
Technical white paper

Proof-of-Concept:
ArcSight – TippingPoint, Logger 6 Lookup

Contents
Abstract 2
Step 1: Import a TOR exit nodes list into Logger 6 3
Step 2: Generate HP TippingPoint IPS events 6
Step 3: Logger 6 Dashboard - all hosts using TOR 7
Step 4: Logger 6 Dashboard - TOR top talkers 8
Abstract
This mini-PoC shows a possible use of HP ArcSight Logger 6's "Lookup Files" feature together with HP
TippingPoint IPS and sFlow events.

The use case is a Logger Dashboard that displays corporate hosts involved in TOR (The Onion
Router) network communications.

TOR is just an example for this PoC and can be substituted with any other Application of interest.

[Dashboard screenshots: "TOR talkers" and "Top TOR talkers"]

Steps

1. Get a Tor exit nodes list and import it as a lookup file into HP ArcSight Logger 6
2. Generate HP TippingPoint IPS events by using the TOR exit nodes
3. Create a Logger 6 Dashboard that shows the source IP Addresses of all hosts using TOR
4. Create a Logger 6 Dashboard that shows the TOR top talkers

Changes

Version   Author            Changes
0.1       Angelo Brancato   Initial Version

Confidential - Internal Use only


Angelo Brancato
Mobile: +49 174 1502278 Email: angelo.brancato@hp.com

Step 1: Import a TOR exit nodes list into Logger 6
Create a CSV file listing all IP addresses of interest. The very first row of that text file defines the
column names of the table, e.g.:
IP, DNSname
193.99.144.85, www.heise.de
157.166.248.11, www.cnn.com

The easiest way to get an up-to-date TOR exit nodes list that is properly formatted for Logger to digest is
to go to https://www.itensio.com (SuperUser / root00--) -> RoboPoC -> AmB and download the CSV under
"Option 3".

Note: Ignore the fields SMS-Tag1 and SMS-Tag2; they are there only because of the author's pure (coding)
laziness. The only field of interest for this use case is "IP":

The lookup files can be imported into Logger 6 via the Web GUI: Configuration -> Lookup Files -> Add

Give the lookup file a unique name. You will need this "name" identifier later in the Logger searches.

After confirming with “Save” you should see a summary like:

By clicking on the little glasses icon you can check the lookup file structure:

Step 2: Generate HP TippingPoint IPS events
To create TOR IDS/IPS events whose destination IP address points to TOR exit nodes, we use
tomahawk for this PoC.

With tomahawk you can replay any packet capture (PCAP) that triggers IPS filters and simply
rewrite the source and destination IP addresses to match your requirements; in this case the
destination IP should match IP addresses in the TOR exit nodes list.

Tomahawk usage:
$ tomahawk -i eth1 -j eth2 -a <IP out of the csv> -f <pcap-file>

In this PoC we use these IP addresses: 100.0.120.66, 100.0.180.181, 100.0.67.218,
100.1.94.104, 100.33.8.35, 100.37.110.51, 100.38.78.246, 101.142.101.111 and
PCAPs that trigger filters 11879 and 1789.

That should give us some IPS events with TOR exit nodes as the destination IP addresses.
The HP TippingPoint NX IPS sensor will also send sFlow information for these flows to Logger.

Note: You could also use actual TOR PCAPs to trigger these filters.

The author will update this document with TOR events ASAP ;)

Step 3: Logger 6 Dashboard - all hosts using TOR

Logger search string:
  deviceVendor = "TippingPoint"
Result:
  You should see all HP TippingPoint IPS events.

Logger search string:
  deviceVendor = "TippingPoint" | lookup tor_nodes IP as destinationAddress
Result:
  You should see all HP TippingPoint IPS events that have a destination IP address that
  matches an IP address in the lookup file with the name "tor_nodes".

Logger search string:
  deviceVendor = "TippingPoint" | lookup tor_nodes IP as destinationAddress | chart count by sourceAddress
Result:
  You should see all HP TippingPoint IPS events with a destination IP address that
  matches an IP address in the lookup file with the name "tor_nodes".
  The hosts are listed in a top 10 bar chart with their source IP addresses and their
  absolute matches to the above query within the given time range (in this case 1h).

Step 4: Logger 6 Dashboard that shows the TOR top talkers

Logger search string:
  agentType = "sflow" | lookup tor_nodes IP as destinationAddress | chart count by sourceAddress
Result:
  You should see the "top talkers" that communicate with TOR nodes.
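To make explicit what the two dashboard pipelines of Step 3 and Step 4 compute (`<filter> | lookup tor_nodes IP as destinationAddress | chart count by sourceAddress`), here is an added offline walk-through in Python. It is not Logger code and not part of the paper: each pipe stage is modelled as a small function, the `tor_nodes` table and the events are constructed sample data, and the event field names are the ones the paper's searches use (`deviceVendor`, `agentType`, `sourceAddress`, `destinationAddress`).

```python
"""Offline model of the Logger 6 search pipelines used in the PoC dashboards:

    <filter> | lookup tor_nodes IP as destinationAddress | chart count by sourceAddress

Added example, not Logger code and not from the original paper.  The lookup
table and the events below are constructed sample data.
"""
from collections import Counter

# Constructed stand-in for the 'tor_nodes' lookup file (its IP column).
TOR_NODES = {"100.0.120.66", "100.0.180.181", "100.1.94.104"}

# Constructed events, reduced to the fields the searches reference.
EVENTS = [
    {"deviceVendor": "TippingPoint", "sourceAddress": "10.1.1.5", "destinationAddress": "100.0.120.66"},
    {"deviceVendor": "TippingPoint", "sourceAddress": "10.1.1.5", "destinationAddress": "100.1.94.104"},
    {"deviceVendor": "TippingPoint", "sourceAddress": "10.1.1.9", "destinationAddress": "100.0.180.181"},
    # IPS event whose destination is not in the lookup table: dropped by the lookup stage.
    {"deviceVendor": "TippingPoint", "sourceAddress": "10.1.1.7", "destinationAddress": "193.99.144.85"},
    # Event from another vendor: dropped by the deviceVendor filter.
    {"deviceVendor": "Cisco", "sourceAddress": "10.1.1.5", "destinationAddress": "100.0.120.66"},
    # sFlow records from the NX sensor, matched by the Step 4 search instead.
    {"agentType": "sflow", "sourceAddress": "10.1.1.9", "destinationAddress": "100.0.120.66"},
    {"agentType": "sflow", "sourceAddress": "10.1.1.9", "destinationAddress": "100.0.180.181"},
    {"agentType": "sflow", "sourceAddress": "10.1.1.5", "destinationAddress": "100.1.94.104"},
]


def where(events, field, value):
    """Model of the leading 'field = "value"' clause."""
    return [e for e in events if e.get(field) == value]


def lookup(events, table, event_field):
    """Model of 'lookup <table> IP as <event_field>': keep events whose
    field value appears in the table's IP column."""
    return [e for e in events if e.get(event_field) in table]


def chart_count_by(events, field, top=10):
    """Model of 'chart count by <field>' rendered as a top-N bar chart:
    list of (value, count), highest count first."""
    return Counter(e.get(field) for e in events).most_common(top)


def ips_hosts_using_tor(events=EVENTS, table=TOR_NODES):
    """Step 3 dashboard: TippingPoint IPS events to TOR nodes, per source host."""
    matched = lookup(where(events, "deviceVendor", "TippingPoint"), table, "destinationAddress")
    return chart_count_by(matched, "sourceAddress")


def sflow_top_talkers(events=EVENTS, table=TOR_NODES):
    """Step 4 dashboard: sFlow records to TOR nodes, per source host."""
    matched = lookup(where(events, "agentType", "sflow"), table, "destinationAddress")
    return chart_count_by(matched, "sourceAddress")


if __name__ == "__main__":
    print("hosts using TOR (IPS):", ips_hosts_using_tor())
    print("top talkers (sFlow):  ", sflow_top_talkers())
```

Only the filter clause differs between the two dashboards; the lookup and chart stages are identical, which is why a single lookup file serves both. The same three stages apply unchanged if the lookup is run against `sourceAddress` instead, should the sensor report the internal host on the other side of the flow.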
