Orion Incident Response Live CD
Figure 21: tcpick detects a telnet attempt
Orion also provides a script called rain (realtime audible indicator notification) that watches logs for interesting activity and uses the espeak (eSpeak: Speech Synthesizer, 2010) voice synthesizer to alert the responder. This lets the responder concentrate on the task in progress without switching windows to keep a visual eye on the logs. The rain tool is currently very crude, but it is effective at getting the responder’s attention and can be extended as needed.
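The watcher below is an added illustration of the pattern rain implements, not Orion's own script: it classifies log lines against a small rule table and hands each hit to espeak when the binary is present, otherwise printing the alert. The rules, the phrasing of the spoken alerts, and the sample syslog lines are all constructed for this example; the real rain script's matching rules are not described on the page.

```python
"""Minimal audible log watcher in the style of Orion's rain script (illustrative)."""
import re
import shutil
import subprocess
import time
from typing import Iterable, Iterator, List, Optional, Pattern, Tuple

# Assumed rules (not rain's real ones): (compiled regex, spoken-phrase template).
# Template placeholders are filled from the regex's capture groups.
ALERT_RULES: List[Tuple[Pattern[str], str]] = [
    (re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)"),
     "failed login for {0} from {1}"),
    (re.compile(r"sudo:.*COMMAND=(\S+)"),
     "sudo command {0}"),
    (re.compile(r"telnet", re.IGNORECASE),
     "telnet activity detected"),
]

# Constructed sample syslog lines (hosts and addresses are documentation values).
SAMPLE_LOG = [
    "Mar  3 10:01:22 host sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "Mar  3 10:02:07 host sshd[2230]: Failed password for invalid user admin from 192.0.2.44 port 40122 ssh2",
    "Mar  3 10:03:15 host sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/tcpdump -i eth0",
    "Mar  3 10:04:40 host tcpick: telnet connection 192.0.2.44:3120 -> 10.0.0.7:23",
]


def classify_line(line: str) -> Optional[str]:
    """Return the spoken alert for the first matching rule, or None if the line is benign."""
    for pattern, template in ALERT_RULES:
        match = pattern.search(line)
        if match:
            return template.format(*match.groups())
    return None


def scan_lines(lines: Iterable[str]) -> List[str]:
    """Classify a batch of lines and keep only the alerts, in log order."""
    return [alert for alert in (classify_line(line) for line in lines) if alert]


def speak(text: str) -> bool:
    """Voice the alert with espeak if installed; fall back to stdout. Returns True if spoken."""
    espeak = shutil.which("espeak")
    if espeak is None:
        print(f"[rain] {text}")
        return False
    subprocess.run([espeak, text], check=False)
    return True


def follow(path: str, poll_seconds: float = 0.5) -> Iterator[str]:
    """Yield lines appended to a log file as they arrive (a tail -f equivalent)."""
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        handle.seek(0, 2)  # start at the current end so old entries are not re-alerted
        while True:
            line = handle.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(poll_seconds)


if __name__ == "__main__":
    # Stand-alone demo over the constructed lines; to watch a live file instead,
    # replace SAMPLE_LOG with follow("/var/log/auth.log").
    for alert in scan_lines(SAMPLE_LOG):
        speak(alert)
```

Rule order matters: the first matching rule wins, so put specific rules (failed logins, sudo) ahead of broad keyword rules such as the telnet match. Seeking to the end of the file before the loop avoids re-announcing history when the watcher restarts.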
Currently Orion’s containment capabilities are very rudimentary. Dug Song’s tools tcpnice and tcpkill are included; tcpnice slows down TCP sessions (using window size adjustments, among other techniques) and tcpkill terminates them (using reset packets). The labrea tarpit tool, by Tom Liston, is also installed in Orion.
Orion comes pre-installed with malware analysis tools that run natively in Linux, as well as Windows tools installed under the WINE framework. Because of the inherent danger of analyzing live malware, the recommended use of Orion in this role is to create a separate installation of Orion, preferably virtualized with the ability to create and restore snapshots. The analyst can then use his or her primary Orion system to remotely access the malware analysis system via the desktop sharing, data acquisition, and other tools provided in both Orion installations.