauthorized users.
• VeraCrypt is based on the TrueCrypt encryption software, which was
discontinued in 2014. VeraCrypt has improved security features and
has been audited for security vulnerabilities by several third-party
security auditors.
Some of the features of VeraCrypt include:
• Support for multiple encryption algorithms: VeraCrypt supports various encryption algorithms,
including AES, Serpent, and Twofish. This ensures that even if one algorithm is compromised,
the data will still be protected by the other algorithms.
• Hidden volumes: VeraCrypt allows users to create hidden volumes within a regular volume. This
means that even if someone gains access to the encrypted volume, they won't be able to see the
hidden volume unless they know the specific password to access it.
• Plausible deniability: VeraCrypt's hidden volumes feature also provides plausible deniability. This
means that if someone is forced to reveal their password, they can give the password to the outer
volume, which contains non-sensitive data, without revealing the existence of the hidden volume.
• Two-factor authentication: VeraCrypt supports two-factor authentication using a key file in
addition to a password. This adds an extra layer of security and makes it more difficult for
unauthorized users to gain access to the encrypted data.
• VeraCrypt is a reliable tool for protecting sensitive data from unauthorized access. However,
like any security tool, it is important to use it correctly and follow best practices to ensure
maximum security.
KeePass
KeePass is a free open source password manager, which helps you to manage your passwords in
a secure way.
You can store all your passwords in one database, which is locked with a master key.
So you only have to remember one single master key to unlock the whole database.
Database files are encrypted using the best and most secure encryption algorithms currently
known (AES-256, ChaCha20 and Twofish).
• Features:
• Strong Security:
• KeePass supports the Advanced Encryption Standard and the Twofish algorithm to encrypt its
password databases. Both of these ciphers are regarded as being very secure. AES e.g.
became effective as a U.S. Federal government standard and is approved by the National
Security Agency (NSA) for top secret information.
• The complete database is encrypted, not only the password fields.
• SHA-256 is used to hash the master key components. SHA-256 is a 256-bit cryptographically
secure one-way hash function. No attacks are known yet against SHA-256. The output is
transformed using a key derivation function.
• Protection against dictionary and guessing attacks.
• Multiple User Keys:
• One master password decrypts the complete database.
• Alternatively you can use key files. Key files provide better security than master
passwords in most cases. You only have to carry the key file with you, for example on a
floppy disk, USB stick, or you can burn it onto a CD.
• For even more security you can combine the above two methods: the database then
requires the key file and the password in order to be unlocked. Even if you lose your
key file, the database would remain secure.
• Additionally, you can lock the database to the current Windows user account. The
database can then only be opened by the same person who created it.
• Portable, No Installation Required, Accessibility:
- KeePass is portable: it can be carried on a USB stick and runs on Windows systems
without being installed.
- Installer packages are available, too, for the ones who like to have shortcuts in their
• Easy Database Transfer:
- A password database consists of only one file that can be transferred from one computer to
another easily.
• Import from many file formats:
- KeePass uses the common CSV export format of various password safes like Password Keeper
and Password Agent. Exports from these programs can be easily imported into your KeePass
databases.
- KeePass can parse and import TXT outputs of CodeWalletPro, a commercial closed-source
password safe.
- KeePass can import TXT files created by Bruce Schneier's Password Safe v2.
• Export to TXT, HTML, XML and CSV Files:
- The password list can be exported to various formats like TXT, HTML, XML and CSV.
- The XML output can be easily used in other applications.
- The HTML output uses cascading style sheets (CSS) to format the table, so you can easily change
the layout.
- The CSV output is fully compatible with most other password safes like the commercial closed-
source Password Keeper and the closed-source Password Agent, also the CSVs can be imported
• Searching and Sorting:
- You can search for specific entries in the databases.
- To sort a password group, just click on one of the column headers in the password list; you
can sort by any column.
• Strong Random Password Generator:
- KeePass can generate strong random passwords for you.
- You can define the possible output characters of the generator (number of characters and
type).
- Random seeding through user input: mouse movement and random keyboard input.
• Open Source:
- KeePass is free and you have full access to its source code!
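The "Strong Security" and "Multiple User Keys" points above describe how the master key is built: SHA-256 hashes each key component, the result goes through a key derivation function, and a password and a key file can be combined so that both are needed to unlock the database. The following is an added example, not code from the slides or from the KeePass project: a simplified model of that composition using Python's standard library. The real KDBX file format differs in its details (and current KeePass versions can use other KDFs); the PBKDF2 round count, the salt handling and the verifier used to check an unlock attempt are illustrative assumptions.

```python
"""Added example, not from the slides or the KeePass project: a simplified model of
composite master keys. Each component (password, key file) is hashed with SHA-256,
the hashes are concatenated and hashed again, and a slow KDF turns the result into
the database key. The KDF parameters, the salt and the HMAC-based verifier are
assumptions for the example; KeePass's actual file format is not reproduced."""
import hashlib
import hmac
import os

ROUNDS = 100_000  # assumed work factor; a real database stores its own parameters
VERIFIER_TAG = b"keepass-example-verifier"  # constructed constant for the unlock check


def composite_key(password=None, key_file_bytes=None):
    """SHA-256 over the concatenated SHA-256 hashes of every component that is present."""
    if password is None and key_file_bytes is None:
        raise ValueError("at least one key component is required")
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file_bytes is not None:
        parts += hashlib.sha256(key_file_bytes).digest()
    return hashlib.sha256(parts).digest()


def derive_db_key(composite, salt, rounds=ROUNDS):
    """Slow KDF step: each guess of a weak password now costs `rounds` HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds, dklen=32)


def make_header(password=None, key_file_bytes=None, salt=None):
    """What a database would store: the salt and a verifier derived from the correct key."""
    salt = salt or os.urandom(16)
    key = derive_db_key(composite_key(password, key_file_bytes), salt)
    verifier = hmac.new(key, VERIFIER_TAG, "sha256").digest()
    return {"salt": salt, "verifier": verifier}


def unlock(header, password=None, key_file_bytes=None):
    """True only when the supplied components reproduce the stored verifier."""
    try:
        key = derive_db_key(composite_key(password, key_file_bytes), header["salt"])
    except ValueError:
        return False
    probe = hmac.new(key, VERIFIER_TAG, "sha256").digest()
    return hmac.compare_digest(probe, header["verifier"])


if __name__ == "__main__":
    key_file = os.urandom(64)  # constructed key-file contents
    hdr = make_header("correct horse battery staple", key_file)
    print("password + key file:", unlock(hdr, "correct horse battery staple", key_file))
    print("password only      :", unlock(hdr, "correct horse battery staple"))
    print("key file only      :", unlock(hdr, None, key_file))
```

Because the key file's hash is folded into the composite before the KDF runs, losing the file (or losing the password) leaves the attacker with nothing to guess against, which is the slide's point that a database using both "would remain secure" if only the key file is lost.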
Security Onion
Security Onion is a Linux distro for intrusion detection, network security monitoring,
and log management.
• It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby,
ELSA, Xplico, Network Miner, and many other security tools.
Core Functions:
• Full packet capture
• Network-based and Host-based intrusion detection systems
• Analysis tools
• IDS:
A device or software application that monitors network or system activities for malicious
activities or policy violations and produces reports to a management station.
Network Security Monitoring:
Monitoring your network for security related events.
It might be proactive, when used to identify vulnerabilities or expiring SSL certificates, or
it might be reactive, such as in incident response and network forensics.
• Log Management: To collect all logs, software activity, user events, and
network traffic.
• Snorby:
• Ruby On Rails Application For Network Security Monitoring.
• Integrates with intrusion detection systems like Snort, Suricata and
Sagan.
• Squert:
• Squert is a web application that is used to query and view event data stored in a Sguil database
(typically IDS alert data).
• It attempts to provide additional context to events through the use of metadata, time series
representations and weighted and logically grouped result sets.
• Deployment Scenarios:
• Standalone: A single physical or virtual machine running both the server and sensor
components and related processes.
• Server-sensor: A single machine running the server component with one or more separate
machines running the sensor component and reporting back to the server.
• Hybrid: A hybrid installation consists of a standalone installation that also has one or more
separate sensors reporting back to the server component of it.
OpenSSH
• OpenSSH is a free and open-source implementation of the Secure Shell (SSH)
protocol, which provides encrypted communication between two networked
devices. OpenSSH is widely used as a secure method for accessing and
managing remote servers and systems.
• OpenSSH provides several security features, including:
1. Encrypted communication: OpenSSH encrypts all communication between the
client and server, ensuring that sensitive information such as passwords, files,
and commands are protected from interception by unauthorized parties.
2. Secure authentication: OpenSSH provides several authentication methods,
including password-based, public-key, and keyboard-interactive authentication.
Public-key authentication, in particular, is highly secure and is commonly used
for remote server access.
3. Port forwarding: OpenSSH allows for secure port forwarding, which
enables users to access remote services over an encrypted connection. This is
useful for accessing services that may not be directly accessible over the
internet, or for accessing services securely over untrusted networks.
4. Control over network access: OpenSSH provides fine-grained control over
network access by allowing administrators to configure which hosts are
allowed to connect to a server, and which users are allowed to log in.

• OpenSSH is a highly secure and reliable tool for remote server access and
management. It is widely used in production environments, and its open-source
nature ensures that it is constantly being updated and improved by the community.
However, like any security tool, it is important to configure and use OpenSSH
correctly to ensure maximum security.
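The closing point, that OpenSSH must be configured correctly, is something a defender can check mechanically. The following is an added example, not code from the slides or from the OpenSSH project: a small audit of an sshd_config text against the access-control points listed above (authentication method, who may log in, forwarding). Both configurations are constructed samples; the checks encode common hardening advice rather than any OpenSSH tool, and the defaults table follows the sshd_config(5) defaults for the keywords it lists.

```python
"""Added example, not from the slides or the OpenSSH project: parse an sshd_config text
and report settings that weaken the protections the slides describe. The two configs
are constructed samples; DEFAULTS lists the sshd_config(5) defaults used when a
keyword is absent; the advice strings are this example's own."""
import re

WEAK_CONFIG = """\
# constructed sshd_config: a loose configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
"""

HARDENED_CONFIG = """\
# constructed sshd_config with the findings addressed
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
AllowTcpForwarding no
AllowGroups sshusers
MaxAuthTries 3
"""

# Values sshd uses when the keyword does not appear (sshd_config(5)).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "allowtcpforwarding": "yes",
    "maxauthtries": "6",
}

# "Keyword value" or "Keyword=value", as sshd_config allows.
OPTION_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {keyword(lowercase): value}. sshd honours the first occurrence of a keyword,
    so later duplicates are ignored; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = OPTION_RE.match(line)
        key, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        settings.setdefault(key.lower(), value)
    return settings


def audit_sshd_config(text):
    """Return findings as (Keyword, effective value, advice); an empty list means none."""
    s = parse_sshd_config(text)

    def eff(key):  # effective value: explicit setting or the default
        return s.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if eff("permitrootlogin") == "yes":
        findings.append(("PermitRootLogin", "yes", "do not allow direct root login"))
    if eff("pubkeyauthentication") != "yes":
        findings.append(("PubkeyAuthentication", eff("pubkeyauthentication"), "enable public-key authentication"))
    if eff("passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication", "yes", "disable passwords once keys are deployed"))
    if eff("permitemptypasswords") == "yes":
        findings.append(("PermitEmptyPasswords", "yes", "never accept empty passwords"))
    if eff("x11forwarding") == "yes":
        findings.append(("X11Forwarding", "yes", "disable unless X11 is needed"))
    if eff("allowtcpforwarding") == "yes":
        findings.append(("AllowTcpForwarding", "yes", "limit port forwarding to users who need it"))
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append(("AllowUsers/AllowGroups", "(unset)", "restrict which accounts may log in"))
    if int(eff("maxauthtries")) > 4:
        findings.append(("MaxAuthTries", eff("maxauthtries"), "lower the number of guesses per connection"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_sshd_config(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for keyword, value, advice in found:
            print(f"  {keyword} = {value}: {advice}")
```

Two of the weak configuration's findings come from keywords that are not in the file at all (AllowTcpForwarding and MaxAuthTries), which is why the audit evaluates effective values with their defaults rather than only the lines that are present.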
Kali Linux
• Kali Linux is a Debian-derived Linux distribution and a member of the UNIX OS family.
• Maintained and funded by Offensive Security Limited.
• Primarily designed for penetration testing and digital forensics.
• Developed by Mati Aharoni and Devon Kearns of Offensive Security.
• A rewrite of BackTrack.
• History
• Knoppix, the ancestor of Kali Linux, was the first ever bootable live Linux operating
system, and it is still in existence.
• The Knoppix project was then forked into Whoppix and then re-forked into WHAX.
• WHAX was then re-branded and streamlined into BackTrack, the predecessor of Kali Linux.
• BackTrack had a long reign of almost seven years as the pentesters' and hackers' choice.
• BackTrack is a customised native environment dedicated to hacking. As of 2011 it was used
• Open Source
• Has a monolithic kernel.
• Available in 32-bit and 64-bit images for use on hosts based on the x86
instruction set.
• Also available as an image for the ARM architecture for use on the Raspberry Pi
and Samsung's ARM Chromebook.
• Its newest version, Kali Linux 1.0.9, was released on 25 August 2014.
• Features of KALI LINUX:
• Has more than 300 penetration testing tools.
• Multilingual Support
• Completely Customizable.
• Free and Always will be.
• Vast Wireless device support and Compatible with USB.
• GPG signed packages and repos.
• ARM support(ARMEL & ARMHF)-Kali Linux has ARM repositories
integrated with mainline distribution.
• Flexibility of KALI LINUX:
• Kali Linux can run natively when installed on a computer’s hard disk or,
• Can be booted from a live CD or a live USB or,
• It can run within a virtual machine.
• Available for ARM devices like Samsung Chromebook, Samsung Galaxy Note
10.1, Raspberry Pi , CuBox , and a lot more.
• KALI LINUX can also be installed within a chroot environment on an Android
device.
Moloch
• Arkime (formerly Moloch) is a large scale, open source, indexed packet capture and search system.
• Arkime augments your current security infrastructure to store and index network traffic in standard PCAP
format, providing fast, indexed access.
• Arkime was created to replace commercial full packet systems at AOL in 2012. By having complete control of
hardware and costs, we found we could deploy full packet capture across all our networks for the same cost as
just one network using a commercial tool.
• The Arkime system consists of 3 components:
• capture - A threaded C application that monitors network traffic, writes PCAP formatted files to disk, parses
the captured packets, and sends metadata (SPI data) to elasticsearch.
• viewer - A node.js application that runs per capture machine. It handles the web interface and transfer of PCAP
files.
• elasticsearch - The search database technology powering Arkime.
• Once installed, a user can look at the data Arkime has captured using a simple web interface. Arkime provides
multiple views of the data. The primary view is the Sessions page that contains a list of sessions. Each session
can be opened to view the metadata and PCAP data.
• Moloch is an open source, large scale, full packet capturing, indexing, and database system.
• Moloch augments your current security infrastructure to store and index network traffic in
standard PCAP format, providing fast, indexed access.
• Moloch exposes APIs which allow for PCAP data and JSON formatted session data to be
downloaded and consumed directly.
• Moloch stores and exports all packets in standard PCAP format, allowing you to also use your
favorite PCAP ingesting tools, such as Wireshark, during your analysis workflow.
• Moloch is built to be deployed across many systems and can scale to handle tens of gigabits/sec
of traffic.
• PCAP retention is based on available sensor disk space. Metadata retention is based on the
Elasticsearch cluster scale. Both can be increased at any time and are under your complete
control.
• Moloch was created to replace commercial full packet systems at AOL in 2012.
• Installation:
• Users can build Moloch themselves by following the steps below:
- git clone https://github.com/aol/moloch
- ./easybutton-build.sh --install (downloads all the prerequisites, builds, and installs)
- make config (performs an initial Moloch configuration)
Bro IDS
Bro IDS (Intrusion Detection System) is a free and open-source network
security monitoring tool. It is designed to detect and prevent network intrusion
attempts by analyzing network traffic in real-time. Bro IDS can help identify
and alert network administrators to suspicious or malicious activities, including
network attacks, malware infections, and data exfiltration.
• Some of the features of Bro IDS include:
1. Real-time traffic analysis: Bro IDS analyzes network traffic in real-time,
allowing for immediate detection and response to network security incidents.
2. Protocol-aware analysis: Bro IDS is protocol-aware and can analyze traffic at
multiple layers of the OSI model, including the application layer. This enables it
to detect attacks that may be missed by traditional network security tools.
3. Open architecture: Bro IDS has an open architecture that allows for
easy customization and integration with other security tools. This makes
it a highly flexible and extensible tool for network security monitoring.
4. Comprehensive logging: Bro IDS generates detailed logs of network
activity, providing network administrators with a complete view of
network traffic and security events. These logs can be used for forensic
analysis and incident response.
Snort
• NIDS: A network intrusion detection system (NIDS) is an intrusion detection system that
tries to detect malicious activity such as denial of service attacks, port scans or even
attempts to crack into computers by monitoring network traffic.
• Snort: an open source network intrusion prevention and detection system. It uses a
rule-based language combining signature, protocol and anomaly inspection methods.
• Snort: the most widely deployed intrusion detection and prevention technology and it
has become the de facto standard technology worldwide in the industry.
• Snort components:
• Logical components of snort:
• Packet Decoder: takes packets from different types of network interfaces (Ethernet,
SLIP, PPP, ...) and prepares packets for processing.
• Preprocessor: (1) prepares data for the detection engine; (2) detects anomalies in packet
headers; (3) packet defragmentation; (4) decodes HTTP URIs; (5) reassembles TCP
streams.
• Detection Engine: the most important part; applies rules to packets.
• Logging and Alerting System
• Output Modules: process alerts and logs and generate final output.
• Challenges with Snort:
• Misuse detection – avoids known intrusions:
• The rules database keeps growing: in Snort version 2.3.2 there are 2,600 rules, and 80% of them are signatures.
• Snort spends 80% of its work time on string matching.
• Anomaly detection – identifies new attacks:
• The probability of detection is low.
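• The rule-based detection engine described above, as an added Python example that is not Snort's own code: a reduced parser for Snort-style rules (header plus msg, content, nocase and sid options, with |hex| content) and a matcher that applies the rules to constructed packets. The rules, packets and addresses are constructed for the example; the content check is the string-matching step the text says dominates Snort's work time.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Snort rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# One rule option: keyword, optional ':' and a quoted or bare value, ended by ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

# Constructed rules (sid values are local, not from the Snort rule set)
SAMPLE_RULES = [
    'alert tcp any any -> 192.0.2.0/24 111 (msg:"RPC mountd access"; content:"|00 01 86 a5|"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"HTTP directory traversal attempt"; content:"../"; nocase; sid:1000002;)',
    'alert udp any any -> any 53 (msg:"DNS query observed"; sid:1000003;)',
]
# Constructed packets: (proto, src_ip, src_port, dst_ip, dst_port, payload)
SAMPLE_PACKETS = [
    ("tcp", "10.0.0.5", 51234, "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    ("tcp", "10.0.0.5", 51235, "192.0.2.10", 80, b"GET /images/../../../config HTTP/1.1\r\n"),
    ("udp", "10.0.0.7", 53000, "192.0.2.53", 53, b"\x12\x34\x01\x00"),
    ("tcp", "203.0.113.4", 40000, "192.0.2.20", 111, b"\x80\x00\x00\x28\x00\x00\x00\x01\x00\x01\x86\xa5"),
    ("tcp", "198.51.100.9", 4444, "10.0.0.5", 22, b"SSH-2.0-OpenSSH\r\n"),
]


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    sid: int = 0
    msg: str = ""
    contents: list = field(default_factory=list)  # [[bytes, nocase], ...]


def decode_content(spec):
    """Text between '|' pipes is hex (|00 01 86 a5|); everything else is literal."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = Rule(*(m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")))
    for key, value in OPTION_RE.findall(m.group("opts")):
        value = value.strip().strip('"')
        if key == "msg":
            rule.msg = value
        elif key == "sid":
            rule.sid = int(value)
        elif key == "content":
            rule.contents.append([decode_content(value), False])
        elif key == "nocase" and rule.contents:
            rule.contents[-1][1] = True  # nocase modifies the preceding content
    return rule


def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    if spec == "any":
        return True
    if ":" in spec:  # Snort port range lo:hi (either end may be empty)
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    proto, src, sport, dst, dport, payload = pkt
    if rule.proto not in ("ip", proto):
        return False
    if not (_addr_ok(rule.src, src) and _port_ok(rule.sport, sport)
            and _addr_ok(rule.dst, dst) and _port_ok(rule.dport, dport)):
        return False
    for needle, nocase in rule.contents:  # the string-matching step
        hay = payload
        if nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def run_detection(rules, packets):
    """Return (sid, msg, src, dst) for every alert rule that fires, in packet order."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.action == "alert" and rule_matches(rule, pkt):
                alerts.append((rule.sid, rule.msg, f"{pkt[1]}:{pkt[2]}", f"{pkt[3]}:{pkt[4]}"))
    return alerts


if __name__ == "__main__":
    for alert in run_detection([parse_rule(r) for r in SAMPLE_RULES], SAMPLE_PACKETS):
        print("[%d] %s  %s -> %s" % alert)
```

Only the rule header, content/nocase, msg and sid are handled; real Snort rules carry many more options (flow, pcre, depth/offset, byte_test) and the engine groups rules by port so that not every packet is compared against every content string.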
OSQuery
• OSquery is an operating system instrumentation framework for Windows, OS X (macOS), Linux, and
FreeBSD. The tools make low-level operating system analytics and monitoring both performant and intuitive.
• OSquery exposes an operating system as a high-performance relational database. This allows you to write SQL
queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running
processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.
• SQL as understood by osquery
• The osquery SQL language is a superset of SQLite's, please read
SQL as understood by SQLite for reference. This is a great starting place if coming from
MySQL, PostgreSQL, or MSSQL.
• SELECT only! All mutation-based verbs exist, like INSERT, UPDATE, DELETE,
and ALTER but they do not do anything—except creating run-time tables or VIEWs. ;)
• Before diving into the osquery SQL customizations, please familiarize yourself with the
osquery development shell. This shell is designed for ad-hoc exploration of your OS and
SQL query prototyping.
• Shell help
• Within the shell, try: .help
$ osqueryi
Using a virtual database. Need help, type '.help'
osquery> .help
Welcome to the osquery shell. Please explore your OS!
You are connected to a transient 'in-memory' virtual database.
.all [TABLE]       Select all from a table
.bail ON|OFF       Stop after hitting an error; default OFF
.echo ON|OFF       Turn command echo on or off
[...]
osquery>
osquery> .schema process
[...]
CREATE TABLE process_memory_map(pid INTEGER, start TEXT, end TEXT, permissions TEXT, offset BIGINT, device TEXT, inode INTEGER, path TEXT, pseudo INTEGER);
CREATE TABLE process_open_files(pid BIGINT, fd BIGINT, path TEXT);
CREATE TABLE process_open_sockets(pid INTEGER, fd BIGINT, socket BIGINT, family INTEGER, protocol INTEGER, local_address TEXT, remote_address TEXT, local_port INTEGER, remote_port INTEGER, path TEXT);
CREATE TABLE processes(pid BIGINT, name TEXT, path TEXT, cmdline TEXT, state TEXT, cwd TEXT, root TEXT, uid BIGINT, gid BIGINT, euid BIGINT, egid BIGINT, suid BIGINT, sgid BIGINT, on_disk INTEGER, wired_size BIGINT, resident_size BIGINT, phys_footprint BIGINT, user_time BIGINT, system_time BIGINT, start_time BIGINT, parent BIGINT, pgroup BIGINT, nice INTEGER);
• Your first query
• On macOS (or Linux), select one process's pid, name, and path. Then change the display mode and issue the
same query:
osquery> SELECT pid, name, path FROM processes LIMIT 1;
+-----+---------+---------------+
| pid | name    | path          |
+-----+---------+---------------+
| 1   | launchd | /sbin/launchd |
+-----+---------+---------------+
osquery> .mode line
osquery> SELECT pid, name, path FROM processes LIMIT 1;
  pid = 1
 name = launchd
 path = /sbin/launchd
osquery> .mode pretty
• Run … processes ORDER BY start_time DESC LIMIT 1; several times and you will continue to select the most recently started process. This data is equivalent to ps and is a real-time representation. Try: SELECT * FROM time;
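• Because osquery's SQL is a superset of SQLite's, queries can be prototyped against plain SQLite using the table shapes shown above. The following is an added Python example, not osquery code: it builds the processes and process_open_sockets tables with a subset of the columns from the schema above, fills them with constructed rows, and runs the page's "most recently started process" query next to two triage queries a defender would typically write with osquery (a running process whose executable is gone from disk, which in osquery is on_disk = 0, and processes joined to their remote connections). The hosts, paths and addresses are constructed.

```python
import sqlite3

# Subset of the osquery schema printed by `.schema process` above.
SCHEMA = """
CREATE TABLE processes(pid BIGINT, name TEXT, path TEXT, cmdline TEXT, uid BIGINT,
                       on_disk INTEGER, start_time BIGINT, parent BIGINT);
CREATE TABLE process_open_sockets(pid INTEGER, fd BIGINT, socket BIGINT, family INTEGER,
                       protocol INTEGER, local_address TEXT, remote_address TEXT,
                       local_port INTEGER, remote_port INTEGER, path TEXT);
"""

# Constructed rows. The last process runs from a path whose executable has been
# removed (on_disk = 0), a pattern osquery users commonly hunt for.
PROCESSES = [
    (1, "launchd", "/sbin/launchd", "/sbin/launchd", 0, 1, 1700000000, 0),
    (412, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D", 0, 1, 1700000100, 1),
    (2231, "bash", "/bin/bash", "-bash", 501, 1, 1700003000, 412),
    (2290, "kworker", "/tmp/.x/kworker", "./kworker", 501, 0, 1700003600, 2231),
]
# (pid, fd, socket, family, protocol, local_address, remote_address, local_port, remote_port, path)
SOCKETS = [
    (412, 3, 0, 2, 6, "0.0.0.0", "0.0.0.0", 22, 0, ""),            # listening socket
    (412, 5, 0, 2, 6, "10.0.0.5", "198.51.100.9", 22, 50110, ""),  # accepted session
    (2290, 4, 0, 2, 6, "10.0.0.5", "203.0.113.77", 49821, 4444, ""),
]


def open_virtual_os():
    """Stand-in for osqueryi's in-memory virtual database."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO processes VALUES (?,?,?,?,?,?,?,?)", PROCESSES)
    con.executemany("INSERT INTO process_open_sockets VALUES (?,?,?,?,?,?,?,?,?,?)", SOCKETS)
    return con


def newest_process(con):
    """The query from the text: the most recently started process."""
    return con.execute(
        "SELECT pid, name, path FROM processes ORDER BY start_time DESC LIMIT 1"
    ).fetchone()


def deleted_binaries(con):
    """Running processes whose executable no longer exists on disk."""
    return con.execute(
        "SELECT pid, name, path FROM processes WHERE on_disk = 0 ORDER BY pid"
    ).fetchall()


def remote_connections(con):
    """Join processes to sockets that have a real remote endpoint. The socket
    table does not record direction, so accepted and outbound sessions both appear."""
    return con.execute("""
        SELECT p.pid, p.name, p.path, s.remote_address, s.remote_port
        FROM processes p JOIN process_open_sockets s USING (pid)
        WHERE s.remote_port != 0
          AND s.remote_address NOT IN ('0.0.0.0', '127.0.0.1', '::', '::1')
        ORDER BY p.pid, s.remote_port
    """).fetchall()


if __name__ == "__main__":
    con = open_virtual_os()
    print("newest:", newest_process(con))
    print("deleted binaries:", deleted_binaries(con))
    for row in remote_connections(con):
        print("connection:", row)
```

Against a real host the same SELECT statements run unchanged in osqueryi; only the data source differs, since osquery generates the rows from the live operating system at query time rather than from stored tables.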
Google Rapid Response (GRR)
• What is GRR?
• GRR Rapid Response is an incident response framework focused on remote live forensics.
• Goal: The goal of GRR is to support forensics and investigations in a fast, scalable manner to
allow analysts to quickly triage attacks and perform analysis remotely.
• GRR components:
• GRR consists of 2 parts: client and server.
• The GRR client is deployed on systems that one might want to investigate. On every such system,
once deployed, the GRR client periodically polls GRR frontend servers for work. "Work" means
running a specific action: downloading a file, listing a directory, etc.
• The GRR server infrastructure consists of several components (frontends, workers, UI servers) and
provides a web-based graphical user interface and an API endpoint that allows analysts to
schedule actions on clients and view and process collected data.
• Remote forensics at scale
• GRR was built to run at scale so that analysts are capable of effectively collecting and
• GRR client features:
• Cross-platform support for Linux, OS X and Windows clients.
• Live remote memory analysis using the YARA library.
• Powerful search and download capabilities for files and the Windows registry.
• OS-level and raw file system access, using the SleuthKit (TSK).
• Secure communication infrastructure designed for Internet deployment.
• Detailed monitoring of client CPU, memory, IO usage and self-imposed limits.
• GRR server features:
• Fully fledged response capabilities handling most incident response and forensics tasks.
• Enterprise hunting (searching across a fleet of machines) support.
• Fast and simple collection of hundreds of digital forensic artifacts.
• AngularJS Web UI and RESTful JSON API with client libraries in Python, PowerShell and Go.
• Powerful data export features supporting a variety of formats and output plugins.
• Fully scalable back-end capable of handling large deployments.
• Automated scheduling for recurring tasks.
• Asynchronous design allowing future task scheduling for clients, designed to work with a large fleet of
laptops.
• Investigating with GRR:
• Overview
• Once set up and configured, the GRR user interface is a web interface which allows the analyst to search for
connected client (agent) machines, examine what data has been collected from the machines and issue requests to
collect additional data.
• The GRR server also provides access to this functionality through a JSON API. Client libraries to support
scripting from python or go are provided.
• Starting Points
• Depending on the type of client data that the analyst is interested in, there are several places that they might start.
• Virtual File System
• The virtual file system shows the files, directories, and registry entries which have already been collected from a
client. It shows when each entry was collected, and provides buttons to collect additional data of this sort.
• This is a natural starting point for ad hoc examination of an individual machine.
• Flows
• A Flow performs one or more operations on a client machine, in order to collect or check for data. For example,
the data collection buttons shown by the virtual file system start flows to collect specific files and directories.
However, flows can do many other things - from searching a directory for files containing a particular substring,
to recording the current network configuration. The administrative interface shows, for each client, the flows
which have been launched against it, along with each flow's status and any results returned.
• When an analyst would like to collect a specific bit of information about a machine, they will need to directly or
indirectly run a flow.
• Hunts
• A Hunt is a mechanism to run a Flow on a number of clients. For example, this makes it possible to
check if any Windows machine in the fleet has a file with a particular name in a particular location.
• Artifacts
• An artifact is a way to collect and name a group of files or other data that an analyst might want to collect
as a unit. For example, an artifact might try to collect all the common Linux persistence mechanisms.
• Client-Server Communication in GRR:
• When a Flow needs to request information from a client, it queues up a message for the client. GRR
clients poll the GRR server approximately every 10 minutes; the client receives the message at its next
poll and begins responding to the request then.
• After a client performs some work, it will normally enter 'fast-poll' mode, in which it polls much more
rapidly. Therefore, when an analyst requests data from a machine, it might initially take some minutes to
respond, but additional requests will be noticed more quickly.
• Protocol
• The client poll is an HTTP request. It passes a signed and encrypted payload and expects the same from
the GRR server. The client signs using its client key. This key is created on the client when first run, and
the GRR ID is actually just a fingerprint of this key.
• This means that no configuration is required by the client to establish an identity, but that clients cannot
eavesdrop on or impersonate other clients.
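• The client-server exchange described above (Flows queue messages, clients poll, fast-poll after work, client ID derived from the client's key), as an added Python simulation that is not GRR's own code. The 10 minute normal interval follows the text; the fast-poll interval, the number of empty polls before a client slows down again, the action names and the client's file listing are assumed values constructed for the simulation. The client ID is formed like a real GRR ID (C. plus 16 hex digits) but from a SHA-256 of constructed key bytes rather than a fingerprint of an actual RSA key, and the signing and encryption of the payload are not modelled.

```python
import hashlib
from collections import defaultdict, deque

# Poll cadence. NORMAL_POLL_SECONDS follows the ~10 minute figure in the text; the
# fast-poll interval and the idle-poll threshold are assumed values for this
# simulation, not GRR's configured defaults.
NORMAL_POLL_SECONDS = 600
FAST_POLL_SECONDS = 5
IDLE_POLLS_BEFORE_SLOWDOWN = 3

# Constructed view of the client's file system for the two simulated actions.
CLIENT_FILES = {"/etc/hosts": 220, "/etc/crontab": 1042, "/home/user/notes.txt": 88}


def client_id_from_key(public_key_bytes):
    """Derive the client ID as a fingerprint of the client's key material.
    GRR fingerprints the client's RSA key; this simplification hashes whatever
    bytes it is given and formats the result like a GRR client ID."""
    return "C." + hashlib.sha256(public_key_bytes).hexdigest()[:16]


class ServerSim:
    """Frontend side: Flows queue messages per client; a poll drains the queue."""

    def __init__(self):
        self.queues = defaultdict(deque)

    def schedule(self, client_id, action, arg):
        """What a Flow does when it needs something from a client."""
        self.queues[client_id].append((action, arg))

    def poll(self, client_id):
        queued = list(self.queues[client_id])
        self.queues[client_id].clear()
        return queued


class ClientSim:
    """Agent side: poll, run queued actions, then choose the next poll interval."""

    def __init__(self, server, public_key_bytes):
        self.server = server
        self.client_id = client_id_from_key(public_key_bytes)
        self.interval = NORMAL_POLL_SECONDS
        self.idle_polls = 0
        self.results = []

    def run_action(self, action, arg):
        # Two assumed client actions, answered from the constructed file table.
        if action == "ListDirectory":
            prefix = arg.rstrip("/") + "/"
            names = sorted(p[len(prefix):] for p in CLIENT_FILES
                           if p.startswith(prefix) and "/" not in p[len(prefix):])
            return (action, arg, names)
        if action == "StatFile":
            return (action, arg, CLIENT_FILES.get(arg))
        return (action, arg, None)

    def poll(self):
        """One poll; returns the number of seconds until the next one."""
        work = self.server.poll(self.client_id)
        for action, arg in work:
            self.results.append(self.run_action(action, arg))
        if work:
            # Work was done: enter fast-poll so follow-up requests are picked up quickly.
            self.interval = FAST_POLL_SECONDS
            self.idle_polls = 0
        else:
            self.idle_polls += 1
            if self.idle_polls >= IDLE_POLLS_BEFORE_SLOWDOWN:
                self.interval = NORMAL_POLL_SECONDS
        return self.interval


if __name__ == "__main__":
    server = ServerSim()
    client = ClientSim(server, b"constructed client key bytes")
    print("client id:", client.client_id)
    server.schedule(client.client_id, "ListDirectory", "/etc")
    server.schedule(client.client_id, "StatFile", "/etc/crontab")
    for _ in range(5):
        print("next poll in %ds, results so far: %s" % (client.poll(), client.results))
```

The first poll after an analyst schedules work is the one that pays the full normal interval; every poll after that runs at the fast interval until the client has seen several empty polls, which is why the text says the first request can take minutes while later ones are noticed quickly.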