- Footnote 1.1, anchored at "... 3.5":
Sections 3.5 and 3.6 are published at http://raffy.ch/projects/Raffael_Marty_GCIA_Additional_Chapters.pdf. The end of this Section explains the reason for this.

- Footnote 2.1, anchored at "... paper":
It would probably also be boring to read through all of them.

- Footnote 2.2, anchored at "... mergecap(1).":
The command to generate the merged capture file is:
mergecap -w /tmp/sans 2002.*

- Footnote 2.3, anchored at "... addresses":
The second field in the tcpdump output represents the source MAC address, see Appendix A.

- Footnote 2.4, anchored at "... topology":
The choice to summarize the IP addresses into class A networks was made to keep the graph legible; it is sufficient for the purpose of determining the topology.

- Footnote 2.5, anchored at "... fig:topology2":
As mentioned in the very beginning, Appendix B explains in detail how this graph was generated.

- Footnote 2.6, anchored at "... to":
select sourceip, count(distinct(destip)) from sans where sourcemac="00:00:0c:04:b2:33" group by sourceip

- Footnote 2.7, anchored at "... IPs:":
select count(distinct(destip)) from sans where sourcemac="00:03:e3:d9:26:c0"

- Footnote 2.8, anchored at "... classes:":
select count(distinct(substring_index(destip,".",3))) from sans where sourcemac="00:03:e3:d9:26:c0"

- Footnote 2.9, anchored at "... classes:":
select count(distinct(substring_index(destip,".",2))) from sans where sourcemac="00:03:e3:d9:26:c0"

- Footnote 2.10, anchored at "... 2510":
grep alert *.rules | wc -l

- Footnote 2.11, anchored at "... 2045":
grep "flow:" *.rules | grep -v "stateless" | wc -l

- Footnote 2.12, anchored at "... 425":
grep -v "flow:" *.rules | grep alert | wc -l

- Footnote 2.13, anchored at "... 132":
grep -v "flow" *.rules | grep alert | grep -v content | wc -l

- Footnote 2.14, anchored at "... properties":
See the following signatures:
SCAN Squid Proxy attempt, SCAN Proxy Port 8080 attempt, SCAN SOCKS Proxy attempt, ...

- Footnote 2.15, anchored at "... 32768":
cat /proc/sys/net/ipv4/ip_local_port_range

- Footnote 2.16, anchored at "... alerts.":
Check snortalerts.pl at [14] for the exact script to annotate the snort log entries with their corresponding alerts.

- Footnote 2.17, anchored at "... flow":
Check snortservice.pl at [14] to see how exactly the database was updated.

- Footnote 2.18, anchored at "... machines":
The graph was built from the combined output of two queries:
select destip,destport,replace(snort_alert," ","_") from sans where service=1 and destmac="00:00:0c:04:b2:33"
and
select destip,sourceport,replace(snort_alert," ","_") from sans where service=2 and destmac="00:00:0c:04:b2:33"

- Footnote 3.1, anchored at "... established":
It is very hard to actually spoof sources and simulate a successful communication.

- Footnote 3.2, anchored at "... connections":
Replies, to be correct.

- Footnote 3.3, anchored at "... found":
select snort_alert, count(*) c from sans where delta2>0 group by sourceip,delta2 having c>20

- Footnote 3.4, anchored at "... ASCII":
tcpdump -s 0 -A -nnevr /tmp/sans src host 115.74.249.65 and dst port 80 and src port 62785

- Footnote 3.5, anchored at "... 3.5":
To be found at http://raffy.ch/projects/Raffael_Marty_GCIA_Additional_Chapters.pdf

- Footnote 3.6, anchored at "... following":
tcpdump -Annr /tmp/sans src host 68.36.170.9 and dst port 80 | grep User-Agent | sort | uniq

- Footnote 3.7, anchored at "... follows":
tcpdump -Alnnevr /tmp/sans src host 68.36.170.9 and dst port 80 | grep -E "(OPTIONS|GET|POST)" | sed -e 's/.*\(OPTIONS\|GET\|POST\)/\1/g' | sort | uniq

- Footnote 3.8, anchored at "... rules":
select distinct(sourceip) from sans where sourcemac="00:00:0c:04:b2:33"

- Footnote B.1, anchored at "... libraries":
The command to generate the graph:
echo "digraph G{a->b->c}" | neato -Tgif -o list.gif

- Footnote B.2, anchored at "... afterglow":
The tool was written by Christian Beedgen and myself for the purpose of graphing security events. More information about the project can be found on the Web page: http://afterglow.sourceforge.net/

- Footnote B.3, anchored at "... nodes":
This is for the two-node mode of AfterGlow.

- Footnote B.4, anchored at "... neato":
Neato is one of the tools provided by GraphViz, which takes a GraphViz description of a graph and generates an image as output.