Presentation on theme: "F3 Collecting Network Based Evidence (NBE) Dr. John P. Abraham Professor UTPA."— Presentation transcript:
F3 Collecting Network Based Evidence (NBE) Dr. John P. Abraham Professor UTPA
NBE Proactive –To prevent attacks Reactive –Attack already happened. Collect –Full content data –Session data –Alert data –Statistical data
Full Content Data Similar to recording all conversations of suspects. Collecting all computer activities. Intercept all packets and record. Takes a lot of disk space. Takes a lot of time for analysis Beyond the means of most organizations to collect full content data. Usually this is not done.
Session Data Similar to recording one conversation between suspects. Also retrieve phone company records for a summary of all conversations. You can get a summary of sessions with date and time, from source and destination addresses and how it was terminated.
Alert Data Analyzing NBE for a predefined items of interest. For example, when a particular pair of source/destination addresses are encountered. Programmed to recognize bit patterns. It might trigger a precursor to an attack. Similar to a red light going off when a particular word is heard, such as OSAMA.
Statistical data Similar to time of the day of the regular calls between subjects, duration, etc. Most active IP addresses, ports, data length, etc.
A standard Intrusion scenario Example –Reconnaissance. Preliminary examination before an attack. Validate address and connectivity, enumerate services, and check for vulnerable versions of software. –Reinforcement. Download attack tools. Attempt to elevate privileges at the target, perhaps using a backdoor. –Consolidation. Use someone else’s IP address to connect to the victim. Or have the victim connect to a chat, and enter through that. –Pillage. Steal info. Damage computer, etc.
Using full content data Data collected using network security monitoring. By collecting every packet you could have a complete record of intruder’s actions, unless the intruder used encryption. The following questions could be answered: –Is the web server compromised? –What info was lost. –Where did the intruder go to get the info. –Find the backdoor
Using session data Sessions data is a summary of conversations. Easiest form of data to understand and manipulate because packets are not collected nor examined. Scanmap3d is a visualization software for session data, available:http://scanmap3d.sourceforge.net/ –Scanmap3d is a JAVA program, written as a concept demonstration for visualisation of network intrusion detection information. The program reads information from a MySQL database and produces a 3D map of network traffic. The visualisation is very useful for intrusion detection or network troubleshooting. The code is now in a stable enough state to be useful in analysing tcpdump/snort data within a mysql database.
Session data provides answers Is the web server compromised? You can view suspicious connections. Usual web requests are inbound connections. Suspicious are outbound connections. Also using ports other than 80. Did the intruder visit other machines using the webserver? You can get this information from the sessions data. Is the intruder present now? How frequent are the visits?
Using Alert Data Intrusion detection system is a device or application used to inspect all network traffic and alert the user or administrator when there has been unauthorized attempts or access. The two primary methods of monitoring are signature-based and anomaly-based. Depending on the device or application used, the IDS can either simply alert the user or administrator or it could be set up to block specific traffic or automatically respond in some way. Signature-based detection relies on comparison of traffic to a database containing signatures of known attack methods. –Good to determine if the system was scanned.
Using Statistical Data Information on unusual ports or protocols, amount of traffic, etc.
Data Collection Hubs. Forwards to all ports, a monitoring station can detect all packets. Operates under half duplex, so the speed suffers, perhaps can get about 60Mbps. Place it between the router and the next device (switch, firewall, etc). Taps. More expensive. Works the same way, with improved speed. Bridges. You can use a computer with two network ports, bridged to do the same as a tap. Switched port analyzer. Set a port as a mirror port
Collecting and Storing Traffic Full content data tools: is the standard packet capture program. Use the program libpcap to make copies of traffic. For PCs may use wincap.org/windump or winPcap.orgwww.tcpdump.org For analyzing, use and to view graphically, use There are freeware available to search in a dump.
Session Data tools Download argus from several versions available. –Operates in live or batch mode. is designed to interpret traffic in batch mode.www.tcptrace.org Tcpflow from circlemud can work with full content data and it can rebuild the contents of individual sessions.