
Analyzing Network Traffic with Kibana in SELKS: the SN-Hunt-1 Dashboard Part 1

Keeping your network secure can feel like an endless game of cat and mouse. But with SELKS and its powerful Kibana dashboards and GUI utilizing the Suricata alert and protocol data, you can stay one step ahead of potential threats. As security threats become increasingly sophisticated, it's crucial to have the right tools to monitor your network traffic. This is where the Open Source SELKS predefined dashboards come in. In this blog post, we'll show you one of those 28 Open Source dashboards. 

The SN-Hunt-1 Kibana dashboard in SELKS can provide valuable insights into your network traffic and help you detect potential threats. For a closer look at SELKS, read “SELKS 7: An Introduction”, “Inside SELKS: What’s Under the Hood”, or “Spin up a Complete Suricata Network Security Platform in Under 2 Minutes”.

Visualizing Network Security Threats: An Overview of the Information Provided by the SN-Hunt-1 Dashboard in SELKS Kibana

The SN-Hunt-1 dashboard is specifically developed for incident response or threat hunting. It is most useful in two cases. The first case, IP/host investigation, is done by typing in the IP that we want to investigate. The second case is the review of specific malware cases by ingesting a pcap.

Let’s review that second use case. 

The SN-Hunt-1 dashboard can provide an overview of pcap file content, including application protocols, source and destination IPs, and related network protocol and flow data broken down in interesting metadata visualizations that populate depending on the data reviewed. It also includes really helpful visualizations that are designed to help analysts quickly pivot to identify potentially malicious activity and investigate it further.

First, we want to give a special thanks to Malware Traffic Analysis for providing public pcap data that we use to explain some of the visualizations in the blog posts. 

Today, we will be reviewing the following visualizations provided by the SN-Hunt-1 dashboard:

  • SN-Mean flow age and count graph
  • SN-Application protocol graph
  • SN-EventsList tables
  • SN-TLS Versions pie chart
  • SN-TLS TCP Ports pie chart
  • SN-DNS-Rrname pie chart

SN-Mean flow age and count graph

The SN-Mean flow age and count graph on the SN-Hunt-1 dashboard displays the average age of network flows and the number of flows over time.

Network flows are the sequence of packets exchanged between a source and a destination during a communication session. Each flow is identified by its source and destination IP addresses, transport protocol (e.g., TCP or UDP), and port numbers. The age of a flow is the time elapsed since the first packet was seen for that flow.

The SN-Mean flow age and count graph shows how the average age of flows and the number of flows change over time. This information can be useful for detecting unusual network behavior or identifying network-related issues. For example, if the average flow age is increasing, it could indicate that some flows are long lived, or transfer more data, or are being held up by lower speed. Similarly, if the number of flows suddenly increases or decreases, it could indicate a change in network activity, such as a new application being used or a network outage. When we see these types of activities, it could be an indication of suspicious activity that requires further investigation. 

Overall, the SN-Mean flow age and count graph provides valuable insights into the health and performance of the network, allowing users to detect potential issues and take corrective action as needed. In the case of a hunt it also makes it easier to pinpoint large transfers or exfiltration attempts. 
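The calculation behind this graph, as an added example that is not part of SELKS or the original post: it buckets Suricata EVE flow records per minute, returns the flow count and mean flow age for each bucket, and lists the long-lived flows that pull the mean up. The sample records, the one-minute bucket and the 300-second threshold are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample of Suricata EVE records, one JSON object per line.
EVE_SAMPLE = """
{"timestamp":"2023-01-05T10:00:12.000000+0000","event_type":"flow","flow_id":101,"src_ip":"10.0.0.5","dest_ip":"192.0.2.10","flow":{"age":2,"bytes_toserver":800,"bytes_toclient":4200}}
{"timestamp":"2023-01-05T10:00:40.000000+0000","event_type":"flow","flow_id":102,"src_ip":"10.0.0.5","dest_ip":"192.0.2.11","flow":{"age":4,"bytes_toserver":950,"bytes_toclient":6100}}
{"timestamp":"2023-01-05T10:00:41.000000+0000","event_type":"dns","flow_id":103,"src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2023-01-05T10:01:05.000000+0000","event_type":"flow","flow_id":104,"src_ip":"10.0.0.6","dest_ip":"192.0.2.10","flow":{"age":3,"bytes_toserver":700,"bytes_toclient":3900}}
{"timestamp":"2023-01-05T10:01:30.000000+0000","event_type":"flow","flow_id":105,"src_ip":"10.0.0.7","dest_ip":"198.51.100.20","flow":{"age":600,"bytes_toserver":52000000,"bytes_toclient":30000}}
{"timestamp":"2023-01-05T10:01:50.000000+0000","event_type":"flow","flow_id":106,"src_ip":"10.0.0.6","dest_ip":"192.0.2.11","flow":{"age":3,"bytes_toserver":650,"bytes_toclient":4100}}
"""

def flow_records(eve_text):
    """Yield only the event_type == "flow" records from EVE JSON lines."""
    for line in eve_text.splitlines():
        if line.strip():
            event = json.loads(line)
            if event.get("event_type") == "flow":
                yield event

def mean_age_and_count(eve_text):
    """Per-minute buckets: {"YYYY-MM-DDTHH:MM": (flow_count, mean_age_seconds)}."""
    ages = defaultdict(list)
    for event in flow_records(eve_text):
        ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        ages[ts.strftime("%Y-%m-%dT%H:%M")].append(event["flow"]["age"])
    return {minute: (len(a), sum(a) / len(a)) for minute, a in sorted(ages.items())}

def long_lived_flows(eve_text, min_age=300):
    """Flows whose age pulls the mean up, largest upload (bytes_toserver) first."""
    hits = [(e["flow_id"], e["src_ip"], e["dest_ip"], e["flow"]["age"], e["flow"]["bytes_toserver"])
            for e in flow_records(eve_text) if e["flow"]["age"] >= min_age]
    return sorted(hits, key=lambda h: h[4], reverse=True)
```

In the sample, the second minute's mean age jumps from 3 to 202 seconds because of a single 600-second flow that sent 52 MB to the server side, which is the kind of spike the graph makes visible.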

SN-Application protocol graph

Another useful tool in the SN-Hunt-1 dashboard for identifying potential security issues is the SN-Application protocol graph, which displays the distribution of network traffic over time by application protocol. With this graph, you can immediately determine the most frequently used protocols on your network because it displays the number of packets sent and received for each protocol over a given time frame. With the help of this data, anomalies that might be signs of a security issue can be found, such as a sudden rise in traffic for a protocol that is not generally used on the network.

For instance, a sharp rise in traffic for a protocol linked to malware or a known vulnerability may be a clue that an intruder is trying to compromise your network. Alternatively, a sudden rise in traffic for a protocol that is generally used for file sharing or video streaming can mean that staff members may be getting involved in unauthorized activities, depending on the security policy of the organization.

By monitoring the SN-Application protocol graph, you can quickly detect unusual network behavior and take appropriate action to protect your organization from potential security threats.

SN-EventsList tables

There are a number of SN-EventsList tables on the SN-Hunt-1 dashboard: SN-HTTP-EventsList, SN-ANOMALY-EventsList, SN-ALERT-EventsList, SN-TLS-EventsList. These tables show lists of various pieces of information, such as network flows, anomaly or protocol related events, source and destination IP addresses, ports, protocols, and timestamps. These tables also have the correlated flows of the events. 

By linking events from various data sources and tables in Kibana dashboards, the "Correlate Flow" function in SELKS is intended to assist security analysts in identifying potential security issues. The correlation is built on top of the native Suricata “flow_id” capability and pieces together everything that belongs to the same flow. When a security event occurs, such as a network intrusion or malware infection, it often leaves a trail of data across multiple systems and log files. In the example below all events from the flow with flow_id:1328344995230503 are correlated and displayed together in EveBox. As one can see, no alert was generated, just network security monitoring data produced by Suricata: flow, http and file transaction logs.

The Correlate flow feature is intended to help analysts piece together these data points and identify patterns or anomalies that might indicate a security threat. 

For example, each row of the SN-Flow-EventsList table represents a different network flow and contains information about the packets exchanged between the source and destination IP addresses. The table also includes additional details, such as the flow_id, the flow_age, the flow.bytes_toclient, and the flow.bytes_toserver of the event.

By reviewing the information there, users can quickly identify suspicious network behavior, such as unusual traffic patterns or traffic to and from suspicious IP addresses or ports. This information can be used to detect potential security threats, such as malware infections, data exfiltration, or network intrusions.
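The flow_id correlation described above, as an added example that is not the SELKS or EveBox implementation: it groups EVE records of every type by flow_id and picks out flows that carried a file but raised no alert. The records are constructed; only the flow_id 1328344995230503 is taken from the post, and the helper names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample EVE records, deliberately out of order. Only the first
# flow_id value comes from the post; every other value is made up.
EVE_SAMPLE = """
{"timestamp":"2023-01-05T10:01:02.000000+0000","event_type":"flow","flow_id":1328344995230503,"src_ip":"10.0.0.5","dest_ip":"192.0.2.10","flow":{"age":60,"bytes_toserver":900,"bytes_toclient":250000}}
{"timestamp":"2023-01-05T10:00:02.000000+0000","event_type":"fileinfo","flow_id":1328344995230503,"fileinfo":{"filename":"/download/setup.bin","size":248000}}
{"timestamp":"2023-01-05T10:00:01.000000+0000","event_type":"http","flow_id":1328344995230503,"http":{"hostname":"files.example.net","url":"/download/setup.bin","http_method":"GET","status":200}}
{"timestamp":"2023-01-05T10:00:30.000000+0000","event_type":"alert","flow_id":2002,"alert":{"signature":"CONSTRUCTED example signature","severity":2}}
{"timestamp":"2023-01-05T10:00:29.000000+0000","event_type":"http","flow_id":2002,"http":{"hostname":"cdn.example.org","url":"/a.js","http_method":"GET","status":200}}
{"timestamp":"2023-01-05T10:00:31.000000+0000","event_type":"fileinfo","flow_id":2002,"fileinfo":{"filename":"/a.js","size":1200}}
{"timestamp":"2023-01-05T10:00:35.000000+0000","event_type":"stats","stats":{"uptime":120}}
"""

def correlate(eve_text):
    """Group every EVE record that has a flow_id, ordered by timestamp."""
    flows = defaultdict(list)
    for line in eve_text.splitlines():
        if line.strip():
            event = json.loads(line)
            if "flow_id" in event:          # stats records carry no flow_id
                flows[event["flow_id"]].append(event)
    for events in flows.values():
        # Timestamps share one format and timezone, so string order is time order.
        events.sort(key=lambda e: e["timestamp"])
    return dict(flows)

def event_types(flows, flow_id):
    """The trail one flow left across the different EVE logs."""
    return [e["event_type"] for e in flows.get(flow_id, [])]

def unalerted_transfers(flows):
    """Flows with a file transaction (fileinfo) but no alert record."""
    return sorted(
        fid for fid, events in flows.items()
        if any(e["event_type"] == "fileinfo" for e in events)
        and not any(e["event_type"] == "alert" for e in events)
    )
```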

The SN-EventsList tables also contain links to VirusTotal (for Source and Destination IPs the user can simply click on the IP/url links as displayed below).

 

VirusTotal is an online virus and malware scanning service that provides a free and easy-to-use platform for users to check files, URLs, and IP addresses for potential security threats. The service checks the given item against a wide database (the free/public version provides over 70 antivirus engines and checks from other security tools) in order to provide an in-depth report on any potential security threats. Its reports offer information about the type of threat, the severity level, and recommendations for further action, such as quarantine or removal of the item. In addition to that, VirusTotal gives information on the reputation of the item, including its history and other metadata, which can assist users in determining if the item is safe to use or not.

The FPC (“Full Packet Capture”) column on the SN-EventsList tables links to the pcap generated by Suricata and can be viewed in the Open Source Arkime Viewer. Arkime is a network security monitoring application included in SELKS that incorporates a variety of analysis features, such as packet decoding, session reconstruction, and full-text search, to help users quickly identify and investigate security issues.

By using FPC, the SELKS Kibana dashboards allow users to quickly pivot from an event to correlation and pcap that can quickly identify unusual or suspicious traffic patterns that may indicate a security threat.

SN-TLS Versions pie chart

The SN-TLS Versions pie chart gives us a breakdown of the TLS (Transport Layer Security) versions used by clients and servers in network traffic flows. TLS is a protocol that provides secure communication over the internet, and it is commonly used for secure transactions. TLS has several versions, including SSL, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3, with each version offering different security features and capabilities. Thus, the SN-TLS Versions pie chart depicts the distribution of TLS versions used in network traffic flows, allowing users to discover potential security threats or vulnerabilities associated with specific TLS versions. For example, if a large number of flows are using an older, less secure TLS version, it may indicate that the network is at greater risk of a security breach.

SN-TLS TCP Ports pie chart

The SN-TLS TCP Ports pie chart provides a visualization of the distribution of TCP ports used in network traffic flows that use TLS, allowing users to identify any potential security threats or vulnerabilities associated with specific ports. With this chart we can see right away, for example, TLS on port 2222 instead of the standard port 443. On its own this is not an indication of malicious activity, but it gives us visibility, helps us understand what is happening on the network, and can be used as an initial pivot point for threat hunting.
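The two TLS pie charts above, reproduced as an added example that is not part of SELKS or the original post: it tallies TLS versions and destination ports from Suricata EVE tls records and builds a review list of sessions on a port other than 443 or using an older version. The records are constructed, and the version strings, the expected-port set and the legacy-version set are assumptions to adjust for your own network.

```python
import json
from collections import Counter

# Constructed sample EVE records; version strings are assumed sample values.
EVE_SAMPLE = """
{"timestamp":"2023-01-05T10:00:01.000000+0000","event_type":"tls","flow_id":201,"src_ip":"10.0.0.5","dest_ip":"192.0.2.10","dest_port":443,"tls":{"version":"TLS 1.3","sni":"www.example.com"}}
{"timestamp":"2023-01-05T10:00:05.000000+0000","event_type":"tls","flow_id":202,"src_ip":"10.0.0.5","dest_ip":"192.0.2.11","dest_port":443,"tls":{"version":"TLS 1.2","sni":"mail.example.com"}}
{"timestamp":"2023-01-05T10:00:09.000000+0000","event_type":"tls","flow_id":203,"src_ip":"10.0.0.7","dest_ip":"198.51.100.20","dest_port":2222,"tls":{"version":"TLS 1.2"}}
{"timestamp":"2023-01-05T10:00:15.000000+0000","event_type":"tls","flow_id":204,"src_ip":"10.0.0.6","dest_ip":"192.0.2.12","dest_port":443,"tls":{"version":"TLSv1","sni":"legacy.example.net"}}
{"timestamp":"2023-01-05T10:01:00.000000+0000","event_type":"flow","flow_id":201,"src_ip":"10.0.0.5","dest_ip":"192.0.2.10","dest_port":443,"flow":{"age":59}}
"""

EXPECTED_TLS_PORTS = {443}                                # assumption: site policy
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLS 1.1"}  # assumption: treated as old

def tls_breakdown(eve_text):
    """Return (version_counts, port_counts, review_list) for tls records."""
    versions, ports, review = Counter(), Counter(), []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") != "tls":
            continue
        version = event["tls"].get("version", "unknown")
        port = event["dest_port"]
        versions[version] += 1
        ports[port] += 1
        reasons = []
        if port not in EXPECTED_TLS_PORTS:
            reasons.append("non-standard port")
        if version in LEGACY_VERSIONS:
            reasons.append("legacy version")
        if reasons:
            # A pivot point for a hunt, not a verdict: keep the flow_id to correlate.
            review.append((event["flow_id"], port, version, reasons))
    return versions, ports, review
```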

SN-DNS-Rrname pie chart

The SN-DNS-Rrname pie chart shows a breakdown of RRNames (DNS Resource Record Names) that have been queried or resolved in network traffic flows. DNS (Domain Name System) is a protocol that translates human-readable domain names, such as "gmail.com", into IP addresses, which are used to identify networked devices. DNS operates by resolving queries to specific Resource Records (RRs) that contain information about the domain, such as the IP address of the server hosting the website.

The pie chart visualizes the distribution of RRNames queried or resolved in network traffic flows, allowing users to discover potential security issues or suspicious activity linked with particular RRNames. For example, if a large number of flows are querying or resolving a specific RRName that is associated with known malware or phishing sites, it may indicate that the network is at risk of a security breach. It can also indicate what DNS resolvers are used in the network and who is using them, thus providing great visibility.
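The rrname breakdown and the resolver visibility mentioned above, as an added example that is not part of SELKS or the original post: it counts queried rrnames from Suricata EVE dns records and maps each resolver to the clients that use it. The records are constructed, the expected-resolver set is an assumption, and the code assumes records that carry dns.type and dns.rrname at the top level of the dns object.

```python
import json
from collections import Counter, defaultdict

# Constructed sample EVE dns records (queries and one answer).
EVE_SAMPLE = """
{"timestamp":"2023-01-05T10:00:01.000000+0000","event_type":"dns","flow_id":301,"src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dest_port":53,"dns":{"type":"query","rrname":"gmail.com","rrtype":"A"}}
{"timestamp":"2023-01-05T10:00:01.100000+0000","event_type":"dns","flow_id":301,"src_ip":"10.0.0.1","dest_ip":"10.0.0.5","dest_port":51515,"dns":{"type":"answer","rrname":"gmail.com","rrtype":"A"}}
{"timestamp":"2023-01-05T10:00:04.000000+0000","event_type":"dns","flow_id":302,"src_ip":"10.0.0.6","dest_ip":"10.0.0.1","dest_port":53,"dns":{"type":"query","rrname":"Gmail.com","rrtype":"A"}}
{"timestamp":"2023-01-05T10:00:07.000000+0000","event_type":"dns","flow_id":303,"src_ip":"10.0.0.7","dest_ip":"198.51.100.53","dest_port":53,"dns":{"type":"query","rrname":"updates.example.net","rrtype":"A"}}
{"timestamp":"2023-01-05T10:00:37.000000+0000","event_type":"dns","flow_id":304,"src_ip":"10.0.0.7","dest_ip":"198.51.100.53","dest_port":53,"dns":{"type":"query","rrname":"updates.example.net","rrtype":"A"}}
"""

EXPECTED_RESOLVERS = {"10.0.0.1"}   # assumption: the resolver clients should use

def dns_view(eve_text):
    """Return (rrname_counts, {resolver_ip: sorted client IPs}) from queries."""
    rrnames = Counter()
    clients_by_resolver = defaultdict(set)
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") != "dns":
            continue
        dns = event["dns"]
        # Count queries only, so a query and its answer are not counted twice.
        if dns.get("type") != "query":
            continue
        rrnames[dns["rrname"].lower()] += 1       # DNS names are case-insensitive
        clients_by_resolver[event["dest_ip"]].add(event["src_ip"])
    return rrnames, {r: sorted(c) for r, c in clients_by_resolver.items()}

def unexpected_resolvers(clients_by_resolver):
    """Resolvers outside the expected set, with the clients querying them."""
    return {r: c for r, c in clients_by_resolver.items()
            if r not in EXPECTED_RESOLVERS}
```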

 

The SELKS Kibana SN-Hunt-1 Dashboard: A Valuable Network Traffic Analysis Tool

The SELKS Kibana SN-Hunt-1 dashboard can seem intimidating at first, but once you have mastered it, it becomes an incredible tool for streamlining network traffic analysis and threat hunting. This dashboard provides a user-friendly interface that allows for easy navigation and analysis of network traffic data, making it easier to identify and troubleshoot issues. The powerful visualization tools and advanced filtering capabilities of the SELKS Kibana dashboard enable users to quickly identify patterns and anomalies in network traffic data, making it easier to recognize security threats and mitigate risks.

Overall, incorporating the SELKS Kibana SN-Hunt-1 dashboard into your network analysis toolkit can greatly enhance your ability to analyze network traffic data and solve complex network security challenges. To see more of the visualizations available in the SN-Hunt-1 dashboard, make sure to subscribe to the Stamus Networks blog so you can be notified next week when we release a follow-up detailing more visualizations available in the SN-Hunt-1 Kibana dashboard in SELKS. 

To see the SN-Hunt-1 dashboard in action, read about how you can use SELKS Kibana dashboards to solve the Unit 42 Wireshark quiz from January 2023. 

Rositsa Kyuchukova

Rositsa is a Senior Quality Assurance Engineer at Stamus Networks with a Passion for Testing and Security. She has over 10 years of experience in the fields of manual and automated testing. As a Senior QA professional, she uses her skills to ensure software quality and identify critical issues that lead to improved product reliability. With a decade of hands-on experience, she has honed her skills in both manual and automated testing. Throughout her career, she has been dedicated to delivering high-quality QA solutions to enhance user satisfaction. Beyond her expertise in software testing, she is deeply passionate about penetration testing and security testing. The challenges and intricacies of network security fascinate her, and she is enthusiastic about exploring new ways to safeguard digital assets. Rositsa resides in Sofia, Bulgaria.
