SlideShare una empresa de Scribd logo

Flowinspect - A Network Inspection Tool

Ankur Tyagi
Ankur Tyagi

Flowinspect is a network traffic inspection utility. It uses pynids to defragment IP and reassemble TCP packets (UDP is inspected on a per-packet basis). Resulting flows are then inspected using the "re2" module that supports PCRE-like patterns, case-insensitive, invert and multiline matches, etc. In case re2 is not installed, Python's re module is used as a fallback. Match scope could be limited through BPF expressions or via Snort-like offset-depth content modifiers or packets/streams inspection limit flags. Flows could be logged to files in addition to being dumped on stdout. A few useful output modes help with further analysis.

Tecnología
1 de 30
Descargar para leer sin conexión
Flowinspect - A Network Inspection Tool Ankur Tyagi (@7h3rAm)
Outline ● Understanding Incident Response Requirements ● Vision for an Ideal Inspection Tool ● Introducing Flowinspect as a Viable Solution ● Flowinspect: Architecture ● Real-World Usecase Scenarios ● Future Goals
Understanding Incident Response Requirements ● ● ● You have been called to investigate an incident You analyze evidence and find traces of a malware You want to know: – Who were the actors? – What did they talk about? – What secrets did they share? – Which other hosts were compromised?
Understanding Incident Response Requirements ● ● ● ● ● Immediate response requires data Data from the exploit, payload delivered, C&C channel, etc. Tools like Wireshark, tcpdump, ngrep and flowgrep are helpful But they all have a few shortcomings Many are flow/stream agnostic and lack inspection features
Understanding Incident Response Requirements ● ● ● ● ● Tcpdump/Wireshark – Packet sniffing and comprehensive protocol decoding Ngrep/Flowgrep – Packet sniffing and regex matching over L4 packets and streams resp. How about network shellcode detection? How about malware identification and extraction from network flows? None of above tools address these requirements
Vision for an Ideal Inspection Tool ● Malware identification via signatures ● Shellcode emulation/detection ● Extraction of matching flows to files ● Match statistics (direction, offset, depth, size, packet #) ● Snort like Content Modifiers (offset/depth) ● Pcap generation for matching flows ● TCP reset for matching flows
Introducing Flowinspect as a Viable Solution
Introducing Flowinspect as a Viable Solution ● ● ● ● IP defragmentation and TCP reassembly extract data into stream buffers Multiple inspection modes – regex, fuzzy string, Yara, shellcode detection Inspection happens over layer 4 payload and as such is immune to fragmentation attacks Matching flows dumped via (a combination of) output modes for lateral analysis
Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
Flowinspect: Architecture
Flowinspect: Architecture
Flowinspect: Architecture
Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
Flowinspect: Architecture
Flowinspect: Architecture
Flowinspect: Architecture
Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
Flowinspect: Architecture
Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
Flowinspect: Architecture
Flowinspect: Architecture
Flowinspect: Architecture
Real-World Usecase Scenarios/ Demo
Future Goals ● Protocol decoders for HTTP, SMTP, POP3, IMAP, etc. ● File extraction and hash based inspection ● ● ● ● Javascript deobfuscation using SpiderMonkey or/and v8 File format characterization for Jar/PDF/Flash/MS Office/ELF/PE/... Integration with online scanners like VirusTotal, Wepawet, Anubis, Jsunpack, etc. Opensource - New ideas, suggestions, bugfixes are all equally welcome
Credits ● Many thanks to the following projects: – The Python Community – Libnids and Pynids – Fuzzywuzzy – Yara – Libemu and pyLibemu • FOSS community in general • Juniper Networks
Q&A
Thanks for your attention
Flowinspect - A Network Inspection Tool

Recomendados

Network based file carving
Network based file carvingNetwork based file carving
Network based file carvingGTKlondike
 
Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013Islam Azeddine Mennouchi
 
Tracer
TracerTracer
TracerSiddharth Singhal
 
Reverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation TovarReverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation TovarLancope, Inc.
 
Lee.stat
Lee.statLee.stat
Lee.statابراهيم العناني
 
Investigating server logs
Investigating server logsInvestigating server logs
Investigating server logsAnimesh Shaw
 
PHP's Filter Module
PHP's Filter ModulePHP's Filter Module
PHP's Filter ModuleChris Tankersley
 
Netmap (by luigi rizzo) простой и удобный opensource фреймворк для обработк...
Netmap (by luigi rizzo) простой и удобный opensource фреймворк для обработк...Netmap (by luigi rizzo) простой и удобный opensource фреймворк для обработк...
Netmap (by luigi rizzo) простой и удобный opensource фреймворк для обработк...Ontico
 

Recomendados

Network based file carving
Network based file carvingNetwork based file carving
Network based file carvingGTKlondike
 
Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013Islam Azeddine Mennouchi
 
Tracer
TracerTracer
TracerSiddharth Singhal
 
Reverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation TovarReverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation TovarLancope, Inc.
 
Lee.stat
Lee.statLee.stat
Lee.statابراهيم العناني
 
Investigating server logs
Investigating server logsInvestigating server logs
Investigating server logsAnimesh Shaw
 
PHP's Filter Module
PHP's Filter ModulePHP's Filter Module
PHP's Filter ModuleChris Tankersley
 
Netmap (by luigi rizzo) простой и удобный opensource фреймворк для обработк...
Netmap (by luigi rizzo) простой и удобный opensource фреймворк для обработк...Netmap (by luigi rizzo) простой и удобный opensource фреймворк для обработк...
Netmap (by luigi rizzo) простой и удобный opensource фреймворк для обработк...Ontico
 
DABiS800
DABiS800DABiS800
DABiS800Ralph Andreas
 
Dematic Logistics Review #4
Dematic Logistics Review #4Dematic Logistics Review #4
Dematic Logistics Review #4hagenbucksw
 
Tieto Enator
Tieto EnatorTieto Enator
Tieto Enatorsvatle
 
Optimizing the Virtual Environment
Optimizing the Virtual EnvironmentOptimizing the Virtual Environment
Optimizing the Virtual Environmentuptime software
 
OutSys Company Presentation
OutSys Company PresentationOutSys Company Presentation
OutSys Company PresentationOutSys
 
Safend- DL
Safend- DLSafend- DL
Safend- DLdanilopv
 
Bloombase 为 KVM 企业级虚拟数据中心提供全方位信息安全保护及运算
Bloombase 为 KVM 企业级虚拟数据中心提供全方位信息安全保护及运算Bloombase 为 KVM 企业级虚拟数据中心提供全方位信息安全保护及运算
Bloombase 为 KVM 企业级虚拟数据中心提供全方位信息安全保护及运算Bloombase
 
Mapa Mental
Mapa MentalMapa Mental
Mapa Mentaledwinfloresorozco
 
Guide to Investment: Republic of Tatarstan
Guide to Investment: Republic of TatarstanGuide to Investment: Republic of Tatarstan
Guide to Investment: Republic of TatarstanInvestTatarstan
 
30 Band Marks
30 Band Marks30 Band Marks
30 Band MarksBill_Rosner
 
Tranzeo
TranzeoTranzeo
TranzeoShahab Shahid
 
New concepts in human
New concepts in humanNew concepts in human
New concepts in humanbechikmn
 
Catalog Sew-Eurodrive
Catalog Sew-EurodriveCatalog Sew-Eurodrive
Catalog Sew-EurodriveBui Viet Phuong
 
History of the llano estacado
History of the llano estacadoHistory of the llano estacado
History of the llano estacadoMark McGinley
 
Estrategias y recursos i
Estrategias y recursos iEstrategias y recursos i
Estrategias y recursos ijkrls
 
E-group's pitch
E-group's pitchE-group's pitch
E-group's pitchi7
 
Desafios jurídicos de Internet
Desafios jurídicos de InternetDesafios jurídicos de Internet
Desafios jurídicos de InternetLoreto Corredoira
 
Girl, interrupted
Girl, interruptedGirl, interrupted
Girl, interruptedshelbi_jennett
 
Somerdata AROW Data Diode
Somerdata AROW Data DiodeSomerdata AROW Data Diode
Somerdata AROW Data DiodeSomerdata
 
ABP o PBL
ABP o PBLABP o PBL
ABP o PBLyosoyarual
 
Monitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance AnalysisMonitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance AnalysisBrendan Gregg
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 

Más contenido relacionado

Destacado

Dematic Logistics Review #4
Dematic Logistics Review #4Dematic Logistics Review #4
Dematic Logistics Review #4hagenbucksw
 
Tieto Enator
Tieto EnatorTieto Enator
Tieto Enatorsvatle
 
Optimizing the Virtual Environment
Optimizing the Virtual EnvironmentOptimizing the Virtual Environment
Optimizing the Virtual Environmentuptime software
 
OutSys Company Presentation
OutSys Company PresentationOutSys Company Presentation
OutSys Company PresentationOutSys
 
Safend- DL
Safend- DLSafend- DL
Safend- DLdanilopv
 
Bloombase 为 KVM 企业级虚拟数据中心提供全方位信息安全保护及运算
Bloombase 为 KVM 企业级虚拟数据中心提供全方位信息安全保护及运算Bloombase 为 KVM 企业级虚拟数据中心提供全方位信息安全保护及运算
Bloombase 为 KVM 企业级虚拟数据中心提供全方位信息安全保护及运算Bloombase
 
Guide to Investment: Republic of Tatarstan
Guide to Investment: Republic of TatarstanGuide to Investment: Republic of Tatarstan
Guide to Investment: Republic of TatarstanInvestTatarstan
 
New concepts in human
New concepts in humanNew concepts in human
New concepts in humanbechikmn
 
History of the llano estacado
History of the llano estacadoHistory of the llano estacado
History of the llano estacadoMark McGinley
 
Estrategias y recursos i
Estrategias y recursos iEstrategias y recursos i
Estrategias y recursos ijkrls
 
E-group's pitch
E-group's pitchE-group's pitch
E-group's pitchi7
 
Desafios jurídicos de Internet
Desafios jurídicos de InternetDesafios jurídicos de Internet
Desafios jurídicos de InternetLoreto Corredoira
 
Somerdata AROW Data Diode
Somerdata AROW Data DiodeSomerdata AROW Data Diode
Somerdata AROW Data DiodeSomerdata
 

Destacado (20)

DABiS800
DABiS800DABiS800
DABiS800
 
Dematic Logistics Review #4
Dematic Logistics Review #4Dematic Logistics Review #4
Dematic Logistics Review #4
 
Tieto Enator
Tieto EnatorTieto Enator
Tieto Enator
 
Optimizing the Virtual Environment
Optimizing the Virtual EnvironmentOptimizing the Virtual Environment
Optimizing the Virtual Environment
 
OutSys Company Presentation
OutSys Company PresentationOutSys Company Presentation
OutSys Company Presentation
 
Safend- DL
Safend- DLSafend- DL
Safend- DL
 
Bloombase 为 KVM 企业级虚拟数据中心提供全方位信息安全保护及运算
Bloombase 为 KVM 企业级虚拟数据中心提供全方位信息安全保护及运算Bloombase 为 KVM 企业级虚拟数据中心提供全方位信息安全保护及运算
Bloombase 为 KVM 企业级虚拟数据中心提供全方位信息安全保护及运算
 
Mapa Mental
Mapa MentalMapa Mental
Mapa Mental
 
Guide to Investment: Republic of Tatarstan
Guide to Investment: Republic of TatarstanGuide to Investment: Republic of Tatarstan
Guide to Investment: Republic of Tatarstan
 
30 Band Marks
30 Band Marks30 Band Marks
30 Band Marks
 
Tranzeo
TranzeoTranzeo
Tranzeo
 
New concepts in human
New concepts in humanNew concepts in human
New concepts in human
 
Catalog Sew-Eurodrive
Catalog Sew-EurodriveCatalog Sew-Eurodrive
Catalog Sew-Eurodrive
 
History of the llano estacado
History of the llano estacadoHistory of the llano estacado
History of the llano estacado
 
Estrategias y recursos i
Estrategias y recursos iEstrategias y recursos i
Estrategias y recursos i
 
E-group's pitch
E-group's pitchE-group's pitch
E-group's pitch
 
Desafios jurídicos de Internet
Desafios jurídicos de InternetDesafios jurídicos de Internet
Desafios jurídicos de Internet
 
Girl, interrupted
Girl, interruptedGirl, interrupted
Girl, interrupted
 
Somerdata AROW Data Diode
Somerdata AROW Data DiodeSomerdata AROW Data Diode
Somerdata AROW Data Diode
 
ABP o PBL
ABP o PBLABP o PBL
ABP o PBL
 

Similar a Flowinspect - A Network Inspection Tool

Monitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance AnalysisMonitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance AnalysisBrendan Gregg
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014chrissanders88
 
Snap Telemetry Framework & Plugin Architecture at GrafanaCon 2016
Snap Telemetry Framework & Plugin Architecture at GrafanaCon 2016Snap Telemetry Framework & Plugin Architecture at GrafanaCon 2016
Snap Telemetry Framework & Plugin Architecture at GrafanaCon 2016Matthew Broberg
 
Co se skrývá v datovém provozu? - Pavel Minařík
Co se skrývá v datovém provozu? - Pavel MinaříkCo se skrývá v datovém provozu? - Pavel Minařík
Co se skrývá v datovém provozu? - Pavel MinaříkSecurity Session
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014chrissanders88
 
Introduction to Apache Kafka
Introduction to Apache KafkaIntroduction to Apache Kafka
Introduction to Apache KafkaRicardo Bravo
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laShainaBoling829
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
Hacking - penetration tools
Hacking - penetration toolsHacking - penetration tools
Hacking - penetration toolsJenishChauhan4
 
Traffic monitoring
Traffic monitoringTraffic monitoring
Traffic monitoringRadu Galbenu
 
Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP FRSecure
 

Similar a Flowinspect - A Network Inspection Tool (20)

Monitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance AnalysisMonitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance Analysis
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014
 
Nginx conf.compressed
Nginx conf.compressedNginx conf.compressed
Nginx conf.compressed
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
 
Snap Telemetry Framework & Plugin Architecture at GrafanaCon 2016
Snap Telemetry Framework & Plugin Architecture at GrafanaCon 2016Snap Telemetry Framework & Plugin Architecture at GrafanaCon 2016
Snap Telemetry Framework & Plugin Architecture at GrafanaCon 2016
 
Co se skrývá v datovém provozu? - Pavel Minařík
Co se skrývá v datovém provozu? - Pavel MinaříkCo se skrývá v datovém provozu? - Pavel Minařík
Co se skrývá v datovém provozu? - Pavel Minařík
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014
 
Introduction to Apache Kafka
Introduction to Apache KafkaIntroduction to Apache Kafka
Introduction to Apache Kafka
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and la
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
Debunking Common Myths in Stream Processing
Debunking Common Myths in Stream ProcessingDebunking Common Myths in Stream Processing
Debunking Common Myths in Stream Processing
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
wireshark.pdf
wireshark.pdfwireshark.pdf
wireshark.pdf
 
Hacking - penetration tools
Hacking - penetration toolsHacking - penetration tools
Hacking - penetration tools
 
Traffic monitoring
Traffic monitoringTraffic monitoring
Traffic monitoring
 
Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP
 

Último

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Último (20)

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Flowinspect - A Network Inspection Tool

  • 1. Flowinspect - A Network Inspection Tool Ankur Tyagi (@7h3rAm)
  • 2. Outline ● Understanding Incident Response Requirements ● Vision for an Ideal Inspection Tool ● Introducing Flowinspect as a Viable Solution ● Flowinspect: Architecture ● Real-World Usecase Scenarios ● Future Goals
  • 3. Understanding Incident Response Requirements ● ● ● You have been called to investigate an incident You analyze evidence and find traces of a malware You want to know: – Who were the actors? – What did they talk about? – What secrets did they share? – Which other hosts were compromised?
  • 4. Understanding Incident Response Requirements ● ● ● ● ● Immediate response requires data Data from the exploit, payload delivered, C&C channel, etc. Tools like Wireshark, tcpdump, ngrep and flowgrep are helpful But they all have a few shortcomings Many are flow/stream agnostic and lack inspection features
  • 5. Understanding Incident Response Requirements ● ● ● ● ● Tcpdump/Wireshark – Packet sniffing and comprehensive protocol decoding Ngrep/Flowgrep – Packet sniffing and regex matching over L4 packets and streams resp. How about network shellcode detection? How about malware identification and extraction from network flows? None of above tools address these requirements
  • 6. Vision for an Ideal Inspection Tool ● Malware identification via signatures ● Shellcode emulation/detection ● Extraction of matching flows to files ● Match statistics (direction, offset, depth, size, packet #) ● Snort like Content Modifiers (offset/depth) ● Pcap generation for matching flows ● TCP reset for matching flows
  • 7. Introducing Flowinspect as a Viable Solution
  • 8. Introducing Flowinspect as a Viable Solution ● ● ● ● IP defragmentation and TCP reassembly extract data into stream buffers Multiple inspection modes – regex, fuzzy string, Yara, shellcode detection Inspection happens over layer 4 payload and as such is immune to fragmentation attacks Matching flows dumped via (a combination of) output modes for lateral analysis
  • 9. Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
  • 10. Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
  • 11. Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
  • 15. Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
  • 19. Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
  • 21. Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
  • 26. Future Goals ● Protocol decoders for HTTP, SMTP, POP3, IMAP, etc. ● File extraction and hash based inspection ● ● ● ● Javascript deobfuscation using SpiderMonkey or/and v8 File format characterization for Jar/PDF/Flash/MS Office/ELF/PE/... Integration with online scanners like VirusTotal, Wepawet, Anubis, Jsunpack, etc. Opensource - New ideas, suggestions, bugfixes are all equally welcome
  • 27. Credits ● Many thanks to the following projects: – The Python Community – Libnids and Pynids – Fuzzywuzzy – Yara – Libemu and pyLibemu • FOSS community in general • Juniper Networks
  • 28. Q&A
  • 29. Thanks for your attention