To start the analysis, we want to understand the environment in which the log files were collected. A few simple queries should reveal some of the topology. First, it is worth figuring out what the network looked like on which the snort instance was running. To get an idea of the topology, let us have a look at the MAC addresses:
tcpdump -nnelr /tmp/sans | awk '{print $2}' | sort | uniq -c
141216 00:00:0c:04:b2:33
183245 00:03:e3:d9:26:c0
The output shows the source MAC addresses and the number of packets each one sent. It is important to understand that the number of packets from each of the two devices does not have to be the same. It is interesting that the number of alerting packets from the two devices is roughly the same. One would expect the number of packets triggering a snort rule to be higher for connections coming into a network, which would show up as a clear asymmetry in these numbers. This might be a first clue about the network topology we are dealing with: it may not be a clear internal vs. external situation, but something more complex. Let us continue with some statistics and then see what these numbers can tell us.
The next step in our analysis is to find the destination MAC addresses and their counts. With the tcpdump version used here, field 3 of the output is the ">" separator and field 4 is the destination MAC; newer tcpdump versions print the destination MAC with a trailing comma ("src > dst, ethertype ..."), so that comma has to be stripped before sorting, or every address will be counted twice (once with and once without it):
tcpdump -nnelr /tmp/sans | awk '{print $4}' | sort | uniq -c
183239 00:00:0c:04:b2:33
6 00:00:c0:6b:e9:c6
141216 00:03:e3:d9:26:c0
A new device shows up; we will see later what it is. The other two counts are directly linked to the source counts: all 141216 packets sent by 00:00:0c:04:b2:33 went to 00:03:e3:d9:26:c0, and the 183245 packets sent by 00:03:e3:d9:26:c0 split into 183239 to 00:00:0c:04:b2:33 and 6 to the new device. So the new device only received traffic, and only from 00:03:e3:d9:26:c0. Figure 2.1 summarizes our findings in a visual representation.
We can see that the snort sensor is surrounded by three other devices. To understand the role of these three devices, we can try to look up which vendor produced them. The IEEE OUI[8] assignments reveal the following:
00:00:0c:04:b2:33 Cisco Systems, Inc.
00:00:c0:6b:e9:c6 WESTERN DIGITAL CORPORATION
00:03:e3:d9:26:c0 Cisco Systems, Inc.
The OUI only identifies the manufacturer, not the kind of device, so we cannot break these assignments down any further. However, we learned that we are surrounded by two network devices (the Cisco addresses) and most likely one end system. The Western Digital device is a little strange. The company is known for manufacturing hard drives[25]. However, a search on their Web page indicated that they also build FireWire network interfaces. What we could be dealing with here is a storage area network (SAN). We did not find any further information about this device, and none of the other GCIA practicals had a sound explanation of what it was. We have to leave it at the speculation of it being a SAN.
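The source counts, destination counts and OUI lookup above were done as three separate steps, and the link structure had to be inferred from the marginal totals. The following added example (not code from this practical) does the same work in one place and goes one step further: it parses tcpdump -e lines directly and counts source/destination pairs, so who talked to whom is read off rather than inferred. The sample lines and the embedded OUI table are constructed for the example; the regular expression assumes the two tcpdump -e output shapes named in its comment.

```python
"""Count source/destination MACs and MAC pairs in `tcpdump -nne` output and
label each address with its OUI vendor. Added illustration, not code from
the practical; the tcpdump lines and the OUI table below are constructed."""
import re
from collections import Counter

# One regex for both line shapes (assumption about the two formats):
#   older: "HH:MM:SS.us SRC DST 0800 60: ..."
#   newer: "HH:MM:SS.us SRC > DST, ethertype IPv4 (0x0800), length 60: ..."
_MAC = r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
_LINE = re.compile(r"^\S+\s+" + _MAC + r"\s+(?:>\s+)?" + _MAC + r",?\s")

# Minimal OUI table so the script runs offline; a real run would load the
# IEEE oui.txt. Only the three prefixes discussed on the page are included.
OUI_VENDORS = {
    "00:00:0c": "Cisco Systems, Inc",
    "00:03:e3": "Cisco Systems, Inc",
    "00:00:c0": "WESTERN DIGITAL CORPORATION",
}

# Constructed sample of tcpdump -nne output (not a real capture), mixing the
# older and newer formats plus one non-packet line that must be skipped.
SAMPLE_LINES = [
    "10:00:00.000001 00:00:0c:04:b2:33 00:03:e3:d9:26:c0 0800 60: 10.1.1.1.80 > 10.2.2.2.1025: ...",
    "10:00:00.000002 00:00:0c:04:b2:33 00:03:e3:d9:26:c0 0800 60: ...",
    "10:00:00.000003 00:00:0c:04:b2:33 > 00:03:e3:d9:26:c0, ethertype IPv4 (0x0800), length 60: ...",
    "10:00:00.000004 00:03:e3:d9:26:c0 00:00:0c:04:b2:33 0800 60: ...",
    "10:00:00.000005 00:03:e3:d9:26:c0 > 00:00:0c:04:b2:33, ethertype IPv4 (0x0800), length 60: ...",
    "10:00:00.000006 00:03:e3:d9:26:c0 > 00:00:0c:04:b2:33, ethertype IPv4 (0x0800), length 60: ...",
    "10:00:00.000007 00:03:e3:d9:26:c0 00:00:0c:04:b2:33 0800 60: ...",
    "10:00:00.000008 00:03:e3:d9:26:c0 > 00:00:c0:6b:e9:c6, ethertype IPv4 (0x0800), length 98: ...",
    "10:00:00.000009 00:03:e3:d9:26:c0 00:00:c0:6b:e9:c6 0800 98: ...",
    "reading from file /tmp/sans, link-type EN10MB (Ethernet)",
]


def parse_macs(line):
    """Return the (src, dst) lower-cased MAC pair of a packet line, else None."""
    m = _LINE.match(line)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower()


def count_traffic(lines):
    """Return (src_counts, dst_counts, pair_counts) as Counters.

    The pair Counter is what `awk '{print $2}'` and `awk '{print $4}'`
    cannot give on their own: the traffic matrix between addresses.
    """
    src, dst, pairs = Counter(), Counter(), Counter()
    for line in lines:
        pair = parse_macs(line)
        if pair is None:
            continue  # banner lines, truncated output, non-Ethernet frames
        src[pair[0]] += 1
        dst[pair[1]] += 1
        pairs[pair] += 1
    return src, dst, pairs


def vendor(mac):
    """Vendor for the 24-bit OUI prefix, or 'unknown' if not in the table."""
    return OUI_VENDORS.get(mac[:8].lower(), "unknown")


def talkers(pairs):
    """Edges of the link graph as (src, dst, count), busiest first."""
    return sorted(((s, d, n) for (s, d), n in pairs.items()),
                  key=lambda e: -e[2])


if __name__ == "__main__":
    src, dst, pairs = count_traffic(SAMPLE_LINES)
    for mac in sorted(set(src) | set(dst)):
        print(f"{mac}  sent={src[mac]:>3}  received={dst[mac]:>3}  {vendor(mac)}")
    for s, d, n in talkers(pairs):
        print(f"{s} -> {d}: {n}")
```

On a real capture the lines would come from `tcpdump -nnelr <file>` piped into the script; the per-pair table then shows directly that a device only receives traffic, and from whom, instead of that being reconstructed by subtracting marginal counts.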