-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
capture server implementation #12
Comments
This can be done easily by setting the destination port to the port of the server in a UDP send. If we just throw it at our firewall we will be able to sniff it off the wire.. The only gotcha is that we will need gatekeeper to send the packets in order or we will end up ass backwards. |
I think Zach brings up some good points in his comment c0b9dac#commitcomment-11515283 , and I think this is worth discussing, even for my own clarity. I'm confused on the role of |
…o the supplied log server. also fixed parsing of the log server string.
It doesn't matter where the data gets turned into PCAPs, as long as it gets turned into PCAPs and preserves the original source and destination tuples. I realize we don't have access to the raw IP and TCP headers, but we can forge them well enough. We don't want to invent a brand new data format that's hard to work with and requires new parsing tools. PCAP is bog-standard and there's nice libraries for everything. My original expectation was that the network-traffic-filtering-and-regex portion of Gatekeeper does not run on the game box. It's going to be too slow. We can just forward all traffic off-box for inspection, and then feed it to the application. The regex does not need to know anything at all about inotify or any of the other defense mechanisms, so this should work fine. The only thing that needs to be on-box is the inotify bit. |
There are a few points going on here, I'll break them out and give my thoughts:
The purpose of the capture server is give us a 15 minute lead on the pcap's we are already getting and to give us coverage on teams redirecting through other services on our box. For example if we are exploited on wdub and then the shellcode running there redirects to atmail on 127.0.0.1 the attacking team can skip the span port on the switch and hide their atmail exploit from our pcaps. The 15 minute lead time on pcaps means 1 or 2 rounds of faster exploit replay. The redirection capture may prove crucial if we're expecting to see more advanced shellcode this year. As far as formatting, it doesn't matter to me what format we use for this. I was planning to log CONNECT , RECV: SENT: , DISCONNECT and nothing more. Simple, human readable without additional tools, and easily grepable. Drop the logs to a file that had a datetime stamp for when the connection was first received with a unique capture server per service. Most of what we're doing with pcaps is following tcp streams to reassemble data to pull out an exploit once it triggeres on an inotify hit. Well, gatekeeper already has the data reassembled without the headers. I didn't see the need to add faked information about the IP and TCP headers only so that we could remove it again. Zach said something about a pcap raw format that might not require headers? That could be an option. Again, it really doesn't matter which format we use so long as we can view and search the log files with each side of the conversation broken down. It would be a very cool exercise to take these files and automatically generate a replayable exploit too.
I think this is a bad idea. It adds complexity that makes our services block on other network communications. Other teams have abandoned similar setups (Routards @ DC 21) due to latency and associated SLA hits. However, they may have been doing more than pcre on the back end. I agree that we do need to test the performing impacts for gatekeeper redirection and pcre matching. I don't think we are going to have anything slower than the odroids this year so we can performance test on those. A review of last years pcaps will hopefully tell us how fast we need to be. Hopefully that helps to clarify some of what I was thinking when putting together the initial design of gatekeeper. |
This won't work for bi-directional communication unless you have two separate logs. It's also impossible to find out exactly which packets arrived at exactly which millisecond. |
Here is an example that might be in one file. It will show both sides of the conversation. CONNECTED: 10.5.5.8 You are correct that we won't be able to know which packet arrived with which timing but the ordering will be correct. We could add a timestamp but do we need to know that information with a 15 minute lead time or can it wait until we get the pcaps? I could see it helping if we were automating things but knowing when the connection started by the timestamp in the capture filename will be enough to match with inotify. |
getting complex here is going to burn us IMHO.. we should focus on gatekeeper stopping attacks, and notifying us of an attack by simply telling us a key read happened at a given time. if we can flag a key read and dump a hexdump like above, that is very easy to implement a replay |
This is ~completely solved with my |
As data comes in send it off to our capture server, we will lose context but we will have a realtime view of data coming into our services, log to file for each new connection.
The text was updated successfully, but these errors were encountered: