Nifty new context aware packet filters in Unsniff Network Analyzer

We observed a very common pattern among users of Unsniff as well as Wireshark: most of the time, display filters were built from some combination of the 5-tuple (source and destination address, source and destination port, protocol) of a TCP or UDP packet. This covered over 90% of the cases, so we decided to work on a nifty solution.

A context aware packet filter.

  • Right click on any packet to bring up a “Pull out packets” menu with automatic filter choices.
  • Select a choice to pull out only matching packets into a new capture file window.
  • Unsniff also has “invert” choices. Use them if you want to only select packets NOT matching the selected criteria.

Now, you can zip through capture files effortlessly and narrow down your analysis data.


Start saving time and energy while perusing packet captures. Download the latest version of Unsniff Network Analyzer


Some screenshots follow.

Automatic filters based on currently selected packet

and the inverted filter

Pull out packets NOT matching these criteria into a new capture window

More exciting news about Unsniff Network Analyzer coming soon.

Trisul Automation : How to save packet context for all IDS alerts

One of the key challenges in an alert-centric deployment of NSM (Network Security Monitoring) is getting context around an alert. The current crop of tools lets you click around and accomplish the task, but only with human intervention. In this quick post, we will see how you can automate Trisul to do this by machine. Of course, you need a human to write the script, but once the script is written it is let loose on the existing data stores mechanically. Over time, the scripts are refined to include other kinds of context. This represents the intellectual property of your security team.

So the problem is this:

Write a script that gives me a single PCAP containing all packets in all flows that generated a Snort or Suricata IDS alert of Priority 1 today.

In this simple example, the context of the alert is the whole flow that generated that alert.

Flow Tagging

The trick is to create a Trisul flow tagger that marks each flow with the priority of the alert. Refer to the documentation for how to create flow taggers. Once you have the flow taggers set up, each flow is marked with the text tag IDS and a priority tag sn-1, sn-2, ... (the prefix "sn-" stands for Snort but is also used for Suricata priorities). Once this is done, flows with alerts look like the following:

See tags on right side

Retrieving the alert context

By clicking on Alerts -> IDS you can view alerts by signature. In the screenshot below, we have about 477 Priority 1 (Red) alerts. Our challenge is to retrieve the PCAPs of the entire flows that generated these 477 alerts.

Overview of alerts, colored by Priority

The Ruby script

We use the Ruby language and the Trisul Remote Protocol (TRP) for our little script. The entire script save_pcap.rb (about 80 lines, mostly comments) can be found on the Trisul Scripts GitHub sample page. The script is well documented, but let us look at the main parts.

1. Open an SSL connection to the Trisul server using a client cert

2. Retrieve all flows in the past 24 hours with the tag "sn-1"

The TRP command QUERY_SESSIONS_REQUEST is used to find flows by any attribute such as IP, port, subnet, tags, etc. [Documentation]

3. Use a FilteredDatagrams command to get all packets in matching flows

Finally, collect all the session IDs and ask for a single PCAP containing the packets of every one of them.

Extend this for more context?

You can easily extend these scripts to retrieve "surrounding context". For example, after you have the session IDs from the Query Sessions call (Step 2), you can ask for PCAPs of all flows involving those IPs within a 3 minute window. You would then fire off additional QuerySessions requests and collect the results together.


Even though packets are retrieved by flow, the Trisul engine interleaves the packets correctly in time order. So what you are left with is a usable PCAP file that you can run a deeper analysis on. We are running this script as a cron job every night in our office environment. It takes about 10-12 minutes to run, but the results are amazing.


Every one of the flows in the resultant PCAP file will generate a Priority 1 alert when run through Snort or Suricata.

Now, that's a pretty evil PCAP file!

TLS 1.2 support in new build of Unsniff Network Analyzer

TLS1.2 support available in Unsniff Network Analyzer

We are pleased to announce the availability of TLS 1.2 analysis and decryption in the latest builds of Unsniff Network Analyzer.

The main changes are:

  • Change in the way the PRF (Pseudo Random Function) works in TLS 1.2
  • Addition of SHA256
  • Change in the way the IV (Initialization Vector) is derived for block ciphers such as AES-256-CBC
  • Currently we support the AES suites such as TLS_RSA_WITH_AES_256_CBC_SHA256
  • DHE ciphers are also supported by directly entering the master secret

TLS 1.2 support in Unsniff Network Analyzer 1.8.1542
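As an added example (not Unsniff's code), the three protocol changes listed above carried through in Ruby using only the OpenSSL stdlib: the TLS 1.2 PRF built on a single HMAC-SHA256 stream (RFC 5246 section 5), the master secret and key block derivation for TLS_RSA_WITH_AES_256_CBC_SHA256, and the explicit per-record CBC IV that replaces the IV once derived from the key block. Key and random values in the usage are constructed.

```ruby
require 'openssl'

# TLS 1.2 PRF (RFC 5246 section 5): PRF(secret, label, seed) = P_SHA256(secret, label + seed).
# One HMAC-SHA256 stream replaces the split MD5/SHA-1 construction of TLS 1.0/1.1.
def p_sha256(secret, seed, length)
  out = String.new(encoding: Encoding::BINARY)
  a = seed                                           # A(0) = seed
  while out.bytesize < length
    a = OpenSSL::HMAC.digest('SHA256', secret, a)    # A(i) = HMAC(secret, A(i-1))
    out << OpenSSL::HMAC.digest('SHA256', secret, a + seed)
  end
  out.byteslice(0, length)
end

def tls12_prf(secret, label, seed, length)
  p_sha256(secret, label + seed, length)
end

# master_secret = PRF(pre_master_secret, "master secret", client_random + server_random)[0..47]
def derive_master_secret(pre_master_secret, client_random, server_random)
  tls12_prf(pre_master_secret, 'master secret', client_random + server_random, 48)
end

# Key block layout for TLS_RSA_WITH_AES_256_CBC_SHA256: 32-byte SHA-256 MAC keys and
# 32-byte AES-256 keys per direction. No IVs are derived: since TLS 1.1 the CBC IV is
# carried explicitly in each record, so the TLS 1.0 derived-IV step is gone.
KEY_LAYOUT = { client_write_mac_key: 32, server_write_mac_key: 32,
               client_write_key: 32, server_write_key: 32 }.freeze

def derive_key_block(master_secret, client_random, server_random)
  # Note the reversed order (server_random first) for key expansion.
  block = tls12_prf(master_secret, 'key expansion', server_random + client_random,
                    KEY_LAYOUT.values.sum)
  offset = 0
  KEY_LAYOUT.each_with_object({}) do |(name, len), keys|
    keys[name] = block.byteslice(offset, len)
    offset += len
  end
end

# Decrypt one TLS 1.2 AES-256-CBC record fragment: the first 16 bytes are the explicit IV.
# Returns the plaintext with MAC and TLS padding still attached; verifying them is the caller's job.
def decrypt_cbc_fragment(write_key, fragment)
  cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
  cipher.key = write_key
  cipher.iv = fragment.byteslice(0, 16)
  cipher.padding = 0
  cipher.update(fragment.byteslice(16, fragment.bytesize - 16)) + cipher.final
end
```

A decrypter only needs the master secret plus the two randoms from the ClientHello/ServerHello to run derive_key_block, which is why entering the master secret directly works for DHE suites where the pre-master secret never crosses the wire.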

Other changes

  • The Session ID is shown differently: we show the first and last digits so it is easier for you to search your application logs for the master secret
  • A help dialog box has been added that helps you convert between the PKCS12, PEM and PKCS8 formats

We will be adding other ciphers such as the AES-GCM mode soon. We encourage users to give feedback about how they are using Unsniff. Specifically, we'd like to know the following when working with DHE suites aided by application logging of the master secrets.

  • It is extremely tedious to search for Session ID matches against the master secret. How do you log the master secrets?
  • Would you like the ability for Unsniff to automatically match the master secrets with the Session ID? This could take some work. Is this useful?


Stay tuned as we announce the next build which will have the AES-GCM support.

Head on over to the Downloads page to get the latest Unsniff Network Analyzer free download.