Network Forensics

Network Incident Response and Forensics with NST

Posted on January 2, 2010. Filed under: Computer Virus and Malware, Gateway Antivirus, Linux, Network Forensics, Network Incident Response

A Systems Engineer’s job isn’t just designing systems; it is also being proactive, thinking about weaknesses in the system and preventing the next big outage.

One day at the office recently, I started hearing reports of the internet connection running very slowly. Our firewall shows us overall stats, but doesn’t do a good job of showing “Top Talkers”. Actually, that feature is completely missing from it.

I was looking for a quick way to implement a monitoring system to show me who was using up the bandwidth. I also saw a need for a network forensics system to troubleshoot everything from network latency, to stopping the spread of malware. I remembered that I stumbled upon the Network Security Toolkit a while back. I was planning on evaluating it but never got around to it until now. This minor problem was the perfect thing to present to management to hopefully convince them of a need for a network monitoring system. You know how difficult it can be to get funding for anything that doesn’t contribute to the bottom line. I always look for an opening to get my company to use open source software whenever possible. This was a great opportunity.

By the time I had downloaded and burned a disc with NST, the internet latency issue was already over. Still, I went ahead with my evaluation. For the sake of brevity, I am leaving out the steps I took to create a monitor (SPAN) port on the switch. Without a monitor port on your switch, you can’t see all network traffic, only that which is addressed to your IP or MAC address, or broadcasts.

The ISO image was over a gigabyte, so it had to be burned to DVD (it can be booted from a USB drive as well). I used a spare laptop to boot the disc, and chose the graphical desktop from the menu options. After startup, I attempted to access the UI at the URL https://<ip or domain name>/nstwui. The page wasn’t found. I realized that there weren’t any interfaces available besides lo. I ran the command “ifup eth0” and got a DHCP IP address. I tried to access the URL again but didn’t get a response. I checked the service status and found that httpd wasn’t started. I ran the command “service httpd start” and got an OK response. I was then able to access the admin UI.
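The two things that stopped the web UI from loading above (no interface besides lo, and httpd not running) are easy to check before opening a browser. The script below is an added example, not part of the post or of the NST project: the two parsing functions take the output of `ip -4 -o addr show` and `ss -ltn` as a string so they can be exercised on the constructed samples included here, and `nst_preflight` wires them to the real commands the post used (`ifup`, `service httpd start`). The interface name eth0 and port 443 are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or the NST project): pre-flight checks for a
# freshly booted NST live system before browsing to https://<ip>/nstwui.

# Constructed sample of "ip -4 -o addr show" on a box where only eth0 has
# an address (one interface per line, fields: idx name inet addr/prefix ...).
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.50/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever'

# Constructed sample of "ss -ltn": sshd and httpd (443) listening, nothing on 80.
SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     *:443               *:*'

# iface_has_ipv4 IFACE IP_OUTPUT: exit 0 if IFACE has an IPv4 address in the
# given "ip -4 -o addr show" output, else 1.
iface_has_ipv4() {
    printf '%s\n' "$2" |
        awk -v want="$1" '$2 == want && $3 == "inet" { found = 1 }
                          END { exit (found ? 0 : 1) }'
}

# port_listening PORT SS_OUTPUT: exit 0 if some socket in the given "ss -ltn"
# output listens on PORT (last colon-separated part of the local address).
port_listening() {
    printf '%s\n' "$2" |
        awk -v want="$1" 'NR > 1 { n = split($4, a, ":"); if (a[n] == want) found = 1 }
                          END { exit (found ? 0 : 1) }'
}

# nst_preflight [IFACE]: run the checks against the live system and repeat the
# two fixes from the post when needed. Assumes eth0 and an httpd on tcp/443.
nst_preflight() {
    iface="${1:-eth0}"
    if ! iface_has_ipv4 "$iface" "$(ip -4 -o addr show 2>/dev/null)"; then
        echo "$iface has no IPv4 address; requesting one via DHCP"
        ifup "$iface"
    fi
    if ! port_listening 443 "$(ss -ltn 2>/dev/null)"; then
        echo "nothing listening on tcp/443; starting httpd"
        service httpd start
    fi
    addr=$(ip -4 -o addr show "$iface" | awk '$3 == "inet" { sub("/.*", "", $4); print $4; exit }')
    echo "NST web UI should now answer at https://$addr/nstwui"
}

# Only touch the live system when invoked as: sh nst_preflight.sh --run [iface]
if [ "${1:-}" = "--run" ]; then
    nst_preflight "${2:-eth0}"
fi
```

Run with `sh nst_preflight.sh --run eth0` on the NST box; without `--run` the script only defines the functions, which is how the constructed samples are checked.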

[Image: NST Boot Screen]

After logging in, I took the time to fully explore the web interface. I have to admit I was very impressed. It isn’t newbie-simple, but this was meant to be a network analyst’s toolkit, not a newbie system. After familiarizing myself with the menus, I started up ntop and browsed to the management URL. I was able to easily drill down to see who was using up the most bandwidth and which services were running on the target computer.
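The "Top Talkers" view the firewall lacked and ntop provided is just a sum of bytes per source address. The script below is an added example, not part of the post or of ntop, showing the same report computed by hand from a flow export with one flow per line in the assumed form `<src-ip> <dst-ip> <bytes>`; the flow records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post or from ntop): a by-hand "top talkers"
# report from a per-flow export, for when no NetFlow/ntop UI is at hand.

# Constructed sample export: <src-ip> <dst-ip> <bytes>, one flow per line.
SAMPLE_FLOWS='10.0.0.12 93.184.216.34 1500000
10.0.0.7 93.184.216.34 20000
10.0.0.12 198.51.100.9 2500000
10.0.0.3 203.0.113.5 800000
10.0.0.7 198.51.100.9 35000'

# top_talkers N FLOWS: print the N source addresses that sent the most bytes,
# as "<bytes> <src-ip>", largest first. Malformed lines are skipped.
top_talkers() {
    printf '%s\n' "$2" |
        awk 'NF == 3 && $3 ~ /^[0-9]+$/ { bytes[$1] += $3 }
             END { for (ip in bytes) print bytes[ip], ip }' |
        sort -k1,1nr | head -n "$1"
}

# total_bytes FLOWS: total bytes in the export, for putting a talker in context.
total_bytes() {
    printf '%s\n' "$1" | awk 'NF == 3 && $3 ~ /^[0-9]+$/ { s += $3 } END { print s + 0 }'
}

# share_percent BYTES TOTAL: integer percentage of TOTAL that BYTES represents.
share_percent() {
    awk -v b="$1" -v t="$2" 'BEGIN { print (t > 0) ? int(100 * b / t) : 0 }'
}

# report N FLOWS: top N talkers with their share of all traffic in the export.
report() {
    total=$(total_bytes "$2")
    top_talkers "$1" "$2" | while read -r bytes ip; do
        echo "$ip $bytes bytes ($(share_percent "$bytes" "$total")% of $total)"
    done
}

# Stand-alone demo on the constructed sample.
report 3 "$SAMPLE_FLOWS"
```

Feed it a real export with `report 10 "$(cat flows.txt)"`; a host taking most of the share while a web-browsing link feels slow is exactly the kind of lead that then deserves the per-service drill-down the post did in ntop.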

While thinking about what other network issues I could solve with NST, I realized that we need to be prepared for the next big virus or worm outbreak and run an Intrusion Detection System (IDS). Fortunately, Snort is installed on NST, and was a snap to set up, but I already had some experience with Snort to start with. I recommend you try out NST in advance and get familiar with the tools BEFORE you are acting in a state of emergency. If you plan on using Snort, be sure to research how to create your own rules before the need arises. For those not already familiar with Snort, it can double as a gateway antivirus appliance if you configure it “inline”.

[Image: Snort Setup]

Network Security Toolkit has many other tools installed that can be controlled in the excellent but very busy web interface. A complete list of tools included can be found here.
