-
Analyst Tip: Spotting Botnet Members
2017-08-14
You suspect one or more hosts in your network may have unwittingly been recruited into a botnet. How can you tell? There are several indicators you can hunt for, including:
- A sudden spike in outbound traffic on UDP or TCP port 53 (relative to normal volume for that host, network, and/or system role), particularly to destinations other than approved recursive or authoritative nameservers
- Appearance of, or an increase in, outbound traffic on TCP ports 6660-6669 from the host in question
- Attempted connections to known command-and-control (C2) servers
- DNS queries for known C2 fully-qualified domain names
- A sudden spike in outbound traffic on TCP port 25 (relative to normal)
The presence of one or more of these indicators may warrant further investigation.…
-
How To: Creating Your Own Animated Threat Map
2017-07-13
One day, I was challenged to create a “live” threat map from our existing SIEM data for display on our SOC wall screens. Never one to shrink from a challenge, I accepted. But I know practically no JavaScript, I'm not a web developer by any stretch of the imagination, and I had nowhere to start except this project, which is a joke threat map that plots random attacks using random geographical coordinates.…
-
Various Shell Tricks
2017-06-12
Quickest way to get your ssh key to a remote host:
ssh-copy-id username@host.example.com
Shuffle items in a file:
cat file.txt | perl -MList::Util=shuffle -e 'print shuffle(<STDIN>);' >file-shuffled.txt
Count the number of comma-separated items on each line in a file:
cat file.txt | perl -ne 'print 1+@{[/,/g]},"\n"'
Count the number of comma-separated items on each line in a file, and generate the average number of items per line:
cat file.txt | perl -ne 'print 1+@{[/,/g]},"\n"' | awk '{ sum += $1; n++ } END { if (n > 0) print sum / n; }'
Give the average of a list of numbers in a file:
cat numbers-list.…