addr address anomaly-based IDS method Detection method that looks for traffic activity that falls outside of normal traffic patterns (other methods include signature-based and protocol-based) API Application Programming Interface is an interface that allows software programs to interact with each other. ARP Address Resolution Protocol ASCII American Standard Code for Information Interchange attack signature A characteristic byte pattern used in malicious code or an indicator, or set of indicators that allows the identification of malicious network activities.

Backdoor Program A backdoor program is a means to access or maintain access to an application or system that bypasses security controls. BHO A BHO is a plug-in that runs automatically every time you start your Internet browser. A BHO can do almost anything, but generally, it will have something to do with "helping" you browse the Internet. Toolbars are a common kind of BHO. Boolean Operators Boolean operators are used widely in programming and also in forming database queries. They are logical connectives, like a symbol or word, used to connect two or more entries for search purposes. bot Refers to malicious code that is installed on a computer to take command and control of the computer for the attacker’s own purposes. The controlled computer becomes a zombie, or member of a botnet, which can be used to steal data, host malicious content, and launch other attacks, including worms and viruses, to send spam. Also see botnet. botherder Someone who covertly and illegally controls a network (or botnet) of zombie computers or devices by sending commands to a server. botnet Collection of bots controlled by a bot herder. Also see bot. BPF Berkeley Packet Filter (BPF) expressions specify the types of packets you want to captures on layer two through four header fields. See primititve.

C2 command and control CLI command-line interface Codec Codec is coder-decoder software that compresses (encodes) and decompresses (decode) data, most commonly digital media. Code Injection Code injection in the insertion of custom code, typically malicious, directly into a program, script, or application to be rendered or processed by that application as a method to exploit the victim machine. Computer Browser (NetBIOS) Computer Browser service is the mechanism that collects and distributes the list of workgroups and domains and the servers within them. It provides backward compatibility with computers running earlier versions of Windows that must use NetBIOS over TCP/IP and are not Active Directory–capable. Command Line Options Packet header field that determines whether routers are allowed to fragment a packet into segments. If fragmentation is allowed, then this field also identifies parts of the packet for the receiver. Also called flags. Coreflood From 2001 to 2011, the Coreflood Trojan infected computers running the Windows operating system. It attempted to steal personal data such as banking passwords in an effort to steal money.

Destination Address Provides the IP address of the intended receiver. Dirty Word List A dirty word list is a forensic term describing a list of content a forensic investigator believes is related to a case. DLL Dynamic Link Library DMZ Demilitarized Zone is a perimeter network segment that is logically between internal and external networks. Its purpose is to enforce the internal network’s Information Assurance policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal networks from outside attacks. CNSS 4009 DNS Domain Name System DoD Department of Defense DOS Disk Operating System DSL Digital subscriber line dst destination

Ephemeral ports Ports that are reserved for temporary use by the client end of client-server communications. Also see Well Known ports. eq The equivalent to the double equal sign Exchange Server/Client: The port list includes a conglomeration of ports and services utilized by Microsoft Exchange for the sending and receiving of email messages. EXE "exe" is a filename extension denoting an executable file. It is most commonly identified with Microsoft based systems.

Flags Packet header field that determines whether routers are allowed to fragment a packet into segments. If fragmentation is allowed, then this field also identifies parts of the packet for the receiver. Also called command line options. FTP File Transfer Protocol File Format Attack File format attacks exploit the integrity of a file, and occur when the structure of a file is modified with the intent of adding malicious code.

hacker Unauthorized user who attempts to or gains access to an information system CNSS 4009 header Portion of a data packet or datagram that contains identifying information such as the IP version number and the source and destination addresses. HIDS Host-based Intrusion Detection System. See Host-based IDS. CNSS 4009 host The word "host" followed by an IP address is a primitive that instructs a sniffer to look for packets with that source or destination IP address Host-based IDS IDS that operates on information collected from within an individual computer system. This vantage point allows host-based IDSes to determine exactly which processes and user accounts are involved in a particular attack on the Operating System. Furthermore, unlike network-based IDSes, host-based IDSes can more readily "see" the intended outcome of an attempted attack, because they can directly access and monitor the data files and system processes usually targeted by attacks. CNSS 4009 HTTP Hypertext Transfer Protocol HTTPS Hypertext Transfer Protocol Secure

ID identification ICMP Internet Control Message Protocol IDS Intrusion Detection System. See Intrusion Detection System. CNSS 4009 Internet The Internet is the single, interconnected, worldwide system of commercial, governmental, educational, and other computer networks that share (a) the protocol suite specified by the IAB and (b) the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN). CNSS 4009 Internet Information Service Microsoft-developed web server. intrusion Unauthorized act of bypassing the security mechanisms of a system CNSS 4009 Intrusion Detection System Hardware or software products that gather and analyze information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organizations) and misuse (attacks from with the organizations) CNSS 4009 IP Internet Protocol is a standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks CNSS 4009 IPv4 Internet Protocol version 4 IPv6 Internet Protocol version 6 IPX Internetwork Packet Exchange IRC Internet Relay Chat is a multi-user multi-channel chat system that is neither client nor network specific. ISP Internet service provider

kernel The central module of an operating system. It is the part of the operating system that loads first, and it remains in main memory. Because it stays in memory, it is important for the kernel to be as small as possible while still providing all the essential services required by other parts of the operating system and applications. Typically, the kernel is responsible for memory management, process and task management, and disk management. Keylogger A keylogger is a hardware device or software designed to capture keystrokes input by the user on the keyboard.

LAN local area network Leverage Social Networking Where attackers leverage these trust relationships built on social networks and the relatively open nature of social networking sites to target victims. The targeting can take many forms, but is often accomplished by exploiting an individual trusted by the victim or trying to establish a trust relationship with the victim directly. libpcap Libpcap is a portable C/C++ packet capture (pcap) library that provides the framework for reading and writing data in a standard format for tcpdump. It is used with UNIX-like platforms. Linux A family of operating systems similar to UNIX but composed of open source tools, resources, and software. Load Library The LoadLibrary API is useful for executing malicious code, injecting malicious code into DLLs, and providing access to DLLs. Logical Operators Primitives can be combined with the logical operators "and" "not" and "or" to add another layer of filtering.

MAC address Media Access Control address - the unique identifier for each network assigned to network interface cards by the manufacturer. CNSS 4009 Mariposa The Mariposa botnet was created using the Butterfly bot. The botnet infiltrated about 13 million personal, government, and corporate systems in 190 countries before it was dismantled in December 2009.

network Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices. CNSS 4009 Network-based Intrusion Detection System IDS that detects attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment. CNSS 4009 NIDS Network intrusion detection system

Open Source Readily available and free Open Systems Interconnection (OSI) model Worldwide network communications standard developed by the International Organization for Standardization, or ISO, which conceptualizes a 7-layer approach for connecting dissimilar systems with a set of standards, or protocols, allowing the systems to work together OS Operating system OSI See Open Systems Interconnection model Outside-in security model Security model that uses defenses like firewalls and server hardening in the belief that attacks begin from external actors. The focus is to prevent malicious activity from penetrating the security perimeter and getting inside the network. Not good at defending against malicious client-side activities that result from internal outbound traffic.

packet Smallest building blocks of information on networks, which consist of header fields and data, or payload. patch A patch is a an update to programs and plug-ins to close vulnerabilities before they can be exploited. It's difficult to achieve 100% patch coverage, but missing even one patch could compromise the client machine and assests on the network. PC personal computer pcap Packet capture. A raw packet is a packet that is left in its original, unmodified form as it traveled across the network from client to server. PDF Portable Document Format; most commonly associated with Adobe Acrobat Pivot Pivoting is a technique attackers use to further compromise the network after gaining an initial foothold via one compromised system on that network. port traffic Traffic going to or coming from a specific port. primitive A primitive is a shortcut used in Berekely Packet Filter (BPF) expression to specifying the desired contents of headers you want a sniffer to search for. promiscuous sniffing Method to sniff network traffic where the network interface cards is set to promiscuous mode and intercepts all packets on the network, not just those destined for that host. promiscuous mode Capturing packets using promiscuous mode will capture all traffic arriving at the network interface and requires administrator or root level privileges. protocol Set of rules and formats, semantic and syntactic, permitting information systems to exchange information protocol-based IDS method Detection method that analyzes the protocol activity against standard protocol behaviors (other methods include anomaly-based and signature-based) CNSS 4009

SEO Search Engine Optimization is a collection of techniques used to achieve higher search rankings for a given website. signature Recognizable, distinguishing pattern. See also attack signature. signature-based IDS method Detection method that looks for specific patterns of an attack in the network traffic (other methods include signature-based and anomaly-based) CNSS 4009 SMS Short Message Service SMTP Simple Mail Transfer Protocol Snort A free, open source network intrusion detection and prevention system. Social engineering Social engineering is an attempt to trick someone into revealing information (e.g., a password) that can be used to attack an enterprise. Source Address Provides the IP address of the original sender. src source SSH Secure Shell Sniffers A sniffer is a tool that listens to or "sniffs" the traffic traveling between networked devices. It is also called a packet analyzer or protocol analyzer. Stage 2 Executable The Stage 2 or second stage download occurs after the initial compromise. The initial compromise typically yields code execution capability and then downloads the second stage, which provides more robust and malicious capabilities. Storm Worm A worm that infected 1-10 million computers creating the Storm botnet. It was unique in that it used a combination of vectors (exploits, OS kernel attacks, email links about current disasters) to attack computers. Strings Strings is a tool you can use during a first pass analysis of packet data. This tool searches binary pcap files looking for ASCII printable characters. Example: strings -n 8 file1.pcap

TCP Transmission Control Protocol tcpdump Tcpdump is an open source command-line packet analyzer for Linux and UNIX systems. TCP/IP Transmission Control Protocol/Internet Protocol is the underlying protocol of the Internet, developed by a DoD agency called Defense Advanced Research Projects Agency (DARPA). Also refers to a model of interoperability that conceptualizes a 4-layer framework for connecting dissimilar systems with a set of standards, or protocols, allowing the systems to work together. Also see Open Systems Interconnection model. TCP/UDP Transmission Control Protocol/User Datagram Protocol TDL-4 TDL-4 is a fourth generation variant of the TDSS rootkit (discovered in 2008). It can infect both 32-bit and 64-bit operating systems. TDL-4 encrypts communications between the botnet command and control centers and the infected computers. TFTP Trivial File Transport Protocol TShark TShark is the command-line version of Wireshark. It uses the packet capture filtering mechanism of tcpdump and has some of the analysis capabilities of Wireshark.

WinDump WinDump is an open source command-line packet analyzer for Windows environments. WinPcap WinPcap provides the framework for reading and writing data in a standard format for WinDump. It is based on the libpcap model and Berkeley Packet Filters (BPFs) for UNIX and runs on Win32 and Win64 platforms. Wireshark Wireshark is a free complex protocol analyzer that uses a graphical user interface (GUI) to display analysis results. It can identify header fields for intrusion detection and analyze data payload. It was formerly known as Ethereal. Whitelisting Whitelisting is a technique that allows domains from trusted to untrusted networks or applications and file-types permitted to run on a system. WWW World Wide Web