Task 803 – 1 page
Instructions: Distinguish between full content data (including collection tools), session data (including collection tools) and statistical data (including collection tools).
Use examples from the readings, or from your own research, to support your views, as appropriate. You are encouraged to conduct research and use other sources to support your answers. Be sure to list your references at the end. References must be in APA citation format. A minimum of 250-300 words.
Number of Pages: 1 Page
Page Line Spacing: Double spaced (Default)
Academic Level: College
Paper Format: APA
Task 804
1.
Write 150 word replies to each of the following:
Add additional insight opinions or challenge opinions and you can visit a couple of the web sites contributed and share your opinion of these sites. Minimum of 150 words for each.
Part 1 (respond in 150 words)
1) Session data, which can be obtained through full content data, summarizes packet exchanges. The data is taken from a flow, or a session, and allows analysis of source IP, source port, destination IP, destination port, the timestamp, and the overall information measurement exchanged during the session. The session-first method is predicated on collecting all of the data, then summarizing all of the data as a conversation. This method is expected to work best on busy networks, where the method allows for quicker parsing of the data by an analyst, and allows for specific movement tracking.
Statistical data, on the other hand, is a way to look at a network that takes into account the normal behaviors and observed parameters of that network using descriptive statistics. This data identifies the patterns of overall traffic flow and gives the analyst the ability to spot anomalies. Beyond that, these statistics can be used to identify potential inefficiencies and reallocate resources.
Each of these types of data has different tools available to collect and compile it.
For full content data, the tools recommended are LIBPCAP, TCPDUMP, Tethereal, Snort, and Ethereal. Of these, LIBPCAP seems to be the foundation, as well as TCPDUMP, as the other tools seem to take those two programs and integrate them into their setups. Each provides its own format for packet data, and some allow you to go deeper into the data to pull out hexadecimal and ASCII data, including Tethereal, Ethereal, and Snort. Ethereal also has the ability to reconstruct streams.
For session data, tools use probes, collectors and consoles, working in concert to find, collate, and translate the data provided. The text recommends Cisco NetFlow due to the widespread use of Cisco technology, and the program's compatibility with the many open source tools Mr. Bejtlich represents. This data can then be viewed through TCPDUMP. Some other open source collection tools include FProbe, NG_Netflow, Softflowd, Pfflowd, and Ntop. Mr. Bejtlich also mentions Flow Tools, Flow Capture, Flow-Cat and Flow-Print (complementary tools), Sflow and the Sflow toolkit, and Argus, which is a complete traffic collector and analyzer.
For statistical data, Mr. Bejtlich introduces ifstat, bmon, and Trafshow, as well as many others. They provide short- and long-term data statistics, and allow the analyst to identify the broader trends.
Part 2 (respond in 150 words)
2) Full content data can be reviewed in two stages which are summary of data headers and inspection of individual packets. Full content data represents traffic on the wire or transmitted via radio frequency. The packet capture library libpcap (http://www.tcpdump.org) is the standard for reading packets. Three tools facilitate saving entire packet contents as given below:
Tcpdump — http://www.tcpdump.org
Ethereal/Tethereal — http://www.ethereal.com
Snort — http://www.snort.org
Session data represents conversations or flows between parties. In other words, it collects only the information pertinent to a particular area. Two formats are used: NetFlow (http://www.cisco.com/go/netflow) and proprietary versions. Interface FastEthernet 0/0 on a Cisco 2600 series router can be configured to export NetFlow data to a collector listening on port 9995 UDP at IP 172.27.20.3 using the following commands:
! Enter privileged EXEC mode, then global configuration mode
enable
configure terminal
! Enable NetFlow accounting on the interface whose traffic should be summarized
interface FastEthernet 0/0
ip route-cache flow
exit
! Back in global configuration mode: send the flow records to the collector (UDP port 9995)
ip flow-export destination 172.27.20.3 9995
Session data is especially helpful because its ignorance of application data renders it immune to encryption. Session data can be quickly passed through grep to locate IPs or ports of interest. Because it tracks “who talked to whom and when,” session data is often the key to understanding an intrusion.
Statistical data represents broad trends in network activity. It’s easy to review dozens or hundreds of packets manually, but an overview is often helpful. Tcpdstat, which can be found at: http://staff.washington.edu/dittrich/talks/core02/tools/tools.html
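The three layers described in both posts above (full content, session, and statistical data) can be shown as one pipeline. The following is an added example written for this page, not code from either post, from Bejtlich's book, or from any of the tools named (libpcap, NetFlow, Argus, Tcpdstat). The traffic it processes is constructed in the script with `struct`, so it runs offline; the IP addresses, ports and byte counts are made up. Full content is the raw header bytes, session data is the per-conversation summary that survives encryption because it never looks at the payload, and statistical data is the aggregate view an analyst uses to spot trends.

```python
"""Full content -> session data -> statistical data (added example, constructed traffic)."""
import ipaddress
import struct
from collections import Counter
from dataclasses import dataclass

TCP, UDP = 6, 17


def build_packet(src, dst, sport, dport, proto, payload, ts):
    """Construct a minimal IPv4 + TCP/UDP packet; this stands in for one full content record."""
    total_len = 20 + (20 if proto == TCP else 8) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    if proto == TCP:   # seq/ack zeroed, data offset 5, PSH|ACK, window 8192
        l4_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    else:              # UDP: length covers header + payload
        l4_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ts, ip_hdr + l4_hdr + payload


def parse_packet(raw):
    """Decode the header fields an analyst reads from full content data; payload is ignored."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = raw[9]
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return src, sport, dst, dport, proto, total_len


@dataclass
class Session:
    """One conversation: who talked to whom, when, and how much (NetFlow/Argus-style record)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    first_ts: float
    last_ts: float
    packets: int = 0
    bytes: int = 0


def sessions_from_packets(packets):
    """Collapse full content into session data; both directions of a flow merge into one record."""
    sessions = {}
    for ts, raw in packets:
        src, sport, dst, dport, proto, length = parse_packet(raw)
        key = (proto,) + tuple(sorted([(src, sport), (dst, dport)]))
        sess = sessions.get(key)
        if sess is None:  # first packet seen names the initiator
            sess = Session(src, sport, dst, dport, proto, ts, ts)
            sessions[key] = sess
        sess.last_ts = max(sess.last_ts, ts)
        sess.packets += 1
        sess.bytes += length
    return list(sessions.values())


def find_sessions(sessions, ip=None, port=None):
    """The grep-style lookup the post describes: sessions touching an IP or port of interest."""
    return [s for s in sessions
            if (ip is None or ip in (s.src, s.dst))
            and (port is None or port in (s.sport, s.dport))]


def traffic_statistics(sessions):
    """Statistical data: aggregate the session records into broad trends."""
    by_proto, by_dport, talkers = Counter(), Counter(), Counter()
    for s in sessions:
        by_proto[{TCP: "tcp", UDP: "udp"}.get(s.proto, str(s.proto))] += s.bytes
        by_dport[s.dport] += s.bytes
        talkers[s.src] += s.bytes
    return {"total_bytes": sum(by_proto.values()),
            "bytes_by_proto": dict(by_proto),
            "top_dport": by_dport.most_common(1)[0],
            "top_talker": talkers.most_common(1)[0]}


# Constructed sample traffic (not a real capture): one HTTPS conversation, one DNS lookup,
# and a second client reaching the same HTTPS server.
SAMPLE_TRAFFIC = [
    build_packet("10.0.0.5", "203.0.113.10", 40001, 443, TCP, b"x" * 100, 0.0),
    build_packet("203.0.113.10", "10.0.0.5", 443, 40001, TCP, b"y" * 500, 0.2),
    build_packet("10.0.0.5", "203.0.113.10", 40001, 443, TCP, b"x" * 50, 0.4),
    build_packet("10.0.0.5", "192.0.2.53", 53001, 53, UDP, b"q" * 30, 1.0),
    build_packet("192.0.2.53", "10.0.0.5", 53, 53001, UDP, b"r" * 80, 1.05),
    build_packet("10.0.0.7", "203.0.113.10", 40002, 443, TCP, b"x" * 10, 2.0),
]

if __name__ == "__main__":
    sessions = sessions_from_packets(SAMPLE_TRAFFIC)
    for s in sessions:
        print(f"{s.first_ts:6.2f}-{s.last_ts:6.2f} {s.src}:{s.sport} -> {s.dst}:{s.dport} "
              f"proto={s.proto} pkts={s.packets} bytes={s.bytes}")
    print(traffic_statistics(sessions))
```

The session key sorts the two endpoints so that the reply packets land in the same record as the request, which is what makes a session record answer "who talked to whom and when" with a single line per conversation. Note that `parse_packet` never touches bytes past the transport header, which is why this layer is unaffected by encrypted payloads.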