Hi,

I wonder if someone knows a tool to use a tcpdump output for anomaly detection. It is sometimes really time consuming when looking for identical patterns in the tcpdump output.

It would be helpful to get a diff between SYNs and ACKs, e.g. Or look for a pattern in a URL. Or just get some time diffs, e.g. when an ACK is sent but the client is waiting for data etc.

We would like to decrease the time to investigate the cause of unusual network behaviour.

Best
Stefan

--
Stefan Hegger
Internet System Engineer
Stefan.Hegger@lycos-europe.com
Tel: +49 5241 8071 334
Lycos Europe GmbH
Carl-Bertelsmann Str. 29
Postfach 315
33311 Gütersloh
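As an added example (not part of the thread and not any of the tools named in it), a small script that does the kind of checks Stefan describes directly on `tcpdump -tt -n` text output: it measures the SYN to SYN/ACK delay per connection, lists SYNs that never got a SYN/ACK, and flags the case where the server ACKs a request and then leaves the client waiting for data longer than a threshold. It assumes the modern `Flags [S.]` line style and IPv4; the sample lines are constructed.

```python
import re

# One line of `tcpdump -tt -n` output (epoch timestamp, IPv4, modern "Flags [..]" style; assumed).
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sp>\d+) > (?P<dst>[\d.]+)\.(?P<dp>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)"
)

# Constructed sample: one request with a slow server reply, one SYN that is never answered.
SAMPLE = """\
1164209653.100000 IP 10.0.0.5.51234 > 10.0.0.9.80: Flags [S], seq 1, win 65535, length 0
1164209653.250000 IP 10.0.0.9.80 > 10.0.0.5.51234: Flags [S.], seq 100, ack 2, win 65535, length 0
1164209653.251000 IP 10.0.0.5.51234 > 10.0.0.9.80: Flags [.], ack 101, win 65535, length 0
1164209653.252000 IP 10.0.0.5.51234 > 10.0.0.9.80: Flags [P.], seq 1:80, ack 101, win 65535, length 79
1164209653.300000 IP 10.0.0.9.80 > 10.0.0.5.51234: Flags [.], ack 80, win 65535, length 0
1164209656.800000 IP 10.0.0.9.80 > 10.0.0.5.51234: Flags [P.], seq 101:300, ack 80, win 65535, length 199
1164209660.000000 IP 10.0.0.7.40000 > 10.0.0.9.80: Flags [S], seq 5, win 65535, length 0
"""

def parse(lines):
    """Yield (timestamp, (src_ip, src_port), (dst_ip, dst_port), flags, payload_len); skip other lines."""
    for line in lines:
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            yield float(d["ts"]), (d["src"], d["sp"]), (d["dst"], d["dp"]), d["flags"], int(d["len"])

def analyze(lines, stall_threshold=1.0):
    """Return (SYN->SYN/ACK delay per (client, server) flow, flows whose SYN got no SYN/ACK,
    flows where the server sent a bare ACK and then kept the client waiting for data)."""
    syn_at, handshake, bare_ack_at, stalls = {}, {}, {}, []
    for ts, src, dst, flags, length in parse(lines):
        flow = (dst, src)  # flow key is (client, server); server packets have src/dst swapped
        if flags == "S":
            syn_at[(src, dst)] = ts
        elif flags == "S." and flow in syn_at and flow not in handshake:
            handshake[flow] = round(ts - syn_at[flow], 3)
        elif flags == "." and length == 0 and flow in syn_at:
            bare_ack_at[flow] = ts  # server acknowledged the request without replying: client waits
        elif length > 0 and flow in bare_ack_at:
            wait = round(ts - bare_ack_at.pop(flow), 3)  # first server data after the bare ACK
            if wait >= stall_threshold:
                stalls.append((flow, wait))
    unanswered = sorted(f for f in syn_at if f not in handshake)
    return handshake, unanswered, stalls

if __name__ == "__main__":
    hs, unanswered, stalls = analyze(SAMPLE.splitlines())
    for flow, dt in hs.items():
        print("handshake", flow, f"{dt:.3f}s")
    for flow in unanswered:
        print("SYN without SYN/ACK", flow)
    for flow, dt in stalls:
        print("client waited", f"{dt:.3f}s", "for data after server ACK", flow)
```

To run it on a real capture, pipe `tcpdump -tt -n -r file.pcap` into `analyze(sys.stdin)` instead of the sample.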
On 11/22/06, Stefan Hegger <Stefan.Hegger@lycos-europe.com> wrote:
Hi,
I wonder if someone knows a tool to use a tcpdump output for anomaly detection. It is sometimes really time consuming when looking for identical patterns in the tcpdump output.
It would be helpful to get a diff between SYNs and ACKs, e.g. Or look for a pattern in a URL. Or just get some time diffs, e.g. when an ACK is sent but the client is waiting for data etc.
We would like to decrease time to investigate the cause for an unusual network behaviour.
Best Stefan -- Stefan Hegger Internet System Engineer Stefan.Hegger@lycos-europe.com Tel: +49 5241 8071 334
Lycos Europe GmbH Carl-Bertelsmann Str. 29 Postfach 315 33311 Gütersloh
http://www.wireshark.org

--
Rodrick R. Brown
http://groups.yahoo.com/group/wallstandtech
-----Original Message-----
I wonder if someone knows a tool to use a tcpdump output for anomaly detection. It is sometimes really time consuming when looking for identical patterns in the tcpdump output.
It would be helpful to get a diff between SYNs and ACKs, e.g. Or look for a pattern in a URL. Or just get some time diffs, e.g. when an ACK is sent but the client is waiting for data etc.
For anomaly detection there is Ourmon. It can be downloaded at: http://jerry.cat.pdx.edu/ourmon/download.html

You can preview it running at Portland State University at: http://jerry.cat.pdx.edu/ourmon/

However, I believe this isn't as detailed or low-level as what you're looking for. In any case, it's a great tool for seeing unusual patterns or strange behavior on your network.

Tony
Do people still use snort for this? snort -r filename, IIRC

-w

On Wednesday 22 November 2006 at 16:34 +0100, Stefan Hegger wrote:
Hi,
I wonder if someone knows a tool to use a tcpdump output for anomaly detection. It is sometimes really time consuming when looking for identical patterns in the tcpdump output.
It would be helpful to get a diff between SYNs and ACKs, e.g. Or look for a pattern in a URL. Or just get some time diffs, e.g. when an ACK is sent but the client is waiting for data etc.
We would like to decrease time to investigate the cause for an unusual network behaviour.
Best Stefan
On Wednesday 22 November 2006 09:34, Stefan Hegger wrote:
Hi,
I wonder if someone knows a tool to use a tcpdump output for anomaly detection. It is sometimes really time consuming when looking for identical patterns in the tcpdump output.
It would be helpful to get a diff between SYNs and ACKs, e.g. Or look for a pattern in a URL. Or just get some time diffs, e.g. when an ACK is sent but the client is waiting for data etc.
We would like to decrease time to investigate the cause for an unusual network behaviour.
Best Stefan
Here are my suggestions:

1. [NOTE: I am biased toward this one, for some personal reasons ;)] I would highly recommend you to read some of the papers of the gold certified SANS people - start here: http://www.giac.org/certified_professionals/listing/gcia_100_781.php

2. Another option is getting Richard Bejtlich's books "Intrusion Detection ..." & "Extrusion Detection ..." and getting some ideas from that material.

Regards,
[another] Stefan
On Nov 22, 2006, at 12:37 PM, Netfortius wrote:
I wonder if someone knows a tool to use a tcpdump output for anomaly detection. It is sometimes really time consuming when looking for identical patterns in the tcpdump output.
For this sort of thing, you can do it far more scalably with NetFlow. There are several good commercial NetFlow-based anomaly-detection systems (Arbor, Lancope, Narus, Q1, etc.) and even an open-source project (currently fallow) called Panoptis.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

All battles are perpetual. -- Milton Friedman
--On November 22, 2006 4:34:13 PM +0100 Stefan Hegger <Stefan.Hegger@lycos-europe.com> wrote:
Hi,
I wonder if someone knows a tool to use a tcpdump output for anomaly detection. It is sometimes really time consuming when looking for identical patterns in the tcpdump output.
Check out Argus, <http://www.qosient.com/argus/>. (I recommend still using version 2, version 3 is not quite production quality yet...)

Argus is a stream analyzer, instead of a packet analyzer. You can search argus data by tcp flags, by regular expression on the data (if you enable stream data logging, which is optional), or several other options. See the argus site for more information.

-David
On Nov 22, 2006, at 7:34 AM, Stefan Hegger wrote:
Hi,
I wonder if someone knows a tool to use a tcpdump output for anomaly detection. It is sometimes really time consuming when looking for identical patterns in the tcpdump output.
SiLK is a powerful toolset for analyzing netflow and pcap data generated from TCPDUMP. It's a slight learning curve, but worth it IMHO. Fairly good documentation too.

http://tools.netsa.cert.org/silk/silk_docs.html
http://tools.netsa.cert.org/silk/analysis-handbook.pdf

From that toolset, you can use "rwptoflow" to generate flow records from TCPDUMP to SiLK format.

http://tools.netsa.cert.org/silk/rwptoflow.html

You might also look at "softflowd" [1] or similar tool to export netflow records from whatever box you're using TCPDUMP to capture data. Then you can output netflow records directly to most of the aforementioned netflow packages. Having the actual packet data is useful later once you've found something suspicious, or for snort.. etc.

[1] http://www.mindrot.org/projects/softflowd/

--Jason
Hey Everyone,

I've noticed an increased interest in Panoptis so I thought I'd send this email out: Panoptis has been updated so that it compiles/runs with newer systems. It works on Debian Sarge for sure, should do the same on any system with GCC 3.3.5 and CommonC++2 1.5.3 at the very least. It is still rough around the edges and no new features; just an update to get it working.

http://panoptis.sourceforge.net/

Cheers,
--Payam

Jason Chambers wrote:
On Nov 25, 2006, at 6:17 AM, Jason Chambers wrote:
You might also look at "softflowd" [1] or similar tool to export netflow records from whatever box you're using TCPDUMP to capture data.
Of course exporting flow records from routers is preferable..
--Jason
Participants (9): Brock, Anthony - NET; David Nolan; Jason Chambers; Netfortius; Payam; Rodrick Brown; Roland Dobbins; Stefan Hegger; William Waites