Network Forensics/Analysis

atorven Member Posts: 319
Hi All,
I'm currently looking for software that will act as a SPAN port destination for an interface and interpret captured data. It should be able to do the below:
  • Integrate with Active Directory to pull up user/source IP information – This isn’t crucial but it would be ideal; getting the source IP address would be fine.
  • Must be able to interrogate destination traffic in detail – This is crucial, must be able to provide me with layer 3 and layer 7 detail.
I’ve already got Orion Solarwinds with Netflow and it only gives me the Source/Destination IP address, and then I manually have to look up the destination domain, which in most cases ends up being one of those hosting companies, which doesn’t really help me. I’m looking for something that would tell me that “User/IP address X has been downloading X amount of data from Youtube” or something to that effect.
The more I look at it the more it looks like I need a firewallesque device which I would like to avoid.
Thanks for your suggestions

Comments

  • the_hutch Banned Posts: 827
    Why are you looking up the domains manually? Does Solarwinds/Netflow give you some kind of output format (XML, CSV, TXT, etc...)? If so, it seems like you could pretty easily script this out. Powershell with DNS resolution and AD integration should provide you the info you need for the source (User/IP). The destination domains will probably be no more reliable than what you are already getting from the software...but really, I don't know of any other way to get this info (other than DNS...which is probably what the software is doing).

    Alternatives???

    Snort is pretty good for customizing rules. You could easily log traffic coming from YouTube ip addresses (for example). Though I'm not sure how well snort plays with AD...if at all (to automate linking it to a user). I'm using snort on a Fedora build, that doesn't really touch our AD whatsoever. I usually do manual lookups, but I don't really concern myself with disciplinary issues like youtube. Mostly just security flags, which are less common. If I was to follow up every time someone hit youtube...I don't think I would ever leave.

    There are a lot of different application layer internet monitoring tools if you are mostly looking at stuff like non-productive internet browsing. These would probably be a more effective approach than trying to track this kind of activity via traffic analysis.
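    As an added illustration of the "script this out" approach described above (this is not the_hutch's or Solarwinds' code): a small Python script that reads a NetFlow-style CSV export, reverse-resolves each destination IP, collapses the PTR name to its parent domain, and totals bytes per source IP and destination domain. The CSV column names, the sample rows and the `FAKE_PTR` table are constructed so the example runs offline; swap in `real_resolver` to use live reverse DNS.

```python
import csv
import io
import socket
from collections import defaultdict

# Constructed NetFlow-style CSV export (not real data): source, destination, bytes.
SAMPLE_CSV = """src_ip,dst_ip,bytes
10.0.0.5,198.51.100.10,1500000
10.0.0.5,198.51.100.11,2500000
10.0.0.7,203.0.113.20,4000
10.0.0.5,203.0.113.20,8000
"""

# Constructed reverse-DNS table standing in for socket.gethostbyaddr() so the
# example runs offline; a real lookup is swapped in via the resolver parameter.
FAKE_PTR = {
    "198.51.100.10": "r3---sn-example.googlevideo.com",
    "198.51.100.11": "r5---sn-example.googlevideo.com",
    "203.0.113.20": "ec2-203-0-113-20.compute-1.amazonaws.com",
}

def fake_resolver(ip):
    return FAKE_PTR.get(ip, ip)

def real_resolver(ip):
    """Reverse-DNS lookup; falls back to the bare IP when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ip

def parent_domain(hostname, labels=2):
    """Collapse a PTR name to its last `labels` labels (e.g. googlevideo.com)."""
    parts = hostname.rstrip(".").split(".")
    if len(parts) <= labels or all(p.isdigit() for p in parts):
        return hostname  # bare IPv4 address or already short
    return ".".join(parts[-labels:])

def summarize(csv_text, resolver=fake_resolver):
    """Return {src_ip: {domain: total_bytes}} from a NetFlow-style CSV export."""
    totals = defaultdict(lambda: defaultdict(int))
    cache = {}  # resolve each destination IP only once
    for row in csv.DictReader(io.StringIO(csv_text)):
        dst = row["dst_ip"]
        if dst not in cache:
            cache[dst] = parent_domain(resolver(dst))
        totals[row["src_ip"]][cache[dst]] += int(row["bytes"])
    return {src: dict(by_domain) for src, by_domain in totals.items()}

print(summarize(SAMPLE_CSV))
```

    Note that, as the reply says, a PTR name for a CDN or hosting range (the amazonaws.com case above) still does not tell you which web site the user visited; mapping the source IP to an AD user is the part that scripting can reliably automate.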
  • wes allen Member Posts: 540
    MS is dropping it, but TMG would do what you want, you would just have to be sure all your internet traffic is flowing through it, via GPO or some network ACLs / forwarding rules. There are a bunch of other web filters out there, many that work in transparent mode, so you just stick it inline and pull reports. If you need AD users, then you can also have people authenticate to the proxy/filter via their AD credentials, or set up some kind of NAC that is tied to AD.
  • wes allen Member Posts: 540
    Sorry, just noticed the SPAN port thing. Is there a reason why you need to do it that way, rather than inline, or just as a standard web proxy?
  • PurpleIT Member Posts: 327
    atorven wrote: »
    • Integrate with Active Directory to pull up user/source IP information – This isn’t crucial but it would be ideal; getting the source IP address would be fine.
    • Must be able to interrogate destination traffic in detail – This is crucial, must be able to provide me with layer 3 and layer 7 detail.
    ...I’m looking for something that would tell me that “User/IP address X has been downloading X amount of data from Youtube” or something to that effect.

    The more I look at it the more it looks like I need a firewallesque device which I would like to avoid.
    Thanks for your suggestions

    The more I look at this, the more I think you need something like Websense. Although it is designed for filtering, it has some pretty good logging and reporting and it will give you the reports you are looking for. I know it can be integrated into a firewall (ASA in my case), but I do seem to recall the ability to just point it at a SPAN port, although I imagine you lose some functionality.
    WGU - BS IT: ND&M | Start Date: 12/1/12, End Date 5/7/2013
    What next, what next...
  • atorven Member Posts: 319
    Thanks for the suggestions guys, much appreciated.
    @ wes allen and PurpleIT – Someone else suggested TMG, but as MS is dropping support/maintenance in 2014 it doesn’t seem like a worthwhile investment. The reason I wanted to use a SPAN port is that initially I want the whole process transparent to end users. Websense looks good, but I reckon the pricing/licensing would be a problem for me.
    @ the_hutch – As I’m pressed for time it looks like application layer monitoring is the way to go; any recommendations from personal use? Ideally something with a quick/easy learning curve.
    I had a quick look at Barracuda’s web filter appliance and from a quick glance it looks like it will do what I need and more. Do you guys have any experience with it?
  • docrice Member Posts: 1,706
    Although firewall-ish, Sourcefire, Fortinet, and Palo Alto Networks come to mind as they utilize agents to collect user info and can have a port configuration as a "tap" mode.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/