Some NSM data types are of particular interest to the network security analyst. Extracted content, statistical data, and metadata are discussed here.
Content extracted from NSM includes artifacts from real-time communication streams or PCAP files. The artifacts are commonly files, but they may be larger constructs, such as entire web pages. The artifacts may also be smaller pieces of content, such as a specific section defined by an analyst query.
Bro can extract files from the streams that it analyzes. In Security Onion, the default Bro configuration will extract all Windows executable files that it recognizes. The files are stored in the /nsm/bro/extracted directory. Bro can be configured to extract files of other types as well by modifying the /opt/bro/share/bro/file-extraction/extract.bro script.
Security Onion also includes the free version of NetworkMiner, which can be used to process PCAP files and extract various types of content. For example, it extracts all files, including certificates that are exchanged during SSL/TLS negotiation. Image files such as PNG and JPEG are listed separately from other extracted files. NetworkMiner also extracts several other artifacts that may be of interest to the analyst.
Artifacts that may be extracted include the following:
Sessions: Session data about all network connections, including the standard IP 5-tuple, the time stamp of the session start, and the frame number within the PCAP where the session starts.
DNS: Transaction data documenting all DNS requests and replies.
Hosts: All IP addresses that are seen in the PCAP, along with other relevant information that can be gleaned from the PCAP. Potential information includes DNS hostnames, open TCP ports, operating system, sessions that are associated with the host, and total packet and byte counts that are associated with the host.
Session data and transaction data both document individual events. Statistical data aggregates those individual events and provides summaries of the data. The analyst can use the summaries to gain a broader and more complete picture that may not be evident from examining individual events. Statistical data can be queried and reported by different methods. What is included in the report is based on the analyst's query, and the query is directed by the analytical process. As an analysis is performed, the analyst builds a picture of what they do and do not know. At any point, some questions matter more than others, and specific queries against statistical data can answer specific questions. Two common queries are top reports and baseline graphs.
Top reports can answer questions such as the following:
Which hosts request the most HTTP data?
Which hosts serve the most HTTP data?
Which DNS domains are the most requested?
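The three top reports listed above can be produced from Bro's http.log and dns.log without ELSA. The following is an added example, not code from Security Onion, ELSA or Bro: the two log excerpts are constructed to mimic Bro's tab-separated log format (a #fields header names the columns, #types gives their types, "-" marks an unset field), and the hosts, names and byte counts in them are invented. "Requests the most data" is taken here to mean response bytes pulled down per originating host, and servers are ranked by transaction count, as in the ELSA report described further down, with an option to rank by bytes instead.

```python
"""Top reports from Bro transaction logs (added example; not ELSA or Security Onion code)."""
from collections import Counter

# Constructed http.log excerpt in Bro's ASCII log format (tabs between columns).
BRO_HTTP_LOG = """\
#separator \\x09
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\trequest_body_len\tresponse_body_len\tstatus_code
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tcount\tcount\tcount
1441000000.1\tCabc1\t10.0.0.5\t51000\t93.184.216.34\t80\tGET\twww.example.com\t0\t50000\t200
1441000001.2\tCabc2\t10.0.0.5\t51001\t198.51.100.7\t80\tPOST\tupload.example.net\t30000\t400\t200
1441000002.3\tCabc3\t10.0.0.9\t52000\t93.184.216.34\t80\tGET\twww.example.com\t0\t80000\t200
1441000003.4\tCabc4\t10.0.0.9\t52001\t203.0.113.3\t8080\tGET\t-\t0\t1500\t200
1441000004.5\tCabc5\t10.0.0.9\t52002\t93.184.216.34\t80\tGET\twww.example.com\t0\t2000\t304
#close\t2015-08-31-06-00-00
"""

# Constructed dns.log excerpt, same format.
BRO_DNS_LOG = """\
#separator \\x09
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\tqtype_name\trcode_name
#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring
1441000010.0\tCdns1\t10.0.0.5\t10.0.0.53\twww.example.com\tA\tNOERROR
1441000011.0\tCdns2\t10.0.0.9\t10.0.0.53\twww.example.com\tA\tNOERROR
1441000012.0\tCdns3\t10.0.0.9\t10.0.0.53\tcdn.example.net\tA\tNOERROR
1441000013.0\tCdns4\t10.0.0.5\t10.0.0.53\tmail.example.org\tMX\tNOERROR
1441000014.0\tCdns5\t10.0.0.5\t10.0.0.53\twww.example.com\tAAAA\tNOERROR
1441000015.0\tCdns6\t10.0.0.9\t10.0.0.53\tcdn.example.net\tA\tNXDOMAIN
#close\t2015-08-31-06-00-00
"""


def parse_bro_log(text):
    """Parse Bro's ASCII log format into a list of dicts, using the #fields and
    #types header lines to name and type each column."""
    fields = types = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#types\t"):
            types = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue                      # other header and footer lines
        else:
            if fields is None or types is None:
                raise ValueError("data row before #fields/#types header")
            rec = {}
            for name, typ, raw in zip(fields, types, line.split("\t")):
                if raw == "-":
                    rec[name] = None      # unset field
                elif typ in ("count", "int", "port"):
                    rec[name] = int(raw)
                elif typ in ("time", "interval", "double"):
                    rec[name] = float(raw)
                else:
                    rec[name] = raw
            records.append(rec)
    return records


def top_n(records, key, n=3, weight=None):
    """Generic top report: sum of `weight` (or record count) per distinct value
    of `key`, largest first; ties are broken by key so the order is stable."""
    totals = Counter()
    for rec in records:
        if rec.get(key) is None:
            continue                      # skip records where the key is unset
        totals[rec[key]] += (rec.get(weight) or 0) if weight else 1
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_http_requesters(http, n=3):
    """Hosts that pull down the most HTTP data: response bytes per originator."""
    return top_n(http, "id.orig_h", n, "response_body_len")


def top_http_servers(http, n=3, by="count"):
    """Hosts that serve the most HTTP, by transaction count or by response bytes."""
    return top_n(http, "id.resp_h", n, None if by == "count" else "response_body_len")


def top_dns_domains(dns, n=3):
    """Most requested DNS names across all queries."""
    return top_n(dns, "query", n)


if __name__ == "__main__":
    http = parse_bro_log(BRO_HTTP_LOG)
    dns = parse_bro_log(BRO_DNS_LOG)
    print("Top HTTP requesters (bytes received):", top_http_requesters(http))
    print("Top HTTP servers (transactions):     ", top_http_servers(http))
    print("Top DNS domains (queries):           ", top_dns_domains(dns))
```

The same top_n helper serves any Bro log: pointing it at conn.log with key "id.resp_p" and weight "resp_bytes" gives a top-ports-by-bytes report, which is the kind of question the analytical process tends to ask next.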
Metadata is data about data. Metadata can be gathered about any element that is collected within NSM data. Well-known TCP ports provide a simple example. Generally, the TCP port is the data that is directly collected in the NSM process. Many tools that display TCP ports will also display the common usage of the well-known ports, showing HTTP for TCP port 80 and SSH for TCP port 22. Some applications can perform protocol decodes and identify the actual application regardless of the ports that are used, which can also be considered metadata.
Many NSM tools augment an IP address with metadata, such as the following:
Geolocation: Geographic location, including the country and potentially the city
Ownership: Organization that owns the network to which the IP address belongs
Email: Is this IP address known for delivering unsolicited email or phishing campaigns?
Command and control: Is this IP address a known botnet controller or other remote-access threat?
Malware distribution: Is this IP address known for delivering malware?
The figure shows NetworkMiner with the Images tab selected. Note that NetworkMiner provides a thumbnail representation of each of the image files that it extracts from the PCAP.
Using Security Onion, the session and transaction data that Bro collects can be queried by using ELSA to produce top reports. The screenshot shows an example of the top HTTP servers, which are based on transaction count.
Baseline graphs provide a visual representation of quantities over time. Statistical data, which is collected over time, produces baselines. The baseline defines what is normal. Normal is rarely constant. That is, patterns will vary with time of day and day of week. The base Security Onion installation does not include tools that can produce baseline graphs. The Security Onion distribution does include a script that facilitates the installation of ntopng, which collects and displays baseline data. The screenshot is taken from Cisco Stealthwatch. It shows network utilization by protocol. The data that is plotted above the x-axis is associated with outbound traffic, while the data plotted below the x-axis is associated with inbound traffic.
The graph above represents a 48-hour window. The daily patterns are clearly visible in the graph. Baseline analysis is commonly used for anomaly detection. The baseline defines what is normal. Deviations from normal are anomalies. Anomalies are interesting to the analyst. Some anomalies turn out to have benign causes, but many turn out to be caused by the activities of threat actors. When performing baseline analysis, the analyst must be aware of longer-term cycles. The two days represented in the graph are likely from the normal work week. Weekend traffic patterns may differ substantially from weekday traffic patterns. Similarly, there may be recurring spikes on particular days of the week or weeks of the month. Regularly scheduled database backups and regularly scheduled security scans are potential causes of such spikes. The concept of sliding-window anomaly detection uses a baseline that is long enough to include the regularly recurring deviations but short enough that data patterns from long ago do not distort the view of current patterns.
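The sliding-window idea in the preceding paragraphs can be made concrete in a few dozen lines. The following is an added example and is not code from Cisco Stealthwatch, ntopng or Security Onion. The hourly byte series is constructed inline with a weekday/weekend pattern, a business-hours pattern and a recurring Sunday 02:00 backup burst, so the detector faces exactly the weekly cycle the text warns about; the window length, the sigma multiplier and the minimum-delta floor are assumed tuning values, not settings taken from any product.

```python
"""Sliding-window baseline anomaly detection over hourly traffic volumes.

Added example; not code from Cisco Stealthwatch, ntopng or Security Onion.
"""
from collections import defaultdict, deque
from statistics import mean, pstdev


def synthetic_hourly_bytes(days, spike_at=None, spike_bytes=0):
    """Constructed hourly byte counts as (day, hour, bytes); day 0 is a Monday.
    Deterministic jitter stands in for ordinary variation. An optional one-off
    spike injected at spike_at=(day, hour) plays the role of the anomaly."""
    series = []
    for day in range(days):
        dow = day % 7                      # 0 = Monday ... 6 = Sunday
        for hour in range(24):
            if dow >= 5:
                base = 20_000              # weekend: quiet all day
            elif 8 <= hour < 18:
                base = 120_000             # weekday business hours
            else:
                base = 30_000              # weekday nights
            if dow == 6 and hour == 2:
                base += 400_000            # weekly scheduled backup: recurring, hence normal
            jitter = ((day * 7 + hour * 13) % 11) * 500
            value = base + jitter
            if (day, hour) == spike_at:
                value += spike_bytes
            series.append((day, hour, value))
    return series


class SlidingBaseline:
    """Baseline per (day-of-week, hour) bucket over the most recent window_days.

    Each observation is scored against its bucket's history *before* being
    added to it. Bucketing by day-of-week keeps weekday, weekend and weekly
    cycles apart; expiring samples older than the window keeps long-gone
    patterns from distorting the current baseline."""

    def __init__(self, window_days=28, k=3.0, min_samples=3, min_delta=10_000):
        self.history = defaultdict(deque)  # bucket -> deque of (day, bytes)
        self.window_days = window_days     # assumed: four weeks covers weekly cycles
        self.k = k                         # sigma multiplier (assumed tuning value)
        self.min_samples = min_samples     # do not score an immature bucket
        self.min_delta = min_delta         # floor so a flat baseline is not hair-trigger

    def observe(self, day, hour, value):
        """Return True when value exceeds the bucket's baseline threshold."""
        hist = self.history[(day % 7, hour)]
        while hist and hist[0][0] <= day - self.window_days:
            hist.popleft()                 # expire samples outside the sliding window
        anomaly = False
        if len(hist) >= self.min_samples:
            vals = [v for _, v in hist]
            threshold = mean(vals) + max(self.k * pstdev(vals), self.min_delta)
            anomaly = value > threshold
        hist.append((day, value))
        return anomaly


def detect_anomalies(series, **kwargs):
    """Replay a (day, hour, bytes) series through a SlidingBaseline and return
    the (day, hour) pairs that were flagged."""
    detector = SlidingBaseline(**kwargs)
    return [(d, h) for d, h, v in series if detector.observe(d, h, v)]


if __name__ == "__main__":
    data = synthetic_hourly_bytes(35, spike_at=(30, 10), spike_bytes=300_000)
    print(detect_anomalies(data))          # only the injected Wednesday-morning spike
```

With five weeks of constructed data the detector flags only the injected spike: the Sunday backup burst is never reported, because the day-of-week bucket it falls into has seen the same burst every week. Bucketing by hour alone would score that burst against ordinary night-time traffic and report it, which is the longer-term-cycle mistake the text describes. A real deployment would score something like Bro conn.log byte totals per hour rather than a synthetic series, but the bucket-and-window logic is unchanged.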