Stamus-Networks-Blog

Analyzing Network Traffic with Kibana in SELKS: the SN-Hunt-1 Dashboard Part 2

Written by Rositsa Kyuchukova | Apr 18, 2023 2:00:00 PM

Last week, we introduced the first set of visualizations provided by the SN-Hunt-1 Kibana dashboard in SELKS. This week, we will continue with part 2 of our series on Kibana dashboards in SELKS and walk through some tables and graphs in the SN-Hunt-1 dashboard that can be useful for analyzing network traffic using SELKS. 

With SELKS and its powerful Kibana dashboards and GUI utilizing the Suricata alert and protocol data, you can stay one step ahead of potential threats. As security threats become increasingly sophisticated, it's crucial to have the right tools to monitor your network traffic. This is where the Open Source SELKS predefined dashboards come in. The SN-Hunt-1 Kibana dashboard in SELKS can provide valuable insights into your network traffic and help you detect potential threats. For a closer look at SELKS, read “SELKS 7: An Introduction” , “Inside SELKS: What’s Under the Hood” or Spin up a Complete Suricata Network Security Platform in Under 2 Minutes

Visualizing Network Security Threats: An Overview of the Information Provided by the SN-Hunt-1 Dashboard in SELKS Kibana

The SN-Hunt-1 dashboard is specifically developed for Incident response or threat hunting. It is most useful in two cases. The first case – IP/ host investigation – is done by typing in the IP that we want to investigate. The second case is for review of specific malware cases by way of ingesting a pcap. 

Let’s review that second use case. 

The SN-Hunt-1 dashboard can provide an overview of pcap file content, including application protocols, source and destination IPs, and related network protocol and flow data broken down in interesting metadata visualizations that populate depending on the data reviewed. It also includes really helpful visualizations that are designed to help analysts quickly pivot to identify potentially malicious activity and investigate it further.

First, we want to give a special thanks to Malware Traffic Analysis for providing public pcap data that we use to explain some of the visualizations in the blog posts. 

Today, we will be reviewing the following visualizations provided by the SN-Hunt-1 dashboard:

  • SN-TLS-BySni graph
  • SN-TLS-ByJa3SHash and SN-TLS-ByJa3Hash tables
  • SN-HTTP Top user agents, SN-HTTP Top hostnames and SN-HTTP-Servers pie charts
  • SN-ThreatHunt-HTTP-PossibleC2Beacons-BySrcIP
  • SN-ANOMALY-ByAppProto graph
  • SN-ThreatHunt-ALERTS-MutlipleUniqueAlertOnSrcIP and SN-ThreatHunt-ALERTS-MutlipleUniqueAlertOnDestIP tables
  • SN-FILE-ByTypeOverTime graph
  • SN-FILE-ByAppProto graph
  • SN-FILE-EventsList section

SN-TLS-BySni

The SN-TLS-BySni graph shows a breakdown of the Server Name Indication (SNI) field in the Transport Layer Security (TLS) handshake for network traffic flows. When a TLS session is established, the client sends a ClientHello message that includes the SNI field, which in turn indicates the domain name of the server that the client is trying to connect to. The server answers with a ServerHello message including the TLS version and other information required to create the secure connection. So, the graph provides a visualization of the distribution of SNIs that have been used in network traffic flows, allowing users to identify threats or suspicious activity associated with specific SNIs.

SN-TLS-ByJa3SHash and SN-TLS-ByJa3Hash tables

The SN-TLS-ByJa3SHash and SN-TLS-ByJa3Hash tables represent information about TLS traffic flows that match a specific JA3S or JA3 fingerprint. It contains the:

  • dest_ip.keyword: the IP address of the destination host that the TLS traffic flow was sent to.
  • tls.ja3s.hash.keyword or tls.ja3.hash.keyword: the JA3S/JA3 fingerprint hash value associated with the TLS traffic flow.
  • tls.sni.keyword: the server name indication (SNI) field value associated with the TLS traffic flow.
  • count: the number of times that this particular combination of JA3S/JA3 fingerprint, SNI value, and destination IP address has been observed in the network traffic flows.

SN-HTTP Top user agents, SN-HTTP Top Hostnames, and SN-HTTP-Servers pie charts

The SN-HTTP Top user agents, SN-HTTP Top hostnames and SN-HTTP-Servers pie charts represent different aspects of HTTP traffic flows:

  • SN-HTTP Top user agents: This pie chart illustrates the frequency of occurrence of HTTP user agent strings in traffic flows. Web browsers and other HTTP clients send user agent strings to web servers to identify themselves. Security researchers can utilize this data to discover unique or suspect user agent strings that may be related with malicious activities.
  • SN-HTTP Top hostnames: This pie chart represents the distribution of the most frequently observed HTTP hostnames in the HTTP traffic flows. Hostnames are used to identify the web server or website being accessed by an HTTP client. This information can be used to identify potentially malicious websites or web servers that may be associated with malware, phishing, or other types of attacks.
  • SN-HTTP-Servers: This pie chart displays the distribution of the most frequently observed web servers in the HTTP traffic flows. This information can be used to identify the web servers that are being accessed most frequently by HTTP clients and to identify potentially vulnerable or misconfigured web servers that may be targeted by attackers.

All three charts provide valuable insights into HTTP traffic flows, and can be used to identify potential security threats and vulnerabilities or suspicious activity related to HTTP traffic.

SN-ThreatHunt-HTTP-PossibleC2Beacons-BySrcIP table

C2 (Command and Control) communications refer to the technique used by cyber attackers to remotely control compromised systems or networks. C2 communications typically involve communication between the attacker’s command server and the compromised system(s) through various communication protocols, including HTTP, HTTPS, DNS, or other application layer protocols. 

The SN-ThreatHunt-HTTP-PossibleC2Beacons-BySrcIP visualization could be really helpful in identifying HTTP traffic patterns that may indicate the presence of Command and Control communications over the HTTP protocol.

Moreover, the visualization is grouping the identified HTTP traffic by the source IP addresses, which can be really useful for investigating which specific devices or systems on a network may be communicating with potential C2 servers over HTTP.

The table basically shows the HTTP protocol communication, ordered by count and size. It correlates the http.length and http.hostname to the src_ip and count of the http traffic flows.

SN-ANOMALY-ByAppProto graph

The SN-ANOMALY-ByAppProto graph shows the count of network anomalies or events detected by Suricata, categorized by the application protocol used in the network communication. Anomalies could include things like potential attacks or suspicious network behavior. This graph can help identify which protocols or hosts have a higher number of anomalies and may require closer inspection for potential security issues.

SN-ThreatHunt-ALERTS-MultipleUniqueAlertOnSrcIP and SN-ThreatHunt-ALERTS-MultipleUniqueAlertOnDestIP tables

The SN-ThreatHunt-ALERTS-MutlipleUniqueAlertOnSrcIP and SN-ThreatHunt-ALERTS-MutlipleUniqueAlertOnDestIP tables display information related to alerts generated by Suricata for multiple unique signatures detected on a particular source IP address or destination IP address, respectively. Each table has two columns that provide details about the alerts and the correlation between the source or destination IP address with the number of unique alerts. This can be useful in identifying a sudden spike of unique alerts from a specific host - which can indicate malicious activity or a misconfigured application.

SN-FILE-ByTypeOverTime graph

The SN-FILE-ByTypeOverTime graph represents the distribution of transferred file types observed over time in the network traffic captured by SELKS. The graph shows a time-series view of the different types of files that were transferred over the network during a specific period. The file count is shown on the X-axis, while the time period (as timestamp per week) is displayed on the Y-axis. Each color represents a different file type, and the height of the color block indicates the volume of data that was transferred for that file type during that specific time interval.

This graph can be useful in identifying unusual or suspicious file types that may indicate malicious activity in the network. For example, if there is a sudden spike in the transfer of a particular file type, it may be worth investigating further to determine if it is a normal behavior or a potential security risk. It also makes it easier to search a specific file type by its file magic - aka Executable, Ms Office doc, PDF, etc. – and is also useful to see filemagic transfers outside of business hours for some specific parts of the network. 

SN-FILE-ByAppProto graph

The SN-FILE-ByAppProto graph shows the count of files by the application protocol used to transfer them. This visualization can be useful for identifying potential security issues related to file transfers. For example, if there is a spike in the number of files being transferred over an insecure protocol such as FTP, it could indicate a potential security risk that needs to be investigated further.

SN-FILE-EventsList section

The SN-FILE-EventsList section represents a table of file transaction events that have been collected and processed by Suricata. Each row in the table represents a single event, and the columns display information such as the timestamp of the event, the source and destination IP addresses and ports, and the type of event that was detected (such as the transfer of an infected file, including its file type). This section can be used to quickly identify and investigate potential security incidents within the network, allowing administrators to take appropriate action to mitigate any threats.

The SELKS Kibana SN-Hunt-1 Dashboard: A Valuable Network Traffic Analysis Tool

The SELKS Kibana SN-Hunt-1 dashboard can seem intimidating at first, but once you have mastered it it becomes an incredible tool for streamlining network traffic analysis and threat hunting. This dashboard provides a user-friendly interface that allows for easy navigation and analysis of network traffic data, making it easier to identify and troubleshoot issues. The powerful visualization tools and advanced filtering capabilities of the SELKS Kibana dashboard enables users to quickly identify patterns and anomalies in network traffic data, making it easier to recognize security threats and mitigate risks. 

Overall, incorporating the SELKS Kibana SN-Hunt-1 dashboard into your network analysis toolkit can greatly enhance your ability to analyze network traffic data and solve complex network security challenges. To see the dashboard in action, make sure to subscribe to the Stamus Networks blog so you can be notified next week when we release the conclusion to our series on the SN-Hunt-1 dashboard.