Fetch application sessions from pcap data
o dnstop: Display tables of DNS traffic from pcap data
o sancp: Security Analyst Network Connection Profiler
o tcpstat: Network interface statistics reporting tool
o rumint: Network visualization tool for live or recorded pcaps
o xplico: Network forensic tool
o arpalert: Monitor ARP changes in Ethernet networks
o tcpick: TCP stream sniffer and connection tracker
o labrea: A "sticky" honeypot and IDS
o etherape: Graphical network monitor modeled after etherman
Orion Incident Response Live CD
Additionally, custom scripts, documentation, and templates have been written and are located in the directory /orion/ in the Orion file system.
6. Using Orion
Although Orion can be used merely as a collection of tools, the intent is to enforce a consistent workflow. Orion helps the incident responder determine which workflow is appropriate, sets it up, and then encourages its use.
Orion is built around the idea that the team may grow beyond the initial responder. The first (or lead) responder takes the title “alpha”. Subsequently added team members take the titles bravo, charlie, delta, and so on. This is useful for several reasons. First, in a need-to-know environment, the titles can be used to obfuscate the identities of the parties involved. Second, it sets an expectation of consistency: handler alpha is always the initial and primary responder.
In the degenerate case, alpha is the only responder and Orion is not used for team collaboration. Even then, secure communication channels can still be created when needed, and the workflow features of Orion remain available. Orion also carries a very complete set of analysis and response tools, so even as a standalone system it holds its own.
John Jarocki, email@example.com