
[email protected]

A Framework for Packet Trace Manipulation

Christian Kreibich

Motivation

Say you need to solve a problem that involves manipulating network traffic:

- complex filtering (e.g. data analysis)
- fine-grained editing (e.g. header field bitflips)
- large-scale editing (e.g. anonymization)
- visualization (e.g. behavioural analysis)

What do you do?

Motivation II

Find a tool that does it. Where? Does it build? Maintained? If so, lucky you!

Mhmm ... invent here ... again. Okay, pcap. Now you typically need infrastructure:

- data types
- conn. state tracking
- protocol header lookup

Lots of duplicated effort. Cut’n’paste is bad.
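To make the "infrastructure" point concrete, here is an added example (not Netdude code, and not from the slides) of the kind of thing one ends up re-implementing on top of raw pcap for a single large-scale edit: consistent IPv4 address pseudonymization of a trace. Even this small edit needs a pcap record walker, an Ethernet/IPv4 header lookup, and checksum repair; the trace it processes is constructed inline, and the 10.0.0.N pseudonym scheme is an assumption for the demo.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic little-endian pcap, microsecond timestamps
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header, checksum field treated as zero."""
    hdr = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def anonymize_pcap(data: bytes, mapping: dict) -> bytes:
    """Replace every IPv4 src/dst address by a per-trace pseudonym (10.0.0.N, assigned in
    order of first appearance) and recompute the IPv4 header checksum so the edited trace
    stays well-formed. Non-IPv4 records are copied through untouched."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled in this example")
    out = bytearray(data[:24])            # global header is unchanged
    pos = 24
    while pos < len(data):
        rec = data[pos:pos + 16]          # ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack("<I", rec[8:12])[0]
        pkt = bytearray(data[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
        if len(pkt) >= ETH_HDR_LEN + 20 and struct.unpack("!H", pkt[12:14])[0] == ETHERTYPE_IPV4:
            ip = ETH_HDR_LEN
            ihl = (pkt[ip] & 0x0F) * 4    # header length including options
            for off in (ip + 12, ip + 16):
                real = bytes(pkt[off:off + 4])
                if real not in mapping:
                    mapping[real] = struct.pack("!I", 0x0A000000 + len(mapping) + 1)
                pkt[off:off + 4] = mapping[real]
            pkt[ip + 10:ip + 12] = struct.pack("!H", ipv4_checksum(bytes(pkt[ip:ip + ihl])))
        out += rec + pkt
    return bytes(out)

def build_sample_pcap() -> bytes:
    """Constructed input: one Ethernet/IPv4 header-only packet, 192.0.2.1 -> 198.51.100.7, proto 17."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 17, 0,
                               bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    pkt = eth + bytes(ip)
    ghdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    return ghdr + struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

if __name__ == "__main__":
    table = {}
    anonymized = anonymize_pcap(build_sample_pcap(), table)
    print({k.hex(): v.hex() for k, v in table.items()})
```

Note that TCP/UDP checksums are computed over a pseudo-header that includes the addresses, so a real tool must also locate and fix the transport header; that second protocol lookup is exactly the duplicated infrastructure the slides complain about.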

Motivation III

Current practice:

Introducing ...

Netdude — NETwork DUmp Data Editor

- Framework for packet inspection and manipulation
- Multiple usage paradigms: GUI + command line
- Scalable to arbitrary trace sizes
- Reusable at all levels
- Extensible

Architecture


Experience

- Fine-grained header field modifications: M. Handley, C. Kreibich, V. Paxson: Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, 9th USENIX Security Symposium, 2001
- Large-scale filtering and reassembly: A. Moore, J. Hall, C. Kreibich, E. Harris, I. Pratt: Architecture of a Network Monitor, PAM Workshop, 2003
- Fine-grained payload editing: C. Kreibich, J. Crowcroft: Honeycomb - Creating Intrusion Detection Signatures Using Honeypots, HotNets II, 2003


Future Work

Lots to do:

- Packet resizing
- Less coding
- Scriptability

[Figure: Progress Chart — x axis "Perceived length (normalized)", 0 to 1; y axis "Visual interpretation"]

Don’t get me wrong ...

I

Summary

- System detects patterns in network traffic
- Using honeypots, the system can create useful signatures
- Good at worm detection

Todo list:

- Ability to control LCS algorithm (whitelisting?)
- Tests with higher traffic volume
- Experiment with approximate matching
- Better signature reporting scheme

Thanks!

Shoutouts to all contributors! Debian packagers needed ... Questions?