Cyberprobe


Version 0.40 is here! See revision history below. Also see downloads.

Overview

The Cyberprobe project is a distributed architecture for real-time monitoring of networks against attack. The software consists of two components: the probe, cyberprobe, and the monitor, cybermon.

These components can be used together or separately. In a simple configuration they run on the same host; in more complex environments, a number of probes can feed a single monitor.

The probe, cyberprobe, has the following features:

The monitor tool, cybermon, has the following features:

The cybermon software is still a work in progress and needs more protocols added, but there is enough capability to be useful and to demonstrate the value of this architecture.

The code is targeted at the Linux platform, although it is generic enough to be applicable to other UN*X-like platforms.

The easiest way to learn about the software is to follow our Quick Start tutorial.

Motivation

Cyberprobe started out as a research tool to study networked applications and find out what they were doing, since, as we all know, software suppliers sometimes like to add some "extras" to their software :). So, a simple tool to configure how packets are captured from a network was produced. But as you are probably aware, the biggest threat to the safety of your information comes from outside your network, so the ability to trigger packet collection when a Snort rule fires was added.

Snort is a powerful IDS that inspects packets on your network, matches them against a set of signatures and produces logs and alerts. We felt there was a need to harness those alerts by using them to trigger collection and forwarding of packets from the address that caused the alert.

You may be asking why you'd want to use Cyberprobe. After all, monitoring networks with tcpdump and Snort and collecting alerts and packet data for analysis is a straightforward process on many networks. However, real-time analysis is not possible if everything is file based. Collecting the data and forwarding it over the network to a central collection point allows a much more "industrialised" approach to intrusion detection: if you detect an attack attempt and then observe vast quantities of data leaving your network from the credit card accounts database, you know you need to act quickly.
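The mechanism described in the two paragraphs above (a Snort alert names an attacking address, and the probe then collects and forwards that address's traffic to the monitor) is small enough to show end to end. The following is an added example written for this page, not Cyberprobe's own code: it parses constructed Snort 2 alert_fast lines, keeps a target list with a time-to-live so collection stops when the window closes, ignores low-priority alerts (in Snort, priority 1 is the most severe), and filters a constructed packet stream down to what a probe would ship. The alert text, addresses, TTL and priority threshold are all invented for the example.

```python
"""Snort-alert-triggered packet targeting, as sketched in the Cyberprobe overview.

Added example, not Cyberprobe code: a Snort alert names an attacking address,
the address is put on a target list for a limited time, and only traffic to or
from targeted addresses is forwarded to the central monitor.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Snort 2 "alert_fast" line layout. The Classification field is optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    priority: int   # Snort: 1 is the most severe
    proto: str
    src: str
    dst: str


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(int(m["sid"]), m["msg"], int(m["prio"]), m["proto"], m["src"], m["dst"])


class Targeter:
    """Maintains the set of addresses whose traffic is currently being collected."""

    def __init__(self, ttl_seconds: float, max_priority: int = 2) -> None:
        self.ttl = ttl_seconds
        self.max_priority = max_priority        # ignore low-priority noise
        self.targets: Dict[str, float] = {}     # address -> expiry time

    def on_alert(self, line: str, now: float) -> Optional[str]:
        """Target the alert's source address; returns it, or None if ignored."""
        alert = parse_alert(line)
        if alert is None or alert.priority > self.max_priority:
            return None
        # A repeat alert re-arms the collection window from "now"
        self.targets[alert.src] = now + self.ttl
        return alert.src

    def expire(self, now: float) -> List[str]:
        """Drop targets whose collection window has closed; returns them."""
        gone = [a for a, t in self.targets.items() if t <= now]
        for a in gone:
            del self.targets[a]
        return gone

    def wants(self, src: str, dst: str, now: float) -> bool:
        """Should a packet between src and dst be forwarded to the monitor?"""
        self.expire(now)
        return src in self.targets or dst in self.targets


Packet = Tuple[float, str, str, int]   # (time, src, dst, bytes)


def forward(targeter: Targeter, packets: List[Packet]) -> List[Packet]:
    """Return the subset of packets the probe would ship to the monitor."""
    return [p for p in packets if targeter.wants(p[1], p[2], p[0])]


# Constructed sample alerts: one high-priority alert from 10.0.0.5 and one
# low-priority alert from 10.0.0.9 that should not trigger collection.
SAMPLE_ALERTS = [
    "01/28-22:26:04.877970  [**] [1:1000001:1] Shell metacharacters in URI [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51234 -> 192.168.1.10:80",
    "01/28-22:26:05.101000  [**] [1:1000002:1] Ping sweep [**] "
    "[Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.10",
]

# Constructed traffic seen after the alerts (time, src, dst, size). Only the
# 10.0.0.5 conversation should be forwarded, and only inside the 60 s window.
SAMPLE_PACKETS: List[Packet] = [
    (10.0, "10.0.0.5", "192.168.1.10", 512),
    (11.0, "192.168.1.10", "10.0.0.5", 1500),   # reply direction is collected too
    (12.0, "10.0.0.9", "192.168.1.10", 64),     # low-priority source, not targeted
    (13.0, "10.0.0.7", "192.168.1.20", 200),    # unrelated traffic
    (90.0, "10.0.0.5", "192.168.1.10", 512),    # window expired at t=65
]


def run_sample() -> List[Packet]:
    """Feed the sample alerts at t=5 and filter the sample packets."""
    t = Targeter(ttl_seconds=60.0, max_priority=2)
    for line in SAMPLE_ALERTS:
        t.on_alert(line, now=5.0)
    return forward(t, SAMPLE_PACKETS)


if __name__ == "__main__":
    for pkt in run_sample():
        print(pkt)
```

Two choices matter in practice. Collection is keyed on the address, not the alerting flow, so the reply direction and any later connections from the same host are captured, which is what you want when the interesting traffic (the data leaving the network) starts after the alert. And the target list expires on its own; without a TTL, a single noisy rule would leave the probe forwarding everything from a busy address indefinitely.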

You need flexibility about how you monitor for network attacks. There isn't a one-size-fits-all solution. Attackers are ingenious in their approach to attacking your network, so you need to have a flexible, configurable monitoring tool to develop your defences.

There's a war coming... The enemy is resourceful, they can use your networks and systems as their own weapon. But with the right tools, you can prepare a defence. It's time to get ready for Cybermaggedon.

Revision history

Cyberprobe releases:

0.40 - Now includes prototype STIX support: a TAXII server allows distribution of threat information, and a TAXII client can read indicator information and store it in a way that cybermon can use.
0.30 - The build process now uses the GNU toolset. It detects the Lua interface and can compile against Lua 5.1 and 5.2. Successfully compiled on a MacBook!
0.25 - Added SMTP and FTP capability. Also added a primitive mechanism to visualise network observations.
0.20 - HTTP and DNS protocol capability. TCP reset and DNS packet forgery added. Major overhaul of the Lua language interface.
0.12 - Cybermon utility is configurable using Lua.
0.11 - Added basic cybermon utility.
0.10 - Added management interface.
0.9 - First release on SourceForge.

See downloads.

Code

You can either download the latest release from the downloads page, or check out the latest code using git:

git clone http://git.code.sf.net/p/cyberprobe/code cyberprobe

Have a play, and let us know what you think. We'd love to hear questions, comments, what's good, what disappointed you etc. etc.

Powered by SourceForge; the project page is here.

For improvement

Suggestions, offers of code, help, etc. very welcome. Get in touch if you'd like to be involved!