Watching Dangerous files requested in your network

Saturday, January 17, 2009

HTTP traffic is always voluminous and messy. Users all over the organization request all sorts of things online, from banking and knowledge-base pages to malware :) If you are tasked with watching that traffic, running an analysis of your users' patterns, or finding out what kind of content is prominent across your Internet gateways, you need some way to make sense of it.

One option is to check your Internet gateway proxy logs and write a script that makes them more meaningful.

For network forensics you also always have the ever-handy TCPDUMP, whose capture can be analyzed once the capturing is done.

However, I just came across Httpry, a tool that captures only HTTP traffic flowing in and out of your organization. It has many uses, whether you want to debug HTTP traffic or just want to know what kind of data is traveling.

I ran a simple test with this tool.

I wanted to know whether a specific malware infection in my company network was trying to spread or exploit other machines. We maintain a list of bad URLs specific to that malware: after an infection, when the malware tries to spread, it downloads payloads and exploits onto the infected computer by making HTTP requests for files such as .exe binaries from websites. If the malware is known, antivirus vendors also provide the list of URLs it will access to download its payloads and exploits.

We ran an HTTP packet capture for some time and then searched it for all the blacklisted URLs in our database. Sure enough, there was one infection in the network that the antivirus software we use had not detected; we immediately took the computer off the network for cleanup.

This could also be done by parsing proxy logs, but this tool gives you a lot of data that is usually not available in proxy logs: you can see Host headers and the actual traffic, and dig deeper to find the root cause.
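The blacklist search described above, written up as an added Python example (not from the original post, and not part of Httpry itself). It assumes Httpry's default tab-separated output layout, and both the log lines and the blacklist are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed sample in httpry's default tab-separated layout (assumed here):
# timestamp, src ip, dst ip, direction, method, host, request-uri, version, status, reason.
SAMPLE_LOG = """\
2009-01-17 09:12:01\t10.1.2.30\t198.51.100.7\t>\tGET\twww.example.com\t/index.html\tHTTP/1.1\t-\t-
2009-01-17 09:12:05\t10.1.2.44\t203.0.113.9\t>\tGET\tbad-host.example\t/loader/payload.exe\tHTTP/1.1\t-\t-
2009-01-17 09:12:06\t10.1.2.44\t203.0.113.9\t>\tGET\tbad-host.example\t/loader/exploit.php?id=1\tHTTP/1.1\t-\t-
2009-01-17 09:12:09\t10.1.2.51\t198.51.100.7\t>\tGET\tcdn.example.com\t/update/setup.exe\tHTTP/1.0\t-\t-
"""

# Constructed blacklist: full URLs match one request exactly, bare hostnames match any request to that host.
BLACKLIST = {"http://bad-host.example/loader/payload.exe", "bad-host.example"}

FIELDS = ["ts", "src", "dst", "dir", "method", "host", "uri", "version", "status", "reason"]

def parse_httpry(text):
    """Yield one dict per client request line; header comments, responses ('<') and odd lines are skipped."""
    for line in text.splitlines():
        parts = line.split("\t")
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["dir"] == ">" and rec["host"] != "-":
            rec["url"] = "http://" + rec["host"] + rec["uri"]   # rebuild the URL from Host header + URI
            yield rec

def find_hits(text, blacklist=BLACKLIST):
    """Return (src_ip, url, reason) for each request that hits the blacklist or fetches an executable."""
    hosts = {b.lower() for b in blacklist if "/" not in b}
    urls = {b.lower() for b in blacklist if "/" in b}
    hits = []
    for rec in parse_httpry(text):
        url, host = rec["url"].lower(), rec["host"].lower()
        if url in urls or url.split("?", 1)[0] in urls:     # exact URL, query string ignored
            hits.append((rec["src"], rec["url"], "blacklisted url"))
        elif host in hosts:                                  # anything to a known-bad host
            hits.append((rec["src"], rec["url"], "blacklisted host"))
        elif urlsplit(url).path.endswith(".exe"):            # not blacklisted, but worth a look
            hits.append((rec["src"], rec["url"], "executable download (review)"))
    return hits

def infected_clients(text, blacklist=BLACKLIST):
    """Internal source IPs with a definite blacklist hit: candidates to take off the network for cleanup."""
    return {src for src, _, reason in find_hits(text, blacklist) if reason.startswith("blacklisted")}

if __name__ == "__main__":
    for src, url, reason in find_hits(SAMPLE_LOG):
        print(f"{src}\t{reason}\t{url}")
```

Matching on the Host header rather than the destination IP is what catches the second request, which hits a blacklisted host at a URL the vendor list never mentioned.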

So every tool has its own advantages and disadvantages, which is why my tool inventory keeps growing :)


Internet Security by Dual Internet connection

Friday, January 16, 2009

I was reading the blog of a venture capitalist and came across a post where he had received an email from someone asking for funding for a great idea he had.

The idea was simple: all traffic going out to the Internet should be split and sent via two different Internet connections.

I am not sure what experience he has with Internet security or networks, but these kinds of ideas are very common with kids.

Check out the video/presentation on YouTube by that guy:

http://in.youtube.com/watch?v=U4UWUG5RShE

Some questions that come to mind regarding this idea:

1) Credit card and banking transactions are done over SSL, so the data is not in cleartext.

2) When a user visits a website he gets a session tied to his IP. If two IPs now send data to one server, what will the server make of it?

3) Who wants the overhead of splitting packets, sending them, and reassembling them on the other side? We already have too many things slowing down our networks, like IDS/IPS.

4) This idea is not asking a single company to do something; it is actually trying to change the entire Internet architecture. What kind of idea is that?

5) Why would anybody buy this product when current SSL encryption gets the job done?

6) If it were feasible, big players like Cisco and Juniper would have done it long ago.

Anyway, I don't think I need to waste my time on this great idea. I will just wait till this guy gets VC funding and shows me something that really works without any drastic changes.

By the way, the first post of 2009 started off by blasting somebody..

Now that's something bloggers are really good at ;)
