Network traffic analysis

The PiRogue is designed to continuously analyze the network traffic of any device connected to its Wi-Fi network. This means that it is constantly monitoring and inspecting the data packets that are being transmitted and received by these devices. The purpose of this analysis is to identify any suspicious or malicious activity that may be taking place on the device.

The PiRogue employs two primary methods for analyzing network traffic: NFStream Deep Packet Inspection (DPI) and Suricata rule-based IDS.

Deep Packet Inspection (DPI)

DPI is a technique that allows the PiRogue to examine the contents of data packets in detail. This includes information such as the source and destination IP addresses, the ports being used, the type of data being transmitted, and even the identification of the application involved. By analyzing this information, we can identify patterns and anomalies that may indicate malicious activity.

The PiRogue relies on NFStream to carry out the DPI. NFStream is a Python-based framework designed for efficient and flexible network data analysis. It serves as a powerful tool for researchers and network engineers to process and extract insights from network traffic. Its deep packet inspection (DPI) capabilities enable it to delve into the contents of network packets, going beyond basic header information to analyze the payload data. This allows NFStream to identify applications, protocols, and specific content within the traffic flow. With its DPI engine, NFStream can classify encrypted traffic, extract metadata, and fingerprint applications, even when they are hidden within encrypted protocols like TLS or SSH. This deep inspection capability makes NFStream a valuable tool for network traffic classification, anomaly detection, and security analysis.

Threat detection

An intrusion detection system (IDS) is a cybersecurity sentinel that monitors network traffic and system activities to identify potential intrusions or malicious activities. It acts as a vigilant guard, scrutinizing network packets, system logs, and user behavior to detect suspicious patterns or anomalies. IDSs employ various detection techniques, including signature-based, anomaly-based, and behavioral analysis, to identify both known and unknown threats. Upon detecting a potential intrusion, IDSs generate alerts, allowing security teams to investigate and respond promptly to safeguard the network and its assets.

Introduction to Suricata

The PiRogue relies on Suricata to detect and identify known threats. Suricata is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS) designed to safeguard network environments against malicious activities. It functions as a vigilant sentinel, scrutinizing network traffic in real-time to detect and thwart potential threats. It employs a multi-faceted approach, combining signature-based detection with advanced anomaly-based techniques to identify both known and unknown threats. It leverages a comprehensive ruleset, continuously updated with the latest threat intelligence, to flag suspicious patterns and behaviors. Additionally, Suricata’s deep packet inspection capabilities enable it to scrutinize the contents of network packets, uncovering hidden malware or exploit attempts.

The PiRogue comes pre-configured with rules from Proofpoint Emerging Threats Open and Echap, two reputable sources of threat intelligence. The PiRogue updates those rules daily.

Suricata can operate in two modes:

  • Passive Mode (IDS Mode): Suricata monitors network traffic flowing through PiRogue’s Wi-Fi interfaces and generates alerts when it detects anomalies that could be caused by malware or other cybersecurity threats.
  • Active Mode (IPS Mode, not currently used in the PiRogue project): Suricata actively alters network traffic based on predefined rules, offering an additional layer of protection.

Suricata analyzes the captured network traffic, constantly comparing it against a large database of known threats (called signatures). If traffic matches a signature, Suricata triggers an alert, notifying you of a potential security risk. These rule sets can be custom-built or imported from trusted third-party sources.

The forensic data generated by Suricata aids threat hunters and security researchers in their investigations. Suricata can produce large amounts of data in various formats. To tailor Suricata to your specific needs, you can examine the default configuration settings file located at /usr/share/pirogue/suricata/suricata.yaml.

PiRogue’s Suricata rules are stored in /var/lib/suricata/rules/suricata.rules. These rules are critical for staying ahead of cybersecurity threats, as they are updated daily from the suricata-rules GitHub repository.

Important: Resource Consumption

The size of the Suricata rules database and the amount of network traffic you monitor can significantly impact your system resources, especially RAM usage. High RAM usage can degrade overall system performance.

Understanding Suricata Rules

Suricata rules might seem complex at first, but fear not! A Suricata rule defines what to look for in captured network traffic and what action to take. Let’s break down Suricata rules into their key parts:

  • Action: This specifies what Suricata should do when the rule’s criteria are met. Suricata supports various action types, processed in the following order:

    • pass: Stop processing the packet.
    • drop: Drop the packet and log an alert.
    • reject: Reject the packet by sending a TCP reset or an ICMP unreachable error to the sender (IPS Mode only); rejectsrc, rejectdst and rejectboth specify which side receives the rejection.
    • alert: Log an alert.
  • Header: This specifies the network traffic to monitor, including protocol, IP addresses, ports, and traffic direction. Suricata supports various header keywords:

    • Protocol: Specifies the network protocol (e.g., tcp, udp or icmp; ip matches all protocols). Refer to the full list of supported protocols.
    • Source and destination: Specify the packet source and destination. IPv4 and IPv6 addresses are accepted, along with operators such as ../.. (range), ! (negation) and [..,..] (grouping), or rule variables like $HOME_NET and $EXTERNAL_NET. Refer to the full list of Suricata rule variables.
    • Ports: Specifies the packet source and destination ports.
    • Direction: Specifies the packet flow direction: -> for a single direction and <> for both directions.
  • Options (Optional): This section allows for additional matching criteria, such as packet payload content and TCP flags. Options are enclosed within parentheses, with keywords separated by semicolons.

    Common meta keywords include msg (custom message for logging), sid (unique signature identifier), classtype (classification of rules and alerts) and reference (reference information for the rule, such as an author or a CVE database number), among others. Refer to the full list of Suricata meta keywords.

Example Suricata Rule

alert dns $HOME_NET any -> any any (msg:"PTS LOCATION TRACKER Device Atlas (maw[.]re)"; metadata: type tracker; dns.query; content:"maw.re"; depth:6; nocase; endswith; fast_pattern; reference:url,esther.codes; classtype:targeted-activity; sid:1001016; rev:1;)

  • action: alert
  • header: dns $HOME_NET any -> any any
  • options: everything between the parentheses, from msg:"PTS LOCATION TRACKER Device Atlas (maw[.]re)" to rev:1;

In this example, the Suricata rule detects DNS queries to a known tracker domain (maw.re), which may be used by certain applications or malicious actors. Here’s a breakdown of its functionality:

  • Suricata detects outgoing DNS queries to a known tracker domain (maw.re).
  • This rule matches any IP address and port for the outgoing traffic.
  • Suricata checks the first six bytes of the DNS query for a case-insensitive match of the tracker domain.
  • If a match occurs, Suricata logs an alert with a custom message and metadata, including classification type and a reference URL.

Spot the Rule Quickly

To quickly identify the Suricata rule behind an alert, open the Suricata rules file (/var/lib/suricata/rules/suricata.rules) in a terminal or a web browser (online version). Search the file content using matching criteria from the alert, such as the message text, the DNS domain name or IP addresses. Once you’ve narrowed down the candidate rules, analyze their action, header and options sections for a deeper understanding. This active approach lets you investigate potential false positives and refine Suricata rules to better suit your needs.
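To make the rule anatomy above concrete and to automate the "spot the rule" search, here is a small parser added as an example (it is not PiRogue's or Suricata's own code). It splits a rule into action, header and options, then looks a rule up by the sid or msg fragment taken from an alert; the rules text is a constructed sample that embeds the page's example rule plus a second, invented rule whose msg deliberately contains a semicolon.

```python
import re

# Constructed sample of a suricata.rules file: the first rule is the page's example
# (quotes straightened); the second is invented here purely for illustration.
SAMPLE_RULES = """\
alert dns $HOME_NET any -> any any (msg:"PTS LOCATION TRACKER Device Atlas (maw[.]re)"; metadata: type tracker; dns.query; content:"maw.re"; depth:6; nocase; endswith; fast_pattern; reference:url,esther.codes; classtype:targeted-activity; sid:1001016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED EXAMPLE Host tracker.example; placeholder"; http.host; content:"tracker.example"; classtype:policy-violation; sid:9000001; rev:1;)
"""

RULE_RE = re.compile(  # action, the seven header fields, then the parenthesised option body
    r"^(?P<action>pass|drop|reject(?:src|dst|both)?|alert)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<options>.*)\)\s*$")

def split_options(body):
    # Split on ';' only outside double quotes: a msg may itself contain ';' or an escaped quote
    parts, buf, quoted, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not quoted:
            parts.append("".join(buf).strip()); buf = []
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = quoted and ch == "\\" and not escaped
        buf.append(ch)
    tail = "".join(buf).strip()
    return parts + [tail] if tail else parts

def parse_rule(line):
    # Break one rule into action, header and (keyword, value) options; the value is None
    # for flag keywords such as nocase or dns.query, and quotes are stripped from msg/content.
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Suricata rule: {line[:40]!r}")
    options = [(k.strip(), v.strip().strip('"') if sep else None)
               for k, sep, v in (opt.partition(":") for opt in split_options(m.group("options")))]
    header = {k: m.group(k) for k in ("proto", "src", "sport", "dir", "dst", "dport")}
    return {"action": m.group("action"), "header": header, "options": options}

def load_rules(text):
    # Comment and blank lines are skipped, as in the real rules file
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def find_rule(text, sid=None, msg_contains=None):
    # "Spot the rule" behind an alert: match on its sid, a fragment of its msg, or both
    for rule in load_rules(text):
        opts = dict(rule["options"])  # keyword -> last value; sufficient for sid and msg
        if sid is not None and opts.get("sid") != str(sid):
            continue
        if msg_contains and msg_contains.lower() not in (opts.get("msg") or "").lower():
            continue
        return rule
    return None
```

On a real PiRogue, pass the contents of /var/lib/suricata/rules/suricata.rules to find_rule together with the sid or message text shown in the alert.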

Learn More: Adding Custom Suricata Rules

To learn more about creating custom Suricata rules, check out the PiRogue recipe: adding your own suricata rules to PiRogue.

Visualizing analysis results

The results of the PiRogue’s automatic network traffic analysis can be visualized in the dashboard. This dashboard provides a graphical overview of the network traffic that has been analyzed, as well as any threats that have been detected. The dashboard also allows users to drill down into the details of specific network flows to learn more about them.

Going Further

If you want to learn more about Suricata, explore these external resources: