Ask Yourself Questions
A lot of analysis is asking yourself questions and then using your tools and data to answer those questions. I was recently looking at some alerts that used a non-standard user agent in the client header, but the desktop team wasn't finding any indication of malware. My thought was an app was making requests and setting the user agent. All of the traffic from each machine was to one, business related site. If malware were involved, I would expect to see traffic to different sites all using that same user-agent. So my question to answer was "Does this machine use a different, standard user-agent to other sites?" To answer this I needed to go to a packet audit server that the traffic was captured at and pull all of the packets from that day in the hour they happened and the hour before for good measure, then look at the web traffic and compare the user agents.
for i in $( ls -lah | grep 'Jul 8' | grep -w '1[7-8]' | awk '{print $9}' );do tcpdump -nn -r $i -s0 -X 'host x.x.x.x and (port 3128 or port 80)' -w work/$i.pcap;done
Each hours worth of data from that machine (and there were multiple captures per hour) on those ports is now in my work directory with a filename of the original packet capture filename and a .pcap extension. Now I need to use mergecap to concatenate all those captures into one file.
mergecap -w aggregate.pcap dmz1tap.*
Now I have all the traffic on one pcap called aggregate.pcap and can run it through ngrep or through Wireshark and use the Find Packet function to search for the "User-Agent:" string. (That's under Edit, Find Packet). I need to change the type in the "By:" field to String and change the Search In type to "Packet bytes".
As expected, only certain packets used the user agent in question. Now the next question to ask myself is "Why do these particular connections use this non-standard user agent?" Ask, find answers, and repeat until the analysis is done.
for i in $( ls -lah | grep 'Jul 8' | grep -w '1[7-8]' | awk '{print $9}' );do tcpdump -nn -r $i -s0 -X 'host x.x.x.x and (port 3128 or port 80)' -w work/$i.pcap;done
Each hours worth of data from that machine (and there were multiple captures per hour) on those ports is now in my work directory with a filename of the original packet capture filename and a .pcap extension. Now I need to use mergecap to concatenate all those captures into one file.
mergecap -w aggregate.pcap dmz1tap.*
Now I have all the traffic on one pcap called aggregate.pcap and can run it through ngrep or through Wireshark and use the Find Packet function to search for the "User-Agent:" string. (That's under Edit, Find Packet). I need to change the type in the "By:" field to String and change the Search In type to "Packet bytes".
As expected, only certain packets used the user agent in question. Now the next question to ask myself is "Why do these particular connections use this non-standard user agent?" Ask, find answers, and repeat until the analysis is done.