
Cover story: Security Visualization Tools

Tools for visualizing IDS output

PICTURES

Spot intruders with these easy security visualization tools.

BY RUSS MCREE

The flood of raw data generated by intrusion detection systems (IDS) is often overwhelming for security specialists, and telltale signs of intrusion are sometimes overlooked in all the noise. Security visualization tools provide an easy, intuitive means for sorting through the dizzying data and spotting patterns that might indicate intrusion.

Certain analysis and detection tools use PCAP, the Packet Capture library, to capture traffic. Several PCAP-enabled applications are capable of saving the data collected during a listening session into a PCAP file, which is then read and analyzed with other tools. PCAP files offer a convenient means for preserving and replaying intrusion data.

In this article, I'll use PCAPs to explore a few popular free visualization tools. For each scenario, I'll show you how the attack looks to the Snort intrusion detection system [1], then I'll describe how the same incident would appear through a security visualization application.

In this article, I'll also explore the NetGrok, AfterGlow, Rumint, TNV, and EtherApe visualization tools. Most of these tools are available through the DAVIX Live CD [2], a SLAX-based Linux pre-loaded with several free analysis and visualization applications. The easiest way to explore the tools in this article is to download DAVIX. If you prefer to put these apps on your own native Linux, see the project websites for installation information.

You'll find the PCAP files described in this article at the Linux Magazine/Linux Pro Magazine website [3].

The following discussion assumes you have a basic understanding of intrusion detection systems in general and Snort in particular. If you are new to Snort, see the Snort user's manual, which you will find at the Snort website [4]. Other excellent Snort tutorials are available online and in print. (See the box titled Further Reading.)

Figure 1: Kraken.pcap in NetGrok's Graph View.

ISSUE 106 SEPTEMBER 2009

In this article, I'll describe some packet captures I've taken while analyzing a variety of malware samples. I also used a packet capture from OpenPacket.org, an excellent source for a variety of captures, as well as two from EvilFingers.com, another fine PCAP repository. The wiki for NetworkMiner [5], a Windows PCAP analysis tool, includes an excellent list of PCAP sites. The PCAPs used with this article were then read by the venerable Snort 2.7 on an Ubuntu 9.04 system with emerging-all.rules from EmergingThreats.net engaged.

If you feel like experimenting with DAVIX, run it in KDE graphic mode with 1GB minimum assigned to a virtual machine. Assigning a minimum of 1GB will give you enough memory to ensure good Snort performance at the command line and provide enough horsepower for the resource-hungry visualization tools.

NetGrok

NetGrok [6] is an OS-agnostic Java-based visualization tool that reads PCAP files directly and can listen on an available interface. Specifically, NetGrok describes itself as "…an excellent real-time diagnostic tool, enabling fast understanding of network traffic and easy problem detection."

NetGrok is the result of an effort during the Spring 2008 Information Visualization course taught by Ben Shneiderman at the University of Maryland, College Park. The team recently announced that NetGrok will be incorporated into the DAVIX Live CD.

The NetGrok visualization tool has two dependencies, both of which are met in the download archive, although each requires additional installation steps. The package includes an older version of libpcap, but you can opt to sudo apt-get install libpcap0.8 on an Ubuntu/Debian system. NetGrok also requires libjpcap. Unpack NetGrok and then cd /Netgrok/lib/linux. On my system, I copied the libjpcap files as follows:

    sudo cp libjpcap.so /usr/lib/jvm/java6openjdk/jre/lib/i386/
    sudo cp jpcap.jar /usr/lib/jvm/java6openjdk/jre/lib/ext/

You might then need to tune the groups.ini file found in the NetGrok root. In particular, I removed wireless from the Private1 reference.

To test NetGrok, I'll use the PCAP called Kraken.pcap, found on OpenPacket.org, listed in the Malicious category [7]. The file was originally named 12b0c78f05f33fe25e08addc60bd9b7c.pcap for the MD5 hash of the binary that generated the traffic. I simplified the name to match the name of the malware. Kraken is a spam bot; this variant made use of TCP/UDP port 447 for command and control.

After copying emerging-all.rules from Matt Jonkman's EmergingThreats.net to my Snort rules directory and enabling it in snort.conf, I ran kraken.pcap through Snort as follows:

    sudo snort -c /etc/snort/snort.conf -r kraken.pcap -l output/kraken

See Listing 1 for the resulting alerts.

Listing 1: Kraken.pcap in Snort

    [**] [1:2008105:3] ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound [**]
    [Classification: A Network Trojan was detected] [Priority: 1]
    02/22-04:20:53.112408 66.29.87.159:447 -> 192.168.2.5:1052
    UDP TTL:48 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
    Len: 24
    [Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax]
    [Xref => http://doc.emergingthreats.net/bin/view/Main/OdeRoor]

    [**] [1:2008108:3] ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**]
    [Classification: A Network Trojan was detected] [Priority: 1]
    02/22-04:20:53.806447 66.29.87.159:447 -> 192.168.2.5:1054
    TCP TTL:48 TOS:0x0 ID:23263 IpLen:20 DgmLen:1500 DF
    ***A**** Seq: 0xC6815265 Ack: 0x1D12B7D Win: 0x16D0 TcpLen: 20
    [Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax]
    [Xref => http://doc.emergingthreats.net/bin/view/Main/OdeRoor]

    [**] [1:2008110:3] ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**]
    [Classification: A Network Trojan was detected] [Priority: 1]
    02/22-04:20:53.810649 192.168.2.5:1054 -> 66.29.87.159:447
    TCP TTL:128 TOS:0x0 ID:459 IpLen:20 DgmLen:40 DF
    ***A**** Seq: 0x1D12B7D Ack: 0xC6815DCD Win: 0x4470 TcpLen: 20
    [Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax]
    [Xref => http://doc.emergingthreats.net/bin/view/Main/OdeRoor]

    [**] [1:2008103:3] ET TROJAN Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound [**]
    [Classification: A Network Trojan was detected] [Priority: 1]
    02/22-04:20:54.367395 192.168.2.5:1055 -> 66.29.87.159:447
    TCP TTL:128 TOS:0x0 ID:475 IpLen:20 DgmLen:64 DF
    ***AP*** Seq: 0x95E9CBD1 Ack: 0xC63DF5FA Win: 0x4470 TcpLen: 20
    [Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax]
    [Xref => http://doc.emergingthreats.net/bin/view/Main/OdeRoor]

Further Reading

If you are interested in security visualization, two books to consider for your library are Greg Conti's Security Data Visualization and Raffael Marty's Applied Security Visualization. Both books are remarkable in their beauty and content. Chapter 8 of Conti's book is dedicated to intrusion detection log visualization with special attention to TreeMaps. Two websites with samples and tips on security visualization are http://www.secviz.org/ and http://vizsec.org/.

Figure 2: Camda.pcap in AfterGlow.

Figure 3: Korgo.pcap in Rumint's Parallel Coordinate Plot.

The Snort alerts clearly indicate a conversation between the victim, 192.168.2.5, and the command and control server, 66.29.87.159. Given this information, how can NetGrok provide corollary findings?

Initialize NetGrok via java -jar netgrok20080928.jar. An elegant and simple UI will appear; next, click File, then Open PCAP File, and select kraken.pcap. You will see visual representations to match the data generated by Snort (Figure 1). Nodes in red are the nodes that utilize the most bandwidth, green utilize the least, and clear nodes mark zero-byte hosts.

while analyzing Storm malware. This malware chatters incessantly with its peers over encrypted UDP and creates massive log clutter. The resulting Snort alert is shown in Listing 2.

Listing 2: ecard.pcap in Snort

    [**] [1:2007701:4] ET TROJAN Storm Worm Encrypted Variant 1 Traffic (1) [**]
    [Classification: A Network Trojan was detected] [Priority: 1]
    05/03-15:07:28.722225 79.115.64.162:22149 -> 192.168.248.105:22724
    UDP TTL:116 TOS:0x0 ID:28417 IpLen:20 DgmLen:53
    Len: 25
    [Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm]
    [Xref => http://doc.emergingthreats.net/2007701]

The resulting NetGrok TreeMap view defines two clear facts. 192.168.248.105 is clearly the top talker (507043 bytes – denoted as a large red cube), and it is on the local network, indicated by the thicker black line separating it from external hosts. The other obvious finding is the plethora of peer hosts with which the local host conversed in 106- to 212-byte chunks. NetGrok also includes useful filtering mechanisms to allow host isolation by IP, bandwidth, and degree (ingress vs. egress).

AfterGlow

AfterGlow [9], which is the brainchild of Applied Security Visualization author Raffael Marty, is one of the many visualization tools included on the DAVIX distribution, where it is easily reached through the Visualize menu. The After-
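The correlation the article makes by eye between the Snort alerts in Listing 1 and NetGrok's views, as an added Python example (not code from the article or from NetGrok): it parses full-format Snort alerts and derives, per host, the figures NetGrok draws, namely bytes sent, egress and ingress degree, and whether the address is on a private range. The alert text is constructed from the values in Listing 1, and the private-range check is an assumption standing in for NetGrok's groups.ini.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in Snort's full-alert layout (Listing 1), Xref lines dropped.
SAMPLE_ALERTS = """\
[**] [1:2008105:3] ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound [**]
[Classification: A Network Trojan was detected] [Priority: 1]
02/22-04:20:53.112408 66.29.87.159:447 -> 192.168.2.5:1052
UDP TTL:48 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
Len: 24

[**] [1:2008110:3] ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**]
[Classification: A Network Trojan was detected] [Priority: 1]
02/22-04:20:53.810649 192.168.2.5:1054 -> 66.29.87.159:447
TCP TTL:128 TOS:0x0 ID:459 IpLen:20 DgmLen:40 DF
"""

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
PACKET = re.compile(r"^(\d\d/\d\d-[\d:.]+) (\S+):(\d+) -> (\S+):(\d+)$")
PROTO = re.compile(r"^(TCP|UDP|ICMP) .*DgmLen:(\d+)")

def parse_alerts(text):
    """One dict per alert: sid, msg, src/dst address and port, proto, IP datagram length."""
    alerts, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"sid": int(m.group(2)), "msg": m.group(4)}
            alerts.append(cur)
        elif cur and (m := PACKET.match(line)):
            cur.update(src=m.group(2), sport=int(m.group(3)),
                       dst=m.group(4), dport=int(m.group(5)))
        elif cur and (m := PROTO.match(line)):
            cur.update(proto=m.group(1), dgmlen=int(m.group(2)))
    return alerts

def summarize_hosts(alerts):
    """Per host, what NetGrok draws: bytes sent, egress/ingress degree, local or not.
    The private-range test stands in for NetGrok's groups.ini (an assumption here)."""
    hosts = defaultdict(lambda: {"bytes": 0, "out": set(), "in": set()})
    for a in alerts:
        hosts[a["src"]]["bytes"] += a.get("dgmlen", 0)
        hosts[a["src"]]["out"].add(a["dst"])
        hosts[a["dst"]]["in"].add(a["src"])
    return {ip: {"bytes": h["bytes"], "egress": len(h["out"]), "ingress": len(h["in"]),
                 "local": ip_address(ip).is_private} for ip, h in hosts.items()}

def top_talker(hosts):
    # The address that sent the most bytes: NetGrok's large red cube.
    return max(hosts, key=lambda ip: hosts[ip]["bytes"])
```

Feed it Snort's alert file instead of SAMPLE_ALERTS to get the same per-host table for a whole capture.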