Data investigation tool
I have written about the use of packet analysis, and data mining over the course of several articles. What those techniques give you is the ability to interpret data, in its absolute format; the packet. This is nothing new to those of us who often have to investigate alarms and alerts as they are generated by various security devices. One thing that we do not see by looking at the packets themselves is the application layer data that it may be transporting. That would certainly be true of any binary transfer that may be taking place, whether it be a picture, or actual program being sent at the packet level. It would certainly be nice to be able to recreate the data stream that we are seeing.
In today’s corporate networks the employee working there pretty much takes Internet access for granted. I have never understood this mindset to be honest, as really we are at work to work, and not surf the Internet for hours. This dovetails nicely into the problems that many corporations are having in their workplace. That problem would be of an employee who spends far too much time wandering the Internet, vice actually doing what they are paid for. Once such an occurrence is noted by a manager a series of events fall into place. The HR (human resources) department is contacted by the manager and advice is sought on how to deal with the situation. This normally takes the form of giving the employee an official reprimand. What happens though if the employee denies the charges? After all you have simply seen what you think to be excessive Internet use. What you need is proof.
There is a tool for every job
It is far easier to deal with a problem like the one mentioned above if you have incontrovertible proof at your disposal. The thing is you can certainly say that the employee has generated X amount of packets during his work day. Problem with that approach is that it isn’t very visual. A visual representation of your data is a far more powerful approach, vice arbitrary numbers. Well this is where the tool Chaosreader comes into play. What this tool allows you to do is take a binary log, and play it through Chaosreader to get a nicely outputted series of HTML pages. Those nicely formatted pages will have a chronicle of pages accessed, and other interesting statistics. Having that kind of output is far more effective when confronting an employee. Rather difficult to deny what is in front of you!
Well seeing as most of us use and work in a Microsoft Windows environment it only makes sense to try and leverage tools that can function in just such an environment. You indeed would be correct in assuming that Chaosreader works in a win32 world. Assuming that you have surfed to the hyperlinked page you will note that it was written in PERL. This is the reason that it will work on not only a win32 platform, but also a Linux one. All you would need to install on either platform is a PERL interpreter. You can get just such an interpreter at ActiveState. Just follow the series of prompts and you will then be able to download an MSI for installation. Now is a good time to point out that, in case you have not noticed, Chaosreader is PERL 5.6 dependant. That means that you will have to download a PERL 5.6.x MSI for installation on your computer.
Let's install Chaosreader
Well we shall assume that you have installed a PERL 5.6.x interpreter on your computer successfully. It comes in an MSI package so all you have to do is click on it and follow the prompts. The second step is to download Chaosreader itself from the hyperlinks seen above, or if you are lazy simply click here. What you now need to do is drag and drop this program into the root of c:\. In other words install it at c:\. This makes it easier to navigate to as all these types of programs should be installed there, if they don’t already install there by default.
We are now ready to go ahead and use it, or at least invoke it to see what its options are. Open up a cmd.exe and navigate to c:\ and enter the following command;
You will note that Windows will ask you with what you would like to open this program with. What happened you ask? Well Chaosreader was written in PERL so we need to rename it to something like the following;
c:> copy chaosreader0.94 chaosreader.pl
Once you have renamed , or made a new copy of it you can go ahead and enter the below noted command;
c:\> chaosreader.pl –help
You should now have the below noted in your cmd.exe;
Version 0.94, 01-May-2004
USAGE: chaosreader [-aehikqrvxAHIRTUXY] [-D dir]
[-b port[,...]] [-B port[,...]]
[-j IPaddr[,...]] [-J IPaddr[,...]]
[-l port[,...]] [-L port[,...]] [-m bytes[k]]
[-M bytes[k]] [-o "time"|"size"|"type"|"ip"]
[-p port[,...]] [-P port[,...]]
infile [infile2 ...]
chaosreader -s [mins] | -S [mins[,count]]
[-z] [-f 'filter']
chaosreader # Create application session files, indexes
-a, --application # Create application session files (default)
-e, --everything # Create HTML 2-way & hex files for everything
-h # Print a brief help
--help # Print verbose help (this) and version
Please note that this is an abbreviated output of the help file included with Chaosreader. So we now have Chaosreader up and running. What we now need to get is some binary input to feed into it. For that I would suggest you use windump. Once you have installed windump to the root of c drive we are ready to go. Please remember that you will also need winpcap so that windump will work. Now you will need to enter a string like the following or a variant of it;
c:> windump.exe –w traffic –s 0
This BPF filter will collect all packets that hit your NIC card and log it to a binary log file called “traffic”. It is this file called “traffic” that we will now use to feed into Chaosreader. Now please issue the following command to get some output from Chaosreader; (make a directory called “chaos_output2” like so: mkdir chaos_output2)
C:\>chaosreader.pl -e traffic -D chaos_output2
Chaosreader ver 0.94
Reading file contents,
Num Session (host:port <=> host:port) Service
0009 192.168.1.102:4500,22.214.171.124:80 web
0012 192.168.1.102:4506,126.96.36.199:80 web
0018 192.168.1.102:4516,188.8.131.52:80 web
0017 192.168.1.102:4514,184.108.40.206:80 web
0003 192.168.1.102:4494,220.127.116.11:80 web
0013 192.168.1.102:4508,18.104.22.168:80 web
0004 192.168.1.102:4484,22.214.171.124:80 web
0011 192.168.1.102:4504,126.96.36.199:80 web
0005 192.168.1.102:4496,188.8.131.52:80 web
0015 192.168.1.102:4512,184.108.40.206:80 web
0014 192.168.1.102:4510,220.127.116.11:80 web
0016 18.104.22.168:12345,192.168.1.102:3704 3704
0007 192.168.1.102:4498,22.214.171.124:80 web
0001 192.168.1.102:4250,126.96.36.199:119 119
0002 192.168.1.102:4249,188.8.131.52:119 119
0010 192.168.1.102:4502,184.108.40.206:80 web
0008 192.168.1.102:1025,220.127.116.11:53 dns
0006 192.168.1.102:1025,18.104.22.168:53 dns
So as we can see from the above output generated by Chaosreader I have a whack of files sitting in the directory “chaos_output2” as seen below;
Volume in drive C has no label.
Volume Serial Number is 806A-DE05
Directory of C:\chaos_output2
11/05/2005 12:52 PM <DIR> .
11/05/2005 12:52 PM <DIR> ..
11/05/2005 12:52 PM 9,430 getpost.html
11/05/2005 12:52 PM 4,381 httplog.text
11/05/2005 12:52 PM 516 image.html
11/05/2005 12:52 PM 9,344 index.html
11/05/2005 12:52 PM 6,254 index.text
11/05/2005 12:52 PM 2,129,400 session_0001.119.hex.html
11/05/2005 12:52 PM 972,286 session_0001.119.hex.text
11/05/2005 12:52 PM 279,154 session_0001.119.html
11/05/2005 12:52 PM 2,029,317 session_0002.119.hex.html
11/05/2005 12:52 PM 926,732 session_0002.119.hex.text
11/05/2005 12:52 PM 266,084 session_0002.119.html
All you need to do now is point your browser to c:\ and navigate to the directory that you dumped all the output from Chaosreader to. From there you would load the “index.html” file into your browser and navigate the links provided to you. This is very much the type of evidence that leaves the employee no room to squirm out of. You now have used a tool to effectively deal with a situation that needed definitive and visual proof. That is the beauty of the tool Chaosreader. It gives you a visual and informative output based on a binary log input. This tool is very useful, and I would definitely recommend it to anyone. I hope you enjoyed this article, and as always welcome your feedback. Till next time!