Investigations Flashcards
How does a vulnerability scanner find out which systems are vulnerable?
They are signature based.
Meaning they scan devices looking for very specific signatures of known vulnerabilities.
If a vulnerability's signature is not in their database, it won't be reported, and you will get a false negative.
Sometimes a vulnerability cannot be definitively identified; the scanner will give you a heads-up, and you will have to check manually to see whether the system is vulnerable.
What's a dump file?
This is a log file that you can create on demand.
A memory dump file stores everything in the memory of an application of your choice.
You can do this in Windows Task Manager by right-clicking a running process and then clicking "Create dump file".
Commonly used for troubleshooting.
What is syslog?
Syslog is a standard for message logging.
Diverse systems feed into one consolidated log.
A standardized way of consolidating different types of logs together.
Usually sent to a central logging receiver (integrated into the SIEM).
What is “journalctl”?
This is a Linux utility that allows you to read and search log files that are stored in binary format.
The standard format for storing system logs on Linux is binary.
Optimized for storage and queries.
You can't read them with a text editor.
You will need journalctl to read system logs on Linux.
What is bandwidth monitoring? Name a few utilities that can do this.
A way of measuring the percentage of network use over time.
SNMP
NetFlow
sFlow
IPFIX
What is metadata?
Metadata is data that describes other data sources.
For example, the metadata of an email would be:
Header details, destination address, etc.
What is NetFlow? How does it work?
Think traffic statistics: information about how the network normally operates, etc.
This term describes gathering traffic statistics from all traffic flows in your network and all shared communication between devices.
This is usually achieved by having "probe" devices on your network that watch the data and keep statistics, and a "collector", a centralized NetFlow server to which all of the probes send their summary records.
What is IPFIX?
IP Flow Information Export
This is a newer NetFlow-based standard.
It gives us flexible data support and control over what data will be reported to a centralized server.
Same premise as NetFlow but more customizable.
What is sFlow?
Sampled Flow
This is kind of like NetFlow/IPFIX but not technically a flow.
Only a portion (a sample) of the actual network traffic is taken into account for statistics, to try to bring down overhead.
What is a protocol analyzer?
Wireshark is technically one of these.
This is a tricky way of saying packet analyzer.
Please don’t let this fool you.
Basically the same exact thing as a packet analyzer.