
Copyright 2010 All rights reserved. NetWitness Corporation
NetWitness Investigator
Freeware
Network Intelligence, Threat Indicators and Session Exploitation
Brian Girardi
Director, Product Management
NetWitness Corporation
brian@netwitness.com
Agenda
Investigator Freeware Introduction/Review
Advanced Features
Integration via custom actions
Intelligence via feeds
Indicators via rules
Protocol/Session exploitation via parsers
Implementation Scenarios
Investigator Freeware Core Concepts
It's free! (requires annual registration)
What makes Investigator different?
Designed from an analyst's perspective to answer complex questions from large amounts of raw network data
Designed to analyze advanced threats, applications, content, incident response, <insert problem here>
Empowers novice analysts AND accelerates experts
Models network traffic, and exposes syntax to expand the model
Session-based, NOT packet-based
Session Processing Step 1
Packet Collection & Reassembly before anything else: putting the pieces back together
Data arrives packetized, out of order, fragmented, mixed with other traffic and retransmitted; reassembly turns it back into a Session
Session Processing Steps 2 & 3
Application Identification, Meta Extraction, and Modeling
Don't rely on port for true service type
Extract pertinent network and application data
Model and organize data for human consumption
HTTP != port 80
Standard Features
Real-time, patented layer 7 analytics
Effectively analyze data starting from application layer entities like users, email addresses, files, and actions
Infinite, free-form analysis paths
Content starting points
Captures raw packets live from wired or 802.11 wireless networks
Imports packets from any open-source, home-grown or commercial packet capture system (e.g. .pcap file import)
Extensive network and application layer filtering (e.g. MAC, IP, user, keywords, etc.)
IPv6 support
Full content search, with regex support
Bookmarking & history tracking
Integrated GeoIP for resolving IP addresses to city/country, supporting Google Earth visualization
SSL decryption (requires the server's private key; passive decryption only works for RSA key exchange, not ephemeral Diffie-Hellman)
Interactive time charts, and summary view
Interactive packet view and decode
Hash data on capture and export
Integrated Org, Domain, and ISP databases
Supports VLAN meta tagging
Supports IP tunnel (i.e. GRE) meta tagging
And more.
Now let's discuss advanced features
Apply Your Own Intelligence & Needs
Custom Actions
Right-click query actions for context
Feeds
Means for creating metadata based on a list of values
Ex. IP reputation feed
Rules
Evaluation of meta elements to alert, filter, stop/change processing or create more metadata
Ex. If ip.dst=1.2.3.4 AND user=bob then alert
Parsers (aka FlexParse)
Exploitation of sessions and full payload to create metadata
Ex. Identify packed executables/malware; interpret, identify and profile protocols, etc.
Aggregating Indicators
Rules, Parsing, Feeds
Aggregation of these methods helps profile actual threatening activity:
Advanced Threat
Insider Threat
Policy/Compliance
Etc.
Custom Actions
Custom Actions
Configurable right-click actions out of Investigator to external tools
URL-based
Local Scripts
Examples
Example: right-click a hostname to search it in Google (other actions are offered in the same menu)
Feeds
Feeds
Means for creating meta data based on external lists
IP Address
Hostnames
Any metadata element
Typical Uses
Intelligence feeds (Internet Storm Center/DShield Top 10000, for example)
Define Physical or Logical mappings for metadata
Campus, Department
User Identity via Active Directory
Network-specific maps
DHCP mappings
Etc
Real-world feed uses
Large Bank
17,000 known home-user IPs cross-referenced with a botnet membership list
DoD
4000+ subnets, largely modeled after base locations
Financial Services Firm
Buildings
Functional area, e.g. Network Infrastructure
System area, e.g. Firewall, VPN, Critical Servers
Department & Location Feed
Enterprise-specific context
IP Ranges that correlate to
Company Department
Physical Location
Lat/Long Override
Feed File Example
#networks#
172.16.60.1,172.16.60.254,NW-Wireless
172.16.70.1,172.16.70.254,NW-GuestNet
10.21.1.1,10.21.1.255,NW Infrastructure,38.967490,-77.379533
10.21.2.30,10.21.2.111,NW Users Net,38.967490,-77.379533
10.21.3.30,10.21.3.111,NW Dev Workstations,38.967490,-77.379533
10.21.4.1,10.21.4.255,NW Dev Servers,38.967490,-77.379533
10.21.5.1,10.21.5.111,NW VPN Users,38.967490,-77.379533
10.21.6.30,10.21.6.111,NW Wireless,38.967490,-77.379533
67.10.149.25,67.10.149.25,Nw TXGW,29.7296,-98.1001
172.16.55.0,172.16.55.255,NW-TX,29.7296,-98.1001
192.168.1.1,192.168.1.255,NW Lab,38.742641,-77.199997
Feed Definition File
<FlatFileFeed name="NetName" path="networks.txt" separator="," comment="#">
  <LanguageKeys>
    <LanguageKey name="netname" valuetype="Text" srcname="netname.src" destname="netname.dst"/>
  </LanguageKeys>
  <Fields>
    <Field index="1" type="index" range="low"/>
    <Field index="2" type="index" range="high"/>
    <Field index="3" type="value" key="netname"/>
  </Fields>
</FlatFileFeed>
Note: this definition maps only the netname column (field 3) onto the low/high address range; the lat/long columns present in the example feed file are not referenced by it.
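What the feed definition above does at session time, as an added example written for this page (it is not NetWitness code and does not use the product's feed engine): parse the flat file, treat fields 1 and 2 as an inclusive low/high address range and field 3 as the netname value, and emit netname.src/netname.dst for a session's two endpoints. The feed text in the block is constructed to mirror the slide. How the optional lat/long columns are carried and which range wins on overlap (lowest start address first) are assumptions of this example, not statements about the product.

```python
"""Added example for this page (not NetWitness code): apply a flat-file
network feed to session endpoints, producing netname.src / netname.dst
as the <Field index="1|2" type="index" range="low|high"> definition implies."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, List

# Constructed feed text mirroring the slide's networks.txt.
FEED = """#networks#
172.16.60.1,172.16.60.254,NW-Wireless
172.16.70.1,172.16.70.254,NW-GuestNet
10.21.1.1,10.21.1.255,NW Infrastructure,38.967490,-77.379533
10.21.5.1,10.21.5.111,NW VPN Users,38.967490,-77.379533
192.168.1.1,192.168.1.255,NW Lab,38.742641,-77.199997
"""


@dataclass(frozen=True)
class NetRange:
    low: int           # first address of the range, as an integer
    high: int          # last address of the range, inclusive
    netname: str
    latlong: Optional[tuple] = None   # optional lat/long override columns


def parse_feed(text: str, separator: str = ",", comment: str = "#") -> List[NetRange]:
    """Parse low,high,netname[,lat,long] lines; reject malformed ranges loudly."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(comment):
            continue
        fields = [f.strip() for f in line.split(separator)]
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: need low,high,netname")
        low = int(ipaddress.ip_address(fields[0]))
        high = int(ipaddress.ip_address(fields[1]))
        if low > high:
            raise ValueError(f"line {lineno}: range low > high")
        latlong = (float(fields[3]), float(fields[4])) if len(fields) >= 5 else None
        ranges.append(NetRange(low, high, fields[2], latlong))
    # Assumption of this example: on overlap, the range with the lowest
    # start address wins (sorted order, first hit returned by lookup()).
    ranges.sort(key=lambda r: (r.low, r.high))
    return ranges


def lookup(ranges: List[NetRange], ip: str) -> Optional[NetRange]:
    n = int(ipaddress.ip_address(ip))
    for r in ranges:
        if r.low <= n <= r.high:
            return r
    return None


def tag_session(ranges: List[NetRange], ip_src: str, ip_dst: str) -> dict:
    """Emit the feed's meta keys for one session's endpoints."""
    meta = {}
    for key, ip in (("netname.src", ip_src), ("netname.dst", ip_dst)):
        hit = lookup(ranges, ip)
        if hit is None:
            continue                       # unknown address: no meta, no error
        meta[key] = hit.netname
        if hit.latlong is not None:
            meta[key.replace("netname", "latlong")] = hit.latlong
    return meta


if __name__ == "__main__":
    print(tag_session(parse_feed(FEED), "10.21.5.50", "8.8.8.8"))
```

A malformed line (high below low) raises instead of silently producing a range that can never match, which is the failure mode a quietly mis-edited feed file would otherwise hide.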
Netname Feed Classification
Analysis with Threat Feeds
Loading Internet Storm Center Feed (Load feeds dialog)
Feed Category Hits
Found hits on SANS feed
Session Details Review
HTTP PUT
Likely C&C query string
IP found in SANS feed
Encoded/encrypted payload
Rules
Rules
Rules can be used to: filter data in/out, truncate packets, alert/flag
Rules span network elements and application layer elements
Rules control depth of processing
Network Layer Rules
Application Layer Rules
Rule Examples
Filter
Advertisements (ends in doubleclick.net)
Software updates (ends in liveupdate.symantec.com)
Media (ends in player.xmradio.com)
Backup servers (192.168.1.54, etc.)
Filter * (all), keep email = scott4323@hotmail.com
Truncate
Drop packet payload for the SSH and SSL ports (the content is encrypted; keep only the headers)
Alert
Non-standard port activity (non-HTTP over port 80)
DynDNS domains
Bot profiles
Clear-text passwords
Tunneling services (gotomypc, anonymizers, etc.)
Specific threat profiles
Etc.
Rule Example
Tip: it is faster to check a range than !=
Non-standard HTTP
Nonstandard HTTP Details
Facebook Koobface Malware Example
Basic rule:
service = HTTP(80) && alias.host = locator.getconnected.be
Better rule:
service = HTTP(80) && alias.host exists && (query contains 'action=' && query contains 'c_fb=' && query contains 'c_ms=' && query contains 'c_hi=' && query contains 'c_tw=' && query contains 'c_be=' && query contains 'c_tg=' && query contains 'c_nl=')
Based on the URL parameters Koobface passes when it checks in. The better rule keys on that parameter set rather than on one hostname, so it keeps matching when the C&C domain changes.
Ref: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf
Parsers
FlexParse
FlexParse exposes the network session parsing and metadata model
Configure how to identify applications and extract data
XML parser definitions
Register search tokens
Perform logic operations
Register metadata for the NetWitness system
Why?
Instantly customize and expand processing and modeling behavior
Processing flexibility for networks with:
heavy application profiles
proprietary protocols
and threats that don't fall into common intrusion detection methods
What's possible
Expand baseline parsers, fast-flux identification, social networking profiling, mainframe exploitation, SCADA, file object identification, complex threat identification, etc.
SCADA MODBUS Parser
Simple MODBUS Parser
Why?
Need insight into SCADA over IP to correlate with other network activity
Critical infrastructure monitoring
Demonstrate
Create a new service type for MODBUS
Modbus/TCP is a simple binary protocol: a one-byte function code maps to an action:
Read Coil Status
Read Input Status
Read Holding Registers
Read Input Registers
Force Single Coil
Force Multiple Coils
Etc.
MODBUS Protocol
If port 502 AND tokens exist, then classify the session as MODBUS and extract actions
(figure: request frame, MODBUS protocol identifier, ACTION function code)
Simple MODBUS protocol FlexParser Syntax
<?xml version="1.0" encoding="utf-8"?>
<parsers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="MODBUS" desc="MODBUS SCADA Protocol" service="502">
    <declaration>
      <number name="vTemp"/>
      <number name="vState"/>
      <number name="vID"/>
      <port name="server-port" value="502"/>
      <meta name="action" format="Text" key="action"/>
    </declaration>
    <match name="server-port">
      <assign name="vTemp" value="1"/>
      <while name="vTemp" equal="1">
        <assign name="vTemp" value="0"/>
        <move value="2">                        <!-- skip the 2-byte transaction identifier -->
          <read name="vState" length="2">       <!-- protocol identifier: 0 means Modbus -->
            <if name="vState" equal="0">
              <assign name="vID" value="1"/>
              <assign name="vTemp" value="1"/>
              <move value="3">                  <!-- skip length (2 bytes) and unit identifier (1 byte) -->
                <read name="vState" length="1"> <!-- function code -->
                  <if name="vState" equal="1">
                    <register name="action" value="Read Coil Status"/>
                  </if>
                  <if name="vState" equal="2">
                    <register name="action" value="Read Input Status"/>
                  </if>
                  <if name="vState" equal="3">
                    <register name="action" value="Read Holding Registers"/>
                  </if>
                  <if name="vState" equal="4">
                    <register name="action" value="Read Input Registers"/>
                  </if>
                  <!-- remaining function codes elided on the original slide -->
                </read>
              </move>
            </if>
          </read>
        </move>
      </while>
    </match>
  </parser>
</parsers>
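The FlexParser above walks fixed offsets that correspond to the Modbus/TCP MBAP header: skip the 2-byte transaction identifier, read the 2-byte protocol identifier (0 for Modbus), skip the 2-byte length and 1-byte unit identifier, then read the 1-byte function code. The following added example (Python written for this page, not NetWitness code) performs the same classification over raw TCP payloads and goes a little beyond the slide: it handles several PDUs in one payload, rejects truncated frames, and flags exception responses (function code with the high bit set). The sample frames are constructed; the function-code names for 6 and 16 are added by this example.

```python
"""Added example for this page (not NetWitness code): classify Modbus/TCP
payloads by function code, the way the MODBUS FlexParser above does."""
import struct

# Function-code names as the slide lists them (3/4 spelled out), with the
# write functions 6 and 16 added.
ACTIONS = {
    1: "Read Coil Status",
    2: "Read Input Status",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Force Single Coil",
    6: "Preset Single Register",
    15: "Force Multiple Coils",
    16: "Preset Multiple Registers",
}
MBAP_LEN = 7   # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Constructed sample frames (unit 1).
SAMPLE_READ_HOLDING = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"  # FC3: 10 regs from 0
SAMPLE_FORCE_COIL   = b"\x00\x02\x00\x00\x00\x06\x01\x05\x00\x13\xff\x00"  # FC5: coil 19 ON
SAMPLE_EXCEPTION    = b"\x00\x01\x00\x00\x00\x03\x01\x83\x02"              # FC3 exception, code 2


def parse_modbus_tcp(payload: bytes) -> list:
    """Return [(unit_id, function_code, action, is_exception), ...] for every
    PDU in the payload, or [] if it is not well-formed Modbus/TCP."""
    out, off = [], 0
    while off + MBAP_LEN + 1 <= len(payload):
        _tid, proto, length, unit = struct.unpack_from(">HHHB", payload, off)
        if proto != 0 or length < 2:
            return []                     # protocol id must be 0; reject, don't guess
        end = off + 6 + length            # length covers unit id + PDU
        if end > len(payload):
            return []                     # truncated frame
        fc = payload[off + MBAP_LEN]
        base = fc & 0x7F                  # high bit set = exception response
        out.append((unit, base, ACTIONS.get(base, f"Function {base}"), bool(fc & 0x80)))
        off = end
    return out if off == len(payload) else []


def classify_session(dst_port: int, payload: bytes) -> dict:
    """Mirror of the slide's rule: port 502 AND parsable frames => service MODBUS
    plus one 'action' value per distinct function seen (order preserved)."""
    if dst_port != 502:
        return {}
    pdus = parse_modbus_tcp(payload)
    if not pdus:
        return {}
    actions = []
    for _unit, _fc, action, is_exc in pdus:
        label = action + (" (exception)" if is_exc else "")
        if label not in actions:
            actions.append(label)
    return {"service": "MODBUS", "action": actions}


if __name__ == "__main__":
    print(classify_session(502, SAMPLE_READ_HOLDING + SAMPLE_FORCE_COIL + SAMPLE_EXCEPTION))
```

Non-Modbus traffic on port 502 (a stray HTTP request, a scanner banner) fails the protocol-identifier check and gets no MODBUS service tag, which is the "tokens exist" half of the slide's rule; the write functions (5, 6, 15, 16) are the ones worth alerting on from an unexpected source.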
Detecting Malicious PDF Parser
Detecting Malicious PDFs
Why?
One of the most pervasive exploitation techniques in use currently
Very effective exploitation technique that can be difficult to detect
Demonstrate
Combined existence of PDF tokens, including JavaScript, that classifies potentially malicious objects
Use flags to keep state between several different <match> statements
Parser Logic
Find the following token:
HTTP/1.1 200 OK
If above is found, then find token:
Content-Type: application/pdf
If above is found, then find token:
%PDF-1.
If above is found, then alert if the following is found:
/S/JavaScript
Parser Syntax
<declaration>

  <token name="token_http_header" value="HTTP/1.1 200 OK" options="linestart"/>
  <token name="token_content_type" value="Content-Type: application/pdf" options="linestart"/>
  <token name="token_pdf_header" value="%PDF-1."/>
  <token name="token_open_brackets" value="&#x3C;&#x3C;"/>

  <number name="flag_state_traker" scope="session"/>
  <string name="str_holding"/>
  <number name="num_offset"/>

  <meta name="event" key="alert" format="Text"/>

</declaration>
Declare tokens
Parser Syntax
<match name="token_http_header">
  <assign name="flag_state_traker" value="1"/>
</match>

<match name="token_content_type">
  <if name="flag_state_traker" equal="1">
    <assign name="flag_state_traker" value="2"/>
  </if>
</match>

<match name="token_pdf_header">
  <if name="flag_state_traker" equal="2">
    <assign name="flag_state_traker" value="3"/>
  </if>
</match>
Maintain state of token identification
Parser Syntax
<match name="token_open_brackets">
  <if name="flag_state_traker" equal="3">
    <find value="&#x3E;&#x3E;" length="50" name="num_offset">
      <read length="$num_offset" name="str_holding">
        <find in="$str_holding" name="num_offset" value="S/JavaScript">
          <register name="event" value="lab_advanced_pdf_with_javascript"/>
        </find>
      </read>
    </find>
  </if>
</match>
Find JavaScript in the PDF
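The three FlexParser fragments above, as one Python function written for this page (an added example, not NetWitness code): the same HTTP 200 → Content-Type → %PDF-1. state machine, then a search for /S /JavaScript inside a << … >> dictionary. Two additions beyond the slide: the 50-byte window the slide hard-codes is a parameter, because real action dictionaries are often longer, and PDF name escapes (#xx, e.g. /J#61vaScript) are decoded before matching, since that trivially defeats a literal token. The HTTP responses are constructed. Caveats the slide does not state: the body check assumes no Content-Encoding and no chunked transfer, the 200-OK token misses HTTP/1.0 responses, and JavaScript inside compressed object streams is invisible to any of these token checks.

```python
"""Added example for this page (not NetWitness code): the PDF-with-JavaScript
state machine from the FlexParser fragments above, over one HTTP response."""
import re

JS_RE = re.compile(rb"/S\s*/JavaScript")
NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")   # PDF name escape: /J#61vaScript

# Constructed sample responses.
_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
PDF_JS = _HDR + b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n"
PDF_JS_ESCAPED = _HDR + b"%PDF-1.4\n1 0 obj\n<< /S /J#61vaScript /JS (x) >>\nendobj\n"
PDF_JS_LONG = _HDR + (b"%PDF-1.4\n1 0 obj\n<< /Type /Action /S /JavaScript "
                      b"/JS (app.alert('padding that pushes this dictionary well past fifty bytes')) >>\nendobj\n")
PDF_BENIGN = _HDR + b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
NOT_PDF = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n"


def http_pdf_state(response: bytes) -> int:
    """Highest value flag_state_traker reaches: 1 = 200 OK, 2 = PDF content type, 3 = %PDF-1. body."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/1.1 200 OK"):   # 'linestart' token
        return 0
    if not re.search(rb"(?im)^content-type:\s*application/pdf", head):
        return 1
    if not body.startswith(b"%PDF-1."):
        return 2
    return 3


def pdf_javascript_alert(response: bytes, window: int = 50) -> list:
    """Return the alert meta values raised for this response ([] if none).
    window is the slide's 50-byte search distance from '<<' to '>>'."""
    if http_pdf_state(response) != 3:
        return []
    body = response.partition(b"\r\n\r\n")[2]
    dict_re = re.compile(rb"<<(.{0,%d}?)>>" % window, re.DOTALL)
    for m in dict_re.finditer(body):
        # decode #xx name escapes so /J#61vaScript matches like /JavaScript
        dictionary = NAME_ESC.sub(lambda e: bytes([int(e.group(1), 16)]), m.group(1))
        if JS_RE.search(dictionary):
            return ["lab_advanced_pdf_with_javascript"]
    return []


if __name__ == "__main__":
    for name, resp in (("plain", PDF_JS), ("escaped", PDF_JS_ESCAPED), ("long", PDF_JS_LONG)):
        print(name, pdf_javascript_alert(resp), pdf_javascript_alert(resp, window=400))
```

Running the main block shows the window effect directly: the long dictionary is missed at 50 bytes and caught at 400, so the constant on the slide is a tuning knob, not a property of PDF.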
Suspicious Trigger (screenshot: the parser's alert meta value)
PDF with JavaScript (screenshot: the matched tokens)
JRE 0day Analysis (the short version)
Using Feeds, Rules & Parsers to Investigate & Profile
Background
April 9th, 2010: Tavis Ormandy of Google Security identifies a Java Deployment Toolkit flaw
Affects all versions of Java
April 11th: Active exploitation via rogue advertisements on nytimes.com, foxnews.com, oprah.com, ufc.com and others
Malicious .jar file
Referrers contain nytimes.com, foxnews.com, oprah.com, ufc.com
How do we leverage feeds, rules and parsers to profile? Do I have a problem?
0day: feeds may not provide intelligence yet
Hunting for Anomalous Traffic
Profile HTTP for java-archives (potential deployment toolkit)
Rule: service = HTTP(80) && content = application/java-archive
Dig more on this
Internal host being referred to what?
Use the IP from the anomalous traffic analysis
Rule: ip.src = 156.145.x.x && referrer contains 'nytimes.com', 'foxnews.com', etc.
Redirection to 95.211.14.21
Netherlands hosting provider
95.211.14.21/measure/ad.php
Inspect ad.php
Rule to profile & find the ad.php query string:
service = HTTP(80) && (query contains 'pl=' && query contains 'ce=' && query contains 'hb=' && query contains 'av=' && query contains 'jv=')
ad.php behavior
Really? A .gif?
Downloads p.gif from the referred location
How many times have I seen this .gif?
Compromised Hosts
Rule: service = HTTP(80) && filename=p.gif && content =
application/octet-stream
3 Sessions
3 Unique hosts
Deeper Analysis
p.gif (an exe) appears corrupt
Does that mean no one was infected?
Let's have a look at the .jar
The .jar modifies the first two bytes of the binary to subvert MZ token signatures (the downloader restores them before execution, so a rule keyed on the MZ token never fires)
FlexParse: profile the malware
(screenshot: the MZ bytes are missing from the downloaded file)
Flex Parser for Obfuscated Exe in Image
<parser name="non_matching_app_content_type" desc="non_matching_app_content_type">
  <declaration>
    <meta name="alert" key="alert" format="Text"/>
    <token name="get" value="GET " options="linestart"/>
    <token name="content" value="This program cannot be run in DOS mode"/>
    <token name="content" value="This program must be run under Win32"/>
    <token name="named_types" value=".jpg HTTP/1.1" options="linestop"/>
    <token name="named_types" value=".gif HTTP/1.1" options="linestop"/>
    <!-- further named_types tokens (.png ... <snip>) elided on the original slide -->
    <number name="session_flag" scope="session"/>
  </declaration>
  <match name="get">
    <assign name="session_flag" value="0"/>
  </match>
  <match name="named_types">
    <if name="session_flag" equal="0">
      <assign name="session_flag" value="2"/>
    </if>
  </match>
  <match name="content">
    <if name="session_flag" equal="2">
      <register name="alert" value="non_matching_app_content_type"/>
      <assign name="session_flag" value="0"/>
    </if>
  </match>
</parser>
If a GET requests an image and the content contains "run in DOS mode" or "under Win32", alert: the DOS stub text survives even when the MZ signature has been tampered with.
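The parser above, as a Python check written for this page (an added example, not NetWitness code): a GET whose filename ends in an image extension, paired with a body carrying a DOS-stub string. It also covers the MZ tampering described on the previous slide: the e_lfanew field at offset 0x3C still points at the PE\0\0 signature when only the first two bytes have been overwritten, so the body is checked structurally as well as by string. The request, response and the fake PE body are constructed for the example.

```python
"""Added example for this page (not NetWitness code): flag an HTTP GET for an
image whose response body is really a Windows executable, including the case
where the leading 'MZ' bytes were overwritten to dodge signature matching."""
import re
import struct

IMAGE_REQUEST = re.compile(rb"^GET \S+\.(?:jpe?g|gif|png) HTTP/1\.[01]$")   # 'linestop' tokens
DOS_STUB_STRINGS = (b"This program cannot be run in DOS mode",
                    b"This program must be run under Win32")


def request_is_image_get(request: bytes) -> bool:
    first_line = request.split(b"\r\n", 1)[0]
    return IMAGE_REQUEST.match(first_line) is not None


def looks_like_pe(body: bytes) -> dict:
    """Three independent pieces of evidence; a patched 'MZ' leaves the other two intact."""
    ev = {"mz": body[:2] == b"MZ", "dos_stub": False, "pe_header": False}
    ev["dos_stub"] = any(s in body[:4096] for s in DOS_STUB_STRINGS)
    if len(body) >= 0x40:
        e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]   # offset of the PE header
        if 0x40 <= e_lfanew <= len(body) - 4:
            ev["pe_header"] = body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return ev


def non_matching_app_content_type(request: bytes, response: bytes) -> list:
    """The slide's rule: image GET + executable content => alert."""
    if not request_is_image_get(request):
        return []
    body = response.partition(b"\r\n\r\n")[2]
    ev = looks_like_pe(body)
    return ["non_matching_app_content_type"] if ev["dos_stub"] or ev["pe_header"] else []


def build_fake_pe(patch_mz: bool) -> bytes:
    """Constructed stand-in for a PE: DOS header, stub text, e_lfanew -> 'PE\\0\\0'."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    stub = b"This program cannot be run in DOS mode.\r\n$"
    hdr[0x4E:0x4E + len(stub)] = stub
    body = bytes(hdr) + b"PE\x00\x00\x4c\x01"              # PE signature + i386 machine type
    return (b"\x00\x00" + body[2:]) if patch_mz else body   # the .jar's two-byte tamper


REQUEST = b"GET /measure/p.gif HTTP/1.1\r\nHost: example.test\r\n\r\n"   # constructed
RESPONSE_HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"

if __name__ == "__main__":
    print(looks_like_pe(build_fake_pe(True)))
    print(non_matching_app_content_type(REQUEST, RESPONSE_HEAD + build_fake_pe(True)))
```

The structural check is what makes the "corrupt" p.gif on the previous slide classifiable: stripping "MZ" defeats a two-byte token, but an attacker who also wants the file to run after a trivial fix-up has to leave the DOS stub and the PE header where the loader expects them.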
Summary
Investigator is free!
Custom actions, feeds, rules and parsers expand analytical capabilities
Aggregating advanced indicators and profiling techniques really helps
Resources
Community (http://community.netwitness.com)
Rule examples
FlexParser examples
Tips/tricks
Discussion
YouTube (http://www.youtube.com/netwitness)
Training webcasts (www.netwitness.com)
Brian Girardi, brian@netwitness.com
Q&A
