X hits on this document





31 / 47

Orion Incident Response Live CD


Figure 21: tcpick detects a telnet attempt

Orion also provides a script called rain (realtime audible indicator notification) that looks for interesting activity in logs and uses the espeak (eSpeak: Speech Synthesizer, 2010) voice synthesizer to alert the responder. This allows the responder to focus on tasks in progress without having to switch windows to visually keep track of logs. The rain tool is currently very crude, but it can be effective to get the responder’s attention and can be extended as needed.

8. Containment

Currently Orion’s containment capabilities are very rudimentary. Dug Song’s tools tcpnice and tcpkill, which slow down TCP sessions (using window size adjustments, et al.) and terminate them (using reset packets), respectively, are included. The labrea tarpit tool, by Tom Liston, is also installed in Orion.

9. Analysis

Orion comes pre-installed with malware analysis tools that run natively in Linux, as well as Windows tools that have been installed in the WINE framework. Because of the inherent danger of analyzing live malware, the recommended use of Orion in this role is to create a separate installation of Orion – preferably virtualized with the ability to create and restore snapshots. The analyst can then use his or her primary Orion system to remotely access the malware analysis system via the desktop sharing, data acquisition, and other tools provided in both Orion installations.

John Jarocki, john.jarocki@gmail.com

Document info
Document views114
Page views115
Page last viewedFri Oct 28 23:39:39 UTC 2016