What is a network tool that collects copies of packets from the network and analyzes them?

Network Monitoring

■

Packet sniffer This tool allows you to collect all the data that is being transmitted to and from the endpoints on the network. The advantage of collecting individual packets is that you will have an insight and detailed inspection of how certain traffic is being transmitted.

Event logs Logs are records of events that have occurred and actions that were taken. Many systems will provide logs that will give automated information on events that have occurred, including accounts that were used to log on, activities performed by users and by the system, and problems that transpired. On many systems, the logs may be simple text files that are saved to a location on the local hard drive or a network server. In other cases, the system will provide a specific tool for viewing the information.

Password lists Password lists should contain all the passwords used to perform administrative or maintenance tasks on the network. This includes passwords for

Administrative and administrator account for servers and workstations.

Setup and configuration utilities on computers and other devices.

Administrative features in software.

Files, such as those containing other passwords or documentation containing procedures.

Notification documentation Notification documentation includes contact information for specific people in an organization, their roles, and when they should be called. The contact information included in notification documentation should provide several methods of contacting the appropriate person. Notification procedures should also include contact information for certain outside parties who are contracted to support specific systems.

Solutions Fast Track

What Is Snort?

Snort is a packet sniffer, a packet logger, and a network IDS.

Snort runs on various operating systems and hardware platforms, including many UNIX systems and Windows. Hardware platforms include Intel-based systems, PA-RISC, PowerPC, and Sparc.

We highly recommended having a large hard disk for data storage. Additionally, it is recommended to have two network interfaces on the system: one to run in promiscuous mode and the other for typical network connectivity (for example, SSH and HTTPS).

Exploring Snort's Features

Snort's major components are the preprocessor, the detection engine, and the alert/logging components. All of Snort's components are implemented as plug-ins to increase flexibility.

The preprocessor is used to take the packet data and process it before the data gets checked against the rules in the detection engine.

The detection engine works by checking the data in each packet against a ruleset. Snort comes with a standard set of rules, but administrators can write their own as well.

The alert/logging component takes the output of the data after it gets checked against the ruleset. The data can go straight into a log file in text or binary (TCPDump data) format. In addition, the data can be stored in SQL databases or be sent over the network through SNMP traps or WinPopup messages.

Using Snort on Your Network

Snort can be used in various ways on your network. You can use it as a packet sniffer or as a packet logger in addition to for network intrusion detection.

Snort can write packets in both text and binary mode. Binary mode is also known as TCPDump data format. This is not human readable, but it is a standard that Snort, TCPDump, and Ethereal all use to read and write network data. In addition to writing data, Snort can also filter the data to human-readable format from the binary format.

Snort as an IDS needs to go on each of the private subnets you plan to monitor. It also helps to be able to place a Snort system behind the screening router as well.

Security Considerations with Snort

Like any other application, Snort is subject to security vulnerabilities, including buffer overflows and DoS attacks.

Snort should be upgraded on a regular basis to keep up-to-date with the latest signatures and the latest bug fixes with the application itself.

In addition to securing the Snort application, you also need to secure the OS. This includes disabling unnecessary services, regularly applying patches, and proper configuration. It also includes encrypting sensitive traffic, such as login sessions with SSH and HTTP traffic with SSL.

Snoop

Snoop is a full packet sniffer. The output of snoop goes into the same memory buffer that debug sends to. The biggest difference between debug and snoop is that snoop can dump the actual contents of the packets to the memory buffer. snoop output is more difficult to read than debug output and is typically used when the contents of the packets need to be analyzed. The following are the commands for using snoop:

snoop Starts the snoop capture.

snoop info Displays current snoop status.

snoop detail Enables full packet logging. This logs the full contents of the packets.

snoop off Turns off the snoop capture.

snoop filter Allows you to filter what gets captured. Employs syntax similar to that used for debug filtering.

clear db Clears the debug memory buffer.

get dbuf stream Displays the output for analysis.

Roles and Rules

You can use Snort as a packet sniffer somewhat comparable to tcpdump (www.tcpdump.org), allowing you to capture and display whole packets or selected header information, or as a packet logger, but its principle attraction is its robust and flexible rule-based intrusion detection. This extends its capabilities far beyond simple logging; its protocol analysis and content-filtering capabilities enable it to detect buffer overflows, port scans, SMB probes, and so on.

Snort rules are by no means rocket science, but most administrators will want to tap into the wider (much wider!) Snort community of security professionals and benefit from their collective input into the development of customized rules, rather than spending 24 hours a day “rolling their own” rules.

The Sourcefire Vulnerability Research Team (VRT) certifies rules for Sourcefire customers and registered Snort users (www.snort.org/rules/), though unregistered users only get a static rule set at the time of each major Snort release. VRT also maintains a community rule set containing rules submitted by the open-source Snort community. These rules are supplied as is, and only basic testing is applied by VRT—that is, sufficient to ensure that they don't break the application. However, community rules are often expertly created and rigorously tested by the community before they are submitted to VRT.

The Bleedingsnort resource at www.bleedingsnort.com is a source of “bleeding-edge” rules and signatures of variable quality. Their usefulness depends, again, on the constructional and testing abilities of their creator.

Packet Sniffers

Of all the network traffic data sources, packet sniffers can collect the most information on network activity. However, sniffers might capture huge volumes of benign data as well.millions or billions of packets.and typically provide no indication as to which packets might contain malicious activity. In most cases, packet sniffers are best used to provide more data on events that other devices or software has identified as possibly malicious. Some organizations record most or all packets for some period of time so that when an incident occurs, the raw network data is available for examination and analysis. Packet sniffer data is best reviewed with a protocol analyzer, which interprets the data for the analyst based on knowledge of protocol standards and common implementations.

2.1.1.1 Packet Analyzing/Sniffing

Packet analyzers, sometimes also referred to as packet sniffers, allow the capturing or monitoring of network traffic through the installation of custom software on a device. Generally, a device's network connection ignores traffic that is not addressed to it, but by making use of sniffing software, the device can pick up everything that is being transmitted over the network. Although this technique may be used in a non-malicious way from a maintenance, monitoring, and troubleshooting perspective [11], it may also be abused to inspect data packets and extract valuable information such as passwords, IP addresses, and so forth. This, in turn, may result in the launching of more sophisticated types of attacks including:

Spoofing Attacks: A spoofing attack occurs when a packet sniffer impersonates another device or user on a network. This is typically done in order to launch attacks against network hosts, steal data, spread malware, or bypass access controls that have been put in place [12]. Furthermore, several different types of spoofing attacks may be utilized in this endeavor, including IP address spoofing attacks, Address Resolution Protocol (ARP) spoofing attacks, and Domain Name System (DNS) server spoofing attacks.

Session Sidejacking: A session sidejacking attack allows packet sniffers to steal session cookies or variables, thereby ultimately hijacking a user's session (on a particular social network for example) and impersonating them.

Man-in-the-Middle Attack: A man-in-the-middle attack, often abbreviated as MITM, MitM, MiM, or MIM, allows a packet sniffer to redirect all traffic between two parties communicating over the same network, without the end parties being aware of it [13]. This ultimately allows the cybercriminal to insert themselves into a conversation between these two parties, impersonating both parties, and gaining access to information that the two parties were trying to send to each other. The information may simply be intercepted and sent along to the intended recipient, or the information may be intercepted and modified, and the modified information may then be sent along.

In general, packet analyzing/sniffing is difficult to detect, which mostly means that in practice, it is rarely done or even attempted [14]. This subsequently makes public Wi-Fi hotspots an ideal target for this kind of attack, with sniffing tools such as Wireshark (https://www.wireshark.org/) being readily available to the general public for download.

Summary

Wiretaps, Pen Registers, Trap and Trace, packet sniffers, and cell site simulators are high-tech and intrusive into an individual’s privacy. Yet when other methods to obtain covert communications fail, these are sometimes the only methods that may work. Because of the intrusiveness of these techniques, it is imperative that investigators consult with their prosecutors to avoid obtaining evidence that could be inadmissible. Jurisdictions vary in this regard, so accordingly the processes to obtain authorization vary as well.

Historical covert communications, such as that recovered on electronic devices, are valuable to any investigation, but real-time communications have pertinent value in the prevention or interruption of planned crimes, results that may not be possible with archived e-mail conversations. Additionally, relying on the recovery of communications from storage devices cannot be depended upon due to data encryption and corruption, and potential destruction of devices.

Packet Sniffers

A network or protocol analyzer, also known as a packet sniffer, or just plain sniffer,1 is a tool that can intercept traffic on a network, commonly referred to as sniffing. Sniffing basically amounts to listening for any traffic that the network interface of our computer or device can see, whether it was intended to be received by us or not.

Alert!

One of the key elements in employing a sniffer is to place it on the network in the proper position to allow us to actually see the traffic we would like to sniff. In most modern networks, the traffic is segmented in such a fashion that we will likely not be able to see much traffic at all, other than what we are generating from our own machine. In order to be able to sniff properly, we will likely need to gain access to one of the higher-level network switches, and may need to use specialized equipment or configurations to allow us access to our target traffic.

Tcpdump is a classic sniffing tool, and it has been around since the late 1980s. Tcpdump is a command-line tool that allows us to monitor the activities of the network to which we are attached, and has only a few other key features, such as filtering of traffic. Tcpdump runs only on UNIX-like operating systems, but a version has been ported to Windows, called WinDump.

Wireshark, previously known as Ethereal, is a fully featured sniffer that is capable of intercepting traffic from a wide variety of wired and wireless sources. It has a graphical interface, shown in Figure 8.3; it includes a large number of filtering, sorting, and analysis tools; and it is one of the more popular sniffers on the market today.

Kismet, which we discussed in the “Wireless” section, is also a specialized sniffer. Although many of the other sniffers are network media agnostic, for the most part, Kismet will only sniff from wireless networks. Owing to this very specific focus, it can provide us with a much more specific set of tools.

We may also see packet sniffers in hardware form, such as the OptiView Portable Network Analyzer from Fluke Networks. Although we can definitely benefit from well-equipped portable analyzers such as this, they often tend to be very expensive and well beyond the budget of the average network or security professional.