Ever had interesting network traffic and been left scratching your head trying to figure out what the motive or objective was? You can tell it is abnormal network communication but can't put your finger on exactly what it is?

I have compiled a database of publicly available information that is commonly searched during the course of traffic analysis. This database is by no means complete, or even accurate beyond any reasonable doubt. It will, however, hopefully guide novice and professional analysts in the correct direction, given that a scientific approach is used to prove or disprove a theory using data from this database.

It must be understood that software may be bound to any port. Thus no answer is definitive; it is only a guide. This database includes:


Protocol

The network communication protocol used, for example Transmission Control Protocol (TCP). Follow this link for a listing of different protocols and their decimal equivalents.

Port

The port number used by the application or noted during the network communications. Not all protocols use ports so this field may be a null value.  Keep in mind that a port can be changed and some programs use a range of ports.  Try to find the default port used by the application for entry into the database if at all possible.

Application

The application that may have been used.  For Remote Procedure Calls (RPC) the Program ID is listed in this field.

Version

What version of the application or malware caused you to make this database entry?  If it was the BioNET trojan, was it version 3.13 (Millenium Edition)?

Aliases

This field is used to identify another common name an application is known by.  An example might be “Sub7” for the trojan “Sub Seven”.

Description

A description of the application or stimulus that caused the network traffic, and of the targeted application or operating system.

Files

Submit a list of the files found in the rootkit or application here, including file sizes and perhaps even creation/modification dates.

Operating Systems

Enter the operating system affected; for instance, if the exploit only affects unpatched Solaris 2.6 distributions, you would put that here.

Dependencies

If the malware or application requires dependencies or other software in order to exist, this should be entered here. An example would be a worm that requires Perl in order to propagate further after infecting the current host.

Registers

Pretty much a Windows © specific field.  What registry entries were made or modified by the application or malware?

Programmed In

What programming language was the application or malware written in?  Was it C or Pascal?

Source

Credit to the source of the database entry, or a contact that allows further follow-up on the topic. Common sources include individuals, the Internet Assigned Numbers Authority (IANA), various trojan and malware lists maintained by other parties, and lists of programs and their specifications from corporate entities and organizations. The information from major lists like IANA will be updated approximately every 6 months, as it does not change drastically.

Source CVE

Correlation to Common Vulnerabilities and Exposures (CVE) entries listed in the MITRE database. For example, CVE-1999-0009 would be entered if the entry was related to "Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases".

Date of Entry

The date this entry was made into the database.

Log Type

Insert the name of the application that created this log, for instance “Apache web logs” or “CISCO PIX firewall logs”.

Sample Logs

A sample of the traffic, or even the code, that caused the network traffic. Traffic should be submitted in verbose mode; a hex and ASCII breakout is the most useful. Higher-fidelity logs are more helpful. Only a sample is needed, so please submit only relevant logs. Feel free to sanitize your logs prior to submission.

Country of Origin

If you have actually determined where the application was developed or have a good guess, it can be entered here.  For traffic specific entries the whois country of origin is good enough.
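As an added illustration (not code from the original page or from the Whitehats database), the following Python sketch stores a few of the fields described above in a SQLite table, parses the address line of a verbose tcpdump capture to recover protocol and destination port, and returns candidate entries. The rows, the tcpdump line and the default port for Sub Seven are constructed assumptions; because any software may be bound to any port, the result is a list of candidates to test against, never a verdict.

```python
import re
import sqlite3

# Constructed sample rows mirroring the database fields described above:
# (protocol, port, application, version, aliases, description).
# The default ports are assumptions for illustration, not values from the page.
SAMPLE_ROWS = [
    ("TCP", 27374, "Sub Seven", "2.1", "Sub7", "Windows remote-access trojan (assumed default port)"),
    ("TCP", 80, "Apache httpd", "1.3", "", "Web server"),
    ("UDP", 53, "BIND", "8", "named", "DNS server"),
]


def build_db():
    """Create an in-memory table with the page's core fields and load the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE entries (protocol TEXT, port INTEGER, application TEXT, "
        "version TEXT, aliases TEXT, description TEXT)"
    )
    con.executemany("INSERT INTO entries VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return con


# Address line of a tcpdump-style capture, with an optional leading timestamp, e.g.
# "12:00:01.000000 IP 10.0.0.5.1042 > 10.0.0.9.27374: Flags [S], ..." (constructed).
LINE_RE = re.compile(r"^(?:\d[\d:.]*\s+)?IP6?\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s*(.*)$")


def parse_header(line):
    """Return (protocol, src, sport, dst, dport) from a tcpdump header line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, rest = m.groups()
    # tcpdump prints "UDP, length N" for UDP datagrams and "Flags [...]" for TCP segments.
    proto = "UDP" if rest.startswith("UDP") else "TCP"
    return proto, src, int(sport), dst, int(dport)


def candidates(con, proto, port):
    """List database entries whose default protocol/port match; empty means 'unknown', not 'benign'."""
    query = ("SELECT application, version, aliases, description FROM entries "
             "WHERE protocol = ? AND port = ? ORDER BY application")
    return con.execute(query, (proto, port)).fetchall()
```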

Take a look at the form and query the database to your heart's content. All I ask is that you reciprocate by sharing information you have obtained that isn't in the database, so that others might benefit from your knowledge. User submissions will be reviewed prior to being committed as new records, and requests to remain anonymous will be granted.

Regards,
Jamie French, GCIA, GCUX, GCWN



Copyright © 2000-2014 Whitehats.ca
Contact Information 519.221.9132 : Web Contact webmaster@whitehats.ca