4. Types of Network Monitoring
1. Event-based alerts
2. Packet captures
3. Session information
4. High-level statistics
5. Types of Network Monitoring
1. Event-based alerts
• Snort, Suricata, SourceFire, RSA NetWitness
• Require rule sets
• Provide real-time notification
6. Types of Network Monitoring
2. Full Packet Captures
• Can reconstruct everything sent on the network
• Helps to identify scope of data theft
• Capture actions done with interactive shells
• Closely monitor malware communicating with remote sites
7. Types of Network Monitoring
3. Session information
• Header logging
• Can identify connections and addresses
• Cannot reconstruct data transmitted
8. Types of Network Monitoring
4. High-level statistics
• Showing type and number of packets
• Can reveal suspicious patterns, such as abnormally high volumes of traffic
9. Event-Based Alert Monitoring
• Most common type
• Based on rules or thresholds
• Events are generated by Network Intrusion Detection Systems (NIDS)
• Or by software that monitors traffic patterns and flows
• Standard tools: Snort and Suricata
10. Indicators (or Signatures)
• Matched against traffic observed by the network sensor
• Simple indicators
  • Such as IP address + port
  • "Cheap" (small load on sensor)
• Complex indicators
  • Session reconstruction or string matching
  • Can burden the sensor so much it drops packets
11. Example Snort Rule
• This rule detects SSH brute force attacks
• Depth: how many bytes of the packet to read
• Links Ch 9a, 9b
alert tcp $EXTERNAL_NET any -> $HOME_NET 22
  (msg:"INDICATOR-SCAN SSH brute force login attempt";
  flow:to_server,established; content:"SSH-"; depth:4;
  detection_filter:track by_src, count 5, seconds 60;
  metadata:service ssh; classtype:misc-activity;
  sid:19559; rev:5;)
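The rule above combines a cheap content indicator (the string "SSH-" in the first 4 bytes of a client-to-server packet, which is the banner every SSH client sends on a new connection) with a per-source rate limit. The following is an added example, not Snort's code and not from the slides: it re-implements that rate-limiting logic in plain Python over constructed packet events so the firing behaviour can be traced by hand. It follows the Snort manual's description of detection_filter (count matches are allowed in the window; the rule alerts on every further match) and simplifies the window to a sliding one; the Packet class and sample addresses are constructed for the example.

```python
"""Added example: the detection_filter logic behind the SSH brute-force
Snort rule (content "SSH-" at depth 4; track by_src, count 5, seconds 60),
re-implemented in plain Python over constructed events. Not Snort's code."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float          # capture time in seconds (constructed)
    src: str           # source IP, the "by_src" tracking key
    dst: str
    dport: int
    to_server: bool    # flow:to_server -> client-to-server direction
    payload: bytes


def content_match(payload: bytes, needle: bytes, depth: int) -> bool:
    """Snort 'content' with 'depth': only the first `depth` payload bytes are searched."""
    return needle in payload[:depth]


class DetectionFilter:
    """track by_src, count N, seconds S.

    Per the Snort manual, `count` matches from one source are allowed inside
    the window; the filter is exceeded (and the rule alerts) on every further
    match that still falls inside it. Simplification: a sliding window is
    used here instead of Snort's fixed sampling period.
    """

    def __init__(self, count: int, seconds: float):
        self.count = count
        self.seconds = seconds
        self._hits: dict[str, deque] = defaultdict(deque)

    def exceeded(self, key: str, ts: float) -> bool:
        hits = self._hits[key]
        # Drop matches that have aged out of the window.
        while hits and ts - hits[0] >= self.seconds:
            hits.popleft()
        hits.append(ts)
        return len(hits) > self.count


def ssh_brute_force_alerts(packets, count=5, seconds=60):
    """Apply the rule's header, flow, content and rate conditions in order;
    return one alert record per firing."""
    dfilter = DetectionFilter(count, seconds)
    alerts = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.dport != 22 or not p.to_server:
            continue                      # header / flow options
        if not content_match(p.payload, b"SSH-", depth=4):
            continue                      # content:"SSH-"; depth:4
        if dfilter.exceeded(p.src, p.ts):  # detection_filter
            alerts.append({"ts": p.ts, "src": p.src, "dst": p.dst,
                           "msg": "INDICATOR-SCAN SSH brute force login attempt"})
    return alerts


# Constructed sample traffic: each packet is the client banner of a fresh SSH
# connection. 203.0.113.5 opens 7 connections in 30 s; 198.51.100.9 opens one.
SAMPLE = [Packet(ts=100 + 5 * i, src="203.0.113.5", dst="10.0.0.22", dport=22,
                 to_server=True, payload=b"SSH-2.0-OpenSSH_8.9\r\n") for i in range(7)]
SAMPLE.append(Packet(ts=110, src="198.51.100.9", dst="10.0.0.22", dport=22,
                     to_server=True, payload=b"SSH-2.0-PuTTY\r\n"))
# A non-SSH payload to port 22 must not count toward the threshold.
SAMPLE.append(Packet(ts=112, src="203.0.113.5", dst="10.0.0.22", dport=22,
                     to_server=True, payload=b"GET / HTTP/1.0\r\n"))

if __name__ == "__main__":
    for alert in ssh_brute_force_alerts(SAMPLE):
        print(alert)   # fires on the 6th and 7th banner from 203.0.113.5
```

Two things the trace makes visible: the rule counts connection banners, not failed logins (it cannot see authentication results inside the encrypted session), so a legitimate automation host opening many SSH sessions will trip it; and the sensor cost stays low because the content search is bounded by depth:4 and the per-source state is a short timestamp queue.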
12. alert_fast
• Put this in Snort configuration file
• output alert_fast alerts.txt
• Simplest output module for Snort
• Puts text into a file
13. Detect Fake SSL Certificate
• Detects a specific fake certificate used by the APT 1 group identified by Mandiant in 2003
• Written by Emerging Threats
• Matches serial number and Issuer string
• Link Ch 9h
14. Header and Full Packet Logging
• Two distinct purposes
  • To help IR team generate signatures, monitor activity, or identify stolen data
  • Collect evidence for an administrative or legal matter
• Consider whether to treat packet captures as evidence and generate a chain of custody
15. Thoroughness
• IDS systems can retain the full session that generated an alert
• But for targeted collection against specific subjects, use tcpdump or Wireshark
16. tcpdump
• Complete packet capture of an HTTP request
• Limiting capture to 64 bytes captures only the headers (called "trap and trace" by law enforcement)
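The 64-byte figure works because an Ethernet II frame (14 bytes) plus an IPv4 header without options (20) plus a TCP header without options (20) is 54 bytes, which is what makes such a capture equivalent to the session information of slide 7: addresses and ports survive, the transmitted data does not. The following is an added example, not from the slides or from tcpdump: it builds an HTTP request frame in memory, truncates it to a 64-byte snapshot the way a snaplen of 64 would, and parses the snapshot back. The addresses, URL and option bytes are constructed, and checksums are left at zero since only header layout matters.

```python
"""Added example (not from the slides): what a 64-byte "trap and trace"
snapshot preserves. A full Ethernet/IPv4/TCP frame carrying an HTTP request
is constructed, cut to 64 bytes, and parsed back to show that the 5-tuple
survives while the request body (mostly) does not."""
import socket
import struct

SNAPLEN = 64  # the per-packet limit discussed on the slide


def build_frame(src_ip, dst_ip, sport, dport, payload, tcp_options=b""):
    """Construct Ethernet II + IPv4 + TCP + payload (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp_hdr_len = 20 + len(tcp_options)
    assert tcp_hdr_len % 4 == 0, "TCP options must pad to 32-bit words"
    ip_total = 20 + tcp_hdr_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, ip_total, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    data_offset = (tcp_hdr_len // 4) << 4          # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_offset,
                      0x18, 65535, 0, 0) + tcp_options   # 0x18 = PSH|ACK
    return eth + ip + tcp + payload


def parse_snapshot(buf: bytes) -> dict:
    """Parse whatever headers survived in a (possibly truncated) frame and
    report how much application data was actually captured."""
    if len(buf) < 34:
        raise ValueError("snapshot too short for Ethernet + IPv4 headers")
    if struct.unpack("!H", buf[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ihl = (buf[14] & 0x0F) * 4                    # IPv4 header length (options included)
    proto = buf[14 + 9]
    src = socket.inet_ntoa(buf[26:30])            # address fields sit at fixed offsets 12/16
    dst = socket.inet_ntoa(buf[30:34])
    tcp_start = 14 + ihl
    if proto != 6 or len(buf) < tcp_start + 20:
        raise ValueError("TCP header not (fully) captured")
    sport, dport = struct.unpack("!HH", buf[tcp_start:tcp_start + 4])
    data_offset = (buf[tcp_start + 12] >> 4) * 4  # TCP header length (options included)
    flags = buf[tcp_start + 13]
    payload_start = tcp_start + data_offset
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags,
        "header_bytes": payload_start,
        # If options push the headers past the snaplen, nothing of the payload remains.
        "headers_complete": payload_start <= len(buf),
        "payload_captured": buf[payload_start:],
    }


# Constructed sample: a client fetching a file from an internal web server.
HTTP_REQUEST = b"GET /secret-report.pdf HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
FULL = build_frame("10.0.0.5", "10.0.0.80", 51515, 80, HTTP_REQUEST)
SNAPSHOT = FULL[:SNAPLEN]

if __name__ == "__main__":
    print(parse_snapshot(SNAPSHOT))   # 5-tuple intact, payload_captured == b"GET /secre"
```

The caveat a practitioner should carry away: 64 bytes is only "headers" for option-free packets. Real TCP segments commonly carry 12 bytes of options (timestamps padded with NOPs), which pushes the header to 66 bytes; the ports are still readable in the snapshot, but the data offset then points past the end of the capture and the parser reports headers_complete False. Size the snaplen from the data offsets you actually observe rather than from the textbook minimum.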
19. flow-tools and argus
• Open-source
• Convert pcap file (from tcpdump) to Argus format
• Graph all packets > 68 bytes from server1 by port number
24. Simple Method
• Deploy laptops or 1U servers with hardware network taps
• Snort + tcpdump works
• Best if you are setting up monitoring after an incident is detected--fast & easy
25. IDS Limitations
• IDS platforms cannot reliably perform both intrusion detection and network surveillance simultaneously
• If you set an IDS to capture full-content, its effectiveness as a sensor will diminish
27. Hardware
• Difficult to collect and store every packet traversing high-speed links
• Recommended:
  • 1U servers from large manufacturers
  • Linux-based network monitoring distributions
• Linux now outperforms FreeBSD
• For best performance, use NTOP's PF_RING network socket, not the default AF_PACKET interface
28. Before an Incident
• If your organization plans ahead
• Commercial solutions combine Snort-style alerting with storage
29. • From 2021: https://www.esecurityplanet.com/products/best-network-security-tools/
30. Security Onion
• Free Linux distribution, with kernel patches installed (securityonion.net)
• Includes analysis tools
32. Major Network Changes
• May facilitate network surveillance
• Ex: route all company locations through a single Internet connection with MPLS (Multiprotocol Label Switching), not a separate ISP for each office
33. Secure Sensor Deployment
• Place network sensor in a locked room, to maintain chain of custody
• Patch the OS, keep it up to date
• Protect it from unauthorized access
• Document everything
• Review logs
• Use Tripwire to ensure integrity of OS
34. Evaluating Your Network Monitor
• Is it receiving the traffic you want to monitor?
• Is the hardware responsive enough to achieve your goals?
• Create signatures to detect test traffic and test your monitor
  • Such as a nonexistent URL
• Performance metrics in logs will tell you if the sensor is dropping packets
36. General Principles
• Wireshark is excellent
  • Especially with custom decoders, written in Lua or C
• Don't hunt through large packet captures looking for something new
• Limit the scope
• Use targeted queries that follow your leads and answer investigative questions
41. Network-Based Logs
• Server-based logs are files on the individual systems
  • May be altered or deleted by the attacker
• Network-based logs may be more reliable
  • Especially if network devices are physically and electronically secured
42. Log Aggregation
• Log aggregation is difficult because:
  • Logs are in different formats
  • Originate from different operating systems
  • May require special software to access and read
  • May have inaccurate timestamps
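The first and last difficulties on this slide are the ones an analyst hits immediately when lining up a firewall, a web server and a domain controller around one event. The following is an added example, not from the slides or any aggregation product: it normalizes three constructed log lines in three formats (BSD syslog without a year or zone, Apache common log format with a zone offset, ISO 8601 in UTC) to UTC, applies a per-source clock-skew correction, and sorts them into one timeline. The source names, addresses, the assumed year, the fw1 time zone and the 90-second skew of dc1 are all constructed inputs that in practice come from the collection notes.

```python
"""Added example (not from the slides): normalizing heterogeneous log lines
to a single UTC timeline, with per-source clock-skew correction."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines from three sources, each in its own format.
RAW_LOGS = [
    ("fw1", "Mar  7 14:02:11 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.22 DPT=22"),
    ("web1", '10.0.0.5 - - [07/Mar/2023:14:02:13 -0500] "GET /secret-report.pdf HTTP/1.1" 200 51200'),
    ("dc1", "2023-03-07T19:02:12Z dc1 Security 4625 An account failed to log on user=jsmith src=203.0.113.5"),
]

# Constructed collection-time facts about each source (assumptions for the example):
#  - syslog lines carry no year and no zone, so fw1's local zone must be supplied;
#  - dc1's clock was measured 90 s fast against the NTP reference during collection.
SOURCES = {
    "fw1": {"format": "syslog", "tz": timezone(timedelta(hours=-5)), "skew_seconds": 0},
    "web1": {"format": "apache", "tz": None, "skew_seconds": 0},
    "dc1": {"format": "iso8601z", "tz": timezone.utc, "skew_seconds": 90},
}
ASSUMED_YEAR = 2023   # the year of collection; syslog does not record it

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
APACHE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] (.*)$")
ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (.*)$")


def parse_timestamp(source: str, line: str):
    """Return (aware datetime in UTC, message) for a line from `source`."""
    cfg = SOURCES[source]
    if cfg["format"] == "syslog":
        m = SYSLOG_RE.match(line)
        if not m:
            raise ValueError(f"unparsable syslog line: {line!r}")
        mon, day, clock, _host, msg = m.groups()
        naive = datetime.strptime(f"{ASSUMED_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        ts = naive.replace(tzinfo=cfg["tz"])          # attach the source's local zone
    elif cfg["format"] == "apache":
        m = APACHE_RE.search(line)
        if not m:
            raise ValueError(f"unparsable apache line: {line!r}")
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")  # zone is in the line
        msg = m.group(2)
    elif cfg["format"] == "iso8601z":
        m = ISO_RE.match(line)
        if not m:
            raise ValueError(f"unparsable ISO line: {line!r}")
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        msg = m.group(2)
    else:
        raise ValueError(f"unknown format for {source}")
    # Convert to UTC, then remove the measured skew (a fast clock reads ahead).
    utc = ts.astimezone(timezone.utc) - timedelta(seconds=cfg["skew_seconds"])
    return utc, msg


def aggregate(raw_logs):
    """Normalize every (source, line) pair and return one list ordered by UTC time."""
    events = []
    for source, line in raw_logs:
        utc, msg = parse_timestamp(source, line)
        events.append({"utc": utc, "source": source, "raw": line, "message": msg})
    return sorted(events, key=lambda e: e["utc"])


if __name__ == "__main__":
    for e in aggregate(RAW_LOGS):
        print(e["utc"].isoformat(), e["source"], e["message"][:60])
```

With the skew removed, the failed logon on dc1 lands 89 seconds before the firewall drop instead of one second after it, which changes the sequence an analyst would reconstruct; without a documented skew measurement the ordering of the raw timestamps would have been taken at face value.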