When a security incident has occurred and must be investigated, the incident handler's Holy Grail is a network capture file. It contains all communications between the hosts on the network. The metadata alone are already a goldmine: source and destination IP addresses, ports, timestamps. But if we also have access to the full packets with their payload, it gets even more interesting: we can extract binary files from packets, replay sessions, extract IOCs and much more.
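The metadata mentioned above (timestamps, addresses, ports) can be pulled out of a tcpdump capture with nothing but the Python standard library. The following is an added example, not code from the original diary: it parses the classic pcap format, handles both the Ethernet frames written by `-i eth0` and the Linux "cooked" frames written by `-i any`, skips non-IPv4 frames, and stops cleanly at a truncated last record such as a file still being written or cut by rotation can contain. The capture bytes are constructed inline so the script runs offline; the addresses, timestamps and the /var/log/tcpdump/dump.pcap0 path are illustrative assumptions.

```python
"""Added example (not from the original diary): extract timestamp, protocol,
source/destination IP and ports from a classic pcap file as written by tcpdump,
standard library only.  The sample capture is constructed inline; pass a real
file such as /var/log/tcpdump/dump.pcap0 on the command line for actual data."""
import socket
import struct
from datetime import datetime, timezone

LINKTYPE_ETHERNET = 1      # what "tcpdump -i eth0" writes
LINKTYPE_LINUX_SLL = 113   # "cooked" header written by "tcpdump -i any"
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}
# magic as read little-endian -> (byte order of the file, timestamp fraction unit)
MAGICS = {0xA1B2C3D4: ("<", 1_000_000), 0xD4C3B2A1: (">", 1_000_000),
          0xA1B23C4D: ("<", 1_000_000_000), 0x4D3CB2A1: (">", 1_000_000_000)}


def _network_layer(linktype, frame):
    """Return (ethertype, offset of the IP header) for one captured frame."""
    if linktype == LINKTYPE_ETHERNET and len(frame) >= 14:
        return struct.unpack_from("!H", frame, 12)[0], 14
    if linktype == LINKTYPE_LINUX_SLL and len(frame) >= 16:
        return struct.unpack_from("!H", frame, 14)[0], 16
    return None, None


def parse_pcap(data):
    """Return [(utc_datetime, proto, src, sport, dst, dport), ...] for every IPv4
    TCP/UDP packet.  Other frames are skipped; a truncated final record ends
    parsing instead of raising."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    order, frac_unit = MAGICS[magic]
    linktype = struct.unpack_from(order + "HHiIII", data, 4)[5]
    if linktype not in (LINKTYPE_ETHERNET, LINKTYPE_LINUX_SLL):
        raise ValueError(f"unsupported link type {linktype}")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < incl_len:
            break                      # truncated last record
        ethertype, l3 = _network_layer(linktype, frame)
        if ethertype != ETHERTYPE_IPV4 or len(frame) < l3 + 20:
            continue                   # ARP, IPv6, runt frame, ...
        ihl = (frame[l3] & 0x0F) * 4
        proto = frame[l3 + 9]
        l4 = l3 + ihl
        if proto not in PROTO_NAMES or len(frame) < l4 + 4:
            continue                   # ICMP etc., or no room for the ports
        src = socket.inet_ntoa(frame[l3 + 12:l3 + 16])
        dst = socket.inet_ntoa(frame[l3 + 16:l3 + 20])
        sport, dport = struct.unpack_from("!HH", frame, l4)
        ts = datetime.fromtimestamp(ts_sec, tz=timezone.utc).replace(
            microsecond=ts_frac * 1_000_000 // frac_unit)
        records.append((ts, PROTO_NAMES[proto], src, sport, dst, dport))
    return records


# --- constructed sample capture (addresses and timestamps are made up) -------
def _ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload


def _tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _eth(ethertype, payload):
    return bytes(range(6)) + bytes(range(6, 12)) + struct.pack("!H", ethertype) + payload


def _sll(ethertype, payload):
    return struct.pack("!HHH8sH", 0, 1, 6, bytes(range(6)) + b"\0\0", ethertype) + payload


def build_sample_pcap(linktype=LINKTYPE_ETHERNET):
    """One TCP SYN, one DNS query, one ARP frame, then a truncated record."""
    wrap = _eth if linktype == LINKTYPE_ETHERNET else _sll
    frames = [
        (1_700_000_000, 250_000, wrap(ETHERTYPE_IPV4,
            _ipv4(6, "10.0.0.5", "203.0.113.7", _tcp_syn(51234, 443)))),
        (1_700_000_001, 500_000, wrap(ETHERTYPE_IPV4,
            _ipv4(17, "10.0.0.5", "10.0.0.1", _udp(40000, 53, b"\x12\x34\x01\x00" + b"\0" * 8)))),
        (1_700_000_002, 0, wrap(0x0806, b"\0" * 28)),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, linktype)
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out + struct.pack("<IIII", 1_700_000_003, 0, 60, 60) + b"\0" * 10


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for ts, proto, src, sport, dst, dport in parse_pcap(blob):
        print(f"{ts.isoformat()} {proto} {src}:{sport} -> {dst}:{dport}")
```

The link-type switch matters in practice: the Dockerfile's default CMD uses `-i any`, which makes tcpdump write Linux "cooked" frames (link type 113) rather than Ethernet, and a parser that blindly assumes a 14-byte Ethernet header reads garbage for the IP addresses. The same function returns the same records for either variant of the sample.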
Performing FPC (Full Packet Capture) is a must, but it has many constraints:
So, the idea: instead of deploying a full packet capture solution for the entire network, you can focus on the more sensitive assets and collect locally. That's what I'm doing with all my servers hosted here and there. How?
First of all, when I deploy a new server, the first piece of software that I install after the operating system is Docker. It is so convenient for deploying applications in a container, for production or for test/development. Docker containers can be deployed at boot time and do
FROM ubuntu
MAINTAINER Xavier Mertens
# capture files are written here; bind-mount a host directory on it at run time
VOLUME [ "/data" ]
RUN apt-get update && apt-get -y -q install tcpdump
# default arguments: capture on all interfaces, rotate at roughly 1 GB, keep 10 files
CMD [ "-i", "any", "-C", "1000", "-W", "10", "-w", "/data/dump" ]
ENTRYPOINT [ "/usr/sbin/tcpdump" ]
And you
# docker run -d --net=host -v /var/log/tcpdump:/data --restart=always \
    --name tcpdump tcpdump -i eth0 -n -s 0 -C 1000 -W 10 -w /data/dump.pcap
(The image name is missing from the command as captured; the second "tcpdump" above assumes the Dockerfile was built with "docker build -t tcpdump .".) Everything after the image name replaces the CMD from the Dockerfile, so this instance captures on eth0 only rather than on every interface; --net=host is what lets the container see the host's interfaces at all, -n disables reverse DNS lookups, and with -C 1000 -W 10 tcpdump cycles through ten files of roughly 1 GB each (dump.pcap0 to dump.pcap9) in /var/log/tcpdump, overwriting the oldest, so budget about 10 GB on that filesystem.
Keep in mind:
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant