Visualizing, Analyzing and Filtering Zeek Events · > tcpreplay -v -i feth1 SWaT_plc_test.pcapng...

Visualizing, Analyzing and Filtering Zeek Events

Nick Skelsey

ZeekWeek 2019Seattle, WA

11 October, 2019

AGENDA

Motivation

State of the art

Monopticon

Related research

2

1.

2.

3.

4.

3

> ping google.com> ping 8.8.8.8> ip a> ping 192.168.1.0> dhcp -4 iface_name

*check cable**check unpaid bills**check news for regional disaster*

CONNECTIVITY ISSUES: do not suffer in silence

Graphics can have high information density.

No certifications required.

Develop intuition.

4

MOTIVATION

1.

2.

3.

5

IVRE

Lalet, Pierre, Florent Monjalet, and Camille Mougey. "IVRE, a network recon framework." ivre.rocks (2017).

RadialNet: An Interactive Network Topology Visualization Tool with Visual Auditing Support, CRITIS 2008João P. S. Medeiros, Selan R. dos Santos at Federal University of Rio Grande do Norte – UFRN

6

ZENMAP & RADIALNET

A GPLv3 application built with C++, zeek and Mangum for POSIX systems.

7

MONOPTICON

8

minicps WATER TREATMENT

> ip link add name feth1 type dummy> ip link set dev feth1 up> tcpreplay -v -i feth1 SWaT_plc_test.pcapng

Antonioli, Daniele, and Nils Ole Tippenhauer. "MiniCPS: A toolkit for security research on CPS networks." Proceedings of the First ACM workshop on cyber-physical systems-security and/or privacy. ACM, 2015.

9

Bettercap ARP Spoofing

> set arp.spoof.internal true;> set arp.spoof.targets 192.168.1.20,192.168.1.30;> set arp.spoof.full_duplex on;> arp.spoof on;

10

OBSERVATIONS

Limit scope: Ethernet and IPv4

Must be modular: Represent the OSI stack as a stack

Must be passive: offline packet analysis

Must be quick: native or web assembly

Should be extensible: zeek and bash scripts

10

1.

2.

3.

4.

5.

11

DESIGN

11

IEEE 802.1* defines ethernet

38:30:f9:61:97:6f

12

MODELING DEVICES IN A BROADCAST DOMAIN

13

MAGNUM.GRAPHICS

14

THE GRAPHICS PIPELINE

14

15

OBJECT SELECTION

1

2

3

16

OBJECT LAYOUT

16

17

LIMITATIONS

All devices addressable by their MAC.

Frames traverse switches based on:

- Destination address- The type of address- The switches (routing) tables- Structure of the spanning tree- Optimizations like 802.1aq

18

802.1 BROADCAST DOMAINS

Fedyk, D., et al. "IS-IS extensions supporting IEEE 802.1 aq shortest path bridging." Internet Engineering Task Force (IETF), RFC 6329 (2012): 2070-1721.

zeek package that passively infers the structure of an IPv4 network over Ethernet

19

AAALM

20

INFERRING NETWORK STRUCTURE

21

A HOSPITAL NETWORK

22

DRAWING A BROADCAST DOMAIN

23

PORT MANIFOLDS

24

FUTURE WORK

Extensible event monitoring

Sane packaging

L2 & L3 model to identify network security policy violations.

1.

2.

3.

Check out:

Monopticon on github or in the AUR

aaalm zeek package

25

THANK YOU

Bibliography:nskelsey.com/zweek

securenetwork.itbvtech.it