Networking

Transmission Control Protocol (TCP)

DARPA Internet Program Protocol Specifications

A connection progresses through a series of states during its lifetime. The states are: LISTEN, SYN-SENT, SYN-RECEIVED, ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT, and the fictional state CLOSED. CLOSED is fictional because it represents the state when there is no TCB, and therefore, no connection. If a port is in any other state than CLOSED then the port is open and in use. Briefly the meanings of the states are:

• LISTEN - represents waiting for a connection request from any remote TCP and port.
• SYN-SENT - represents waiting for a matching connection request after having sent a connection request.
• SYN-RECEIVED - represents waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
• ESTABLISHED - represents an open connection, data received can be delivered to the user. The normal state for the data transfer phase of the connection.
• FIN-WAIT-1 - represents waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent.
• FIN-WAIT-2 - represents waiting for a connection termination request from the remote TCP.
• CLOSE-WAIT - represents waiting for a connection termination request from the local user.
• CLOSING - represents waiting for a connection termination request acknowledgment from the remote TCP.
• LAST-ACK - represents waiting for an acknowledgment of the connection termination request previously sent to the remote TCP (which includes an acknowledgment of its connection termination request).
• TIME-WAIT - represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.
• CLOSED - represents no connection state at all.

IPv4 Address Classes

• Class A(1-127.0.0.0): The first bit is zero and the next seven bits define the network. The last 24 bits, the last three octets define the hosts.
• Class B (128-191.x.0.0): The first two bits are 1 and 0 (zero). The next 14 bits; the remaining six bits of the first octet and the entire second octet, define the network. The last sixteen bits define the hosts.
• Class C (192-223.x.x.0): The first three bits are 1 - 1 - 0 (zero). The next 21 bits; the remaining five bits of the first octet and the next two octets (sixteen bits), define the network. The remaining eight bits define the hosts.
• Multicast (224-239.0.0.0): The first four bits are 1 - 1 - 1 - 0 (zero).
• Reserved (240-255.0.0.0): The first four bits are 1 - 1 - 1 - 1.
• IPv4 address blocks reserved for Documentation
• Subnet Mask Cheat Sheet
• Wikipedia - List of well known port numbers

IPv4 Private Address Space

• Class A (10.0.0.0-10.255.255.255): 8bit mask and a 24bit address space. CIDR (sbunet mask): 10.0.0.0/8 (255.0.0.0)
• Class B (172.16.0.0-172.31.255.255): 12bit mask and 20bit address space. CIDR (subnet mask): 172.16.0.0/12 (255.240.0.0)
• Class C (192.168.0.0-192.168.255.255): 16bit mask and 16bit address space. CIDR (subnet mask) 192.168.0.0/16 (255.255.0.0)

IPv4 Addresses Reserved for Documentation

• 192.0.2.0/24 (TEST-NET-1)
• 198.51.100.0/24 (TEST-NET-2)
• 203.0.113.0/24 (TEST-NET-3)

Test Web Reputation

To test the web reputation service you need a test web site that will simulate various scores. I use these winshipway sites provided by Trend Micro. for that purpose.

• https://wrs21.winshipway.com/with WRS score 21
• https://wrs31.winshipway.com/ with WRS score 31 
  
• https://wrs41.winshipway.com/ with WRS score 41
• https://wrs51.winshipway.com/ with WRS score 51
• https://wrs61.winshipway.com/ with WRS score 61
• https://wrs71.winshipway.com/ with WRS score 71
• https://wrs81.winshipway.com/ with WRS score 81
• https://wrs91.winshipway.com/ with WRS score 91

Trend Micro products block sites if its score is equal or less than the threshold values (High, Medium, Low).

• High - 80 
• Medium - 65 
• Low - 50 

URLs with a score of 80 or above are considered safe sites. URLs with a score of 50-79 are either unrated and/or suspicious. URLs with a score of 49 or below are known malicious sites.

A new player in web reputation testing is  https://wicar.org.  There you will find samples files to download that will test your client's ability to block certain threats.

C&C Callback

A URL, provided by Trend Micro, used to simulate a Command and Control callback. https://ca91-1.winshipway.com

Test Virus Scanning Tools

A Knowledge Base article from Trend Micro on available anti-malware tools and a brief description. KB article on free anti-malware tools

Trend Micro provided a good article on the definition of Ransomware.

Testing Outbreak Prevetion

A former co-working provide me this PowerShell script to simulate a malware outbreak. It generates 500 Eicar files in a C:\test directory. It may be useful to someone. Just pop this in powershell to generate outbreak alerts and 500 detections at once!

• What is my IP?
• MX Toolbox
• VeraCrypt personal file/directory encryption software.

Testing Data Loss Prevention

The data loss prevention test site, listed below, provides some good test files in various formats: PDF, XLS, and CSV, and is various sizes in order to test your DLP engine. The test data includes files containing the following data types:

• Name
• U.S. Social Security Number
• Data of Birth (mm/dd/CCYY format)
• Credit Card Numbers
• U.S. Postal Codes
• Email Addresses.

Perl Regular Expressions

• Perl Compatible Regular Expressions man page
• REGEX101 a REGEX tutorial and testing site

Compromise Indicators

• IOC Bucket
• MITRE ATT&CK
• Writing STIX content
• Homeland Security Systems Engineering and Development Institute HS SEDI STIX XML Tutorial