Chapter 17 - Network Monitoring for Suspicious Traffic PDF

Summary

This document details network monitoring techniques for identifying suspicious traffic. It covers fundamental concepts and tools for network security professionals. The focus is on examining HTTP traffic for malicious activities and security policy violations.

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Network Traffic Monitoring

Monitoring and Analyzing HTTP Traffic

HTTP sends information in plain text.

Monitor and analyze HTTP traffic for the following purposes:
- Check whether any sensitive information is sent using HTTP
- Detect malicious traffic
- Check the traffic against a policy violation
- Detect applications using unnecessary/restricted services

Use the http filter to check the specific HTTP traffic.

[Slide screenshot: Wireshark capturing from eth0 with the display filter "http contains luxurytreats". The decoded "HTML Form URL Encoded: application/x-www-form-urlencoded" pane of a login request lists the ASP.NET hidden fields __EVENTTARGET, __EVENTARGUMENT, __VIEWSTATE, __VIEWSTATEGENERATOR and __EVENTVALIDATION, followed by an email field set to "bob", a password field set to "PasswOrd" and a login button field set to "Login".]
Monitoring and Analyzing HTTP Traffic

Applications implementing HTTP send data in cleartext. Implementing HTTP can pose security risks to the organization because sensitive information such as usernames and passwords is sent in HTTP requests. An attacker who can sniff the traffic can read and steal this information for malicious use. Therefore, security professionals must ensure that web traffic is sent over an encrypted protocol such as HTTP Secure (HTTPS). At the same time, they should monitor applications and ensure that they do not send data over HTTP. Monitoring HTTP traffic also shows the volume of HTTP traffic in the network, and it helps detect malicious traffic, policy violation attempts, and applications using unnecessary/restricted services. Use the http filter to check the specific HTTP traffic. Note that the http filter only matches traffic Wireshark has decoded as HTTP; an HTTPS session appears as TLS and its payload cannot be inspected this way.

Module 17 Page 2056 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
[Figure 17.10 screenshot: Wireshark, capturing from eth0, display filter "http contains luxurytreats". The packet list shows requests from 10.10.10.79 to 10.10.10.16 such as "GET /UserMain.aspx HTTP/1.1" (644 bytes) and "GET /img/main-bg44.jpg HTTP/1.1" (559 bytes). The detail pane of the login request decodes "File Data: 675 bytes" as HTML Form URL Encoded (application/x-www-form-urlencoded) with the following form items (names as legible in the screenshot, long values truncated):
    __EVENTTARGET = ""
    __EVENTARGUMENT = ""
    __VIEWSTATE = "/wEPDwUL..."
    __VIEWSTATEGENERATOR = "90059987"
    __EVENTVALIDATION = "/wEdAAVh..."
    ctl00$BodyContentPlaceholder$txt|email = "bob"
    ctl00$BodyContentPlaceholder$txt|password = "PasswOrd"
    ctl00$BodyContentPlaceholder$btn|login = "Login"
    email = ""
    password = ""]

Figure 17.10: Cleartext credential in HTTP traffic
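As an added example (not part of the EC-Council module), the following Python script does offline what Wireshark's "HTML Form URL Encoded" dissector does in Figure 17.10: it parses a raw HTTP/1.1 request, pulls the parameters out of the query string and out of any application/x-www-form-urlencoded body, and flags fields whose names look like credentials or other sensitive data. The sample requests are constructed here and modelled on the figure; the path /Login.aspx, the Host header and the exact ASP.NET control names are assumptions. It goes slightly beyond the figure by also catching an API key passed in a GET query string, another common cleartext leak. Values are masked in the report so a finding can be logged without copying the secret.

```python
# Added example: flag cleartext credentials in captured HTTP requests.
# Not part of the EC-Council module; sample requests are constructed below.
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that usually carry credentials or other sensitive values.
SENSITIVE_FIELD_RE = re.compile(
    r"pass(word|wd|phrase)?|pwd|secret|token|api[_-]?key|session|email|user(name)?",
    re.IGNORECASE)


def parse_http_request(raw: bytes) -> dict:
    """Split one raw HTTP/1.x request into request line, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so bytes of a following pipelined request are not parsed as form data.
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body[:length]}


def extract_parameters(req: dict) -> list:
    """Return (name, value, location) triples from the query string and,
    for application/x-www-form-urlencoded bodies, from the body."""
    params = [(n, v, "query")
              for n, v in parse_qsl(urlsplit(req["target"]).query, keep_blank_values=True)]
    ctype = req["headers"].get("content-type", "").lower()
    if ctype.startswith("application/x-www-form-urlencoded"):
        params += [(n, v, "body")
                   for n, v in parse_qsl(req["body"].decode("iso-8859-1"), keep_blank_values=True)]
    return params


def mask(value: str) -> str:
    """Keep the first character so an analyst can confirm a hit without logging the secret."""
    return value[:1] + "*" * (len(value) - 1)


def find_cleartext_credentials(raw: bytes) -> list:
    """Return [(field, masked_value, location)] for non-empty, sensitive-looking fields."""
    findings = []
    for name, value, where in extract_parameters(parse_http_request(raw)):
        if value and SENSITIVE_FIELD_RE.search(name):
            findings.append((name, mask(value), where))
    return findings


# Constructed ASP.NET login POST modelled on Figure 17.10; path, Host and control names are assumed.
_LOGIN_BODY = (b"__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUL"
               b"&__VIEWSTATEGENERATOR=90059987"
               b"&ctl00%24BodyContentPlaceholder%24txtEmail=bob"
               b"&ctl00%24BodyContentPlaceholder%24txtPassword=PasswOrd"
               b"&ctl00%24BodyContentPlaceholder%24btnLogin=Login")
LOGIN_POST = (b"POST /Login.aspx HTTP/1.1\r\nHost: 10.10.10.16\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: %d\r\n\r\n" % len(_LOGIN_BODY)) + _LOGIN_BODY
# Constructed GET carrying an API key in the query string (another cleartext leak).
REPORT_GET = b"GET /api/report?user=bob&api_key=k3y-0c7f HTTP/1.1\r\nHost: 10.10.10.16\r\n\r\n"
# Constructed request with nothing sensitive, like the image fetch in the capture.
IMAGE_GET = b"GET /img/main-bg44.jpg HTTP/1.1\r\nHost: 10.10.10.16\r\n\r\n"

if __name__ == "__main__":
    for raw in (LOGIN_POST, REPORT_GET, IMAGE_GET):
        req = parse_http_request(raw)
        print(req["method"], req["target"], find_cleartext_credentials(raw))
```

In Wireshark the equivalent narrowing is a display filter such as http.request.method == "POST" on top of the http filter. The script only applies to cleartext HTTP: an HTTPS session shows up as TLS records whose payload cannot be read this way unless the session keys are available.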
Network Sniffers for Network Monitoring

tcpdump
Source: https://www.tcpdump.org

tcpdump is a command-line network analyzer or packet sniffer that helps in capturing and analyzing network traffic. Security professionals can use this utility for network monitoring and analysis.

[Figure 17.11 screenshot: terminal root@ubuntu:/home/ubuntu# running "tcpdump -i any". The output shown (last line cut off in the screenshot):]
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    00:11:47.080445 IP localhost.mdns > 224.0.0.251.mdns: 0 [2q] PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. (45)
    00:11:47.106072 IP localhost.33784 > localhost.domain: 44936+ [1au] PTR? 251.0.0.224.in-addr.arpa. (53)
    00:11:47.106763 IP ubuntu.43582 > _gateway.domain: 54303+ [1au] PTR? 251.0.0.224.in-addr.arpa. (53)
    00:11:47.109566 IP _gateway.domain > ubuntu.43582: 54303 NXDomain 0/1/1 (110)
    00:11:47.111851 IP ubuntu.43582 > _gateway.domain: 54303+ PTR? 251.0.0.224.in-addr.arpa. (42)
    00:11:47.117485 IP _gateway.domain > ubuntu.43582: 54303 NXDomain 0/1/0 (99)
    00:11:47.119111 IP localhost.35287 > localhost.domain: 61525+ [1au] PTR? 53.0.0.127.in-addr.arpa. (52)
    00:11:47.909735 IP6 ubuntu.mdns > ff02::fb.mdns: 0 [2q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ipp._tcp.local. (45)
    00:11:47.910452 IP localhost.42133 > localhost.domain: 27298+ [1au] PTR? b.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa. (101)
    00:11:47.911456 IP ubuntu.36331 > _gateway.domain: 20696+ [1au] PTR? b.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa. (101)
    00:11:47.914304 IP _gateway.domain > ubuntu.36331: 20696 NXDomain 0/1/1 (165)
    00:11:47.915164 IP ubuntu.36331 > _gateway.domain: 20696+ PTR? b.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.

Figure 17.11: Screenshot of tcpdump
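Figure 17.11 shows tcpdump's raw line format; an analyst usually wants to reduce such output to per-host statistics. As an added example (not part of the EC-Council module), the following Python script parses tcpdump's default text output, keeps only the DNS lines (port domain or mdns), counts the queries each host sends and the NXDomain responses returned to it, and flags hosts whose failed-lookup ratio is high. A burst of NXDomain answers is a common sign of misconfiguration or of malware probing generated domain names. The sample output is constructed here and modelled on the figure, with two extra lines added (a successful A lookup and a TCP SYN) to show an answered query and a non-DNS line being ignored; the flagging thresholds are assumptions.

```python
# Added example: summarise DNS lines from tcpdump's default text output.
# Not part of the EC-Council module; the sample output is constructed below.
import re
from collections import defaultdict

# tcpdump line: <time> IP|IP6 <src host>.<port> > <dst host>.<port>: <protocol decode>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<fam>IP6?) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
DNS_PORTS = {"domain", "mdns", "53", "5353"}   # names when tcpdump resolves ports, numbers with -n


def split_endpoint(endpoint: str) -> tuple:
    """'ubuntu.43582' -> ('ubuntu', '43582'); 'ff02::fb.mdns' -> ('ff02::fb', 'mdns')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line: str):
    """Return a DNS record dict for one tcpdump line, or None for non-DNS/unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    if src_port not in DNS_PORTS and dst_port not in DNS_PORTS:
        return None
    rest = m["rest"]
    return {
        "ts": m["ts"],
        "src": src_host,
        "dst": dst_host,
        # tcpdump prints the question type with a trailing '?' (PTR?, A?, '(QM)?') only for queries.
        "query": "?" in rest,
        "nxdomain": "NXDomain" in rest,
    }


def summarize(text: str) -> dict:
    """Per requesting host: queries sent, responses received and NXDomain responses."""
    stats = defaultdict(lambda: {"queries": 0, "responses": 0, "nxdomain": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["query"]:
            stats[rec["src"]]["queries"] += 1
        else:                       # a response: the requester is the destination
            stats[rec["dst"]]["responses"] += 1
            stats[rec["dst"]]["nxdomain"] += int(rec["nxdomain"])
    return dict(stats)


def flag_hosts(stats: dict, min_nxdomain: int = 3, min_ratio: float = 0.5) -> list:
    """Hosts with many failed lookups relative to the answers they received (thresholds assumed)."""
    return sorted(host for host, s in stats.items()
                  if s["responses"] and s["nxdomain"] >= min_nxdomain
                  and s["nxdomain"] / s["responses"] >= min_ratio)


# Constructed sample modelled on Figure 17.11, plus an A lookup and a TCP SYN line.
IP6_REV = "b.f." + "0." * 26 + "2.0.f.f.ip6.arpa."      # reverse name of ff02::fb
SAMPLE_TCPDUMP_OUTPUT = "\n".join([
    "00:11:47.080445 IP localhost.mdns > 224.0.0.251.mdns: 0 [2q] PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. (45)",
    "00:11:47.106763 IP ubuntu.43582 > _gateway.domain: 54303+ [1au] PTR? 251.0.0.224.in-addr.arpa. (53)",
    "00:11:47.109566 IP _gateway.domain > ubuntu.43582: 54303 NXDomain 0/1/1 (110)",
    "00:11:47.111851 IP ubuntu.43582 > _gateway.domain: 54303+ PTR? 251.0.0.224.in-addr.arpa. (42)",
    "00:11:47.117485 IP _gateway.domain > ubuntu.43582: 54303 NXDomain 0/1/0 (99)",
    "00:11:47.909735 IP6 ubuntu.mdns > ff02::fb.mdns: 0 [2q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ipp._tcp.local. (45)",
    f"00:11:47.911456 IP ubuntu.36331 > _gateway.domain: 20696+ [1au] PTR? {IP6_REV} (101)",
    "00:11:47.914304 IP _gateway.domain > ubuntu.36331: 20696 NXDomain 0/1/1 (165)",
    "00:11:48.201133 IP ubuntu.40110 > _gateway.domain: 11111+ A? intranet.corp.example. (39)",
    "00:11:48.205001 IP _gateway.domain > ubuntu.40110: 11111 1/0/0 A 10.10.10.16 (55)",
    "00:11:48.300000 IP ubuntu.40111 > 10.10.10.16.http: Flags [S], seq 1, win 64240, length 0",
])

if __name__ == "__main__":
    stats = summarize(SAMPLE_TCPDUMP_OUTPUT)
    for host, s in stats.items():
        print(host, s)
    print("suspicious:", flag_hosts(stats))
```

The parser assumes tcpdump's default line layout for DNS as in the figure. Run tcpdump with -n to keep raw addresses and port numbers instead of resolved names; if you use -tt or -tttt for absolute or date-prefixed timestamps, the timestamp pattern in LINE_RE has to be adjusted accordingly.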
Some additional network sniffing tools are as follows:
- Riverbed Packet Analyzer Plus (https://www.riverbed.com)
- OmniPeek (https://www.liveaction.com)
- Observer Analyzer (https://www.viavisolutions.com)
- SolarWinds Deep Packet Inspection and Analysis (https://www.solarwinds.com)
- Xplico (https://www.xplico.org)

Network Monitoring Tools

[Slide: PRTG Network Monitor (https://www.paessler.com), network monitoring software that supports remote management using any web browser or smartphone, various notification methods, and the monitoring of multiple locations, shown with dashboard screenshots alongside the other tools listed at the end of this section.]

PRTG Network Monitor
Source: https://www.paessler.com

PRTG Network Monitor is network monitoring software that supports remote management using any web browser or smartphone, various notification methods, and the monitoring of multiple locations. A security professional can use this utility for availability, usage, and activity monitoring; it covers the entire range from website monitoring to database performance monitoring. It helps in the following:
- Avoid bandwidth and performance bottlenecks.
- Identify applications or servers using up the available bandwidth.
- Instantly identify sudden spikes caused by malicious code.
- Reduce the costs of purchasing additional hardware and bandwidth.
PRTG can collect data for almost anything of interest on the network. It supports multiple protocols for collecting data:
- Simple Network Management Protocol (SNMP) and Windows Management Instrumentation (WMI)
- Packet sniffing
- NetFlow, IP Flow Information Export (IPFIX), jFlow, and sFlow

[Figure 17.12 screenshot: PRTG Network Monitor dashboard with sensor graphs for Downtime, Packet Loss and Ping Time over 2 days and 30 days, and a Similar Sensors panel listing sensor channels.]

Figure 17.12: Screenshot of PRTG Network Monitor

[Figure 17.13 screenshot: a Packet Sniffer sensor in state OK, with the tabs Overview, Live Data, 2 days, 30 days, 365 days, Historic Data, Log and Settings, and panels for Top Talkers, Top Connections and Top Protocols.]

Figure 17.13: Performance monitoring using PRTG Network Monitor

Some additional network monitoring tools are as follows:
- SolarWinds Network Performance Monitor (https://www.solarwinds.com)
- ManageEngine OpManager (https://www.manageengine.com)
- Capsa Free Network Analyzer (https://www.colasoft.com)
- Monitis Network Monitoring Solution (https://www.monitis.com)
- Nagios Network Analyzer (https://www.nagios.com)
