MCFP - ATG - CTU University
Malware Capture Facility Project

topology

More information soon.

tools

To accomplish the tasks in this Project we use several tools.

virtualbox

All the captures are made inside a VirtualBox VM. The packets are captured by VirtualBox itself, on the host side of the VM's virtual network adapter, rather than by a sniffer running in the guest, so the malware under analysis cannot see or tamper with the capture.

argus

Our main tool for analyzing the traffic is Argus. This suite of programs lets us store, analyze and process the network flow information extracted from the captures.

cacti

For monitoring the network in real time we use the Cacti software.

real time plotting of network features in cacti

To plot the information we want on the Cacti web page in real time, we wrote two custom tools: a Python script that reads the pcap file and a bash script that sends the data to Cacti.

botsummarizer

(Download)
This tool reads a pcap file and outputs a set of features suited to be sent to an RRD file. It computes the features in time windows, so every X minutes you get a set of values that help you visualize the traffic. By default the time window is 1 minute. The features computed by this tool are:
  1. Amount of established DNS flows (DNS).
  2. Amount of established flows to destination port 25 (SPAM).
  3. Amount of established flows to destination port 80 (WEB).
  4. Amount of established flows to destination port 443 (HTTPS).
  5. Amount of established flows to destination port 22 (SSH).
  6. Amount of TCP flows.
  7. Amount of UDP flows.
  8. Amount of IPv6 flows.

The advantage of this program is that it computes the features from the flow records produced by Argus and the connection state recorded in each flow. It therefore does not count packets, but established connections: a SYN that is answered with a RST, or a one-way UDP datagram, is not counted as an established flow.
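The following Python is an added example of the windowed feature computation described above; it is not the project's BotSummarizer.py. It assumes the flows have already been extracted by Argus and printed by the ra client as comma-separated records (the assumed command is `ra -n -u -c , -s stime,proto,saddr,sport,dir,daddr,dport,state -r test.argus`: epoch start time, protocol, addresses, ports, direction and flow state). The "established" decision is this example's own rule, based on the state column: a completed TCP handshake, or a CON state for UDP. The sample records are constructed, not taken from a real capture. As an extension beyond the page's feature list, the block also formats each window as the `timestamp:v1:...:v8` value string that an `rrdtool update` call takes, which is the shape the data must have before it reaches the RRD file.

```python
"""Per-window flow features in the style of the page's BotSummarizer.py (added example)."""
from collections import Counter, defaultdict

# Constructed sample, NOT a real capture. Assumed ra output with fields:
# stime(epoch),proto,saddr,sport,dir,daddr,dport,state
SAMPLE_RA_OUTPUT = """\
1300000005.1,udp,10.0.2.15,51234,<->,10.0.2.3,53,CON
1300000007.4,tcp,10.0.2.15,49152,->,93.184.216.34,80,SPA_SPA
1300000012.9,tcp,10.0.2.15,49153,->,198.51.100.7,443,FSPA_FSPA
1300000020.0,tcp,10.0.2.15,49154,->,203.0.113.9,25,S_RA
1300000021.3,tcp,10.0.2.15,49155,->,203.0.113.10,25,SPA_SPA
1300000030.0,udp,10.0.2.15,51235,->,10.0.2.3,53,INT
1300000065.2,tcp,10.0.2.15,49156,->,192.0.2.44,22,SPA_SPA
1300000070.7,tcp,10.0.2.15,49157,->,203.0.113.11,25,S_
1300000080.0,udp,fe80::1,5353,->,ff02::fb,5353,INT
"""

# Feature order matches the page's list and the RRD data-source order we assume.
FEATURES = ("dns", "spam", "web", "https", "ssh", "tcp", "udp", "ipv6")
# Destination port -> feature name; applied to established flows only.
PORT_FEATURES = {53: "dns", 25: "spam", 80: "web", 443: "https", 22: "ssh"}


def is_established(proto, state):
    """Assumed decoding of ra's state column (this example's rule, not the tool's).

    Non-TCP flows: ra reports CON for bidirectional flows and INT for one-way ones.
    TCP flows: either a CON/EST label or a 'srcflags_dstflags' string; we require a
    completed handshake: SYN and ACK from the source, SYN and ACK from the destination.
    """
    if state in ("CON", "EST"):
        return True
    if proto == "tcp" and "_" in state:
        src, dst = state.split("_", 1)
        return "S" in src and "A" in src and "S" in dst and "A" in dst
    return False


def summarize(ra_text, window=60):
    """Return {window_start_epoch: Counter(feature -> count)}; window is in seconds."""
    windows = defaultdict(Counter)
    for line in ra_text.splitlines():
        if not line.strip():
            continue
        stime, proto, saddr, _sport, _dir, daddr, dport, state = line.split(",")
        bucket = int(float(stime)) // window * window
        c = windows[bucket]
        # Protocol and address-family counts include every flow, established or not.
        if proto == "tcp":
            c["tcp"] += 1
        elif proto == "udp":
            c["udp"] += 1
        if ":" in saddr or ":" in daddr:
            c["ipv6"] += 1
        # Service features count established flows only, as the page describes.
        if is_established(proto, state) and dport.isdigit():
            feat = PORT_FEATURES.get(int(dport))
            if feat:
                c[feat] += 1
    return windows


def rrd_update_args(windows):
    """One 'rrdtool update <file> <arg>' value string per window: ts:v1:...:v8 in FEATURES order."""
    return ["%d:%s" % (ts, ":".join(str(windows[ts][f]) for f in FEATURES))
            for ts in sorted(windows)]


if __name__ == "__main__":
    for arg in rrd_update_args(summarize(SAMPLE_RA_OUTPUT)):
        print(arg)
```

Run against the constructed sample, the two SMTP attempts at 1300000020 and 1300000070 are not counted as SPAM because the peer answered with RST (`S_RA`) or never answered (`S_`); only the `SPA_SPA` flow is. The same logic applies to the one-way DNS query marked `INT`, which is why counting established flows rather than packets makes scanning and failed connection attempts visible as a gap between the TCP total and the per-service counts.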

Usage:
This tool is mainly used from the following bash script.

running_argus_graph.sh

(Download)
This bash script reads a pcap file and creates an RRD file.
To do this, the script first creates an RRD file with the data sources we need, runs Argus on the pcap file, and then uses BotSummarizer.py to print the features of the traffic. Finally, it sends every set of values to the RRD file using rrdtool update. The resulting file can be plotted with Cacti, for example.

Usage is like this:

First start your pcap capture into a file, for example test.pcap.

Then:
$ running_argus_graph.sh test.pcap

The advantage of these tools is that the pcap file can keep growing during a live capture: Argus reads the file as it is being written, so the features are updated while the capture is still running. This makes the tools useful for monitoring live botnet traffic, and it works thanks to the work of Carter Bullard on Argus.

Once the RRD file is being filled, you can plot it with Cacti or with the following tool, graph_rrd.sh.

graph_rrd.sh

(Download)
The purpose of this tool is to take an RRD file (created with the running_argus_graph.sh script) and create a PNG image of the features in the traffic. Its main use is to analyze already finished pcap files very quickly, without setting up Cacti.

The usage is like this:
$ graph_rrd.sh <rrd-file>