Recently I installed a Savvius Insight appliance in bridge mode between my firewall and the outside world. I was curious about what was going on out there in the “wild west” and tapping into that traffic in a secure manner with the Savvius Insight was too good an opportunity to pass up.
I was not disappointed – I left the Insight running overnight in capture to disk mode and 10
million packets later came back to see what it had found:
Using the ELK dashboard feature of Insight I viewed the Event Map dashboard and quickly saw that I (or at least my IP) was of interest to many different countries around the world. My first thought was that countries with large amounts of bytes sent and received represented mostly normal traffic, albeit with some malicious packets undoubtedly lurking within. Countries with smaller amounts of bytes were probably not packets of congratulations and welcome from friendly net citizens. Clicking through the multiple pages of countries I
started to see sections where countries had sent packets to me, but I had not sent packets to them. This is in fact a good thing, as it likely means that my firewall was dropping this traffic without reply:
All of this information made me curious. Why was I talking to Ireland and why were China, Russia, North Korea, Ukraine, and even Albania interested enough to send packets my way.
It was a simple matter to click on Ireland in the Country by Bytes and Packets table to create
a filter that looks like this:
Then hover over the filter entry to reveal the option menu and click on the pin icon so that it points down – this pins the filter setting so that it will stay active as I switch between views.
Click on the Discover menu to see all of the relevant details for the packets from Ireland:
Looking at the graph of packets over time I see that the activity occurred during my normal business hours, this was actually a pretty good sign.But I still needed to answer the question: were the packets safe or dangerous?
The field list on the left hand side has an entry for geoid.ip, clicking on this reveals the top 5 IP addresses from the traffic displayed via my filter (which identifies traffic from Ireland):
A quick copy paste of the displayed IPs and a small bit of editing created a comma separated list like this: 220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52
Now over to Omnipeek where my capture is still active and all 10 million packets are waiting
Selecting the active Auto Capture – Analysis tab I create a filter that includes the IPs from the
list I just created:
I execute the filter and choose to copy selected packets to new window:
Before I do anything else I right-click the newly created tab and rename it to something more
Selecting the Application dashboard I see that the traffic is related to Facebook, including the
SSL/HTTPS data transfer going to Facebook.
It was a bit of surprise to me that my Facebook traffic was going to Ireland, but they did build a datacenter there in 2016 so the traffic flows are legitimate. The packets from China and Russia are another matter.
The technique to narrow down on these packets is the same as for Ireland so I won’t repeat the setup, let’s jump right to the details in Omnipeek. Looking at the traffic from China I see that it consists of attempts to connect via telnet and MS SQL calls. So I’m being probed.
Clicking on the Capture> Packets option and drilling down to one of the individual packets I see that it is a TCP SYN packet, effectively a connection establishment request. Since it was dropped by my firewall there is no response (remember that this capture is being conducted on the outside of the firewall). Only the most insecure systems would be affected by these types of attacks, but unfortunately enough exist to make it worthwhile to try.
Jumping over to traffic from Russia we can see it is a little more diverse with TCP and UDP port scans in addition to what is becoming the traditional telnet attempt:
Clicking on the Capture> Packets option I drill down to a UDP packet because the port number looked vaguely familiar:
There are a few interesting items here. The destination port number is famous from a few years ago when a Chinese router manufacturer hardcoded backdoor access into all of the equipment sold under the Netcore/Netis brand name. This packet represents an attempt to connect to this port to determine if I am one of the unlucky ones still operating this type of device.
The second item to note is that the Length field is not properly set in this packet. The 8 byte UDP header overhead combined with the 18 byte payload should have resulted in a 26 byte length value. The fact that the length value does not reflect the actual length is a conditionthat Omnipeek flags as suspicious.
The code to exploit Netcore/Netis is freely available on GitHub, the relevant login section is
Clicking on the data area of the UDP packet and looking at the hex decode in Omnipeek we can clearly see the same login credentials being used:
I was intrigued that this attack was still being used so I searched for the login attempt throughout the entire capture with a simple filter:
In my case it revealed the exact same packet I had stumbled on from Russia, which is fine by me…
Hopefully this simple security workflow has shown how you can go from a high level view of traffic, to drilling down into traffic of interest, to drilling down to individual packet details, to using that information in an actionable way. Savvius is one of the few companies that provides such an easy way to do this.
Unlike many other approaches that take huge amounts of time to gather similar insights, Savvius allows very fast execution. The elapsed time from thinking of something that you need to know to the moment that you are looking at the related data is just a few minutes. If you find yourself spending hours with Savvius products, it’s not because they are hard to use, but rather that the visibility and detail they provide is so fascinating and useful that you can’t take your eyes off of it…
Let us know how you use Savvius products in your daily work!