Saturday, January 17, 2009

HTTP traffic is always very voluminous and messy. Users all over the organization request all sorts of stuff online, from banking and KB articles to malware :) If you are tasked with watching it, with running an analysis of your users' browsing patterns, or you just want to know what kind of stuff is prominent across your Internet gateways, you can check out your Internet gateway proxy logs and write a script that makes the logs more meaningful.

However, when you are talking about running a network forensics tool, you always have trusty tcpdump handy, whose output can be analyzed once the capture is done.

I just came across the tool httpry, which captures only the HTTP requests and responses flowing in and out of your organization. It has many uses, whether you want to debug HTTP traffic or just want to know what kind of data is traveling over it.

I ran a simple test with this tool.

I just wanted to know if there was a specific malware infection in my company network that was trying to spread or do some exploitation, as we maintain a list of bad URLs specific to that malware. For example, after an infection, when the malware tries to spread by downloading payloads and exploits onto the infected computer, it makes HTTP requests to download files such as EXEs from websites. If the malware is known, antivirus vendors also provide you with the list of URLs the malware will access to download those payloads/exploits.

We just did an HTTP packet capture for some time and then searched it for all the blacklisted URLs we had in our database, and sure enough there was one infection in the network that was not detected by the antivirus software we use; we immediately took the computer off the network for clean-up.
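Here is what that search looks like as a script. This is an added example, not code from the post or from the httpry project: it assumes httpry's default tab-separated output with a `# Fields:` header naming the columns (the parser keys off that header rather than a fixed column order), and both the capture lines and the blocklist below are constructed for the example. A bare hostname in the blocklist flags every request to that host; a host plus path flags that path prefix. Only request records (direction `>`) carry the Host header and request URI, so responses are skipped.

```python
"""Match httpry request records against a URL blocklist (constructed example)."""
import io
from collections import namedtuple
from urllib.parse import urlsplit

# Constructed sample in httpry's default tab-separated layout. The
# "# Fields:" header names the columns; the parser uses it rather than
# assuming a fixed column order.
SAMPLE_CAPTURE = """\
# httpry output (constructed sample, not a real capture)
# Fields: timestamp,source-ip,dest-ip,direction,method,host,request-uri,http-version,status-code,reason-phrase
2009-01-17 10:01:02\t10.0.0.15\t203.0.113.7\t>\tGET\tkb.example.com\t/article/1234\tHTTP/1.1\t-\t-
2009-01-17 10:01:03\t203.0.113.7\t10.0.0.15\t<\t-\t-\t-\tHTTP/1.1\t200\tOK
2009-01-17 10:02:10\t10.0.0.42\t198.51.100.9\t>\tGET\tupdate.bad-example.invalid:8080\t/load/payload.exe\tHTTP/1.0\t-\t-
2009-01-17 10:02:11\t198.51.100.9\t10.0.0.42\t<\t-\t-\t-\tHTTP/1.0\t200\tOK
2009-01-17 10:03:30\t10.0.0.42\t198.51.100.20\t>\tGET\tcdn.example.net\t/dl/stage2/bin.exe\tHTTP/1.1\t-\t-
2009-01-17 10:04:00\t10.0.0.99\t203.0.113.50\t>\tPOST\tbank.example.org\t/login\tHTTP/1.1\t-\t-
"""

# Constructed blocklist (placeholder hosts, not real indicators). A bare host
# blocks every path on that host; a host plus path blocks that path prefix.
BLOCKLIST = [
    "update.bad-example.invalid",
    "http://cdn.example.net/dl/stage2/",
]

Request = namedtuple("Request", "timestamp src dst host uri")
Hit = namedtuple("Hit", "timestamp src url rule")


def _normalize_host(host):
    """Lower-case the Host header and drop any :port suffix."""
    host = host.strip().lower()
    if ":" in host and not host.startswith("["):
        host = host.rsplit(":", 1)[0]
    return host


def parse_blocklist(entries):
    """Return (host, path_prefix) pairs; an empty prefix means 'whole host'."""
    rules = []
    for entry in entries:
        parts = urlsplit(entry if "://" in entry else "http://" + entry)
        rules.append((_normalize_host(parts.netloc), parts.path))
    return rules


def parse_httpry(text):
    """Yield Request records from httpry output, using the # Fields header."""
    columns = None
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if line.startswith("# Fields:"):
            columns = [c.strip() for c in line.split(":", 1)[1].split(",")]
            continue
        if not line or line.startswith("#") or columns is None:
            continue
        values = line.split("\t")
        if len(values) != len(columns):
            continue  # truncated or mangled record: skip rather than guess
        rec = dict(zip(columns, values))
        if rec.get("direction") != ">":
            continue  # only client requests carry Host and request-uri
        yield Request(rec["timestamp"], rec["source-ip"], rec["dest-ip"],
                      _normalize_host(rec["host"]), rec["request-uri"])


def find_hits(text, blocklist):
    """Return every request whose host/path matches a blocklist rule."""
    rules = parse_blocklist(blocklist)
    hits = []
    for req in parse_httpry(text):
        for host, prefix in rules:
            if req.host == host and req.uri.startswith(prefix):
                hits.append(Hit(req.timestamp, req.src,
                                "http://%s%s" % (req.host, req.uri),
                                host + prefix))
                break
    return hits


def infected_clients(text, blocklist):
    """Source IPs to pull off the network, de-duplicated and sorted."""
    return sorted({h.src for h in find_hits(text, blocklist)})


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_CAPTURE, BLOCKLIST):
        print("%s %s -> %s (rule: %s)" % hit)
    print("clients:", ", ".join(infected_clients(SAMPLE_CAPTURE, BLOCKLIST)))
```

Run against a real capture with `httpry -o capture.log` and then `find_hits(open("capture.log").read(), your_blocklist)`. Matching on the normalized Host header plus the request URI, rather than on the destination IP, is what catches a download served from a shared hosting IP or through a non-standard port, which is exactly the detail a plain proxy log summary tends to lose.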

Now, this can also be done by parsing proxy logs, but this tool gives you a lot of data that is usually not available in proxy logs: you can see the Host headers and the actual request and response traffic, and dig further to find the root cause.

So, every tool has its own advantages and disadvantages; that is the reason my tools inventory keeps growing :)


