Don't know how far down that road it goes, but along the lines of CarbonBlack is Immunity's El Jefe (open source).
Frank
Frank McClain

On Wed, Mar 13, 2013 at 2:28 PM, allison nixon <[email protected]> wrote:
> no problem. i think your procmon problem might be solved if you use carbon black. i remember the outputs contain unresolved ip addresses, port number, and protocol(tcp/udp). it has a 30 day free trial.
>
>
> On Wed, Mar 13, 2013 at 2:51 PM, Sherif El-Deeb <[email protected]> wrote:
>
>> - So far the closest thing to what I am looking for is Microsoft Network Monitor "Thank you Carlos!", it tries its best to figure out the application name ... tries its best, but it is NOT accurate due to the way the developers decided to achieve this feature "take snapshot of network connections on specific time intervals", this will lead to missing short-lived processes/connections, please read this post if you are interested in the details:
>>
>> http://social.technet.microsoft.com/Forums/en-US/netmon/thread/aa1d0602-edbf-4679-a090-67d6d6fd04ee
>>
>> If we are fine with that, we can create a list of running processes then do something like (for each running process) do (nmcap /network * /capture "Conversation.ProcessName == 'ProcessName.exe'" /File D:\ProcessName.cap /CaptureProcesses") and call it a day.
>>
>> Thank you Carlos, yet again.
>>
>> - When Allison mentioned Carbon Black and procmon ... it suddenly came to me, there's no need to do it "live", my (alternative) approach will be as follows:
>> * Capture ALL traffic using dumpcap/tshark "nothing will be ever missed"
>> * Record all network activity using procmon "nothing will be ever missed"
>> * export procmon log as CSV
>> * parse CSV file, get unique process names, ports, hosts, timestamps ...etc. per process
>> * Use tshark to read the full PCAP then create a new file using a "-R" filter prepared with some CLKF using the parsed info from the CSV file and since both procmon and tshark are running on the same box, there should be no discrepancies between timestamps "right?"
>>
>> The problem(s) I currently have are the following:
>> - I can't find a way to make ProcMon *NOT* resolve IP addresses and ports to services "443->HTTPS" (!)
>> - I can't find a way to make ProcMon export date AND time ... not only time. "that's more of an annoyance than a problem"
>>
>> Thank you guys "+ Allison Nixon", If I reached something mature enough will ping the list with the update.
>> Best regards,
>> Sherif.
>>
>> On Tue, Mar 12, 2013 at 8:22 PM, Sandro Gauci <[email protected]> wrote:
>> > On OSX, Little Snitch (commercial desktop firewall) can dump pcaps for selected processes. Only tried it once myself (and I'm not an active little snitch user) but it seems pretty cool and similar to what you're asking for:
>> >
>> > http://www.chrisle.me/2012/11/little-snitchs-hidden-pcap-network-sniffer/
>> >
>> > Sandro Gauci
>> > Penetration tester and security researcher
>> > Email: [email protected]
>> > Web: http://enablesecurity.com/
>> > PGP: 8028 D017 2207 1786 6403 CD45 2B02 CBFE 9549 3C0C
>> >
>> > On Tue, Mar 12, 2013 at 1:28 PM, Jim Halfpenny <[email protected]> wrote:
>> >>
>> >> Hi,
>> >> Slightly off topic but a useful feature of iptables on Linux is the ability to filter traffic by user. The link below gives an example of how to block traffic for a particular user.
>> >>
>> >> http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
>> >>
>> >> Another great option is --tee which can copy traffic based on whatever rules you apply.
>> >>
>> >> http://www.bjou.de/blog/2008/05/howto-copyteeclone-network-traffic-using-iptables/
>> >>
>> >> So if you wanted to record on a per-user basis on Linux (useful for service/daemon users) you could use ipt_user and tee functions to mirror that traffic and tcpdump it out there or just use ipt_user to log flows.
>> >> Not entirely relevant but I hope it's useful.
>> >>
>> >> Regards,
>> >> Jim
>> >>
>> >> On 12 March 2013 11:54, Hans Kokx <[email protected]> wrote:
>> >>>
>> >>> > If you add the p parameter to netstat it gives you the process id associated with the connection.
>> >>>
>> >>> In Linux, yeah. Mac doesn't support -p though. :(
>> >>>
>> >>> --
>> >>> Hans Kokx
>> >>>
>> >>> On Tuesday, March 12, 2013 at 3:32 AM, Robin Wood wrote:
>> >>>
>> >>> On Mar 12, 2013 4:20 AM, "Hans Kokx" <[email protected]> wrote:
>> >>> >
>> >>> > This sounded like an interesting challenge, so I whipped something together that seems to work. Maybe it's what you're looking for, or maybe not.
>> >>> >
>> >>> > So, the idea I came up with is relatively simple: each process is going to open an ephemeral port to connect to the known port of the service. Let's take, for example, a simple SOCKS5 proxy I've tossed together over SSH:
>> >>> >
>> >>> > nohup ssh -D 8000 -C -N [email protected] >/dev/null 2>&1 &
>> >>> >
>> >>> > I typically use this everywhere that's not at home, and push ALL my traffic through it. Hey, security.
>> >>> >
>> >>> > Anywho, on my mac, I was able to find the ephemeral port that it was using:
>> >>> >
>> >>> > $ netstat -ntl|grep 192.168.1.5|grep 22
>> >>> > tcp4 0 0 192.168.1.156.61697 192.168.1.5.22 ESTABLISHED
>> >>> >
>> >>> > Now we've got an ephemeral port to work with. Some clever awk- and sed- foo and you can grab JUST that port.
>> >>> >
>> >>> > Capturing the traffic is simple enough....
>> >>> >
>> >>> > $ tcpdump src port 61697
>> >>> >
>> >>> > So, we've got the traffic for this individual socket, but who does it belong to?
>> >>> >
>> >>> > $ sudo lsof -i 4tcp:61697
>> >>> > Password:
>> >>> > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
>> >>> > ssh 17878 hkokx 3u IPv4 0x225a0a58298b9315 0t0 TCP 192.168.1.156:61697->myhost.com:ssh (ESTABLISHED)
>> >>> >
>> >>> > There's your pid and process name.
>> >>>
>> >>> If you add the p parameter to netstat it gives you the process id associated with the connection.
>> >>>
>> >>> Robin
>> >>>
>> >>> > This was fun. Thanks for the challenge. :)
>> >>> > --
>> >>> > Hans Kokx
>> >>> >
>> >>> > On Tuesday, March 12, 2013 at 12:03 AM, Sherif El-Deeb wrote:
>> >>> >>
>> >>> >> I have been trying to figure out a way to "capture/filter" network traffic per process, not per host/interface in a windows environment "even though I'd be curious to know how that could be done in *n?x/OS X".
>> >>> >>
>> >>> >> What I want to achieve is create a PCAP file for each process id that was executed and communicated over the network.
>> >>> >>
>> >>> >> help, please.
>> >>> >> Thanks and regards,
>> >>> >>
>> >>> >> Sherif.
>
> --
> _________________________________
> Note to self: Pillage BEFORE burning.
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
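Sherif's offline approach above (capture everything with dumpcap, log everything with procmon, export the log as CSV, then carve one pcap per process with a tshark filter built from the CSV) as an added example that is not part of the original thread. The script parses a constructed procmon CSV export, maps the service names procmon substitutes for port numbers ("443->HTTPS", his first problem) back to numbers, attaches a date to the time-only "Time of Day" column (his second problem), and emits one tshark command per process. The CSV column layout, the `WORKSTATION:port -> host:port` form of the Path field, the sample rows and all function names are my assumptions; the generated command uses `-Y`, the display-filter switch in newer tshark builds, in place of the `-R` form in the post.

```python
"""Per-process tshark filters from a Process Monitor CSV export (added example)."""
import csv
import io
import ipaddress
import re
import socket
from collections import defaultdict
from datetime import datetime

# Constructed sample in the column layout of procmon's "Save as CSV" output
# (layout assumed; every value below is invented). Ports appear as service
# names because procmon was run with network address resolution enabled.
SAMPLE_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:28:37.1234567 PM","chrome.exe","4120","TCP Connect","WORKSTATION:61697 -> 192.0.2.10:https","SUCCESS","Length: 0, mss: 1460"
"2:28:37.2000000 PM","chrome.exe","4120","TCP Send","WORKSTATION:61697 -> 192.0.2.10:https","SUCCESS","Length: 517, startime: 12345"
"2:28:38.0000000 PM","svchost.exe","1012","UDP Send","WORKSTATION:53421 -> 192.168.1.1:domain","SUCCESS","Length: 45"
"2:28:39.5000000 PM","ssh.exe","2088","TCP Connect","WORKSTATION:61700 -> 198.51.100.7:ssh","SUCCESS","Length: 0"
"2:28:39.6000000 PM","wuauclt.exe","900","TCP Connect","WORKSTATION:61800 -> updates.example.net:http","SUCCESS","Length: 0"
"2:28:40.0000000 PM","cmd.exe","3300","Process Create","C:\\Windows\\System32\\whoami.exe","SUCCESS","PID: 3344"
"2:28:41.0000000 PM","chrome.exe","4120","TCP Disconnect","WORKSTATION:61697 -> 192.0.2.10:https","SUCCESS","Length: 0"
'''

PATH_RE = re.compile(r"^(?P<lhost>.+?):(?P<lport>\S+) -> (?P<rhost>.+?):(?P<rport>\S+)$")

# Fallback table keeps the example deterministic where /etc/services is missing;
# anything not listed here is looked up with socket.getservbyname().
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "domain": 53, "smtp": 25}


def parse_port(token, proto="tcp"):
    """Map a procmon port token ('443', or a resolved name such as 'https') to an int."""
    if token.isdigit():
        return int(token)
    name = token.lower()
    if name in SERVICE_PORTS:
        return SERVICE_PORTS[name]
    try:
        return socket.getservbyname(name, proto)
    except OSError as exc:
        raise ValueError(f"unknown service name {token!r}") from exc


def procmon_timestamp(day, time_of_day):
    """Attach the date procmon omits to its 'Time of Day' value.

    procmon prints seven fractional digits; strptime's %f takes at most six,
    so the 100 ns digit is dropped. Returns a naive datetime.
    """
    clock, ampm = time_of_day.rsplit(" ", 1)
    hms, frac = clock.split(".")
    return datetime.strptime(f"{day} {hms}.{frac[:6]} {ampm}", "%Y-%m-%d %I:%M:%S.%f %p")


def connections_from_csv(text):
    """Group the log by (process name, PID) into (proto, local port, remote IP, remote port)."""
    conns = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        op = row["Operation"]
        if not op.startswith(("TCP ", "UDP ")):
            continue                      # file, registry and process events
        proto = op[:3].lower()
        m = PATH_RE.match(row["Path"])
        if not m:
            continue
        try:
            remote = ipaddress.ip_address(m["rhost"])
        except ValueError:
            continue                      # resolver left a hostname: nothing to match on
        key = (row["Process Name"], int(row["PID"]))
        conns[key].add((proto, parse_port(m["lport"], proto),
                        str(remote), parse_port(m["rport"], proto)))
    return dict(conns)


def display_filter(endpoints):
    """Wireshark display filter matching the listed flows in both directions."""
    clauses = [f"({proto}.port == {lport} && ip.addr == {rip} && {proto}.port == {rport})"
               for proto, lport, rip, rport in sorted(endpoints)]
    return " || ".join(clauses)


def tshark_command(process, pid, endpoints, pcap="all.pcap"):
    """Command that carves one process's packets out of the full capture."""
    return f'tshark -r {pcap} -Y "{display_filter(endpoints)}" -w {process}-{pid}.pcap'


if __name__ == "__main__":
    for (process, pid), endpoints in sorted(connections_from_csv(SAMPLE_CSV).items()):
        print(tshark_command(process, pid, endpoints))
```

Run as-is it prints three tshark commands (chrome.exe, ssh.exe, svchost.exe); the wuauclt.exe row is dropped because procmon resolved the remote side to a hostname, which cannot be matched against packet headers, and IPv6 rows fall through the same check. Port tokens that are already numeric never touch the service table, so the script behaves the same whether or not procmon's address resolution was on. Because the filter keys on the ephemeral local port plus the remote endpoint, a port number reused later in the capture by another process would be attributed to both; adding a `frame.time` window from `procmon_timestamp()` to each clause is the natural refinement once the date is known.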
