Featuring 35 Papers as of February 21, 2014
Rapid Triage: Automated System Intrusion Discovery with Python
Trenton Bond - February 21, 2014
There are six major incident handling phases typically used to manage information security incidents: preparation, identification, containment, eradication, recovery, and lessons learned.
How Can You Build and Leverage SNORT IDS Metrics to Reduce Risk? (Masters)
Tim Proffitt - September 19, 2013
Metrics are used in many facets of a person's life and can be quite beneficial to the decision making process.
The Security Onion Cloud Client: Network Security Monitoring for the Cloud (Masters)
Joshua Brower - September 17, 2013
Network Security Monitoring (NSM) is the "collection, analysis, and escalation of indications and warnings to detect and respond to intrusions."
IP Fragment Reassembly with Scapy (Masters)
Mark Baggett - July 5, 2012
Overlapping IP fragments can be used by attackers to hide their nefarious intentions from intrusion detection systems and analysts.
Computer Forensic Timeline Analysis with Tapestry
Derek Edwards - November 29, 2011
One question commonly asked of investigators and incident responders is, "What happened?" The answer often takes the form of a story designed to convey understanding of complex mechanisms and interactions in a simple, straightforward way.
Tracking Malware With Public Proxy Lists
James Powers - January 27, 2011
The Web was born on Christmas Day, 1990, when the CERN Web server (CERN httpd 1.0) went online. By version 2.0, released in 1993, CERN httpd was also capable of performing as an application gateway. By 1994, content caching had been added. With the publication of RFC 1945 two years later, proxy capabilities were forever embedded in the HTTP specification (Berners-Lee, Fielding, & Frystyk, 1996).
About Face: Defending Your Organization Against Penetration Testing Teams (Masters)
Terrence OConnor - December 6, 2010
In the following paper, we outline several methods for obscuring your network from attack during an external penetration test. Understanding how a penetration testing team performs a test and the tools in their arsenal is essential to defense. The penetration testing cycle is described in the next section. Following that, we discuss defeating recon and enumeration efforts, how to exhaust the penetration testing team's time and effort, how to properly scrub outbound and inbound traffic, and finally, we present some obscure methods for preventing a successful penetration test.
Capturing and Analyzing Packets with Perl (Masters)
John Brozycki - January 28, 2010
This paper covers the steps in setting up a Windows system with Perl and the necessary add-ons to be able to run and create packet-capturing Perl scripts.
Winquisitor: Windows Information Gathering Tool
Michael Cardosa - January 19, 2010
Winquisitor is a tool that facilitates the timely retrieval of information from multiple Windows systems, enabling the administrator to respond in an appropriate amount of time. Unlike other command-line tools, Winquisitor allows multiple types of queries in a single command, with several output formats.
Building an Automated Behavioral Malware Analysis Environment using Open Source Software
Jim Clausing - June 18, 2009
This paper describes how an automated behavioral malware analysis environment for analyzing malware targeted at Microsoft Windows can be built using free and open source software.
IOScat - a Port of Netcat's TCP functions to Cisco IOS
Robert Vandenbrink - May 29, 2009
This paper outlines both how IOScat was written and how it can be used for penetration testing and system administration.
IOSMap: TCP and UDP Port Scanning on Cisco IOS Platforms (Masters)
Robert VandenBrink - November 18, 2008
This paper describes IOSmap, a port scanning tool implemented on Cisco IOS using the native TCL (Tool Command Language) scripting language on that platform. The business requirement for this tool, implementation considerations and challenges, and design choices are discussed.
Developing a Snort Dynamic Preprocessor
Daryl Ashley - August 20, 2008
The goal of this paper is to demonstrate how to create a controlled environment for testing and writing a dynamic preprocessor.
OS and Application Fingerprinting Techniques (Masters)
Jon Mark Allen - September 27, 2007
This paper will attempt to describe what application and operating system (OS) fingerprinting are and discuss the techniques and methods used by three of the most popular fingerprinting applications: nmap, Xprobe2, and p0f. I will discuss similarities and differences not only between active scanning and passive detection, but also between the two active scanners. We will conclude with a brief discussion of why successful application or OS identification might be a bad thing for an administrator and offer suggestions to avoid successful detection.
Nessus Primer with the NessusWX Client
Cecil Stoll - September 16, 2004
The focus of this paper will be to proactively seek out known vulnerabilities on the end systems and the processes running on them.
An Ettercap Primer
Duane Norton - June 9, 2004
Ettercap is a versatile network manipulation tool. It uses its ability to easily perform man-in-the-middle (MITM) attacks in a switched LAN environment as the launch pad for many of its other functions.
Managing Peer-to-Peer Applications in Dormitory Networks
Wayne Lai - March 9, 2004
Dormitory networks have network security implications that are similar to, but distinct from, those of a typical network.
Demystifying security tools: Should I use commercial or freeware?
Sang Han - October 31, 2003
In this paper, I will touch upon why all network administrators need to incorporate security tool usage into their daily practices to help secure their environment.
Virtually Free Network Security Software - For the *nix disinclined
Dennis McHugh - October 31, 2003
This paper discusses some of the tools that have become a part of my personal toolkit that provide me with the ability to detect or verify different attacks and vulnerabilities as well as give me information necessary to report the attacks to the proper authorities.
Netprowler: A Look at Symantec's Network Based IDS
Eric Biedermann - October 31, 2003
This paper examines the features and capabilities of the Netprowler IDS, reviews common types of attacks and looks at an example of a typical intrusion scenario.
Intrusion Detection using ACID on Linux
Rusty Scott - October 31, 2003
This paper addresses a set of security practices that includes a number of key features mentioned in the SANS defense in depth model.
PhoneSweep: The Corporate War Dialer
Greg Hodes - October 31, 2003
The unsecured modem provides a weak and often overlooked avenue into some of the most secure networks as discussed in this paper.
An Overview of SecureIIS - Are We Really Secured Now?
Zul Suhaimi - October 31, 2003
The objective of this practical paper is to understand how our IIS can be protected using an application firewall.
Using Basic Security Module (BSM), Tripwire, System Logs, and Symantec's ITA for Audit Data C
Philip DiFato - October 31, 2003
The primary focus of this paper is to provide a host-based set of tools for auditing trace records of attempted attacks on a secured network of Solaris boxes.
Network Monitoring with Nagios
Scott Seglie - October 31, 2003
Nagios is a network-monitoring tool that gives administrators the ability to examine computers, routers, printers, and services.
Stop Port Scans with LaBrea
Jim McClurg - October 31, 2003
LaBrea is one of the best ideas in security retaliation.
Tools, Tools, and TOOLS!!
Firas Shaheen - October 31, 2003
This paper provides a quick reference on popular tools (IDSes, Firewalls, Exploits, Scanners, Reconnaissance, Password crackers, Auditing, etc.), with a brief explanation on how they work, and where to get them.
Tony Enriquez - October 31, 2003
The purpose of this paper is to introduce a particular set of tools that can be used to secure your network.
netForensics - A Security Information Management Solution
Michael Godfrey - October 31, 2003
This paper discusses netForensics, a security information management (SIM) solution that positions itself as a central point for your security information that is collected by various devices.
Patch Management of Microsoft Products Using HFNetChkPro
Kris Poznanski - October 31, 2003
Microsoft, together with Shavlik Technologies, has developed the Network Security Hotfix Checker, HFNetChk (Hfnetchk.exe), a command-line tool that administrators can use to centrally assess a computer or group of computers for the absence of security patches.
Using Sam Spade
Terry Pasley - October 31, 2003
This paper will examine a number of the more useful tools in Sam Spade.
An Introduction to NMAP
Tim Corcoran - October 25, 2001
NMAP is an excellent, multi-functional utility that should be a part of every system administrator's toolkit.
Free NT Security Tools
Douglas Orey - August 6, 2001
A discussion of several software tools available to assist with security for NT users.
Password Cracking with L0phtCrack 3.0
Patrick Boismenu - June 19, 2001
This paper was designed to describe how most password crackers operate.
Netcat - The TCP/IP Swiss Army Knife
Tom Armstrong - February 15, 2001
Netcat is a tool that every security professional should be aware of and possibly have in their 'security tool box'.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact email@example.com.
All papers are copyrighted. No re-posting or distribution of papers is permitted.