A study in detecting network intruders
What to Look For?
The art of network analysis involves sorting out the known and intended traffic so that detailed investigations focus on connections of interest. At the end of the day, you are looking for the unusual – true to the Sherlock Holmes motto: "Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth." At the network level, there may be traffic that should not normally exist. This unusual traffic may manifest itself in systems communicating (or attempting to communicate) with unusual targets on unusual ports.
The other axis for detecting unusual behavior is the time axis. Malware can repeatedly be identified by its tendency to phone home very regularly. A heartbeat pattern on the time axis is a good indicator. If the employees work in the office from 9 a.m. to 5 p.m., the desktops should only update around midnight at the most. If there is a local update server, traffic to the outside should be completely absent.
The geographical distribution of traffic directed to the Internet is also interesting. If there are no business relations to former Soviet Union countries and no employees, the traffic can be interpreted as a warning sign.
If a web proxy is used, admins can also use its logs as a data source. In addition to the analysis of unknown domain names and target IPs in unusual countries, the HTTP return code also helps to clarify the situation. Command and control servers often disappear again without the malware noticing. Access via the proxy then fails but leaves a trace. An unknown host causes error code 503 on a Squid proxy:
1541025318.775 32 10.10.10.10 TCP_MISS/503 4040 GET http://www.skjhskshdf.sfkhskfshf/ - HIER_NONE/- text/html
The code alone is not yet an indicator, but it reduces the number of logs you'll need to search to find an answer.
If one of the methods presented in this article reveals an anomaly, be it a domain name, a network area on the Internet, or something similar, you should check all the sources after the occurrence of the indicator. Not infrequently, only one indicator remains unchanged (e.g., only the port if addresses or domain names change).
To make your work easier, solutions like ELK prove very useful. Common sense, paired with knowledge of what is considered normal on your own network, will help you filter out normal traffic with the data sources in order to find that needle in the haystack.
Infos
- tcpdump: http://www.tcpdump.org
- Wireshark: http://www.wireshark.org
- ELK Stack: https://www.elastic.co/elk-stack
- Splunk: https://www.splunk.com
- Dumpcap: https://www.wireshark.org/docs/man-pages/dumpcap.html
- TShark: https://www.wireshark.org/docs/man-pages/tshark.html
- NetFlow: https://en.wikipedia.org/wiki/Netflow
- NetFlow module for Logstash: https://www.elastic.co/guide/en/logstash/current/netflow-module.html
- Open vSwitch: http://www.openvswitch.org
- ipt_netflow kernel module: https://github.com/aabc/ipt-netflow
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.