In this analysis the following tools are deployed on a single host:
a. TSHARK
b. SNORT (loaded with latest rule-set from http://rules.emergingthreats.net/ )
c. TCPREPLAY
START:
1. Bring up the eth0 interface with the promiscuous flag enabled, so the capture sees every frame on the wire and not only those addressed to the host's own MAC
root@n41k# ifconfig eth0 up (waking up eth0 interface)
root@n41k# ifconfig eth0 promisc (enable promiscuous flag)
root@n41k# ifconfig eth0 -promisc (After analysis remove promiscuous flag)
Output:
eth0 Link encap:Ethernet HWaddr 00:aa:b9:c8:d5:6f
UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:45 Base address:0x4000
2. Analyze the network traffic capture with TSHARK, using display filters against botnet.pcap (on tshark 1.10 and later give the display filter with -Y; -R is now a two-pass read filter that needs -2)
root@n41k# tshark -R "tcp.port==80" -r /home/n41k/threat/botnet.pcap
root@n41k# tshark -R "http.response.code == 200" -r /home/n41k/threat/botnet.pcap
root@n41k# tshark -R "http.response.code == 404" -r /home/n41k/threat/botnet.pcap
root@n41k# tshark -R 'http.request.method == "GET" || http.request.method == "POST"' -r /home/n41k/threat/botnet.pcap
3. Start SNORT on eth0 with a snort.conf that loads the Emerging Threats rule set, and verify from the process list that it is running before any traffic is replayed
4. Inject the packets into eth0 with TCPREPLAY (-t replays at top speed). The frames really leave the interface, so keep eth0 on an isolated segment or unplugged from any production network while replaying malware traffic; SNORT listening on the same interface still sees the replayed frames.
root@n41k# tcpreplay -i eth0 -t /home/n41k/threat/botnet.pcap
5. Monitor the SNORT alerts while the replay runs (the file name is whatever the alert_fast output line in snort.conf names; snort.alert is used here).
root@n41k# tail -f /var/log/snort/snort.alert
6. Further analysis: verify the domains and IPs seen in the alerts and in the HTTP requests from step 2 against public malware domain lists such as:
• http://support.clean-mx.de/clean-mx/viruses.php
• http://malc0de.com/database/
• http://www.malwareblacklist.com/showMDL.php
• http://www.malwaredomainlist.com/mdl.php
• http://www.malwareurl.com/listing-urls.php
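The alert file from step 5 grows quickly during a replay, and step 6 needs a short list of destinations to look up rather than raw alert lines. The script below is an added example (not from the original page): it summarises Snort fast-format alert lines by SID and extracts the unique destination IPv4 addresses of alerts at or above a chosen priority. The alert lines in SAMPLE_ALERTS are constructed sample input in Snort's alert_fast format; the SIDs are in the local-rule range (1000001 and up) and the addresses are RFC 5737 documentation ranges, so none of them is a real rule or a real host. The function names are this example's own.

```shell
#!/bin/sh
# Added example for steps 5 and 6 (not part of the original page): summarise
# Snort alert_fast lines by SID and pull out the destination addresses of
# high-priority alerts so they can be checked against the blacklists above.
# SAMPLE_ALERTS is CONSTRUCTED input in Snort's fast-alert format. The SIDs are
# in the local-rule range (>= 1000000) and the addresses are RFC 5737
# documentation ranges: nothing here is a real rule or a real host.

SAMPLE_ALERTS='04/12-10:21:05.123456  [**] [1:1000001:1] LOCAL example bot HTTP check-in [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:51002 -> 203.0.113.7:80
04/12-10:21:07.654321  [**] [1:1000002:1] LOCAL example port scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:44321 -> 198.51.100.5:22
04/12-10:21:09.000000  [**] [1:1000001:1] LOCAL example bot HTTP check-in [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.11:51003 -> 203.0.113.7:80
04/12-10:21:11.500000  [**] [1:1000003:1] LOCAL example ICMP beacon [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.11 -> 203.0.113.9'

# Print "count sid message" for every distinct rule that fired, most frequent
# first. $1 is the alert text (one alert per line).
alert_count_by_sid() {
    printf '%s\n' "$1" | awk '
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")   # gid:sid:rev
            msg = $0
            sub(/^.*\[[0-9]+:[0-9]+:[0-9]+\] /, "", msg)          # drop everything up to the id
            sub(/ \[\*\*\].*$/, "", msg)                          # drop from the closing [**] onwards
            n[id[2] " " msg]++
        }
        END { for (k in n) print n[k] " " k }' | sort -rn
}

# Print the unique destination addresses of alerts whose priority number is
# $2 or lower (1 is the most severe). Assumes IPv4 as in the page's capture:
# stripping the trailing ":port" would mangle an IPv6 literal.
alert_dests_by_priority() {
    printf '%s\n' "$1" | awk -v maxpri="$2" '
        / -> / && match($0, /\[Priority: [0-9]+\]/) {
            pri = substr($0, RSTART + 11, RLENGTH - 12)
            if (pri + 0 > maxpri + 0) next
            dst = $NF                                 # "dst:port" for TCP/UDP, bare "dst" for ICMP
            sub(/:[0-9]+$/, "", dst)
            if (!(dst in seen)) { seen[dst] = 1; print dst }
        }'
}

# On the analysis host, feed the real file instead of the sample, e.g.
#   alert_count_by_sid "$(cat /var/log/snort/snort.alert)"
alert_count_by_sid "$SAMPLE_ALERTS"
alert_dests_by_priority "$SAMPLE_ALERTS" 1
```

The destination list from alert_dests_by_priority is what gets checked against the sites listed in step 6; the per-SID counts show at a glance which rules the replayed capture triggers most, which is usually the first thing worth reading in the rule text before trusting the alert.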