Flowinspect - A Network Inspection Tool


Flowinspect is a network traffic inspection utility. It uses pynids to defragment IP and reassemble TCP packets (UDP is inspected per packet). The resulting flows are inspected with the "re2" module, which supports PCRE-like patterns and case-insensitive, inverted and multiline matching; if re2 is not installed, Python's re module is used as a fallback. Match scope can be limited with BPF expressions, Snort-like offset/depth content modifiers, or flags that cap the number of packets/streams inspected. Flows can be logged to files in addition to being dumped on stdout, and a few output modes help with further analysis.



  1. Flowinspect - A Network Inspection Tool
     Ankur Tyagi (@7h3rAm)
  2. Outline
     ● Understanding Incident Response Requirements
     ● Vision for an Ideal Inspection Tool
     ● Introducing Flowinspect as a Viable Solution
     ● Flowinspect: Architecture
     ● Real-World Use Case Scenarios
     ● Future Goals
  3. Understanding Incident Response Requirements
     ● You have been called to investigate an incident
     ● You analyze evidence and find traces of malware
     ● You want to know:
       – Who were the actors?
       – What did they talk about?
       – What secrets did they share?
       – Which other hosts were compromised?
  4. Understanding Incident Response Requirements
     ● Immediate response requires data
     ● Data from the exploit, payload delivered, C&C channel, etc.
     ● Tools like Wireshark, tcpdump, ngrep and flowgrep are helpful
     ● But they all have a few shortcomings
     ● Many are flow/stream agnostic and lack inspection features
  5. Understanding Incident Response Requirements
     ● Tcpdump/Wireshark – Packet sniffing and comprehensive protocol decoding
     ● Ngrep/Flowgrep – Packet sniffing and regex matching over L4 packets and streams, respectively
     ● How about network shellcode detection?
     ● How about malware identification and extraction from network flows?
     ● None of the above tools address these requirements
  6. Vision for an Ideal Inspection Tool
     ● Malware identification via signatures
     ● Shellcode emulation/detection
     ● Extraction of matching flows to files
     ● Match statistics (direction, offset, depth, size, packet #)
     ● Snort-like content modifiers (offset/depth)
     ● Pcap generation for matching flows
     ● TCP reset for matching flows
  7. Introducing Flowinspect as a Viable Solution
  8. Introducing Flowinspect as a Viable Solution
     ● IP defragmentation and TCP reassembly extract data into stream buffers
     ● Multiple inspection modes – regex, fuzzy string, Yara, shellcode detection
     ● Inspection happens over the layer 4 payload and as such is immune to fragmentation attacks
     ● Matching flows are dumped via (a combination of) output modes for lateral analysis
  9. Flowinspect: Architecture
     ● Has 3 modules: input, inspection, and output
       – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters
       – Inspection: regex, fuzzy, yara, shellcode
       – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
  10. Flowinspect: Architecture
  11. Flowinspect: Architecture
  12. Flowinspect: Architecture
  13. Flowinspect: Architecture
  14. Flowinspect: Architecture
  15. Flowinspect: Architecture
  16. Flowinspect: Architecture
  17. Flowinspect: Architecture
  18. Flowinspect: Architecture
  19. Flowinspect: Architecture
  20. Flowinspect: Architecture
  21. Flowinspect: Architecture
  22. Flowinspect: Architecture
  23. Flowinspect: Architecture
  24. Flowinspect: Architecture
  25. Real-World Use Case Scenarios / Demo
  26. Future Goals
     ● Protocol decoders for HTTP, SMTP, POP3, IMAP, etc.
     ● File extraction and hash-based inspection
     ● JavaScript deobfuscation using SpiderMonkey and/or v8
     ● File format characterization for Jar/PDF/Flash/MS Office/ELF/PE/...
     ● Integration with online scanners like VirusTotal, Wepawet, Anubis, Jsunpack, etc.
     ● Open source - new ideas, suggestions and bugfixes are all equally welcome
  27. Credits
     ● Many thanks to the following projects:
       – The Python Community
       – Libnids and Pynids
       – Fuzzywuzzy
       – Yara
       – Libemu and pyLibemu
     ● FOSS community in general
     ● Juniper Networks
  28. Q&A
  29. Thanks for your attention
