One of the problem to solve on a large network is to know who is talking to whom. host to host communication are easy to monitor using bro or netflow but knowing which software communicates over what connection is a whole different problem (sometimes called endpoint visibility).
Good news is Facebook released osquery and it is now available on all platforms, osquery allow you to access pretty much all the data of a computer using SQL.
For instance something like
osquery> SELECT uid, name FROM listening_ports l, processes p WHERE l.pid=p.pid; +------+-------------+ | uid | name | +------+-------------+ | 1000 | dbus-daemon | +------+-------------+
Would give you all the uid and process name of the process having listening ports (server process if you want).
It also has a daemon (osqueryd) that allows you to have scheduled query and you can save the output of those queries in ElasticSearch for stacking and analysis.
The plan is to have queries running at regular interval that gives you the process name, uid, checksum (sha1) and the connections.
something like this:
osquery> select action, protocol, local_address, local_port, remote_address, remote_port, uid, name FROM processes p, socket_events s WHERE s.pid=p.pid;scheduled at regular interval would do the trick.
Once setup to run it will return something like this on regular interval:
{
"name": "network_info",
"hostIdentifier": "goldorak",
"calendarTime": "Tue Dec 13 15:10:08 2016 UTC",
"unixTime": "1481641808",
"decorations": {
"host_uuid": "FC1D7B01-5138-11CB-B85D-C04D3A0C6645",
"username": "someusername"
},
"columns": {
"action": "connect",
"local_address": "",
"local_port": "0",
"name": "DNS Res~er #115",
"protocol": "14578",
"remote_address": "192.168.1.1",
"remote_port": "53",
"uid": "1000"
},
"action": "added"
}
The next thing I want to look at is the network forensic problem, I define it like this: I want to know at any point in time which host on my network talk to what other host. First Ideally, I want to know the protocol and meta data associated like SSL/TLS cert, file extraction and so on. Now that we have the same sort of information already from osquery (pid, process name and connection ...) we should ideally be able to stitch it all that together to have a global view, the source could be netflow or bro metadata and the same stitching could be done for Snort or Suricata alerts to add more context and details for the analyst.
