Network Incident Response and Forensics with NST

Posted on January 2, 2010. Filed under: Computer Virus and Malware, Gateway Antivirus, Linux, Network Forensics, Network Incident Response |

A Systems Engineer’s job isn’t just to design systems, but also to be proactive: think about weaknesses in the system and prevent the next big outage.

One day at the office recently, I started hearing reports of the internet connection running very slowly. Our firewall shows us overall stats, but doesn’t do a good job of showing “Top Talkers”. Actually, that feature is completely missing from it.

I was looking for a quick way to implement a monitoring system that would show me who was using up the bandwidth. I also saw a need for a network forensics system to troubleshoot everything from network latency to stopping the spread of malware. I remembered that I had stumbled upon the Network Security Toolkit (NST) a while back. I had been planning to evaluate it but never got around to it until now. This minor problem was the perfect thing to present to management to hopefully convince them of the need for a network monitoring system. You know how difficult it can be to get funding for anything that doesn’t contribute to the bottom line. I always look for an opening to get my company to use open source software whenever possible, and this was a great opportunity.

By the time I had downloaded and burned a disc with NST, the internet latency issue was already over. Still, I went ahead with my evaluation. For the sake of brevity, I am leaving out the steps I took to create a monitor (SPAN) port on the switch. Without a monitor port on your switch, you can’t see all network traffic, only traffic addressed to your own IP or MAC address, plus broadcasts.

The ISO image was over a gigabyte, so it had to be burned to DVD (it can be used from a bootable USB drive as well). I used a spare laptop to boot the disc, and chose the graphical desktop from the menu options. After startup, I attempted to access the UI at the URL https://<ip or domain name>/nstwui. The page wasn’t found. I realized that there weren’t any interfaces available besides lo. I ran the command “ifup eth0” and got a DHCP IP address. I tried to access the URL again but didn’t get a response. I checked the service status and found that httpd wasn’t started. I ran the command “service httpd start” and got an OK response. I was then able to access the admin UI.

NST Boot Screen

After logging in, I took the time to fully explore the web interface. I have to admit I was very impressed. It isn’t newbie-simple, but this was meant to be a network analyst’s toolkit, not a newbie system. After familiarizing myself with the menus, I started up ntop and browsed to its management URL. I was able to easily drill down to see who was using up the most bandwidth and which services were running on the target computer.

While thinking about what other network issues I could solve with NST, I realized that we need to be prepared for the next big virus or worm outbreak and run an Intrusion Detection System (IDS). Fortunately, Snort is installed on NST and was a snap to set up, though I already had some experience with Snort to start with. I recommend you try out NST in advance and get familiar with the tools BEFORE you are acting in a state of emergency. If you plan on using Snort, be sure to research how to create your own rules before the need arises. For those not already familiar with Snort, it can double as a gateway antivirus appliance if you configure it “inline”.

Snort Setup

Network Security Toolkit has many other tools installed that can be controlled in the excellent but very busy web interface. A complete list of tools included can be found here.


4 Responses to “Network Incident Response and Forensics with NST”


Thanks for pointing that out. I have corrected the link.


I’m glad to hear that you found the NST toolkit useful and took the time to post some feedback (thanks).

We disable both the httpd and sshd service by default on a Live boot as the ISO ships with a default password. If you run the “nstpasswd” script after logging in (it sets the various system passwords), it will not only change the default system passwords, but enable the httpd and sshd services for you.
