We have finished our first round of testing against the modified version of the Sguil client (we modified the 0.7.0 CVS version). Using the alert information displayed in the Sguil client, we build a query and feed it to the NetWitness API through a VBScript that calls explorer.exe and passes it a NetWitness URL. When you install NetWitness Investigator, it registers nw://<url> as a protocol handler within the OS. This URL is the API/method by which alerting from other products can be used to find specific sessions, IPs or timeframes of traffic to review, in any combination.
To do this, we first modified the Xscript section of sguil.tk and removed the transcript and wireshark options as we are now relying upon NetWitness for pcap capture instead of daemonlogger/sancp/tcpdump etc:
# Xscript Menu
set eventIDMenut [ menu .eventIDMenut -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND \
-activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND -tearoff 0 ]
$eventIDMenut add command -label "Event History" -command "GetEventHistory"
$eventIDMenut add command -label "NetWitness Src -> Dst" -command "NetWitnessEvent from"
$eventIDMenut add command -label "NetWitness Dst -> Src" -command "NetWitnessEvent to"
You can see that we are calling the command NetWitnessEvent and passing it a value of from or to. The reason for this is that events that are triggered list the source and destination IP address for the particular packet that caused the alert. However, NetWitness is session aware, so you may need to query using the source address as the destination and vice versa. This is calling the NetWitnessEvent function that we have added to lib/extdata.tcl:
proc NetWitnessEvent { direction } {
    global ACTIVE_EVENT SERVERHOST XSCRIPT_SERVER_PORT DEBUG CUR_SEL_PANE XSCRIPTDATARCVD
    global socketWinName SESSION_STATE WIRESHARK_STORE_DIR WIRESHARK_PATH
    # Nothing highlighted in the current pane: nothing to query
    if {!$ACTIVE_EVENT} {return}
    set selectedIndex [$CUR_SEL_PANE(name) curselection]
    # alertID is "sensorID.cnxID"
    set sidcidList [split [$CUR_SEL_PANE(name) getcells $selectedIndex,alertID] .]
    set cnxID [lindex $sidcidList 1]
    set sensorID [lindex $sidcidList 0]
    # Pull the protocol and 4-tuple out of the selected alert row
    set proto [$CUR_SEL_PANE(name) getcells $selectedIndex,ipproto]
    set srcIP [$CUR_SEL_PANE(name) getcells $selectedIndex,srcip]
    set srcPort [$CUR_SEL_PANE(name) getcells $selectedIndex,srcport]
    set dstIP [$CUR_SEL_PANE(name) getcells $selectedIndex,dstip]
    set dstPort [$CUR_SEL_PANE(name) getcells $selectedIndex,dstport]
    # Session (SSN) panes carry a start time; event panes carry a date column
    if { $CUR_SEL_PANE(format) == "SSN" } {
        set timestamp [$CUR_SEL_PANE(name) getcells $selectedIndex,starttime]
    } else {
        set timestamp [$CUR_SEL_PANE(name) getcells $selectedIndex,date]
    }
    # Two-minute window either side of the alert time (Sguil timestamps are UTC)
    set future [clock scan "2 minute" -base [clock scan $timestamp -gmt 1]]
    set past [clock scan "-2 minute" -base [clock scan $timestamp -gmt 1]]
    # NetWitness expects "YYYY-MM-DD+HH%3AMM%3ASS": '+' for the space, %3A for ':'
    set future [clock format $future -format {%Y-%m-%d+%H:%M:%S} -gmt 1]
    set past [clock format $past -format {%Y-%m-%d+%H:%M:%S} -gmt 1]
    set future [regsub -all -expanded {[\:]} $future {%3A}]
    set past [regsub -all -expanded {[\:]} $past {%3A}]
    # One URL per protocol. The where clause is URL-encoded by hand (%3D is '=',
    # %26%26 is '&&'); "to" swaps the endpoints because NetWitness indexes sessions,
    # so the alert's destination may be the session's source.
    if { $proto == "6" } {
        if { $direction == "from" } {
            exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=TCP+%7C%7C+$srcIP%3A$srcPort+-%3E+$dstIP%3A$dstPort&time=$past+to+$future&view=session&where=ip.src%3D$srcIP+%26%26+tcp.srcport%3D$srcPort+%26%26+ip.dst%3D$dstIP+%26%26+tcp.dstport%3D$dstPort"
        }
        if { $direction == "to" } {
            exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=TCP+%7C%7C+$dstIP%3A$dstPort+-%3E+$srcIP%3A$srcPort&time=$past+to+$future&view=session&where=ip.src%3D$dstIP+%26%26+tcp.srcport%3D$dstPort+%26%26+ip.dst%3D$srcIP+%26%26+tcp.dstport%3D$srcPort"
        }
    }
    if { $proto == "17" } {
        if { $direction == "from" } {
            exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=UDP+%7C%7C+$srcIP%3A$srcPort+-%3E+$dstIP%3A$dstPort&time=$past+to+$future&view=session&where=ip.src%3D$srcIP+%26%26+udp.srcport%3D$srcPort+%26%26+ip.dst%3D$dstIP+%26%26+udp.dstport%3D$dstPort"
        }
        if { $direction == "to" } {
            exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=UDP+%7C%7C+$dstIP%3A$dstPort+-%3E+$srcIP%3A$srcPort&time=$past+to+$future&view=session&where=ip.src%3D$dstIP+%26%26+udp.srcport%3D$dstPort+%26%26+ip.dst%3D$srcIP+%26%26+udp.dstport%3D$srcPort"
        }
    }
    if { $proto == "1" } {
        # ICMP has no ports; match on addresses and ip.proto only
        if { $direction == "from" } {
            exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ICMP+%7C%7C+$srcIP+-%3E+$dstIP&time=$past+to+$future&view=session&where=ip.src%3D$srcIP+%26%26+ip.dst%3D$dstIP+%26%26+ip.proto%3D1"
        }
        if { $direction == "to" } {
            exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ICMP+%7C%7C+$dstIP+-%3E+$srcIP&time=$past+to+$future&view=session&where=ip.src%3D$dstIP+%26%26+ip.dst%3D$srcIP+%26%26+ip.proto%3D1"
        }
    }
}
This function builds a different query depending on the protocol (TCP, UDP and ICMP only at present) from the source/destination address and source/destination port of the alert. It looks for sessions matching those exact values within the time window and opens them automatically in NetWitness Investigator:

To replicate the SANCP session type queries, we again modify sguil.tk but this time we modify the IPQuery Menu section:
# IPQuery Menu
set ipQueryMenu [ menu .ipQueryMenu -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND \
-activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND -tearoff 0 ]
.ipQueryMenu add cascade -label "Quick Query" -menu $ipQueryMenu.quickMenu
.ipQueryMenu add cascade -label "Advanced Query" -menu $ipQueryMenu.advancedMenu
.ipQueryMenu add cascade -label "Dshield IP Lookup" -menu $ipQueryMenu.dshieldIPMenu
.ipQueryMenu add cascade -label "Nessus Report Lookup" -menu $ipQueryMenu.nessusMenu
.ipQueryMenu add cascade -label "NetWitness Query" -menu $ipQueryMenu.netwitnessMenu
menu $ipQueryMenu.quickMenu -tearoff 0 -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND
menu $ipQueryMenu.advancedMenu -tearoff 0 -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND
menu $ipQueryMenu.dshieldIPMenu -tearoff 0 -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND
menu $ipQueryMenu.nessusMenu -tearoff 0 -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND
menu $ipQueryMenu.netwitnessMenu -tearoff 0 -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND
$ipQueryMenu.netwitnessMenu add command -label "SrcIP/1 Hour" -command "NetWitness Src 1"
$ipQueryMenu.netwitnessMenu add command -label "SrcIP(as Dst)/1 Hour" -command "NetWitness SrcAsDst 1"
$ipQueryMenu.netwitnessMenu add command -label "SrcIP/24 Hours" -command "NetWitness Src 24"
$ipQueryMenu.netwitnessMenu add command -label "SrcIP(as Dst)/24 Hours" -command "NetWitness SrcAsDst 24"
$ipQueryMenu.netwitnessMenu add command -label "DstIP/1 Hour" -command "NetWitness Dst 1"
$ipQueryMenu.netwitnessMenu add command -label "DstIP(as Src)/1 Hour" -command "NetWitness DstAsSrc 1"
$ipQueryMenu.netwitnessMenu add command -label "DstIP/24 Hours" -command "NetWitness Dst 24"
$ipQueryMenu.netwitnessMenu add command -label "DstIP(as Src)/24 Hours" -command "NetWitness DstAsSrc 24"
$ipQueryMenu.netwitnessMenu add command -label "Src To Dst/1 Hour" -command "NetWitness SrcToDst 1"
$ipQueryMenu.netwitnessMenu add command -label "Dst To Src/1 Hour" -command "NetWitness DstToSrc 1"
$ipQueryMenu.netwitnessMenu add command -label "Src To Dst/24 Hours" -command "NetWitness SrcToDst 24"
$ipQueryMenu.netwitnessMenu add command -label "Dst To Src/24 Hours" -command "NetWitness DstToSrc 24"
$ipQueryMenu.netwitnessMenu add command -label "Src To Dst/5 Days" -command "NetWitness SrcToDst 120"
$ipQueryMenu.netwitnessMenu add command -label "Dst To Src/5 Days" -command "NetWitness DstToSrc 120"
foreach { currentMenu subcommand } { .ipQueryMenu.quickMenu "quick" .ipQueryMenu.advancedMenu "build" } {
....truncated for brevity, everything below should be as it was when you checked it out of CVS...
You can see we are calling a proc/function called NetWitness and passing it a value describing which address(es) we are interested in (and whether to treat them as source or destination), along with one of a few predefined time periods. You get far more flexibility and control by building these queries within NetWitness directly, but being able to right-click makes life easier for analysts. This calls the NetWitness function that we have added to lib/extdata.tcl:
proc NetWitness { direction hours } {
    global ACTIVE_EVENT SERVERHOST XSCRIPT_SERVER_PORT DEBUG CUR_SEL_PANE XSCRIPTDATARCVD
    global socketWinName SESSION_STATE WIRESHARK_STORE_DIR WIRESHARK_PATH
    if {!$ACTIVE_EVENT} {return}
    set selectedIndex [$CUR_SEL_PANE(name) curselection]
    set sidcidList [split [$CUR_SEL_PANE(name) getcells $selectedIndex,alertID] .]
    set cnxID [lindex $sidcidList 1]
    set sensorID [lindex $sidcidList 0]
    set proto [$CUR_SEL_PANE(name) getcells $selectedIndex,ipproto]
    set srcIP [$CUR_SEL_PANE(name) getcells $selectedIndex,srcip]
    set srcPort [$CUR_SEL_PANE(name) getcells $selectedIndex,srcport]
    set dstIP [$CUR_SEL_PANE(name) getcells $selectedIndex,dstip]
    set dstPort [$CUR_SEL_PANE(name) getcells $selectedIndex,dstport]
    if { $CUR_SEL_PANE(format) == "SSN" } {
        set timestamp [$CUR_SEL_PANE(name) getcells $selectedIndex,starttime]
    } else {
        set timestamp [$CUR_SEL_PANE(name) getcells $selectedIndex,date]
    }
    # The menu passes the total window (1, 24 or 120 hours); centre it on the
    # alert time, so the 1-hour items become +/-30 minutes and the rest +/-hours/2
    if {$hours == 1} {
        set future [clock scan "30 minute" -base [clock scan $timestamp -gmt 1]]
        set past [clock scan "-30 minute" -base [clock scan $timestamp -gmt 1]]
    } else {
        set hours [expr {$hours / 2}]
        set future [clock scan "$hours hour" -base [clock scan $timestamp -gmt 1]]
        set past [clock scan "-$hours hour" -base [clock scan $timestamp -gmt 1]]
    }
    # Same "YYYY-MM-DD+HH%3AMM%3ASS" encoding as NetWitnessEvent
    set future [clock format $future -format {%Y-%m-%d+%H:%M:%S} -gmt 1]
    set past [clock format $past -format {%Y-%m-%d+%H:%M:%S} -gmt 1]
    set future [regsub -all -expanded {[\:]} $future {%3A}]
    set past [regsub -all -expanded {[\:]} $past {%3A}]
    # Single-address queries; the "AsDst"/"AsSrc" variants look for the alert's
    # address on the other side of the session
    if { $direction == "Src" } {
        exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ip.src%3D$srcIP&time=$past+to+$future&where=ip.src%3D$srcIP"
    }
    if { $direction == "SrcAsDst" } {
        exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ip.dst%3D$srcIP&time=$past+to+$future&where=ip.dst%3D$srcIP"
    }
    if { $direction == "Dst" } {
        exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ip.dst%3D$dstIP&time=$past+to+$future&where=ip.dst%3D$dstIP"
    }
    if { $direction == "DstAsSrc" } {
        exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=ip.src%3D$dstIP&time=$past+to+$future&where=ip.src%3D$dstIP"
    }
    # Address-pair queries in either direction
    if { $direction == "SrcToDst" } {
        exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=$srcIP+-%3E+$dstIP&time=$past+to+$future&where=ip.src%3D$srcIP+%26%26+ip.dst%3D$dstIP"
    }
    if { $direction == "DstToSrc" } {
        exec wscript c:/users/analyst/nw.vbs "nw://broker/?name=$dstIP+-%3E+$srcIP&time=$past+to+$future&where=ip.src%3D$dstIP+%26%26+ip.dst%3D$srcIP"
    }
}
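As an added illustration (not code from the post or from Sguil), the following Python builds the same nw:// URLs that the NetWitnessEvent and NetWitness procs above hand-assemble, so the time-window arithmetic and the URL encoding can be checked outside the Tcl client. It assumes a broker named "broker" and Sguil's UTC "YYYY-MM-DD HH:MM:SS" timestamps; the decode helper shows the query exactly as Investigator will see it after unescaping, which is why the "&&" inside the where clause has to arrive as %26%26.

```python
# Added example, not the post's Tcl: builds the nw:// URLs the two procs emit.
from datetime import datetime, timedelta
from urllib.parse import parse_qs, quote_plus, urlparse

PROTO = {"6": "TCP", "17": "UDP", "1": "ICMP"}   # Sguil ipproto column values

def time_window(timestamp, minutes):
    """(past, future) centred on a UTC 'YYYY-MM-DD HH:MM:SS' Sguil timestamp."""
    t, d = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S"), timedelta(minutes=minutes)
    return [(t + s * d).strftime("%Y-%m-%d %H:%M:%S") for s in (-1, 1)]

def nw_url(name, where, past, future, view=None, broker="broker"):
    """quote_plus gives the same %3D / %26%26 / '+' encoding the Tcl hand-rolls;
    an unencoded '&&' in 'where' would be parsed as a new URL parameter."""
    q = [("name", name), ("time", f"{past} to {future}")]
    q += [("view", view)] if view else []
    q.append(("where", where))
    return f"nw://{broker}/?" + "&".join(f"{k}={quote_plus(v)}" for k, v in q)

def event_url(proto, src_ip, src_port, dst_ip, dst_port, timestamp, direction="from"):
    """NetWitnessEvent: one session, +/-2 minutes; 'to' swaps the endpoints."""
    if direction == "to":
        src_ip, src_port, dst_ip, dst_port = dst_ip, dst_port, src_ip, src_port
    past, future = time_window(timestamp, 2)
    p = PROTO[proto]
    if proto == "1":
        name = f"{p} || {src_ip} -> {dst_ip}"
        where = f"ip.src={src_ip} && ip.dst={dst_ip} && ip.proto=1"
    else:
        name = f"{p} || {src_ip}:{src_port} -> {dst_ip}:{dst_port}"
        where = (f"ip.src={src_ip} && {p.lower()}.srcport={src_port} && "
                 f"ip.dst={dst_ip} && {p.lower()}.dstport={dst_port}")
    return nw_url(name, where, past, future, view="session")

def ip_url(direction, hours, src_ip, dst_ip, timestamp):
    """NetWitness proc: the 1-hour items use +/-30 min, the rest +/-(hours/2)."""
    past, future = time_window(timestamp, 30 if hours == 1 else (hours // 2) * 60)
    single = {"Src": ("ip.src", src_ip), "SrcAsDst": ("ip.dst", src_ip),
              "Dst": ("ip.dst", dst_ip), "DstAsSrc": ("ip.src", dst_ip)}
    if direction in single:
        name = where = "=".join(single[direction])
    else:  # SrcToDst / DstToSrc
        a, b = (src_ip, dst_ip) if direction == "SrcToDst" else (dst_ip, src_ip)
        name, where = f"{a} -> {b}", f"ip.src={a} && ip.dst={b}"
    return nw_url(name, where, past, future)

def decode(url):
    """What Investigator sees once the query string is unescaped (for checking)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```

A constructed alert such as TCP 192.0.2.10:44321 -> 198.51.100.5:80 at 2010-03-01 14:30:00 produces the same string as the Tcl exec line, and decode() returns the readable where clause.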
Now we can right-click on IPs within Sguil and use the alert data to perform these SANCP-style queries against NetWitness, as shown below:

You may have noticed that the nw://<url>s are being passed to a VBScript named nw.vbs in the analyst account's home directory. We had some issues executing very long commands from within Tcl and ran into 8.3 filename limitations as well. The script is very simple: it uses the Run method to execute explorer.exe, passing it the URL we have formed, which performs the query in NetWitness Investigator. If NetWitness Investigator is not running, it opens and prompts you for your authentication credentials; if it is already open, it just creates a new tab in Investigator and displays the sessions/reports. The contents of nw.vbs follow. It may look odd, but in VBScript you escape a quote with another quote, so it looks like you have gone quote crazy:
' nw.vbs: launch explorer.exe with the nw:// URL built by Sguil as its only argument
Set objShell = WScript.CreateObject("WScript.Shell")
Set ArgObj = WScript.Arguments
' Each literal quote inside a VBScript string is doubled, so """" is a string holding one "
Cmd = """" & "c:\windows\system32\explorer.exe" & """" & " " & """" & ArgObj.Item(0) & """"
objShell.Run Cmd
