Some Enterprise Traffic Analysis

Finally, we got some spare time to analyze a few traces available on the LBL-ICSI project website. We would like to extend a big thank you to these guys for making such a valuable resource publicly available.

The traces are available at http://bro-ids.org/enterprise-traces/hdr-traces05/

Tao Security has analyzed them at http://taosecurity.blogspot.com/2007/05/lbnlicsi-enterprise-tracing-project.html

This is a huge collection, 11GB of traces in all. Ideally I would have liked to swallow the whole set, but bandwidth and time stopped me, so I picked a few traces instead:

First thing to note is that these traces have their payloads stripped: only the first 54 bytes of each packet are captured, which is just enough for the Ethernet, IP and TCP headers (14 + 20 + 20 bytes) and nothing of what follows. This precludes some of the advanced features, like PDU, Stream and User Objects, from working. Secondly, on such a huge glob of data we are better off doing "traffic analysis" (who talks to whom, on which ports, how much) rather than "protocol analysis".

OK, enough talking, let's start.

Let's get our tools ready. There are open source tools (pretty good ones too) such as capinfos and ntop, and Wireshark can draw some IO graphs. You are welcome to try those, but we are going to put Unsniff R 1.5 Beta to the task here.

Before we begin, let's first convert Unsniff into a traffic monitor. We don't have full packet data anyway, so it makes sense to cut the "protocol analysis" fat and in the process gain some speed and save memory. You can easily load several million packets into Unsniff in this mode.

  • Go to Tools->Customize->Advanced
  • Scroll down to the Advanced Capture item and set the “Do not store any packets” option to True.

Let's look at the first trace output (import the file and switch to the Traffic tab).

lbl-big.jpg

A real quick tour of the screen: the dashboard is completely configurable (via an XML file in the installation/Cfg directory) and the whole thing updates in "real time", but we don't care about that here because we are just importing existing captures. In the above configuration, we see top hosts, subnets, protocols, MAC pairs, and total bandwidth. Let's see what the capture tells us:

Subnets

lbl-subnet.jpg

OK, so it seems 128.3.47.0, followed by 128.3.193.0, are the two most active subnets in this time period. Is this interesting information? Probably, but since we don't know much about those subnets, let's move on.

Protocols

What's going on here?

lbl-prot.jpg

We see that the capture is 91.19% netbios-ssn. What is that? netbios-ssn is the NetBIOS session service on TCP port 139, and we know from experience that on an enterprise LAN it carries nothing but Microsoft SMB. Unfortunately, Unsniff was not able to label it as "SMB" because the packets were truncated before the SMB header began. OK, it seems we have a Microsoft shop here. '0' (the second item) means non-IP protocols (we ought to label that more clearly).
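As an added example (not code from the original post or from Unsniff), here is a small Python script that does the same header-only tally on a snaplen-truncated pcap and shows why an SMB label is impossible at 54 bytes. It builds its own constructed capture (three SMB reads on TCP/139, one HTTP request, one ARP frame, using the page's two subnets as sample addresses) so it runs offline; the service names are the IANA assignments for the ports on the page's charts, bytes are counted from the record's original length rather than the captured length, and the SMB test looks for the "\xffSMB" signature behind the 4-byte NetBIOS session header.

```python
import struct
from collections import Counter

# IANA service names for the ports on the page's protocol charts. Anything else
# is reported by its lower port number, and non-IP frames under "0" like the chart.
SERVICES = {139: "netbios-ssn", 80: "http", 524: "ncp", 1153: "c1222-acse", 4000: "terabase"}
PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1


def read_pcap(data):
    """Yield (captured_bytes, original_length) for every record of a classic pcap."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    pos = 24  # global header: magic, version, zone, sigfigs, snaplen, linktype
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, pos)
        pos += 16
        yield data[pos:pos + incl_len], orig_len
        pos += incl_len


def classify(frame):
    """Name the service of an Ethernet/IPv4/TCP frame from the first 54 bytes only."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return "0"  # non-IP (ARP, etc.), as on the chart
    if len(frame) < 34 or frame[23] != 6:  # offset 23 = IPv4 protocol field
        return "ip-other"
    ihl = (frame[14] & 0x0F) * 4
    if len(frame) < 14 + ihl + 4:
        return "ip-other"
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    for port in (dport, sport):
        if port in SERVICES:
            return SERVICES[port]
    return str(min(sport, dport))


def smb_visible(frame):
    """True only if enough payload was captured to see the SMB signature behind the
    4-byte NetBIOS session header; with a 54-byte snaplen there is no payload at all."""
    if classify(frame) != "netbios-ssn":
        return False
    tcp = 14 + (frame[14] & 0x0F) * 4
    if len(frame) < tcp + 20:
        return False
    payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]
    return payload[4:8] == b"\xffSMB"


def bytes_by_service(pcap):
    """Tally wire bytes (orig_len) per service; caplen would undercount every truncated packet."""
    tally = Counter()
    for frame, orig_len in read_pcap(pcap):
        tally[classify(frame)] += orig_len
    return tally


def smb_labelled_packets(pcap):
    return sum(smb_visible(frame) for frame, _ in read_pcap(pcap))


def tcp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; fine for a tally)."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames, snaplen):
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1)]
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out.append(struct.pack("<IIII", 1103000000 + i, 0, len(captured), len(frame)) + captured)
    return b"".join(out)


def demo_capture(snaplen):
    """Constructed sample: three 1400-byte SMB reads on TCP/139, one HTTP request, one ARP frame."""
    smb = b"\x00\x00\x05\x74" + b"\xffSMB" + b"\x2e" + bytes(1391)  # NetBIOS session hdr + SMB hdr
    req = b"GET /index.html HTTP/1.0\r\n\r\n"
    http = req + bytes(300 - len(req))
    frames = [tcp_frame("128.3.47.10", "128.3.193.5", 1234, 139, smb)] * 3
    frames.append(tcp_frame("128.3.47.11", "128.3.193.7", 2345, 80, http))
    frames.append(bytes(12) + b"\x08\x06" + bytes(28))  # ARP, non-IP
    return write_pcap(frames, snaplen)


if __name__ == "__main__":
    for snaplen in (54, 65535):
        tally = bytes_by_service(demo_capture(snaplen))
        total = sum(tally.values())
        print(f"snaplen {snaplen}: SMB-labelled packets = {smb_labelled_packets(demo_capture(snaplen))}")
        for name, n in tally.most_common():
            print(f"  {name:12s} {n:6d} bytes  {100 * n / total:5.2f}%")
```

The byte shares come out identical for the 54-byte and full captures because the tally uses the original length recorded in each pcap header, while the SMB signature is only found in the full capture: that is the whole difference between traffic analysis and protocol analysis on this data set.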

Let's move on to the other traces.

Trace from port 16 – Dec 15 04 (23MB)  lbl-internal.20041215-0711.port016.dump.anon

This one contains about 350,000 packets.

First the bandwidth strip. It seems we have a lightly loaded, bursty link here.

lbl-3-totbw.jpg

The subnets and other charts don't seem too interesting, so let's go straight to the protocols.

lbl-3-prot.jpg

We again have netbios-ssn (which we are sure is SMB), followed by HTTP and ncp (Novell NetWare Core Protocol). We can also see something on port 11001; that might be worth investigating further. From my experience, this is a fairly typical enterprise setup (except that I haven't seen much Novell NCP around).

OK, next:

Trace from port 16 – Oct 04 04 (11MB)  lbl-internal.20041004-1438.port016.dump.anon

About 170K packets.

So what kind of port is this? Let's look at the bandwidth chart.

lbl-2-totbw.jpg

We have sustained usage of about 3 Mbps, sometimes peaking up to 14 Mbps. All right, let's see what applications are running on that port.

lbl-2-prot.jpg

Whoa! Didn't expect terabase and c1222-acse. So we turn to Google and find that "ANSI C12.22 is used in the electric energy industry" and terabase provides "high speed search engine and database solutions".

There are worms reported for port 4000 (the terabase port), but we don't know for sure without looking at the full data: with only 54 bytes per packet there is no way to tell a database client from a worm that happens to use the same port. Perhaps the network admin knows from experience whether this constitutes legitimate traffic, but from a security standpoint we may have reached a dead end. Experts like Richard Bejtlich have been making a strong case for capturing the maximum amount of data that your resources can handle, and this is a good illustration of why.

Interesting stuff indeed.

Note: These features are available only in the Unsniff Network Analyzer R1.5 Beta. If you would like to join the few who are participating, please send email to


[tags] network analysis, enterprise network analysis, unsniff [/tags]

Authenticate your SNMP Traps

Thanks to a user request, we have just released a new build of Unbrowse SNMP with some advanced SNMPv3 features. Now you can:

  • Run an authentication check on all SNMPv3 traps
  • Work as a “normal” trap receiver (see end of post)

Why authenticate ?

Out of the box, Unbrowse SNMP will show you all traps that fly past it. It does not care whether the traps are 'real' or 'forged', which lets you see all trap activity on the network. While this behavior is what you want in a large number of cases, sometimes you want each trap flagged as authentic or not.

trapauth.jpg

Yellow – Not authenticated (you must enter the required passphrases for the agent + username)

Green – Authenticated OK

Red – Authentication FAIL (the signatures don't match; you can get some more detail in the details window)

The auth check is not run for noAuthNoPriv and SNMPv2 traps: neither carries an authentication field, so there is nothing to verify.

How does this work?

When the authentication check is turned on, an HMAC is calculated over each received trap message. The computation uses the authentication protocol configured for the user (HMAC-MD5-96 or HMAC-SHA-96) and the key derived from the auth password held by Unbrowse SNMP, localized to the sending agent's engine ID. If the computed value matches the one carried in the trap message (the 12-byte msgAuthenticationParameters field), we declare the trap authenticated; otherwise it is flagged as failed.

Using the feature

  • First enable this feature via Tools->Customize->Authenticate Incoming Traps.
  • Enter the agent information (IP address, user name, auth protocol, and auth password) using Agents->Manage
  • Run the trap receiver as usual. Unbrowse will now run an auth check for every agent + user for which it has the required passphrase.

For advanced users

A major part of the cost of running the authentication check is the key localization algorithm. This is the process of converting a passphrase into a key that is unique for every engine ID: the passphrase is first hashed into a key, and that key is hashed again together with the agent's engine ID. You can speed things up by having Unbrowse SNMP use the localized key directly instead of recomputing it from the passphrase.

To do this :

  • Open the Agent Manager via Agent->Manage
  • Enter name, address, and select SNMPv3
  • Enter the User Name, select auth protocol, and enter the auth password
  • Now click on Advanced
  • Uncheck the Discover Engine ID box and click Discover Now!

Unbrowse will discover the engine ID and localize the password for that agent. See screenshot.

lockey.jpg

Now, continue to use the Trap Receiver as usual.
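As an added example, and not code from Unbrowse SNMP, the following Python carries out what the "How this works" section and the key localization steps above describe: RFC 3414 password-to-key and key localization, then the HMAC-96 check over a trap with the msgAuthenticationParameters field zeroed, producing the three verdicts (yellow, green, red) from the post. The trap bytes are a constructed stand-in (a real receiver BER-parses the SNMPv3 message to locate the 12-byte auth field); the passphrase "maplesyrup" and the engine ID are the published RFC 3414 test vectors, so the localized keys can be checked against the RFC.

```python
import hashlib
import hmac

# USM authentication protocols named in the post; HMAC-MD5-96 and HMAC-SHA-96
# both truncate the MAC to 12 bytes (RFC 3414).
HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1}
AUTH_PARAM_LEN = 12


def password_to_key(password, proto):
    """RFC 3414 A.2: hash exactly 1,048,576 bytes of the passphrase repeated
    cyclically. This is the slow step the post talks about avoiding."""
    pw = password.encode()
    expanded = (pw * (1048576 // len(pw) + 1))[:1048576]
    return HASHES[proto](expanded).digest()


def localize_key(password, engine_id, proto):
    """Key localization: Kul = H(Ku || snmpEngineID || Ku). For a trap the
    authoritative engine is the sending agent, hence one key per agent."""
    ku = password_to_key(password, proto)
    return HASHES[proto](ku + engine_id + ku).digest()


def hmac96(key, wire, auth_offset, proto):
    """MAC over the whole message with msgAuthenticationParameters zeroed."""
    zeroed = wire[:auth_offset] + bytes(AUTH_PARAM_LEN) + wire[auth_offset + AUTH_PARAM_LEN:]
    return hmac.new(key, zeroed, HASHES[proto]).digest()[:AUTH_PARAM_LEN]


def sign_trap(wire, auth_offset, key, proto):
    """What the agent does before sending: fill in the 12-byte tag."""
    tag = hmac96(key, wire, auth_offset, proto)
    return wire[:auth_offset] + tag + wire[auth_offset + AUTH_PARAM_LEN:]


def check_trap(wire, auth_offset, localized_key, proto):
    """The receiver side, returning the post's three verdicts."""
    if localized_key is None:
        return "not authenticated"        # yellow: no passphrase for this agent + user
    carried = wire[auth_offset:auth_offset + AUTH_PARAM_LEN]
    expected = hmac96(localized_key, wire, auth_offset, proto)
    if hmac.compare_digest(carried, expected):
        return "authenticated"            # green
    return "authentication FAIL"          # red: signatures don't match


# RFC 3414 A.3 test engine ID; "maplesyrup" is the RFC's test passphrase.
ENGINE_ID = bytes.fromhex("000000000000000000000002")


def demo_trap(engine_id=ENGINE_ID, user=b"trapuser"):
    """Constructed stand-in for a serialized SNMPv3 trap (not real BER): the
    header names the engine ID and user, then the zero-filled auth field, then
    the PDU. Returns the bytes and the offset of the auth field."""
    head = b"SNMPv3|" + engine_id + b"|" + user + b"|"
    tail = b"|SNMPv2-Trap:coldStart"
    return head + bytes(AUTH_PARAM_LEN) + tail, len(head)


def demo(proto="sha1"):
    wire, off = demo_trap()
    key = localize_key("maplesyrup", ENGINE_ID, proto)
    signed = sign_trap(wire, off, key, proto)
    tampered = signed.replace(b"coldStart", b"linkDown!")   # same length, PDU altered
    other_engine = localize_key("maplesyrup", ENGINE_ID[:-1] + b"\x03", proto)
    return {
        "genuine": check_trap(signed, off, key, proto),
        "tampered": check_trap(tampered, off, key, proto),
        "no_passphrase": check_trap(signed, off, None, proto),
        "wrong_engine_id": check_trap(signed, off, other_engine, proto),
    }


if __name__ == "__main__":
    print("localized MD5 key:", localize_key("maplesyrup", ENGINE_ID, "md5").hex())
    for name, verdict in demo().items():
        print(f"{name:16s} -> {verdict}")
```

The "wrong_engine_id" case is why the Agent Manager step above matters: the same passphrase localized with a different engine ID yields a different key, so a receiver that has not discovered the agent's engine ID cannot verify its traps. Note also that this check only proves the sender holds the localized key; a replayed copy of a genuine trap still verifies, because the timeliness check on msgAuthoritativeEngineBoots/EngineTime is a separate step that is not shown here.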

Operate as a normal trap receiver

First, a secret! Unbrowse is fundamentally different from other trap receivers out there: it doesn't actually listen for traps on a specific UDP port. It is designed to work as a Zero Configuration Passive Trap Receiver, which means you can stick Unbrowse SNMP in front of a troublesome router or management station and immediately start seeing traps. No messy addition of trap targets. All vendors, all boxes are supported right out of the box, and you can watch traps on many UDP ports (not just one). This makes it very easy for a network admin to plug in and unplug safely.

The downside is that if you are using Unbrowse as your primary trap receiver, the sending agent may get an ICMP Destination Unreachable / Port Unreachable packet back, because no one is actually listening on the standard SNMP trap port 162.

We had a user request this feature earlier (how can we see loopback traps?). So we have added an option that makes Unbrowse SNMP listen on a UDP port, like all the rest.

To use this :

1. Go to Tools – Customize – Advanced – Trap Console

2. Select “Normal UDP Socket” as the Preferred Provider

If you want to change the default port 162, edit the TBCFG.xml file in %APPDATA%/Unbrowse/Cfg folder.

These are FREE FEATURES (that's right!). Download your copy of Unbrowse SNMP today.


[tags] SNMP traps, SNMPv3 trap receiver, Unbrowse SNMP, authentication [/tags]