Network Forensics using Netwitness

Discussion created by RSA Admin Employee on Sep 21, 2012


  • Outbound IRC connections - Infected workstations connect out to IRC-based Command & Control servers to listen for commands, so most outbound IRC traffic from a corporate network originates from compromised workstations.
    • Required data to create the above report
      • Outbound traffic on the IRC service (ports 6660/6665/6667/6669). IRC running on a non-standard port will not show up in a port-based report, so pair the port filter with the IRC service detection where it is available.


  • Peer File Transfer – Peer-to-peer data transfer creates a lot of noise on the network and can degrade network performance. Downloads or uploads from untrusted domains can bring malicious files into the network.
    • Required data to create the above report
      • Understand the traffic pattern and create a rule [Netwitness Live provides a rule for the torrent pattern]
      • Proxy logs with a site category of "peer file transfer"
      • Proxy logs with domain names.


  • Top Online Storage access - Public online storage can be used to leak confidential business data, which is a significant threat to the organization.
    • Required data to create the above report
      • Connections to the various storage sites [any free/paid online storage site]
      • This report can be prepared from log data or packet data [packet data: Netwitness Live default rule; log data: proxy logs with a site category].


  • Dyn DNS [DDNS] – Dynamic Domain Name System. Malware distributors constantly register and rotate Dyn DNS-hosted sub-domains that are then used to spread Trojans.
    • Required data to create the above report
      • Collect the DDNS provider domains and IP ranges manually, build a list, and match traffic against it [NW Live has a rule to detect DDNS]



  • Phishing / spear phishing – Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by "random hackers" and can be the first stage of an APT attack.
    • Required data to create the above report
      • All e-mail with embedded suspicious links/URLs/domains/IPs detected by an Informer rule.


  • TOR Nodes – TOR/onion routers mask the original IP address of the attacker's machine, which makes it very hard to trace the attacker's real IP address.
    • Required data to create the above report
      • Collect the TOR/onion router addresses/IP ranges, make a list in Informer, and match it against the source/destination address for detection.


  • Malicious User Agents - The User-Agent is an HTTP header field containing information about the client originating the request. A compromised workstation communicating with external C&C servers to receive commands often uses a malware-specific user agent, typically a poorly implemented or malformed imitation of a browser string.
    • Required data to create the above report
      • Understand the different varieties of malicious user agents, build a list of them, and use Informer for detection.



  • Top bandwidth users - Unauthorized uploads/downloads can lead to data loss or malware downloads.
    • Required data to create the above report
      • Packet data with packet sizes is enough to generate the report; aggregate bytes per source address.


  • VNC connections inside network - VNC connections inside the network are not safe; an attacker who reaches VNC inside the network can gain control of the target machine.
    • Required data to create the above report
      • Destination ports 5800/5900, etc., between internal addresses.
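As an added example (not part of the original discussion and not NetWitness or Informer code), the following Python script applies the list-based and port-based checks from the items above to a handful of constructed session records: outbound IRC, TOR node addresses, DDNS hosts, malicious user agents, VNC between internal hosts, watched proxy categories (peer file transfer, online storage) and top bandwidth users. The IP addresses, DDNS suffixes, user-agent substrings, categories and byte counts are constructed placeholders rather than real threat lists; in a NetWitness deployment the same logic would be expressed as Live/Informer rules over the equivalent meta keys.

```python
import ipaddress
from collections import Counter

# Internal address space of the monitored network (assumed RFC 1918 ranges).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Rule data. Ports come from the list above; the addresses, domains and
# user-agent strings are constructed placeholders, not real threat lists.
IRC_PORTS = {6660, 6665, 6667, 6669}
VNC_PORTS = {5800, 5900}
TOR_NODES = {"198.51.100.7", "203.0.113.44"}          # hypothetical TOR node list
DDNS_SUFFIXES = ("no-ip.example", "dyn.example")       # hypothetical DDNS provider domains
BAD_UA_SUBSTRINGS = ("Mozilla/4.0 (compatible)", "Microsoft URL Control")  # hypothetical
WATCH_CATEGORIES = {"peer file transfer", "online storage"}  # proxy site categories

# Constructed sample records, one per session, as a flow or proxy log line
# would be normalised. "host"/"ua"/"category" exist only for HTTP sessions.
SAMPLE_RECORDS = [
    {"src": "10.1.1.5", "dst": "203.0.113.10", "dport": 6667, "bytes": 4200},
    {"src": "10.1.1.5", "dst": "198.51.100.7", "dport": 443, "bytes": 1500},
    {"src": "10.1.1.8", "dst": "192.0.2.20", "dport": 80, "bytes": 900,
     "host": "update.no-ip.example", "ua": "Mozilla/4.0 (compatible)",
     "category": "uncategorized"},
    {"src": "10.1.1.9", "dst": "192.0.2.30", "dport": 443, "bytes": 880_000_000,
     "host": "files.example.net", "ua": "Mozilla/5.0 (Windows NT 6.1; Win64; x64)",
     "category": "online storage"},
    {"src": "10.1.1.8", "dst": "10.1.2.40", "dport": 5900, "bytes": 120_000},
    {"src": "10.1.1.9", "dst": "10.1.2.41", "dport": 6667, "bytes": 300},
    {"src": "10.1.1.7", "dst": "192.0.2.50", "dport": 80, "bytes": 300,
     "host": "www.example.com", "ua": "", "category": "business"},
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def is_ddns_host(host):
    # Match the provider domain itself or any sub-domain under it.
    return any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES)


def is_bad_user_agent(ua):
    # Empty user agents and known malware imitations of browser strings.
    return ua.strip() == "" or any(b in ua for b in BAD_UA_SUBSTRINGS)


def run_rules(records):
    """Return {rule_name: [(src, dst), ...]} for every record matching a rule."""
    hits = {"outbound_irc": [], "tor_node": [], "ddns": [],
            "bad_user_agent": [], "internal_vnc": [], "proxy_category": []}
    for r in records:
        pair = (r["src"], r["dst"])
        src_in, dst_in = is_internal(r["src"]), is_internal(r["dst"])
        # Outbound only: internal IRC (e.g. a sanctioned server) is not a C2 indicator here.
        if src_in and not dst_in and r["dport"] in IRC_PORTS:
            hits["outbound_irc"].append(pair)
        if r["src"] in TOR_NODES or r["dst"] in TOR_NODES:
            hits["tor_node"].append(pair)
        if "host" in r and is_ddns_host(r["host"]):
            hits["ddns"].append(pair)
        if "ua" in r and is_bad_user_agent(r["ua"]):
            hits["bad_user_agent"].append(pair)
        # VNC between two internal addresses, the case the list above flags.
        if src_in and dst_in and r["dport"] in VNC_PORTS:
            hits["internal_vnc"].append(pair)
        if r.get("category") in WATCH_CATEGORIES:
            hits["proxy_category"].append(pair)
    return hits


def top_bandwidth(records, n=3):
    """Total bytes per internal source address, largest first."""
    totals = Counter()
    for r in records:
        if is_internal(r["src"]):
            totals[r["src"]] += r["bytes"]
    return totals.most_common(n)


if __name__ == "__main__":
    for rule, pairs in run_rules(SAMPLE_RECORDS).items():
        for src, dst in pairs:
            print(f"{rule:16s} {src} -> {dst}")
    for ip, total in top_bandwidth(SAMPLE_RECORDS):
        print(f"{'top_bandwidth':16s} {ip} {total} bytes")
```

Each rule keys on the same fields the list above asks for (destination port plus direction, an address list, a host suffix list, the User-Agent header, the proxy category), so the script doubles as a checklist of which meta a collector must expose before the corresponding report can be built. Note that the internal IRC session on port 6667 is deliberately not reported as outbound IRC.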