When news of Conficker surfaced I obtained a traffic sample from our botnet honeynet. I wanted to see what relevant aggregate information I could extract and whether there was any specific indication of Conficker activity. Using some lightweight tools I was able to quickly analyze my traffic sample and focus further research. I find that these high-level analysis techniques lead me to ask the more interesting questions and, more importantly, come to my rescue when I’m pressed for time. Below, I share a little about how I deconstructed the traffic sample, briefly discuss visualization and turn to IPS and Global Correlation to get a bigger perspective on what was happening. Some of my colleagues here in Cisco Security Intelligence Operations (SIO) find these techniques useful, so I thought I would pass them on in the hope that others will as well. I’d like to hear from some of you about your favorite tools and tricks for this sort of sleuth work.
There are some things I should point out before delving into my traffic sample:
- I sanitized all IP addresses because the hosts in this traffic sample are Internet-facing. That is, I replaced every IP address with a fictitious FQDN. Hosts in the honeynet.eg domain are on the honeynet; all other hosts use the network.eg domain. The hostnames are randomly selected three-letter words from CrackLib’s dictionary. My fictitious FQDNs are consistent across this post, so the same address always appears under the same name.
- Some of the xterm windows below may have a scroll bar. It’s easy to miss. Scroll down for more info.
- The honeynet has several hosts, each of which has multiple IP addresses. We use this to increase the attack surface. Because this isn’t relevant here, I normalized the traffic so that each host on my network has one and only one IP address.
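The two preprocessing steps above (consistent IP-to-fictitious-FQDN replacement and collapsing multi-address hosts to a single address) can be scripted. The following is an added example, not code from the post; the honeynet range, the alias table and the short word list are constructed stand-ins for the real honeynet addresses and CrackLib's dictionary.

```python
import ipaddress
import random
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed stand-in for CrackLib's word list (the post drew from the real one).
THREE_LETTER_WORDS = ["ant", "bee", "cat", "dog", "elk", "fox", "gnu", "hen",
                      "ivy", "jay", "kit", "lab", "map", "nut", "owl", "pig"]

# Constructed honeynet range (documentation prefix) and alias table:
# 192.0.2.10 is one honeynet host that also answers on .11 and .12.
HONEYNET = ipaddress.ip_network("192.0.2.0/24")
ALIASES = {"192.0.2.10": ["192.0.2.11", "192.0.2.12"]}


class Sanitizer:
    """Maps IPs to consistent fictitious FQDNs and collapses multi-IP hosts."""

    def __init__(self, honeynet=HONEYNET, aliases=ALIASES, words=THREE_LETTER_WORDS, seed=1):
        self.honeynet = honeynet
        self.canon = {a: host for host, alist in aliases.items() for a in alist}
        self.words = list(words)
        random.Random(seed).shuffle(self.words)  # fixed seed keeps names stable across runs
        self.names = {}

    def fqdn(self, ip):
        ip = self.canon.get(ip, ip)  # normalise secondary addresses to the host's primary
        if ip not in self.names:
            if not self.words:
                raise RuntimeError("word list exhausted; add more words")
            domain = "honeynet.eg" if ipaddress.ip_address(ip) in self.honeynet else "network.eg"
            self.names[ip] = f"{self.words.pop()}.{domain}"
        return self.names[ip]

    def sanitize_line(self, line):
        """Replace every IPv4 address in a log/tcpdump line with its fictitious FQDN."""
        return IPV4.sub(lambda m: self.fqdn(m.group(0)), line)


# Constructed tcpdump-style lines; 192.0.2.11 is an alias of 192.0.2.10.
SAMPLE = [
    "IP 203.0.113.5.49152 > 192.0.2.10.445: Flags [S]",
    "IP 203.0.113.5.49153 > 192.0.2.11.445: Flags [S]",
    "IP 192.0.2.10.1024 > 198.51.100.7.80: Flags [S]",
]


def sanitize(lines, sanitizer=None):
    s = sanitizer or Sanitizer()
    return [s.sanitize_line(line) for line in lines]
```

Because the mapping is seeded and alias-aware, the two SYNs to 192.0.2.10 and 192.0.2.11 come out addressed to the same honeynet.eg name, which is what lets per-host counts stay meaningful after sanitization.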