# Network Black Box



## Phishfry (Jul 5, 2017)

I read security researchers use a black box to rewind attacks.

What would it take to build an open-source version? A network sniffer with alerts.
I guess you would have to retain packets as well for 'rewind'?
Some sort of transparent bridge behind the firewall?

Is this just security researchers with honeypots or does industry use them as well?

What kind of programs would you use for a homebrew version? Tools like Tripwire?


----------



## leebrown66 (Jul 5, 2017)

Speaking to your last point, I would employ net/tcpdump and either net-mgmt/tcpreplay or net/bittwist (I have not personally used the last two).

Put a host in between your two points of interest, bridge two NICs and capture all network traffic on that bridge.  Stop capture, replay capture file (I'm sure it's not really going to be that easy though).


----------



## Phishfry (Jul 6, 2017)

I wonder what the ntop solution costs:
http://www.ntop.org/products/traffic-recording-replay/n2disk/


----------



## leebrown66 (Jul 6, 2017)

Phishfry said:


> I wonder what the ntop Ubuntu 12.02(?) solution costs:
> http://www.ntop.org/products/traffic-recording-replay/n2disk/


https://shop.ntop.org/cart.php
(I am not in any way affiliated, etc.)


----------



## SirDice (Jul 6, 2017)

Phishfry said:


> Tools like Tripwire?


Tripwire only works on files. It basically keeps a database of hashes of all files and compares them at set times. Any file that has a different hash than the one stored in the database has been modified and Tripwire alerts you to this.
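To make the hash-database idea concrete, here is an added example (not from the thread or from Tripwire itself) of the same check in miniature: hash every file under a directory, store the hashes, and on a later run report anything modified, added or removed. The directory tree, file contents and the `baseline.json` name are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_db(root: str) -> dict:
    """Hash every regular file under root, keyed by path relative to root."""
    base = Path(root)
    return {str(p.relative_to(base)): hash_file(p)
            for p in sorted(base.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Changed hash = modified; new key = added; missing key = removed."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo(root: str = "") -> dict:
    """Constructed walk-through: baseline a small tree, change it, run the check."""
    base = Path(root or tempfile.mkdtemp())
    watched = base / "etc"
    watched.mkdir()
    (watched / "rc.conf").write_text('hostname="bsdbox"\n')
    (watched / "hosts").write_text("127.0.0.1 localhost\n")
    # The hash database lives outside the watched tree; in a real deployment it
    # belongs on read-only media so an intruder cannot rewrite it to match.
    db_file = base / "baseline.json"
    db_file.write_text(json.dumps(build_db(str(watched)), sort_keys=True))
    # Changes a later scheduled run should catch:
    (watched / "rc.conf").write_text('hostname="bsdbox"\nsshd_enable="YES"\n')
    (watched / "hosts").unlink()
    (watched / "motd").write_text("Welcome\n")
    return compare(json.loads(db_file.read_text()), build_db(str(watched)))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` reports `rc.conf` as modified, `motd` as added and `hosts` as removed; a cron job running `compare` against a stored database is the whole of what the "set times" check amounts to.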


----------



## Phishfry (Jul 6, 2017)

Sorry about the ntop.org link. I did not realize it was more of a commercial site. It seems their hardware specs are outdated, using Xeon v2.
Still nice to see what they are using network wise.

So it looks like I need to read up on net/wireshark, security/snort and security/nmap along with net-mgmt/tcpreplay and net/bittwist.
security/suricata also seems like a popular package on pfSense.


----------

