This document discusses types of network monitoring including event-based alerts, packet captures, session information, and high-level statistics. It provides details on each type, such as common tools used and the information that can be obtained. It also covers topics like deploying a network monitoring system, analyzing network data, and collecting logs generated from network events.

1. CNIT 152:
Incident
Response
9 Network Evidence
Updated 10-7-21

2. The Case for Network
Monitoring

3. Types of Network Monitoring

4. Types of Network Monitoring
1. Event-based alert
s
2. Packet capture
s
3. Session informatio
n
4. High-level statistics

5. Types of Network Monitoring
1. Event-based alert
s
• Snort, Suricata, SourceFire, RSA NetWitnes
s
• Require rule set
s
• Provides real-time noti
fi
cation

6. Types of Network Monitoring
2. Full Packet Capture
s
•Can reconstruct everything sent on the
networ
k
•Helps to identify scope of data thef
t
•Capture actions done with interactive shell
s
•Closely monitor malware communicating with
remote sites

7. Types of Network Monitoring
3. Session informatio
n
•Header loggin
g
•Can identify connections and addresse
s
•Cannot reconstruct data transmitted

8. Types of Network Monitoring
4. High-level statistics
• Showing type and number of packet
s
• Can reveal suspicious patterns, such as
abnormally high volumes of traf
fi
c

9. Event-Based Alert
Monitoring
• Most common typ
e
• Based on rules or threshold
s
• Events are generated by Network Intrusion
Detection Systems (NIDS
)
• Or by software that monitors traf
fi
c patterns
and
fl
ow
s
• Standard tools: Snort and Suricata

10. Indicators (or Signatures)
• Matched against traf
fi
c observed by the network
senso
r
• Simple indicator
s
• Such as IP address + por
t
• "Cheap" (small load on sensor)
• Complex indicator
s
• Session reconstruction or string matchin
g
• Can burden the sensor so much it drops
packets

11. Example Snort Rule
• This rule detects SSH Brute Force attack
s
• Depth: how many bytes of packet to rea
d
• Links Ch 9a, 9b
alert tcp $EXTERNAL_NET any -> $HOME_NET 22
(msg:"INDICATOR-SCAN SS
H
brute force login attempt";
flow:to_server,established; content:"SSH-"
;
depth:4; detection_filter:track by_src, count 5,
seconds 60
;
metadata:service ssh; classtype:misc-activity;
sid:19559; rev:5;
)

12. alert_fast
• Put this in Snort con
fi
guration
fi
l
e
• output alert_fast alerts.tx
t
• Simplest output module for Snor
t
• Puts text into a
fi
le

13. Detect Fake SSL Certi
fi
cate
• Detects a speci
fi
c fake certi
fi
cate used by the
APT 1 group identi
fi
ed by Mandiant in 200
3
• Written by Emerging Threat
s
• Matches serial number and Issuer strin
g
• Link Ch 9h

14. Header and Full Packet
Logging
• Two distinct purpose
s
• To help IR team generate signatures, monitor
activity, or identify stolen dat
a
• Collect evidence for an administrative or legal
matte
r
• Consider whether to treat packet captures as
evidence and generate a chain of custody

15. Thoroughness
• IDS systems can retain the full session that
generated an aler
t
• But for targeted collection against speci
fi
c
subjects, use tcpdump or Wireshark

16. tcpdump
• Complete packet capture of an HTTP reques
t
• Limiting capture to 64 bytes captures only the
headers (called "trap and trace" by law
enforcement)

17. Statistical Monitoring
• Cisco NetFlo
w
• Number of packets & bytes in each "
fl
ow" (session)

18. Statistical Monitoring
Commercial
visualization
products
available from
Fluke, HP,
Solarwinds, and
IB
M
Link Ch 9c

19. fl
ow-tools and argus
• Open-source
• Convert pcap
fi
le (from tcpdump) to Argus forma
t
• Graph all packets > 68 bytes from server1 by port
number

22. 9a

23. Setting Up a Network
Monitoring System

24. Simple Method
• Deploy laptops or 1U servers
with hardware network tap
s
• Snort + tcpdump work
s
• Best if you are setting up
monitoring after an incident
is detected--fast & easy

25. IDS Limitations
• IDS platforms cannot reliably perform both
intrusion detection and network surveillance
simultaneousl
y
• If you set an IDS to capture full-content, its
effectiveness as a sensor will diminish

26. Effective Network
Surveillance

27. Hardware
• Dif
fi
cult to collect and store every packet
traversing high-speed link
s
• Recommended
:
• 1U servers from large manufacturers
• Linux-based network monitoring distribution
s
• Linux now outperforms FreeBS
D
• For best performance, use NTOP's PF_RING
network socket, not the default AF_PACKET
interface

28. Before an Incident
• If your organization plans ahea
d
• Commercial solutions combine Snort-style
alerting with storage

29. • From 2021 https://www.esecurityplanet.com/products/best-network-security-tools/

30. Security Onion
• Free Linux distribution, with kernel patches
installed (securityonion.net
)
• Includes analysis tools

31. Deploying the Network
Sensor

32. Major Network Changes
• May facilitate network surveillanc
e
• Ex: route all company locations through a
single Internet connection with MPLS
(Multiprotocol Label Switching), not a
separate ISP for each of
fi
ce

33. Secure Sensor Deployment
• Place network sensor in a locked room, to
maintain chain of custod
y
• Patch the OS, keep it up to dat
e
• Protect it from unauthorized acces
s
• Document everythin
g
• Review log
s
• Use Tripwire to ensure integrity of OS

34. Evaluating Your Network
Monitor
• Is it receiving the traf
fi
c you want to monitor
?
• Is the hardware responsive enough to
achieve your goals
?
• Create signatures to detect test traf
fi
c and
test your monito
r
• Such as a nonexistent UR
L
• Performance metrics in logs will tell you if the
sensor is dropping packets

35. Network Data Analysis

36. General Principles
• Wireshark is excellen
t
• Especially with custom decoders, written in
Lua or
C
• Don't hunt through large packet captures
looking for something ne
w
• Limit the scop
e
• Use targeted queries that follow your leads and
answer investigative questions

37. NetWitness Investigator
• Sorts traf
fi
c
by protoco
l
• 32-bit
version
seems to be
gone

38. Collect Logs Generated
from Network Events

39. Examples

40. Examples

41. Network-Based Logs
• Server-based logs are
fi
les on the individual
system
s
• May be altered or deleted by the attacke
r
• Network-based logs may be more reliabl
e
• Especially if network devices are physically
and electronically secured

42. Log Aggregation
• Log aggregation is dif
fi
cult because
:
• Logs are in different format
s
• Originate from different operating system
s
• May require special software to access and
rea
d
• May have inaccurate timestamps

43. 9b