"cooked food. When dealing with packet capture, this is the equivalent of filling up your disk. No more packets will be captured until you delete some of what you have or move it elsewhere. Instead of having Nagios start yelling at us about the full disk, we can adopt another meth…"
T1040 Network Sniffing (98%)
"to illustrate, I’ve produced this listing sorted by date (newest on top) showing sizes (around 10MB, except the one that’s being written). So, now that we have our ring capture going, we can start considering what we can do with that. The simplest thing we can imagine is …"
T1040 Network Sniffing (98%)
"is that the trigger is something like an IDS hit, or optimally something more sophisticated like an event-correlated score tagging. The result, though, is that now you have a little chunk of packet capture which may have something in it that warrants further analysis. These sma…"
T1040 Network Sniffing (97%)
"Wireshark, the way to accomplish this is to time limit each capture file, and tell it to overwrite older files based on another criterion (file number, time). For tcpdump, we use the “-G” parameter to limit individual capture to a specified time period and the “-w” parame…"
T1040 Network Sniffing (93%)
"the speeds we are talking about. At the end of this blog, I’ll explain exactly how to accomplish this with a real packet capture tool, tcpdump, which is widely available and simple to operate. Before that, though, I should say a bit about what this method means. It means that y…"
T1572 Protocol Tunneling (75%)
"see an attacker failing to take over the connected system in 5 to 10 seconds, I can assume the device isn’t configured and on the internet. Defenders, on the other hand, have to succeed 100% of the time. Any failure on the part of a defender is notable and potentially disastro…"
T1071 Application Layer Protocol (34%)
"malware beaconing (essentially the method and act of some malware reaching out to its operator for new commands) comes in many forms, and some are detectable as highly periodic, aimed at a specifically known bad reputation site, or detectable in some other way. Clever malware au…"
Summary
How to selectively capture packets for further analysis and avoid buying a storage farm.