Thoughts on Network and Security Monitoring
Of late I have been seeing a good number of Unbrowse SNMP customers using SNMPv3 INFORM messages. This is pleasantly surprising because I had written off this baby as being too complex to setup.
Here is an article explaining how to set up Unbrowse SNMP to receive and respond to SNMPv3 INFORM messages. It covers both the cases of provisioned Engine ID (like Cisco) and Engine ID discovery.
—
The following software updates are also available for download
So what is Trisul Network Metering and Forensics ?
Here is the Trisul login screen, I especially liked it because it captured the zen of network security monitoring so effectively.
We observe
Now imagine, we are asked to keep tabs on what types of cars went by, which semi trucks are suspiciously overloaded, which cars make unusual trips ? This is roughly what we are asking of network security monitoring.
Trisul approaches NSM from a traffic monitoring centric position. You can contrast that with Sguil that approaches from an alert centric position.
Lets deep dive into Trisul in the next few posts.
Lately, we are working with Netflow quite a bit for our upcoming release of Trisul Network Metering. Here is a tiny script we find invaluable while looking at network captures containing Netflow traffic.
Often while troubleshooting issues we need to look at the raw Netflow records.
For example : You may want to see all the Netflow records sent for IP = 10.22.1.29
Display filters wont get you far because you will still be left with individual packets. These packets themselves can contain dozens of records of which only one or two match.
We turned to Unsniff Scripting and wrote a simple Ruby script that allows you to query for netflow records matching any field value. We use this script heavily for our internal testing and wish to share it on the blog.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 |
# ------------------------------------------------------------------ # nfquery Print matching netflow records # ------------------------------------------------------------------ require 'win32ole' USAGE = "nfquery <capture-filename> <fieldname>=<value>" EXAMPLE = "nfquery c:\temp\nfcap.usnf SrcAddress=209.209.1.200" if ARGV.length != 2 puts USAGE exit 1 end # Set up input InputFile = ARGV[0] UnsniffDB = WIN32OLE.new("Unsniff.Database") QueryFieldName = ARGV[1].split('=')[0] QueryFieldValue = ARGV[1].split('=')[1] # Open capfile and get packet index UnsniffDB.OpenForRead(InputFile) PacketIndex = UnsniffDB.PacketIndex # Scan each packet looking for netflow protocol id (0..PacketIndex.Count-1).each do |idx| pkt = PacketIndex.Item(idx) nf_layer = pkt.FindLayerByGUID("{DF2428E1-4843-48CF-B7DD-CCC9E5AE4BC1}") next if nf_layer.nil? pdu_count=nf_layer.FindField("Count").Value.to_i (0..pdu_count-1).each do |pduidx| nf_pdu = nf_layer.FindField(">NetflowRecord>pdu[#{pduidx}]") next if nf_pdu.nil? target_field=nf_pdu.FindField(QueryFieldName) if target_field.Value == QueryFieldValue duration_ms = nf_pdu.FindField("End Time").Value.to_i - nf_pdu.FindField("Start Time").Value.to_i s_ip = nf_pdu.FindField("SrcAddress").Value d_ip = nf_pdu.FindField("DstAddress").Value s_port = nf_pdu.FindField("SrcPort").Value d_port = nf_pdu.FindField("DstPort").Value octets = nf_pdu.FindField("Octets").Value proto = nf_pdu.FindField("Protocol").Value print pkt.ID.to_s.ljust(6) + " " [s_ip,d_ip,s_port,d_port,octets,proto,duration_ms].each do |item| print item.to_s.ljust(16) + " " end print "\n" end end end UnsniffDB.Close() |
To use this script.
1. Import the capture file in tcpdump format into Unsniff (or capture off a live interface)
2. Save the file as USNF format
3. Start querying using the script
More :