Tag: Network Monitoring

  • WhoYouCalling: Effortless Process Network Monitoring with ETW and BPF

    WhoYouCalling

Monitors the network activity of a process using Event Tracing for Windows (ETW) and Full Packet Capture (FPC), then filters the generated .pcap file with a BPF filter built from the network activity detected for that process. This makes per-process network monitoring easy.

“Why not just use ProcMon + Wireshark?”

One of the best methods of monitoring the activity of a process on Windows is the Sysinternals tool ProcMon. However, it has some downsides:

1. Manual work: to get a full packet capture per process you need to start a packet capture manually with a tool like Wireshark/Tshark and build a filter for the endpoints reported by ProcMon. This is time-consuming, and endpoints may be missed through human error if the process is not automated.
2. Child processes: it is tedious to keep track of all the child processes that may be spawned and the endpoints they communicate with.
3. DNS queries: (as far as I know) ProcMon does not capture DNS queries. It shows UDP/TCP traffic sent to port 53, but not the domain name being queried or the addresses returned in the response.

Features

    • Can start and monitor an executable.
    • Can monitor an already running process.
    • Can monitor additional related processes based on executable names.
    • Executables can be run as other users and in elevated and unelevated states.
    • Creates a full packet capture .pcap file per process.
• Records TCP/IP activity made by a process, netflow style.
    • Records DNS requests and responses made and retrieved by applications.
• Creates a Wireshark filter for domains queried via DNS, including the addresses in the DNS responses.
• Can restrict the capture to TCP/IP traffic sent from the process. This filtering is applied to the recorded .pcap.
    • Can be automated with a timer.
    • By default all monitoring is applied to all spawned child processes.
• Can kill the spawned process and its child processes on stop.
    • Process and DNS results can be exported to JSON.
    • Can generate a Wireshark DFL filter per process.
    • Can generate a BPF filter per process.
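The per-process filters above are derived from what the monitor observed: the endpoints each process (and its children) talked to, plus the names and answers seen in DNS. The following is an added example, not WhoYouCalling's own code, showing how such records can be turned into a BPF filter (optionally restricted to traffic the process sent) and a Wireshark display filter for the DNS side. The process records, parent/child relations and DNS answers are constructed sample data; the field names are assumptions for the illustration.

```python
"""Derive per-process BPF and Wireshark display filters from observed activity.

Added example, not WhoYouCalling's own code. It assumes the monitoring layer
has already produced the two kinds of records constructed inline below:
netflow-style TCP/UDP records per process and DNS answers per process.
Child processes are folded into the parent's filter, as the tool does by default.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    proto: str       # "tcp" or "udp"
    dst_ip: str
    dst_port: int


@dataclass
class ProcessRecord:
    pid: int
    name: str
    parent: Optional[int]
    flows: List[Flow] = field(default_factory=list)


# Constructed sample data: a parent (4100), its child (4120) and an unrelated process.
PROCS = {
    4100: ProcessRecord(4100, "updater.exe", None, [
        Flow("tcp", "93.184.216.34", 443),
        Flow("udp", "10.0.0.53", 53),
    ]),
    4120: ProcessRecord(4120, "helper.exe", 4100, [
        Flow("tcp", "2606:2800:220:1:248:1893:25c8:1946", 443),
        Flow("tcp", "93.184.216.34", 443),   # same endpoint as the parent
    ]),
    777: ProcessRecord(777, "other.exe", None, [
        Flow("tcp", "198.51.100.7", 80),
    ]),
}

# Constructed DNS answers observed per pid: queried name -> answer addresses.
DNS = {
    4100: {"example.com": ["93.184.216.34",
                           "2606:2800:220:1:248:1893:25c8:1946"]},
}


def process_tree(procs, root_pid):
    """Return root_pid together with every transitive child pid."""
    pids = {root_pid}
    while True:
        new = {p.pid for p in procs.values() if p.parent in pids} - pids
        if not new:
            return pids
        pids |= new


def endpoints(procs, root_pid):
    """Deduplicated, sorted (proto, dst_ip, dst_port) tuples for the whole tree."""
    eps = {(f.proto, f.dst_ip, f.dst_port)
           for pid in process_tree(procs, root_pid)
           for f in procs[pid].flows}
    return sorted(eps)


def _family(ip):
    """BPF protocol qualifier for the address family."""
    return "ip6" if ip_address(ip).version == 6 else "ip"


def bpf_filter(procs, root_pid, outbound_only=False):
    """BPF expression selecting the tree's traffic.

    outbound_only=True keeps only packets the process sent (remote side is the
    destination), mirroring the "only traffic sent from the process" option.
    """
    if outbound_only:
        fmt = "({fam} dst host {ip} and {proto} dst port {port})"
    else:
        fmt = "({fam} host {ip} and {proto} port {port})"
    terms = [fmt.format(fam=_family(ip), ip=ip, proto=proto, port=port)
             for proto, ip, port in endpoints(procs, root_pid)]
    return " or ".join(terms)


def dns_display_filter(dns, root_pid):
    """Wireshark display filter for the names queried and the addresses answered."""
    terms = []
    for name, addrs in sorted(dns.get(root_pid, {}).items()):
        terms.append(f'dns.qry.name == "{name}"')
        for a in addrs:
            fld = "ipv6.addr" if ip_address(a).version == 6 else "ip.addr"
            terms.append(f"{fld} == {a}")
    return " || ".join(terms)


if __name__ == "__main__":
    print(bpf_filter(PROCS, 4100))
    print(bpf_filter(PROCS, 4100, outbound_only=True))
    print(dns_display_filter(DNS, 4100))
```

The BPF string can be handed to tcpdump or tshark to reduce the full capture to the process tree's packets; the display filter is for inspecting the DNS exchange and any later traffic to the answered addresses in Wireshark. Note that the unrelated process (pid 777) contributes nothing to pid 4100's filter, while the child's IPv6 endpoint does.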

    Install & Use

  • pcap-did-what: Analyze pcaps with Zeek and a Grafana Dashboard

    Zeek & Grafana Integration for Network Monitoring

    This repository provides a quick way to get started using Zeek with a practical use case. The focus is to analyse a network pcap and enable easy visual analysis using Grafana Charts.
    The mini project consists of three parts.

1. Custom Zeek Docker build that generates Zeek log files with GeoIP, ASN and JA3 / JA4 fingerprints.

2. Python script to convert Zeek log files to an SQLite database.

3. Custom Grafana Docker build with a pre-configured dashboard for analysing Zeek data.

    Keeping this project simple and broken up into three parts should help both Zeek newcomers and those with more experience get up and running quickly. Working from these base images it would be an easy task to add other packages, and extend the dashboard to suit your own environment or use case.

    Overview

    The project is structured to use Docker containers for easy setup and portability. It includes a customized Zeek container for log generation and a Grafana container for data visualization.

    File Structure

    • Dockerfile: Located at ./pcap-did-what/zeek-docker/Dockerfile, this file creates a Docker container based on the official Zeek image. It includes the installation of necessary packages for JA3 / JA4 fingerprinting and GeoIP, with a custom script for ASN enrichment.
• local_asn.zeek: Located at ./pcap-did-what/zeek-docker/local_asn.zeek, a small Zeek script that adds ASN information to the conn.log. The script uses the built-in Zeek function lookup_autonomous_system.
    • docker-compose.yml: Found in ./pcap-did-what/grafana-docker/docker-compose.yml, this Docker Compose file sets up the Grafana container, configuring it to use a custom SQLite datasource and including volumes for persistent storage and configuration.
    • dashboard.yml: Located at ./pcap-did-what/grafana-docker/dashboards/dashboard.yml, this configuration file specifies the dashboard provider settings for Grafana.
    • datasource.yml: Found in ./pcap-did-what/grafana-docker/datasources/datasource.yml, this file configures Grafana to use an SQLite database as the data source, pointing to the Zeek logs stored in SQLite format.
• GeoLite2-ASN.mmdb: Place in ./pcap-did-what/zeek-docker/. Required file; download it from MaxMind.
• GeoLite2-City.mmdb: Another required file from MaxMind. Register for a free account, download the file and place it in zeek-docker.
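Part 2 of the project, turning Zeek logs into SQLite so Grafana can query them, is the step most worth seeing in code. The block below is an added example, not pcap-did-what's converter script: it parses the standard Zeek ASCII log header (#separator, #fields, #types, #unset_field, #empty_field), maps Zeek types onto SQLite column types, loads the rows, and runs the kind of per-ASN aggregate a dashboard panel would display. The conn.log content is constructed sample data, and the orig_asn / resp_asn column names are an assumption standing in for whatever local_asn.zeek adds.

```python
"""Load a Zeek ASCII log into SQLite and run a dashboard-style query.

Added example, not pcap-did-what's own converter. The log text below is
constructed sample data; the orig_asn / resp_asn columns are assumed names
for the ASN enrichment an extra Zeek script would append to conn.log.
"""
import sqlite3

# Constructed sample: a Zeek conn.log (tab separated) with two ASN columns appended.
CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\torig_asn\tresp_asn
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tcount\tcount
1700000000.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl\t2.5\t1024\t8192\tSF\t-\t15133
1700000001.000000\tCjhGID4nQcgTWjvg4c\t10.0.0.5\t51235\t198.51.100.7\t80\ttcp\thttp\t0.4\t300\t1500\tSF\t-\t64496
1700000002.500000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.9\t40000\t93.184.216.34\t443\ttcp\tssl\t-\t-\t-\tS0\t-\t15133
#close\t2023-11-14-22-13-25
"""

# Zeek types that map onto numeric SQLite affinities; everything else is TEXT.
ZEEK_TO_SQL = {"time": "REAL", "interval": "REAL", "double": "REAL",
               "count": "INTEGER", "int": "INTEGER", "port": "INTEGER",
               "bool": "INTEGER"}


def parse_zeek_log(text):
    """Return (path, fields, types, rows) from Zeek ASCII log text.

    Unset cells ('-') become None and empty cells ('(empty)') become ''.
    """
    sep, unset, empty, path = "\t", "-", "(empty)", "log"
    fields = types = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#separator"):
            # The separator line is the only header written with a space,
            # and its value is escaped (\x09 for a tab).
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            elif key == "path":
                path = value
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
        elif line:
            cells = line.split(sep)
            rows.append([None if c == unset else ("" if c == empty else c)
                         for c in cells])
    return path, fields, types, rows


def convert_value(value, ztype):
    """Coerce one cell to the Python type matching its Zeek type."""
    if value is None or value == "":
        return value
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype == "bool":
        return 1 if value == "T" else 0
    return value


def load_into_sqlite(db, text):
    """Create one table named after the log's #path and insert all rows."""
    path, fields, types, rows = parse_zeek_log(text)
    # Zeek field names contain dots (id.orig_h), so every identifier is quoted.
    cols = ", ".join(f'"{f}" {ZEEK_TO_SQL.get(t, "TEXT")}'
                     for f, t in zip(fields, types))
    db.execute(f'DROP TABLE IF EXISTS "{path}"')
    db.execute(f'CREATE TABLE "{path}" ({cols})')
    placeholders = ", ".join("?" for _ in fields)
    db.executemany(f'INSERT INTO "{path}" VALUES ({placeholders})',
                   [[convert_value(v, t) for v, t in zip(row, types)]
                    for row in rows])
    db.commit()
    return path, len(rows)


def bytes_by_resp_asn(db):
    """Traffic per responder ASN: the aggregate a Grafana bar panel would plot."""
    cur = db.execute("""
        SELECT resp_asn,
               COUNT(*)                      AS conns,
               COALESCE(SUM(orig_bytes), 0)  AS bytes_out,
               COALESCE(SUM(resp_bytes), 0)  AS bytes_in
        FROM conn
        GROUP BY resp_asn
        ORDER BY bytes_in DESC""")
    return cur.fetchall()


def build_db(db_path=":memory:"):
    """Load the sample log into a (by default in-memory) SQLite database."""
    db = sqlite3.connect(db_path)
    load_into_sqlite(db, CONN_LOG)
    return db


if __name__ == "__main__":
    for row in bytes_by_resp_asn(build_db()):
        print(row)
```

Pointing the Grafana SQLite datasource at a file produced this way (pass a path instead of ":memory:") gives panels something to query directly. Keeping unset fields as NULL rather than the literal "-" matters for the aggregates: SUM and COUNT then behave correctly for connections that never completed, such as the S0 row above.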

    Install & Use

    Copyright (c) Hacker Target Pty Ltd.