Skip to main content

Threat hunting a network attack in Linux with Python

You can investigate suspicious activity that could be a network attack by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity.

You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector

Ingest one or more of the following machine data from Category #1. Ingest one or more of the following machine data from Category #2. And ingest one or more of the following machine data from Category #3.

Category #1

  • General system-wide error messages from /var/log/syslog
  • Auditing logs of application rulesets
  • Auditing logs of security contexts
  • Auditing logs of login attempts from /var/log/auth.log
  • Auditing logs of user management or group management
  • Auditing logs of password management
  • Application specific logs from /var/log
  • File system status of files and directories from stat
  • Auditing logs of package management
  • Auditing logs of configuration management

Category #2

  • Raw dumps from sniffing at Layers 2-3
  • Raw dumps from /proc of kernel data structures
  • Raw dumps of kernel routing tables
  • Network services configuration files
  • Network interface configuration files

Category #3

  • Headless raw dumps of active executables
  • Memory profiles of active executables
  • Summaries of memory debugging, memory management or memory profiling
  • File integrity checking with checksum matching prior to either base infection or payload infection
  • Summaries of resource utilization: physical, network, I/O, disks, processes, etc.

Do you have a suggestion about how to improve this blog? Let's talk about it. Contact me at David.Brenner.Jr@Gmail.com or 720-584-5229.

Comments

Popular posts from this blog

Application behavior monitoring in Linux with Python

You can monitor application behaviors by collecting relevant machine data from your endpoint. You can use the machine data to investigate suspicious activity and create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data from Category #1. Ingest one or more of the following machine data from Category #2. Category #1 General system-wide error messages from /var/log/syslog Auditing logs of application rulesets Auditing logs of security contexts Auditing logs of

Network traffic monitoring in Linux with Python

You can investigate suspicious activity in your network traffic by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data: Application specific logs from /var/log Raw dumps from sniffing at Layers 2-3 Raw dumps from /proc of kernel data structures Raw dumps of kernel routing tables General system-wide error messages from /var/log/syslog Do you

Continuous Integration (CI) Best Practices

Continuous Integration (CI) automates the building and testing of software in a test environment whenever a change is committed to a revision control system. CI performs QA testing of a change before adding it to the current working version. CI makes sure all development can be integrated into a build. CI Best Practices 1. Maintain a test environment that's a clone of the production environment. 2. Maintain a revision control system such as CVS, SVN or Git. 3. Automate the building of software and the documenting of code in the test environment. 4. Automate QA testing of a change then report that change to developers. 5. Commit changes regularly to avoid integration conflicts. 6. Monitor the revision control system for a commit then build the software before replacing the current working version. Do you have a suggestion about how to improve this blog? Let's talk about it. Contact me at David.Brenner.Jr@Gmail.com or 720-584-5229.