Using scapy, it is trivial to decode the traffic used for protocol tunneling. All data is Base64 encoded to make it less visible to an analyst. In this case, the protocol tunneling uses the cookie value in requests and the data of responses to exchange information.
MONITOR NETWORK TRAFFIC PYTHON CODE
The code sample above (available here ) is designed to decode commands and control traffic that is tunneled over HTTP. Python is an ideal tool for protocol decoding. With knowledge of a particular type of malicious traffic (such as malware command and control traffic), it is possible to monitor and automatically decode the traffic for analysis. Protocol decoders can be invaluable for active defense, especially custom ones.
These make it possible to easily understand the purpose and field values of the packet. One of the reasons that Wireshark is such a popular tool for network traffic analysis is its powerful array of built-in protocol decoders. If so it extracts the port numbers, compares them to the list of decoy ports, and if there is a match, prints the packet to a packet capture file for future analysis. If traffic has an IP layer, the code checks if the source or destination IP is in the packet. The sniff function at the bottom calls analyzePackets for each packet. The code uses the built-in capabilities of scapy to easily parse network traffic. This is ideal for monitoring traffic to decoy applications that are running on a honeypot or other system. The code sample above (available on Github ) is designed to look for network traffic to particular ports at certain IP addresses. Python’s scapy library makes it easy to monitor and analyze network traffic. After setting up decoy systems and applications on the network, an organization can monitor the traffic to these decoys to detect and monitor attack traffic. Analyzing network traffic at an enterprise scale can enable a company to detect known threats or identify anomalies within an organization’s network.Īlternatively, network traffic collection can be used as part of a deceptive strategy for active defense. This makes visibility into the network level essential for active defense.Īn organization might want to collect network traffic data for a variety of different purposes. Initial access is often gained over the network, and network traffic is created when an attacker is exploring and expanding their foothold within an organization’s environment. Many of an attacker’s activities during a campaign are performed over the network.
0 kommentar(er)
