January 5

Webinar takeaway – BPF – Picking Packets

Security

0  comments

My key takeaways

  • one lib to capture all pakets for all OS
  • BPF is to filter packages
    • better SNR for packet filtering
  • BPF filter effect only the programm you call it with
    • no change to the package itself
  • Process:
    • human creats filter
      • single quotes at the end of the line invoking the prg like tcpdump
      • double quotes for windump
    • programm pass it to libpcap
    • libpcap pass to kernel <- fast!
  • Works also fine with ngrep
  • you can stack multiple filters by putting one after the other at the end of the line each separated by a space

Env

additional links

Tags

packet capture, threathunting

You may also like

Webinar takeaway – Applying The Threat Hunter’s Runbook

My key takeaways threat hunting runbook Identify connection persistency Identify if there is a business need Protocol analysis Investigate external IP address Investigate internal IP address Threat hunting is stealthy only when in IR mode, the adversary should be allowed to notice we are after him set the TCP timeout from 5min to 1h in

Read More

Webinar takeaway – The Ins and Outs of RITA

My key takeaways RITA is made to detect beacons and long connections open source tool Signature based detection of malicious code is outdated Average detect time is over 6 month > 50% of compromised systems are detected by outsiders RITA is behaviour based Needs a bunch of pakets to work on min 1h, default 24h

Read More
Leave a Comment