Featuring 38 Papers as of July 28, 2015
Coding For Incident Response: Solving the Language Dilemma
by Shelly Giesbrecht - July 28, 2015
Incident responders frequently are faced with the reality of "doing more with less" due to budget or manpower deficits. The ability to write scripts from scratch or modify the code of others to solve a problem or find data in a data "haystack" is a necessary skill in a responder's personal toolkit. The question for IR practitioners is what language should they learn that will be the most useful in their work? In this paper, we will examine several coding languages used in writing tools and scripts used for incident response, including Perl, Python, C#, PowerShell and Go. In addition, we will discuss why one language may be more helpful than another depending on the use-case, and look at examples of code for each language.
eAUDIT: Designing a generic tool to review entitlements
by Francois Begin - June 22, 2015
In a perfect world, identity and access management would be handled in a fully automated way.
Rapid Triage: Automated System Intrusion Discovery with Python
by Trenton Bond - February 21, 2014
There are six major incident handling phases typically used to manage information security incidents: preparation, identification, containment, eradication, recovery, and lessons learned.
How Can You Build and Leverage SNORT IDS Metrics to Reduce Risk?
by Tim Proffitt - September 19, 2013
Metrics are used in many facets of a person's life and can be quite beneficial to the decision making process.
The Security Onion Cloud Client: Network Security Monitoring for the Cloud
by Joshua Brower - September 17, 2013
Network Security Monitoring (NSM) is the "collection, analysis, and escalation of indications and warnings to detect and respond to intrusions."
IP Fragment Reassembly with Scapy
by Mark Baggett - July 5, 2012
Overlapping IP fragments can be used by attackers to hide their nefarious intentions from intrusion detection systems and analysts.
Computer Forensic Timeline Analysis with Tapestry
by Derek Edwards - November 29, 2011
One question commonly asked of investigators and incident responders is, "What happened?" The answer often takes the form of a story designed to convey understanding of complex mechanisms and interactions in a simple, straightforward way.
Tracking Malware With Public Proxy Lists
by James Powers - January 27, 2011
The Web was born on Christmas Day, 1990 when the CERN Web server (CERN httpd 1.0) went online. By version 2.0, released in 1993, CERN httpd was also capable of performing as an application gateway. By 1994, content caching was added. With the publication of RFC 1945 two years later, proxy capabilities were forever embedded into the HTTP specification (Berners-Lee, Fielding, & Frystyk, 1996).
About Face: Defending Your Organization Against Penetration Testing Teams
by Terrence OConnor - December 6, 2010
In the following paper, we outline several methods for obscuring your network from attack during an external penetration test. Understanding how a penetration testing team performs a test and the tools in their arsenal is essential to defense. The penetration testing cycle is described in the next section. Following that, we discuss defeating recon and enumeration efforts, how to exhaust the penetration testing team's time and effort, how to properly scrub outbound and inbound traffic, and finally, we present some obscure methods for preventing a successful penetration test.
Capturing and Analyzing Packets with Perl
by John Brozycki - January 28, 2010
This paper describes the steps in setting up a Windows system with Perl and the necessary add-ons to be able to run and create packet capturing Perl scripts.
Winquisitor: Windows Information Gathering Tool
by Michael Cardosa - January 19, 2010
Winquisitor is a tool that facilitates the timely retrieval of information from multiple Windows systems enabling the administrator to respond in an appropriate amount of time. Unlike other command line tools, Winquisitor allows multiple types of queries in a single command with several output formats.
New Tools on the Bot War Front
by Jerry Shenk - December 12, 2009
- Sponsored By: FireEye
This paper discusses the bot problem and its impact on enterprises, followed by a review of how FireEye's 4200 appliance catches bot installers and bot traffic on the network.
Building an Automated Behavioral Malware Analysis Environment using Open Source Software
by Jim Clausing - June 18, 2009
This paper describes how an automated behavioral malware analysis environment for analyzing malware targeted at Microsoft Windows can be built using free and open source software.
IOScat - a Port of Netcat's TCP functions to Cisco IOS
by Robert Vandenbrink - May 29, 2009
This paper outlines both how IOScat was written, and how it can be used for both Penetration Testing and System Administration.
IOSMap: TCP and UDP Port Scanning on Cisco IOS Platforms
by Robert VandenBrink - November 18, 2008
This paper describes IOSmap, a port scanning tool implemented on Cisco IOS using the native TCL (Tool Command Language) scripting language on that platform. The business requirement for this tool, implementation considerations and challenges, and design choices are discussed.
Developing a Snort Dynamic Preprocessor
by Daryl Ashley - August 20, 2008
The goal of this paper is to demonstrate how to create a controlled environment for testing and writing a dynamic preprocessor.
OS and Application Fingerprinting Techniques
by Jon Mark Allen - September 27, 2007
This paper will attempt to describe what application and operating system (OS) fingerprinting are and discuss techniques and methods used by three of the most popular fingerprinting applications: nmap, Xprobe2, and p0f. I will discuss similarities and differences between not only active scanning and passive detection, but also the differences between the two active scanners as well. We will conclude with a brief discussion of why successful application or OS identification might be a bad thing for an administrator and offer suggestions to avoid successful detection.
Nessus Primer with the NessusWX Client
by Cecil Stoll - September 16, 2004
The focus of this paper will be to proactively seek out known vulnerabilities on the end systems and the processes running on them.
An Ettercap Primer
by Duane Norton - June 9, 2004
Ettercap is a versatile network manipulation tool. It uses its ability to easily perform man-in-the-middle (MITM) attacks in a switched LAN environment as the launch pad for many of its other functions.
Managing Peer-to-Peer Applications in Dormitory Networks
by Wayne Lai - March 9, 2004
Network security for dormitory networks has similar but special implications compared to the typical network.
Demystifying security tools: Should I use commercial or freeware?
by Sang Han - June 2, 2003
In this paper, I will touch upon why all network administrators need to incorporate security tool usage into their daily practices to help secure their environment.
Patch Management of Microsoft Products Using HFNetChkPro
by Kris Poznanski - February 1, 2003
Microsoft, together with Shavlik Technologies, has developed the Network Security Hotfix Checker, the HFNetChk tool (Hfnetchk.exe), a command-line tool that administrators can use to centrally assess a computer or group of computers for the absence of security patches.
Using Sam Spade
by Terry Pasley - January 24, 2003
This paper will examine a number of the more useful tools in Sam Spade.
netForensics - A Security Information Management Solution
by Michael Godfrey - January 28, 2002
This paper discusses netForensics, a security information management (SIM) solution that positions itself as a central point for your security information that is collected by various devices.
by Tony Enriquez - January 23, 2002
The purpose of this paper is to introduce a particular set of tools that can be used to secure your network.
Tools, Tools, and TOOLS!!
by Firas Shaheen - November 22, 2001
This paper provides a quick reference on popular tools (IDSes, Firewalls, Exploits, Scanners, Reconnaissance, Password crackers, Auditing, etc.), with a brief explanation on how they work, and where to get them.
An Introduction to NMAP
by Tim Corcoran - October 25, 2001
NMAP is an excellent, multi-functional utility that should be a part of every system administrator's toolkit.
Stop Port Scans with LaBrea
by Jim McClurg - October 19, 2001
LaBrea is one of the best ideas in security retaliation.
Network Monitoring with Nagios
by Scott Seglie - September 25, 2001
Nagios is a network-monitoring tool that allows administrators the ability to examine computers, routers, printers, and services.
Using Basic Security Module (BSM), Tripwire, System Logs, and Symantec's ITA for Audit Data C
by Philip DiFato - September 22, 2001
The primary focus of this paper is to provide a host-based set of tools for auditing trace records of attempted attacks on a secured network of Solaris boxes.
An Overview of SecureIIS - Are We Really Secured Now?
by Zul Suhaimi - September 18, 2001
The objective of this practical paper is to understand how our IIS can be protected using an application firewall.
PhoneSweep: The Corporate War Dialer
by Greg Hodes - September 10, 2001
The unsecured modem provides a weak and often overlooked avenue into some of the most secure networks as discussed in this paper.
Intrusion Detection using ACID on Linux
by Rusty Scott - September 7, 2001
This paper addresses a set of security practices that includes a number of key features mentioned in the SANS defense in depth model.
Netprowler: A Look at Symantec's Network Based IDS
by Eric Biedermann - August 17, 2001
This paper examines the features and capabilities of the Netprowler IDS, reviews common types of attacks and looks at an example of a typical intrusion scenario.
Virtually Free Network Security Software - For the *nix disinclined
by Dennis McHugh - August 14, 2001
This paper discusses some of the tools that have become a part of my personal toolkit that provide me with the ability to detect or verify different attacks and vulnerabilities as well as give me information necessary to report the attacks to the proper authorities.
Free NT Security Tools
by Douglas Orey - August 6, 2001
A discussion of several software tools available to assist with security for NT users.
Password Cracking with L0phtCrack 3.0
by Patrick Boismenu - June 19, 2001
This paper was designed to describe how most password crackers operate.
Netcat - The TCP/IP Swiss Army Knife
by Tom Armstrong - February 15, 2001
Netcat is a tool that every security professional should be aware of and possibly have in their 'security tool box'.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact email@example.com.
All papers are copyrighted. No re-posting or distribution of papers is permitted.