Flowinspect - A Network Inspection Tool
0 likes2,022 views
The document presents FlowInspect, a network inspection tool designed to address incident response needs, particularly in malware detection and data extraction. It outlines the tool's architecture, which includes input, inspection, and output modules, and proposes features like shellcode detection and flow dumping. Future goals involve enhancing protocol decoders and integrating with online scanners to improve functionality.
Flowinspect - A Network Inspection Tool
- 1. Flowinspect - A Network Inspection Tool Ankur Tyagi (@7h3rAm)
- 2. Outline ● Understanding Incident Response Requirements ● Vision for an Ideal Inspection Tool ● Introducing Flowinspect as a Viable Solution ● Flowinspect: Architecture ● Real-World Usecase Scenarios ● Future Goals
- 3. Understanding Incident Response Requirements ● ● ● You have been called to investigate an incident You analyze evidence and find traces of a malware You want to know: – Who were the actors? – What did they talk about? – What secrets did they share? – Which other hosts were compromised?
- 4. Understanding Incident Response Requirements ● ● ● ● ● Immediate response requires data Data from the exploit, payload delivered, C&C channel, etc. Tools like Wireshark, tcpdump, ngrep and flowgrep are helpful But they all have a few shortcomings Many are flow/stream agnostic and lack inspection features
- 5. Understanding Incident Response Requirements ● ● ● ● ● Tcpdump/Wireshark – Packet sniffing and comprehensive protocol decoding Ngrep/Flowgrep – Packet sniffing and regex matching over L4 packets and streams resp. How about network shellcode detection? How about malware identification and extraction from network flows? None of above tools address these requirements
- 6. Vision for an Ideal Inspection Tool ● Malware identification via signatures ● Shellcode emulation/detection ● Extraction of matching flows to files ● Match statistics (direction, offset, depth, size, packet #) ● Snort like Content Modifiers (offset/depth) ● Pcap generation for matching flows ● TCP reset for matching flows
- 7. Introducing Flowinspect as a Viable Solution
- 8. Introducing Flowinspect as a Viable Solution ● ● ● ● IP defragmentation and TCP reassembly extract data into stream buffers Multiple inspection modes – regex, fuzzy string, Yara, shellcode detection Inspection happens over layer 4 payload and as such is immune to fragmentation attacks Matching flows dumped via (a combination of) output modes for lateral analysis
- 9. Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
- 10. Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
- 11. Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
- 15. Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
- 19. Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
- 21. Flowinspect: Architecture ● Has 3 modules: input, inspection, and output – Input: libnids, BPF expressions, offset/depth, max flow/packet inspection counters – Inspection: regex, fuzzy, yara, shellcode – Output: match statistics, outmodes (meta, print, hex, raw), file writing, pcap generation
- 26. Future Goals ● Protocol decoders for HTTP, SMTP, POP3, IMAP, etc. ● File extraction and hash based inspection ● ● ● ● Javascript deobfuscation using SpiderMonkey or/and v8 File format characterization for Jar/PDF/Flash/MS Office/ELF/PE/... Integration with online scanners like VirusTotal, Wepawet, Anubis, Jsunpack, etc. Opensource - New ideas, suggestions, bugfixes are all equally welcome
- 27. Credits ● Many thanks to the following projects: – The Python Community – Libnids and Pynids – Fuzzywuzzy – Yara – Libemu and pyLibemu • FOSS community in general • Juniper Networks
- 28. Q&A
- 29. Thanks for your attention