Common Interface to Packets

Recently a blog reader asked me an interesting question. He wanted to know if it would be possible to replace the variety of network traffic inspection and analysis products with a single box running multiple applications. He was interested in some sort of common interface to packets that could perform the collection function and make traffic available to other products.

There are several ways to look at this issue. First, one can do that already using a commodity hardware platform. It is possible to run multiple traffic inspection applications against a single interface now, but one has to be careful as the number of applications increases. We use this approach with Sguil, where Snort listens to generate alerts, SANCP listens to create session records, Daemonlogger listens to log full content data, PADS listens to generate host records, and so on.

Second, one could buy a fairly open packet capture box and create virtual interfaces which provide a traffic stream to applications. Options which come to mind include Solera Networks capture appliances and Endace Ninja platforms. These typically run Linux and act as a high-end option for packet capture.

Third, one could think of a network tap (like a Net Optics regeneration tap or a Gigamon GigaVUE as that common interface to packet data. The tap collects traffic and then sends it to multiple products. This is a very common scenario for a simple reason: few vendors are willing to accept the decisions made by another vendor regarding packet capture. Everyone wants to collect data themselves, using their own NICs, or drivers, or libraries. That's perfectly understandable but it makes it tough for users who end up managing so many separate boxes.

What do you think?

Comments

Martin Roesch said…
Snort 3 is architected to do exactly this. The Snort 3.0 framework is a common platform for implementing network traffic analysis engines. If you look at my blog post on the Snort 3 architecture you'll see that the area denoted as "analytic modules" can accept arbitrary traffic analysis engines. My intention is to enable just what your reader was asking for, a common platform for traffic inspection. Bonus points: it's designed to be hardware accelerated too!
10:48 AM
Anonymous said…
I didn't know you were using daemonlogger. Have you ever run into the bug I documented at http://www.atarininja.org/index.py/entries/geek/daemonlogger-deleting-wrong-files.1024px? I'm not sure if Marty ever fixed it or not - I pinged him a few months ago but he's probably still insanely busy. It could very well be a nasty bug if you're using it in scripts on automated boxes.

-- WXS
10:56 AM
Richard Bejtlich said…
We don't use Daemonlogger's native rotation capacity -- we wrap it with our own script. However, I didn't see that bug. Thanks!
11:08 AM
Scott Burch said…
The Gigamon GigaVUE is fantastic! I love these, plug these into your taps for near limitless flexibility and expandability. Why are these so useful?

1) Scalability: Up to 10 Gigamons can be stacked (for a total of 202 ports (any port can be tool or network) functioning in one logical unit) via 10 gigabit Infiniband connectors. There are 8 gigabit copper connectors in the base unit. The unit is expanded using GigaPORT and GigaTap modules. An additional 3 GigaPORT modules can be added to each chassis (this provides an additional 12 ports (are UTP and SFP)
2) Nearly limitless possibilities when it comes to aggregation (many to any), multicasting (any to many), and filtering (vlans, networks, protocols, etc.).
3) Support for 10 Gigabit Ethernet.

I keep running into the situation where all the existing monitor ports are used up. Having the Gigamon basically eliminates this problem.

Also consider the situation where you have many taps and you need to inspect traffic on particular ports from these taps. You can pass all these taps into a Gigamon, then tell the Gigamon to filter the output (so only the traffic on ports you want to see is sent) and send it to one tool port to inspect with one monitoring box.

I've deployed several recently and deploying a couple more in the near future.
10:41 PM
James said…
If we take a step back, what do all these devices have in common, including routers and switches? A packet arrives, a process or logic is applied to that packet and based upon the results is egressed or dropped. Now why cant all these funtions be merged into a commom platform
11:35 PM
Unknown said…
If you are already running daemonlogger, I wonder if there would be any performance benefit in having additional tools like sancp and pads 'tail' the daemonlogger spool files.. Probably not ideal for Snort to that as you likely want it to be a little more real time, but pads and sancp wouldn't be affected that much.

Note that said tools would probably need modification to do this.
11:45 PM
Anonymous said…
Marty, have any 3rd party vendors picked up on this architecture to provide add-in modules? Or are there plans to develop such partnerships?
5:19 PM
Martin Roesch said…
Hi g,

Several vendors have expressed interest, can't say much more at this time. :)
11:41 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more