A Framework for Packet Trace Manipulation
Transcript of A Framework for Packet Trace Manipulation
Motivation
Say you need to solve a problem that involves manipulating network traffic:
complex filtering (e.g. data analysis)
fine-grained editing (e.g. header field bitflips)
large-scale editing (e.g. anonymization)
visualization (e.g. behavioural analysis)
What do you do?
Motivation II
Try to find a tool that does it
where? does it build? maintained?
If so, lucky you!
Mhmm ... write your own ... again.
Okay, pcap.
Now you typically need infrastructure:
data types
conn. state tracking
protocol header lookup
Lots of duplicated effort
Cut’n’paste sucks
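The infrastructure just listed (packet data types, protocol header lookup) together with the fine-grained header-field edit from the Motivation slide, as an added example in plain Python that is not Netdude's code: it writes a constructed one-packet pcap, locates the TCP header through the Ethernet and IPv4 headers, flips one flag bit and repairs the TCP checksum so the edited trace stays consistent. All addresses, ports and MACs are constructed sample values.

```python
import struct
def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2: data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16: s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def tcp_checksum(ip_hdr: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _csum(pseudo + tcp[:16] + b"\0\0" + tcp[18:])

def build_frame(flags: int = 0x02) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame, 10.0.0.1:1234 -> 10.0.0.2:80, SYN, no payload."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                               bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    struct.pack_into("!H", ip, 10, _csum(bytes(ip)))  # IP header checksum
    tcp = bytearray(struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 5 << 4, flags, 8192, 0, 0))
    struct.pack_into("!H", tcp, 16, tcp_checksum(bytes(ip), bytes(tcp)))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + bytes(ip) + bytes(tcp)

def pcap_file(frames) -> bytes:
    """Little-endian pcap: 24-byte global header (linktype 1 = Ethernet), 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def pcap_records(pcap: bytes):
    """Yield captured frames; the magic number's byte order decides how records are read."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[off:off + 16])[2]  # captured length
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def tcp_offset(frame: bytes):
    """Header lookup: Ethernet -> IPv4 (honouring IHL) -> TCP; None unless IPv4 carrying TCP."""
    if frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4 or frame[23] != 6: return None
    return 14 + (frame[14] & 0x0F) * 4

def flip_tcp_flag(frame: bytes, bit: int) -> bytes:
    """Flip one TCP flag bit, then repair the TCP checksum so the edited frame stays valid."""
    off, b = tcp_offset(frame), bytearray(frame)
    b[off + 13] ^= bit
    struct.pack_into("!H", b, off + 16, tcp_checksum(bytes(b[14:off]), bytes(b[off:])))
    return bytes(b)
```

Editing the flag byte without recomputing the checksum is the classic mistake: the modified packet would be silently dropped by any checksum-verifying receiver or flagged by analysis tools.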
Motivation III
Ewww.
Introducing ...
Netdude — NETwork DUmp Data Editor
Framework for packet inspection and manipulation
Multiple usage paradigms: GUI + command line
Scalable to arbitrary trace sizes
Reusable at all levels
Extensible
Architecture
Experience
Fine-grained header field modifications: M. Handley, C. Kreibich, V. Paxson: Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, 9th USENIX Security Symposium, 2001.
Large-scale filtering and reassembly: A. Moore, J. Hall, C. Kreibich, E. Harris, I. Pratt: Architecture of a Network Monitor, Passive and Active Measurement Workshop, 2003.
Fine-grained payload editing: C. Kreibich, J. Crowcroft: Honeycomb - Creating Intrusion Detection Signatures Using Honeypots, HotNets II, 2003.
Future Work
hehe
Don’t get me wrong ...
Summary
System detects patterns in network traffic
Using honeypots, the system can create useful signatures
Good at worm detection
Todo list
Ability to control LCS algorithm (whitelisting?)
Tests with higher traffic volume
Experiment with approximate matching
Better signature reporting scheme
Thanks!
Shoutouts to all contributors!
Debian packagers needed ...
Questions?