Experiment Number 4

The document outlines a procedure for detecting suspicious network activity by analyzing traffic patterns, utilizing tools like Wireshark for packet analysis, and implementing specific filters to identify potential attacks such as ARP spoofing and SYN floods. It emphasizes the importance of recognizing red flags like repeated connection attempts, unusual communication behavior, and unencrypted credentials. Additionally, it mentions tools like Snort and Bro/Zeek for enhanced network monitoring and analysis.

Uploaded by

Legendary gamers

EXPERIMENT-2

Aim: Detecting Suspicious Activity: Analyze network traffic to identify suspicious patterns, such as
repeated connection attempts or unusual communication between hosts.
Description: Detecting Suspicious Patterns:
1. Identification of suspicious traffic patterns: The first thing we must do is analyze network traffic to
identify patterns that may indicate the presence of an attack. Some of these patterns may be:

- A high volume of traffic coming from the same IP address.
- Unusual network traffic at unusual times.
- A large number of packets with the same size or with similar structures.
- Packets with an unusually high retransmission rate.
- Traffic that deviates from normal network communication patterns.

2. Wireshark packet analysis: Once these patterns are identified, it's time to analyze the packets in
Wireshark to learn more about suspicious traffic. Some of the techniques we can use are:

- Filter the traffic to focus on the packets that interest us.
- Use statistics and graphs to visualize traffic and detect patterns.
- Analyze the protocols used in the packets to identify possible vulnerabilities or exploits.
- Look for strings of characters or specific patterns in the packets that can indicate the presence of an
attack.

3. Decision making: Once we have identified the suspicious traffic and have analyzed the packets in
Wireshark, it is time to make decisions. Some of the actions that we can carry out are:

- Block the IP address that is generating the suspicious traffic.
- Isolate the infected machine to prevent the attack from spreading.
- Notify the IT security team for further action.
- Monitor traffic to detect possible future attacks.

Here are some filters that we can use in Wireshark to detect intrusions and malware attacks:

1. Filter to detect false ARP packets:

arp.opcode == 2 && arp.dst.proto_ipv4 == (our IP address)

This filter allows us to detect fake ARP packets, which are commonly used in man-in-the-middle attacks.
By using this filter, Wireshark will only show us the ARP replies (opcode 2) that have our IP address as
destination; a reply that claims an IP address already known under a different MAC address is the sign
of spoofing.

2. Filter to detect ping flood packets:

icmp.type == 8 && icmp.code == 0

Ping flood attacks consist of sending a large number of ICMP Echo Request (ping) packets to a specific
IP address, causing a network overload. With this filter, we can quickly detect these types of attacks:
the filter matches every Echo Request, so it is the volume of matches from one source that indicates a
flood.

3. Filter to detect SYN flood packets:

tcp.flags.syn == 1 && tcp.flags.ack == 0

SYN flood attacks consist of sending a large number of TCP SYN packets to a server, causing a
connection overload. With this filter, we can detect packets that have the SYN flag set and the ACK flag
not set, i.e. the first packet of a handshake; a flood shows up as many such packets from one source
that are never followed by the final ACK.

4. Filter to detect XSS packets:

http.request.uri matches ()

XSS attacks consist of injecting malicious code into a web page, which allows the attacker to steal user
information. With this filter, we can detect HTTP requests that include HTML code.
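The three filters above only select packets; deciding that the selection is an attack still needs a count or a consistency check on top of them. The following script is an added example (not part of the handout) that re-expresses the ARP, ping-flood and SYN-flood filters as Python predicates and adds that second step: it flags an IP address claimed by more than one MAC in ARP replies, and a source that sends Echo Requests or bare SYNs above a threshold. Field names mirror Wireshark's display-filter names so the same logic could be fed from `tshark -T fields` output; the packet list, the address 10.0.0.5 and the thresholds are constructed assumptions.

```python
"""Added example: Wireshark filters as Python predicates plus threshold checks.
Field names follow Wireshark (arp.opcode, icmp.type, tcp.flags.syn, ...).
All packets below are constructed sample data, not a real capture."""
from collections import Counter, defaultdict

OUR_IP = "10.0.0.5"  # assumed address of the monitoring host

# Constructed sample capture: one dict per packet.
PACKETS = [
    # legitimate ARP reply for the gateway
    {"arp.opcode": 2, "arp.src.proto_ipv4": "10.0.0.1",
     "arp.src.hw_mac": "aa:aa:aa:aa:aa:01", "arp.dst.proto_ipv4": OUR_IP},
    # second reply claiming the gateway IP from another MAC: spoofing indicator
    {"arp.opcode": 2, "arp.src.proto_ipv4": "10.0.0.1",
     "arp.src.hw_mac": "bb:bb:bb:bb:bb:02", "arp.dst.proto_ipv4": OUR_IP},
    # ARP request (opcode 1): not matched by the reply filter
    {"arp.opcode": 1, "arp.src.proto_ipv4": "10.0.0.7",
     "arp.src.hw_mac": "cc:cc:cc:cc:cc:03", "arp.dst.proto_ipv4": OUR_IP},
]
# ICMP: 12 Echo Requests from one host, one request and one reply from another
PACKETS += [{"ip.src": "10.0.0.9", "ip.dst": OUR_IP, "icmp.type": 8, "icmp.code": 0}
            for _ in range(12)]
PACKETS += [{"ip.src": "10.0.0.3", "ip.dst": OUR_IP, "icmp.type": 8, "icmp.code": 0},
            {"ip.src": "10.0.0.3", "ip.dst": OUR_IP, "icmp.type": 0, "icmp.code": 0}]
# TCP: 15 bare SYNs to port 80 from one source, a full handshake from another
PACKETS += [{"ip.src": "192.0.2.10", "ip.dst": OUR_IP, "tcp.dstport": 80,
             "tcp.flags.syn": 1, "tcp.flags.ack": 0} for _ in range(15)]
PACKETS += [{"ip.src": "10.0.0.3", "ip.dst": OUR_IP, "tcp.dstport": 80,
             "tcp.flags.syn": 1, "tcp.flags.ack": 0},
            {"ip.src": OUR_IP, "ip.dst": "10.0.0.3", "tcp.srcport": 80,
             "tcp.flags.syn": 1, "tcp.flags.ack": 1},          # SYN-ACK
            {"ip.src": "10.0.0.3", "ip.dst": OUR_IP, "tcp.dstport": 80,
             "tcp.flags.syn": 0, "tcp.flags.ack": 1}]          # final ACK


def is_arp_reply_to_us(p, our_ip=OUR_IP):
    """arp.opcode == 2 && arp.dst.proto_ipv4 == <our IP>"""
    return p.get("arp.opcode") == 2 and p.get("arp.dst.proto_ipv4") == our_ip


def is_echo_request(p):
    """icmp.type == 8 && icmp.code == 0"""
    return p.get("icmp.type") == 8 and p.get("icmp.code") == 0


def is_bare_syn(p):
    """tcp.flags.syn == 1 && tcp.flags.ack == 0"""
    return p.get("tcp.flags.syn") == 1 and p.get("tcp.flags.ack") == 0


def arp_conflicts(packets, our_ip=OUR_IP):
    """IPs that more than one MAC claims in ARP replies sent to us -> {ip: {macs}}."""
    claims = defaultdict(set)
    for p in packets:
        if is_arp_reply_to_us(p, our_ip):
            claims[p["arp.src.proto_ipv4"]].add(p["arp.src.hw_mac"])
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def ping_flood_sources(packets, threshold=10):
    """Sources sending at least `threshold` Echo Requests -> {src: count}."""
    counts = Counter(p["ip.src"] for p in packets if is_echo_request(p))
    return {src: n for src, n in counts.items() if n >= threshold}


def syn_flood_sources(packets, threshold=10):
    """Sources sending at least `threshold` SYNs without ACK -> {src: count}."""
    counts = Counter(p["ip.src"] for p in packets if is_bare_syn(p))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("ARP conflicts:", arp_conflicts(PACKETS))
    print("Ping flood sources:", ping_flood_sources(PACKETS))
    print("SYN flood sources:", syn_flood_sources(PACKETS))
```

The thresholds are per-capture tuning knobs: on a real network a single host legitimately sends many pings or SYNs over time, so the counts should be taken over a short window and compared against the baseline the first section of the handout asks you to establish.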

When analyzing network traffic, keep an eagle eye out for the following red flags:
1. Repeated Connection Attempts:
   - Frequent connection requests from the same source to different ports or services can be suspicious.
   - Look for patterns like rapid retries or brute-force attacks.
2. Unusual Communication Behavior:
   - Abnormal communication between hosts can raise suspicions.
   - Examples:
     - Unusual Port Usage: Unexpected services running on non-standard ports.
     - Data Exfiltration: Large data transfers to uncommon destinations.
     - Domain Generation Algorithms (DGAs): Unpredictable domain names generated by malware.
3. Traffic Volume and Timing:
   - Sudden spikes in traffic volume or unusual timing patterns may indicate malicious activity.
   - Monitor for unexpected peaks during off-hours.
4. Protocol Anomalies:
   - Deviations from expected protocol behavior can be indicative of compromise.
   - For instance:
     - HTTP Requests: Look for unusual User-Agent strings or excessive requests.
     - DNS Queries: Check for domain flux or excessive lookups.
5. Unencrypted Credentials:
   - Capturing plaintext credentials (e.g., in HTTP traffic) is a major concern.
   - Be vigilant for sensitive information transmitted without encryption.

Tools for Analysis:

- Wireshark: As we discussed earlier, Wireshark is your trusty sidekick for capturing and dissecting packets.
- Snort: An open-source intrusion detection system (IDS) that detects and alerts on suspicious network traffic.
- Bro/Zeek: A powerful network analysis framework for real-time monitoring and analysis.
