NSM tip : Watch out for the quiet ones

Thanks to Richard Bejtlich of Tao Security, I came across the LBL-ICSI Enterprise Tracing project.


One of its key features of the upcoming Unsniff 1.5 release is a real-time, completely customizable traffic dashboard. We will run the LBL traces past Unsniff and post the results on this blog shortly. The first one should appear soon.

Meanwhile, here is something I learned working with some live data at a clients site recently.

Top-Chatters or Top-Sulkers ?

The Unsniff beta build (1.5) we are using at the site has a Top-N feature for a whole set of statistics (IPs, MACs, Conversations, protocols, subnets, interfaces, etc). This is a fairly common feature in many tools. We ran Top-N for a while on one of their key entry points.  It was fine and produced great results from a traffic analysis point of view. Day in and day out, these Top-N feature the same hosts/subnets at the same time of day.

From a Network Security Monitoring (NSM) angle, this kind of data invariably features entities that already have a high trust level. Most Top-N analysis are soon taken over by the “usual guys” like Exchange, company video streaming, training, VoIP and so forth.

I really think we need a Bottom-N or a “Top-Sulkers” analysis to complement the Top-N approach. To repeat a cliche, it is always the quiet ones who do the damage. It takes a lot of effort to send just one packet. Snort may miss these because the packets themselves may not be suspicious.

Specifically, we want to focus on the following.

1. Mr Mix-A-Lot : Talks to a lot of hosts, but says very little to each host.

2. Mr Mono-Syllable : Displays normal behavior, but occasionally blurts out single words to complete strangers. (The single packet case – snort might catch it)

3. Mr Scratchy-Record : Normal on the outside, but speaks the same message at regular intervals. (Beacons, hearbeats, keepalives)

4. Ms Shy : Shows a lot of interest in talking, but stops when the other side shows interest. (Lot of connection attempt, but nothing is said)

5. Ms Language expert : Tries to talk a lot of languages, but rarely says much in any of them. (Tries lot of ports, but not much traffic)

Guess what, a pure Top-N approach is going to miss all of the above cases.

Expect a Top-Sulkers feature in Unsniff 1.5. If you would like to participate in a beta, please send email via the Contact page.

Author: Vivek Rajagopalan

Vivek Rajagopalan is the a lead developer for Trisul Network Analytics. Prior products were Unsniff Network Analyzer and Unbrowse SNMP. Loves working with packets , very high speed networks, and helping track down the bad guys on the internet.