Vivek Rajagopalan is a lead developer for Trisul Network Analytics. Prior products were Unsniff Network Analyzer and Unbrowse SNMP. Loves working with packets, very high speed networks, and helping track down the bad guys on the internet.
We observed a very common pattern among users of Unsniff as well as Wireshark: most of the time, display filters were being built from some combination of the 5-tuple fields (source and destination address, source and destination port, protocol) of a TCP or UDP packet. This covered over 90% of the cases, so we decided to work on a nifty solution.
A context-aware packet filter.
Right-click on any packet to bring up a “Pull out packets” menu with automatic filter choices.
Select a choice to pull out only the matching packets into a new capture file window.
Unsniff also has “invert” choices. Use them if you want to select only the packets NOT matching the selected criteria.
Now you can zip through capture files effortlessly and narrow down your analysis data.
One of the key challenges in an alert-centric deployment of NSM (Network Security Monitoring) is getting context around an alert. The current crop of tools lets you click around and accomplish the task, but only with human intervention. In this quick post, we will see how you can have Trisul do this by machine. Of course, you need a human to write the script, but once written it is let loose on the existing data stores mechanically. Over time, the scripts are refined to include other kinds of context, and they come to represent the intellectual property of your security team.
So the problem is this:
Write a script that gives me a single PCAP containing all packets in all flows that generated a Snort or Suricata IDS alert of Priority 1 today.
In this simple example, the context of the alert is the whole flow that generated that alert.
The trick is to create a Trisul flow tagger that marks each flow with the priority of the alert it raised. Refer to the documentation for how to create flow taggers. Once the flow taggers are set up, each alerting flow is marked with the text tag IDS and a priority tag sn-1, sn-2, ... (the prefix “sn-” stands for Snort but is also used for Suricata priorities). Flows with alerts then look like the screenshot below.
Retrieving the alert context
By clicking on Alerts -> IDS you can view alerts by signature. In the screenshot below there are about 477 Priority 1 (Red) alerts. Our challenge is to retrieve PCAPs of the entire flows that generated these 477 alerts.
You can easily extend these scripts to retrieve “surrounding context”. For example, once you have the session IDs from the Query Sessions call (Step 2), you can ask for PCAPs of all flows involving those IPs within a 3-minute window. You would then fire off additional QuerySessions calls and collect the results together.
Even though packets are retrieved flow by flow, the Trisul engine interleaves them correctly in time order, so what you are left with is a usable PCAP file that you can run deeper analysis on. We run this script as a cron job every night in our office environment. It takes about 10-12 minutes to run, but the results are amazing.
Every one of the flows in the resultant PCAP file will generate a Priority 1 alert when run through Snort/Suricata.
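The following script is added here as an illustration and is not part of Trisul or Unsniff. It does the two jobs described on this page with nothing but the Python standard library: the context-aware “pull out packets” filter from the earlier post (select, or with invert deselect, every packet of a flow by its direction-independent 5-tuple), and the alert-context job from this post (take the Priority 1 lines from a Snort/Suricata fast-format alert log, map each to its flow, and write one time-ordered PCAP of those flows, merging across capture files the way Trisul interleaves them). It scans raw pcap files instead of the Trisul data store, so the QuerySessions step is replaced by a direct scan. The two sensor captures and the three alert lines are constructed sample data.

```python
# Added example (not Trisul or Unsniff code): the "pull out packets" 5-tuple
# filter and the "all flows behind today's Priority 1 alerts" job, done against
# raw pcap files and Snort/Suricata fast-format alert lines with the standard
# library only. Handles Ethernet/IPv4 with TCP or UDP; other frames never match.
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def flow_key(proto, src, sport, dst, dport):
    """Direction-independent 5-tuple, so both halves of a conversation match."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + min(a, b) + max(a, b)


def parse_pcap(data):
    """Yield (ts_sec, ts_usec, frame) for every record in a pcap blob."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def frame_key(frame):
    """Flow key of an Ethernet frame, or None if it is not IPv4 TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return flow_key(proto, src, sport, dst, dport)


def write_pcap(records):
    """Serialize (ts_sec, ts_usec, frame) records into a pcap blob."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def pull_out_flows(pcaps, keys, invert=False):
    """Collect every packet whose flow is in keys (or NOT in keys, if invert)
    from one or more capture files; return one pcap interleaved in time order."""
    keys, hits = set(keys), []
    for blob in pcaps:
        for rec in parse_pcap(blob):
            k = frame_key(rec[2])
            if k is not None and (k in keys) != invert:
                hits.append(rec)
    hits.sort(key=lambda r: (r[0], r[1]))   # merge files/sensors by timestamp
    return write_pcap(hits)


# Snort/Suricata "fast" alert line, e.g.
# 01/15-10:20:30.123456  [**] [1:2100498:7] msg [**] [Priority: 1] {TCP} 10.0.0.5:44321 -> 198.51.100.7:80
ALERT_RE = re.compile(r"\[Priority: (\d+)\] \{(TCP|UDP)\} (\S+):(\d+) -> (\S+):(\d+)")


def alert_flow_keys(alert_lines, priority=1):
    """Flow keys of every TCP/UDP alert at the given priority. ICMP and other
    port-less alerts are skipped: they do not map onto a 5-tuple."""
    keys = set()
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if m and int(m.group(1)) == priority:
            proto = 6 if m.group(2) == "TCP" else 17
            keys.add(flow_key(proto, m.group(3), int(m.group(4)), m.group(5), int(m.group(6))))
    return keys


# ---- constructed sample data (two sensors, not real traffic) -----------------
def _frame(proto, src, sport, dst, dport, payload):
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + l4 + payload


SENSOR_A = write_pcap([
    (1000, 10, _frame(6, "10.0.0.5", 44321, "198.51.100.7", 80, b"GET / HTTP/1.1")),
    (1000, 30, _frame(17, "10.0.0.9", 53000, "10.0.0.1", 53, b"dns")),
    (1001, 0, _frame(6, "198.51.100.7", 80, "10.0.0.5", 44321, b"HTTP/1.1 200 OK")),
])
SENSOR_B = write_pcap([
    (1000, 20, _frame(6, "10.0.0.5", 44321, "198.51.100.7", 80, b"ack")),
    (1002, 0, _frame(6, "10.0.0.7", 50000, "203.0.113.9", 443, b"tls")),
])
ALERTS = [
    "01/15-10:20:30.123456  [**] [1:1000001:1] TEST prio one [**] [Priority: 1] {TCP} 198.51.100.7:80 -> 10.0.0.5:44321",
    "01/15-10:20:31.000000  [**] [1:1000002:1] TEST prio two [**] [Priority: 2] {UDP} 10.0.0.9:53000 -> 10.0.0.1:53",
    "01/15-10:20:32.000000  [**] [1:1000003:1] TEST icmp [**] [Priority: 1] {ICMP} 10.0.0.7 -> 203.0.113.9",
]

if __name__ == "__main__":
    merged = pull_out_flows([SENSOR_A, SENSOR_B], alert_flow_keys(ALERTS))
    for ts_sec, ts_usec, frame in parse_pcap(merged):
        print(ts_sec, ts_usec, frame_key(frame))
```

Run as-is it prints the three packets of the one Priority 1 flow, with the packet from the second sensor slotted between the two from the first by timestamp. For real data, replace SENSOR_A and SENSOR_B with the bytes of your capture files and ALERTS with the lines of the fast log. Only Ethernet/IPv4 TCP and UDP frames are keyed; VLAN tags, IPv6 and non-first IP fragments (which carry no L4 header) would need additional parsing before the 5-tuple can be trusted.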
TLS 1.2 support available in Unsniff Network Analyzer
We are pleased to announce the availability of TLS 1.2 analysis and decryption in the latest builds of Unsniff Network Analyzer.
The main changes are:
Change in the way the PRF (Pseudo Random Function) works in TLS 1.2: a single HMAC-SHA256 based PRF replaces the MD5/SHA-1 combination of earlier versions
Addition of SHA-256, used both in the PRF and as the record MAC in the _SHA256 cipher suites
Change in the way the IV (Initialization Vector) is handled for block ciphers such as AES-256-CBC: it is now carried explicitly in each record instead of being derived from the key block
Currently we support AES suites such as TLS_RSA_WITH_AES_256_CBC_SHA256
DHE cipher suites are also supported by directly entering the master secret, since the server's RSA private key cannot recover the session keys of an ephemeral Diffie-Hellman exchange
The Session ID is shown differently: we show the first and last digits so it is easier for you to search application logs for the master secret
A help dialog box has been added that helps you convert between PKCS#12, PEM and PKCS#8 formats
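For readers who want to see what the first three changes above amount to, here is an added example in Python (not Unsniff's own code) that walks through the TLS 1.2 derivations with the standard library: the HMAC-SHA256 based PRF, the master secret, the key block for TLS_RSA_WITH_AES_256_CBC_SHA256 (which contains no IVs, because TLS 1.1 and later send an explicit IV in every CBC record), the split of a record fragment into explicit IV and ciphertext, and the HMAC-SHA256 record MAC. The premaster secret and the two randoms are constructed values, not from a real session, and the AES-CBC decryption itself is left to a crypto library.

```python
# Added example (not Unsniff code): the TLS 1.2 derivation steps listed above,
# using only the standard library. The PRF is HMAC-SHA256 based (RFC 5246 s.5)
# instead of the MD5/SHA-1 split of TLS 1.0/1.1; the key block for
# TLS_RSA_WITH_AES_256_CBC_SHA256 holds no IVs because TLS 1.1+ CBC records
# carry an explicit IV. Secrets and randoms below are constructed, not from a
# real session; the AES-CBC step itself needs a crypto library and is omitted.
import hashlib
import hmac


def p_hash(secret, seed, length, digest=hashlib.sha256):
    """P_hash: HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)), truncated to length."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def prf_tls12(secret, label, seed, length):
    """TLS 1.2: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master_secret, client_random, server_random):
    """48-byte master secret; seed is ClientHello.random + ServerHello.random."""
    return prf_tls12(pre_master_secret, b"master secret",
                     client_random + server_random, 48)


# TLS_RSA_WITH_AES_256_CBC_SHA256: 32-byte HMAC-SHA256 MAC keys, 32-byte AES keys,
# and no fixed IVs (fixed_iv_length is only non-zero for AEAD suites such as GCM).
MAC_KEY_LEN, ENC_KEY_LEN, FIXED_IV_LEN = 32, 32, 0
KEY_BLOCK_FIELDS = (("client_write_MAC_key", MAC_KEY_LEN), ("server_write_MAC_key", MAC_KEY_LEN),
                    ("client_write_key", ENC_KEY_LEN), ("server_write_key", ENC_KEY_LEN),
                    ("client_write_IV", FIXED_IV_LEN), ("server_write_IV", FIXED_IV_LEN))


def key_block(master, client_random, server_random):
    """Expand the master secret into the write keys. Note the seed order is
    server_random + client_random, the reverse of master_secret()."""
    total = sum(size for _, size in KEY_BLOCK_FIELDS)
    kb = prf_tls12(master, b"key expansion", server_random + client_random, total)
    keys, off = {}, 0
    for name, size in KEY_BLOCK_FIELDS:
        keys[name] = kb[off:off + size]
        off += size
    return keys


def split_cbc_record(fragment, block_size=16):
    """GenericBlockCipher (TLS 1.1+): fragment = explicit IV || AES-CBC(content ||
    MAC || padding || padding_length). Returns (iv, ciphertext)."""
    if len(fragment) % block_size or len(fragment) < 2 * block_size:
        raise ValueError("fragment must be block aligned and hold IV plus data")
    return fragment[:block_size], fragment[block_size:]


def record_mac(mac_key, seq_num, content_type, version, content):
    """HMAC-SHA256 over seq_num(8) || type(1) || version(2) || length(2) || content,
    i.e. the MAC the _SHA256 suites carry inside each record."""
    header = (seq_num.to_bytes(8, "big") + bytes([content_type]) + version
              + len(content).to_bytes(2, "big"))
    return hmac.new(mac_key, header + content, hashlib.sha256).digest()


if __name__ == "__main__":
    pms = bytes([3, 3]) + bytes(46)   # constructed: an RSA premaster starts with version 3.3
    cr, sr = bytes(range(32)), bytes(range(32, 64))
    ms = master_secret(pms, cr, sr)
    print("master secret", ms.hex())
    for name, value in key_block(ms, cr, sr).items():
        print(f"{name:22s} {len(value):2d} bytes {value.hex()}")
```

Two details trip up most hand-written decryptors and are worth checking against the code: the seed order flips between the master secret (client random first) and the key expansion (server random first), and for a TLS 1.2 CBC suite the key block yields exactly four keys, so a decryptor that still reads client_write_IV out of the key block, as it did for TLS 1.0, will use the wrong IV.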
We will be adding other ciphers such as the AES-GCM mode soon. We encourage users to give feedback about how they are using Unsniff. Specifically, we would like to know the following about working with DHE suites, where decryption depends on the application logging the master secrets:
It is extremely tedious to search for Session ID matches against the master secret. How do you log the master secrets?
Would you like Unsniff to automatically match master secrets with the Session ID? This could take some work. Is this useful?
Stay tuned as we announce the next build which will have the AES-GCM support.