Expanding Response: Deeper Analysis for Incident Handlers

To achieve my GCIH Gold, I recently completed a paper called Expanding Response: Deeper Analysis for Incident Handlers, now available in the SANS Reading Room. The premise was to further expand on the topics discussed in my Malware analysis tools post. This paper includes tools discussed at various times in my toolsmith column in the ISSA Journal, and includes details on Argus, HeX, NSM-Console, and NetworkMiner.

Abstract:
"The perspective embraced for this discussion is that of an analyst who is working a process to determine the exact nature of malicious software on his network. He is in receipt of the above mentioned .exe and .pcap files and seeks to further his understanding with the use of less typical tools. She begins the process with the network capture, and then takes a closer look at the binary to see what can be learned and what the impacts of an outbreak on her network might be."

del.icio.us | digg | Submit to Slashdot

NSM-Console and HeX update

While researching the HeX System for the pending February toolsmith, I was extremely pleased to discover NSM-Console, from Matthew Lee Hinman. I've not yet seen such an efficient, useful, all encompassing framework for offline packet analysis. NSM-Console includes modules for:
# aimsnarf
# ngrep (gif/jpg/pdf/exe/pe/ne/elf/3pg/torrent)
# tcpxtract
# tcpflow
# chaosreader
# bro-IDS
# snort
# tcpdstat
# capinfos
# tshark
# argus
# ragator
# racount
# rahosts
# hash (md5 & sha256)
# ra
# honeysnap
# p0f
# pads
# fl0p
# iploc
Consider giving both HeX System and the included NSM-Console an immediate look.