Traffic visualization is a really important part of network security analysis. Without a proper graphical representation you will miss a lot of information that cannot be captured in any other way.
In the case of botnets, I'm interested in the synchronization patterns between bots and in the network behavior of infected hosts.
I have tried several different visualization tools for this task, using live traffic, pcaps and NetFlows, and by far the most useful to me was oip. Have you ever heard of it? No? I had not heard of it either. This simple and powerful tool was created at Utah State University some time ago; you can find the original version at https://it.wiki.usu.edu/OIP. Unfortunately, it seems to be abandoned. The author is unknown to me and the svn repository is down (https://svn.usu.edu/repos/organicips). The odp presentation was made by someone called Rian in 2008, but that's all. Fortunately, the tar file and videos are still available. Thanks a lot USU!
However, when I tried to use it, it was broken, probably because it was created for older systems. So I modified it to suit my needs. Now the oip sniffer is working again, with new features. You can find the new code here: https://github.com/eldraco/oip.
These are some screenshots of the oip sniffer:
You can also see some videos I have made of oip here:
The modifications I have done are:
- Now it runs on Linux without problems.
- Enlarged the packet balls so you can see them better.
- Changed the blue balls to white balls, so they are easier to see against dark backgrounds.
- Added the -e argument to speed up the analysis of pcap files. A value of 1000 means normal speed, 100 means 10x faster and 10 means 100x faster.
- Added the -c argument to give the pcap file name on the command line.
- If you give a pcap file name, the analysis starts right away!
- Fixed the code that adds the network device to the oip server.
So with the new oip working I set up my virtual machines and started infecting them. Usually I also run other tools in parallel to see what is going on on the network (wireshark, tcpdump, ngrep, iftop, etc.), but oip is my preferred tool for seeing the packets.
Start the server like this for your wlan0 device:
./oipd wlan0
And then start the gui like this:
./oipgui
In the gui, go to the blue button on the top left, select "Connection" and then fill in the Server field with localhost if you are running oip on your own machine, or with the IP address of the remote server if you are running it on another computer. Then hit "Connect" and you should see the packets.
I also recommend storing the traffic in pcap format at the same time, so you can "replay" it later if you need to.
With this incredible tool we can now see how the hosts are behaving, how and when they are connecting to other hosts, and find strange connection patterns.
If you have stored a pcap file, you can replay it with the gui like this:
./oipgui -c capture.pcap -e 10
The -e 10 in the example means replay 100x faster, so you don't have to wait too long on huge captures!
I'm planning to add some sort of "rewind" and "forward" options to the gui, so you can see some behavior again if you just spotted it in the window.
With oip I'm able to see more clearly which botnet characteristics I should study and which features are most useful for detection.
Hope you like the new oip, and if you have any problems, just tell me.