Monday, November 17, 2008

Netwitness Investigator


NetWitness announced today that it is providing a free version of its Investigator product to the world!

I’ve previously blogged about what I think are the critical success criteria for Security Operations and Incident Response, and that within the Collection activities of the SOC very little has more importance to me than Full Packet Capture (some call it Deep Packet Inspection or many other newer marketing terms). In the end it is the ability to review and reconstruct activity on your network as it occurred. In a couple of very large organizations I support I’ve been lucky enough to have NetWitness as the tool we use to support those needs; now the rest of the world can start to look at this fantastic technology for their network analysis purposes. Today NetWitness announced it has released a version of its Investigator software for free. This is the full version of Investigator, with the ability to both capture and decode/display live and previously recorded network traffic. New functionality exists throughout the product, and as I have time and/or if readers ask I’ll blog on those features with screen shots and/or video in the coming days.

Some of the highlights of new or increased functionality in this Release:
Free license supports 25 simultaneous 1GB captures.
Network and application layer filtering (e.g. MAC, IP, User, Keywords, etc.)
IPv6 support
Full content search, with Regex support
Bookmarking & history tracking
Hash PCAP on Export

Thoughts on Installation:

Download, installation and user/computer registration were very simple. I’ve installed it on Vista 32-bit and 64-bit platforms without much of an issue at all (make sure a recent version of WinPcap is installed). They have some great pointers in the documentation if you get stuck. I’ve played with many of the parsers to decode application traffic and hope to have some time to talk through my likes and areas for feature enhancements at some point in the future. I will use the forum for those comments though (I suggest all users do the same).

Initial User Experience:

For folks familiar with previous versions of NetWitness, the first thing you’ll find is the new graphical representation of data across the extracted timeline. You can toggle it on/off depending on your preferences. I’ve found that when looking over larger time frames it does help to narrow scope to certain peak time activities that become obvious using this method of identification. Looking at data is easy once you spend a few minutes with the product. The documentation is solid and accurate, so I do recommend taking a look at it if something isn’t intuitive to you. Data can be captured live or imported as pcap; both worked flawlessly for me in my testing. I imported several of the pcap files on just to see variances in presentation between NW and other tools. Once you have your data set available, “pivoting” through data creates filters that streamline your searching and allow you to drill all the way into the session. You start by viewing report data (summarized data), and you can control the “meta” data that is displayed (the values) and re-order it to meet your needs (under Options look for the “Reports” tab for more information).

Advanced user Tip 1: I’ve been told, and found through recent personal experience, that enabling “querystring” and other non-default selections (Options>Reports) provides some great starting points for investigations.

Advanced user Tip 2: There are ways to add new data elements for actual indexing and therefore later reporting/pivoting, but that is for a more detailed post later. Think assigning attributes to IPs or subnets and you’ll see where I’m headed with that thought.

User Experience Continued: As you find interesting activity you drill into the data by clicking on the link(s) provided.

Hint: The number next to the text tag indicates the number of sessions, and if you click on the number it will bring you right to those sessions. If the number is exceptionally high you might want to continue to drill into the data to refine your search a bit more before rendering those sessions.

Once the sessions are presented you will have the option to view them in a few different ways; by default NetWitness will try to present them in the most appropriate manner, but if you prefer Hex or Packet views to session replay you can select those views very easily.

NetWitness also provides a few very easy to follow YouTube videos for those of us too lazy to read the documentation and wanting to get started right away.

Netwitness Rules

These rules (Application and Network) sit on the Decoder in a production deployment. In the free version the decoder software is bundled into the “local capture” functionality of Investigator. Note: as you might expect, remote captures are only supported with the enterprise license. The NetWitness help files provide a link to a sample rules file you can download and test. Modifying the rules is very easy: export the rules file, edit it with any text editor and then import it back into Investigator. Alternatively you can use the NetWitness provided GUI “Intellisense”, which tells you when you make a mistake in your syntax by changing color. You can reorder the rules, and there is some precedence to the rules (first match I think), but the engine is incredibly efficient in terms of both the number of rules and the number of variables in the rules.

Example Rules:

Let’s take a real world example to show how easy the rules language is. Recent publicly available intelligence from SANS ISC provides some interesting activity we might want to monitor for in order to track down command and control channels. I’m simply presenting NW as a fairly flexible alternative or enhancing event source.

1.) SANS Example 1 - # DNS responses which contained a domain that belonged to one of a long list of dynamic DNS providers;
name:DECURITY_DRAFT:Suspicious_Domains:1; ENDS ‘.’’, ‘domain.xxy’ ; order:1 ; alert ; type:application
Note: Just obtain your favorite list of domains, update this rule and you’re off to the races…

2.) SANS Example 2 - # DNS requests for a hostname outside of the local namespace which were responded to with a resource record pointing to an IP address within either,, RFC1918 IP space, or anywhere inside the public or private IP space of the organization. Because I’m limited on time I’ll simplify this one a bit and focus on for example, just to get the point across; it can be easily extended.
name:DECURITY_DRAFT:Suspicious_DNS_127.0.0.2:1;rule:service=53 && ip.dst=;order:2;keep;alert;type:application

3.) In the Sample Rules file NetWitness also provides protocol-to-port matching functionality, so finding protocols on non-standard ports is easy to alert on. Here is one example:
name:SAMPLE_Vulnerability:NonstandardPort:DNS;rule:service!=53 && tcp.dstport=53;order:51;alert;type:application
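To make the rule layout above concrete, here is a small evaluator written for this post (not NetWitness code) that parses rule lines in the same name;rule;order;keep;alert;type layout and applies them to constructed session metadata. It assumes first-match precedence by order, as the text suggests, supports only the =, != and ends operators seen above, and uses an assumed alias.host field and made-up suffixes for the dynamic DNS rule.

```python
import re

# Constructed rule lines in the layout used above. The alias.host field,
# the suffix list and the 127.0.0.2 value are assumptions for this demo.
RULES = """
name:DEMO:Suspicious_Domains:1;rule:alias.host ends '.dyndns.example','.noip.example';order:1;alert;type:application
name:DEMO:Suspicious_DNS_Loopback:2;rule:service=53 && ip.dst=127.0.0.2;order:2;keep;alert;type:application
name:DEMO:NonstandardPort:DNS;rule:service!=53 && tcp.dstport=53;order:51;alert;type:application
"""

def parse_rule(line):
    """Split one rule line into key:value fields; bare words (keep, alert) become flags."""
    rule = {"keep": False, "alert": False}
    for part in line.split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:
            rule[key] = val.strip()
        elif key:
            rule[key] = True
    rule["order"] = int(rule.get("order", 0))
    return rule

CLAUSE = re.compile(r"^(?P<field>[\w.]+)\s*(?P<op>!=|=|ends)\s*(?P<val>.+)$", re.I)

def clause_matches(clause, session):
    """Evaluate one 'field op value' clause against a session metadata dict."""
    m = CLAUSE.match(clause.strip())
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    field, op, raw = m.group("field"), m.group("op").lower(), m.group("val")
    actual = str(session.get(field, ""))
    if op == "ends":  # comma-separated list of quoted suffixes
        suffixes = [s.strip().strip("'") for s in raw.split(",")]
        return any(actual.endswith(s) for s in suffixes)
    return actual == raw if op == "=" else actual != raw

def rule_matches(rule, session):
    """All '&&'-joined clauses of the rule must hold."""
    return all(clause_matches(c, session) for c in rule["rule"].split("&&"))

def evaluate(rules_text, session):
    """Return the first matching rule (lowest order), or None if nothing matches."""
    rules = [parse_rule(l) for l in rules_text.strip().splitlines() if l.strip()]
    for rule in sorted(rules, key=lambda r: r["order"]):
        if rule_matches(rule, session):
            return rule
    return None

if __name__ == "__main__":
    # Constructed session: a DNS answer pointing at loopback space.
    hit = evaluate(RULES, {"service": 53, "ip.dst": "127.0.0.2", "alias.host": "host.example.org"})
    print(hit["name"], "keep=%s" % hit["keep"])
```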

I’m sure these examples I provided can be refined greatly (NW reps/users, if you want to jump in here and provide comments for improvement I’m all for it!) and at some point maybe we’ll post updated rules files to enhance your NW experience!


Now that this tool is free for your use I fully believe that everyone should try it out. I believe there is significant value in using NetWitness not only for previously captured .pcap data but in live production networks as an operational tool for analysis. When you combine the capabilities of NetWitness with your other data and toolsets (Log Management, SIEM, IDS, Server Logs, etc.) you have a much better set of data to comprehend what is happening on your network, and you can significantly reduce the time to identify the incidents that are occurring on your network.
