The goal of this article is to present a basic howto of Passive Network Audit Framework (PNAF), a PNA (Passive Network Audit) based framework that can be use as useful tool to perform network audits in a passive way by taking advantages from different network traffic analysis tools. The scope of this article includes installation, configuration and basic execution models to extract, parse and interpret information from PCAP files as single input. For additional information about the theoretical model, you can check its original source (masters thesis)[1] , as well as the article (in Spanish) “Frameworks para monitoreo, forense y auditoría de tráfico de red” published in edition 24th of the digital magazine .Seguridad .
Explore this article (English) (Spanish)
The content of this article was published (in Spanish) in the edition 25th of the digital magazine .Seguridad of UNAM-CERT.
CONTENT
Introduction
PNAF v0.1 public prototype is an implementation of a TU/e masters thesis developed as internship project at Fox-IT B.V in The Netherlands. This public prototype DOES NOT include any internal information about TU/e nor Fox-IT.
From Version 0.1.2, PNAF is a project of UNAM-Chapter [The Honeynet Project]
Main development repository
News, updates and howtos
Resources downloads
Version 0.1.2 will get just minor updates (bugs/parsing) and it is the last version of 0.1.x branch. You can either clone this repository and install it on your standalone machine, or download the Virtual Machine image available on http://pnaf.honeynet.org.mx/download/
Summary
PNAF is a framework intended to provide the capability of getting a security assessment of network platforms by analysing in-depth the network traffic (in a passive way) and by providing a high-level interpretation in an automated way. It combines different analysis techniques and tools. The framework is intended to achieve the following goals:
Architecture
- To be a flexible, scalable and modular framework
- To provide accurate analysis of network platforms
- To provide a useful API in order to develop further features and improvements (not included on 0.1.2 prototype, but on 0.2.x)
Functional
- Summary of the security level of the network
- Findings of anomalous activities
- Findings of security audit policy
- Findings of impact analysis (e.g. based on CVE)
- Summary of security recommendations
- Reference of evidence
ARCHITECTURE
PNAF (original prototype) is comprised by three main modules. Each module has its own engines which manage specific tools and process the data. PNAF is written in Perl, why? because Perl rules!
DCM – DATA COLLECTION MODULE
- NTCE – Network Traffic Capture Engine
- NCPE – Network Traffic Pre-processing Engine
DPM – DATA PROCESSING MODULE
- NPEE – Network Profiling and Enumeration Engine
- p0f : Network and service enumeration
- prads : Network and service enumeration
- IDSE – Network Intrusion Detection Engine
- Suricata
- Snort
- Bro
- Barnyard : Unified2 reader
- NFAE – Network Flow Analysis Engine
- Cxtracker : Basic flow data summary
- Argus : Flow data analysis
- Yaf : Flow data analysis
- Silk : Flow data analysis
- Tcpdstat : Protocol statistics
- DPIE – Deep Packet Inspection Engine
- Chaosreader : Application data extraction “any-snarf”
- Nftracker : File extraction
- Xplico : Application data extraction (url, files, …)
- Httpry : HTTP data logger
- Ssldump : SSLv3/TLS data tracker
- Dnsdump : DNS data extraction
- PassiveDNS : Passive DNS data collection
- Dnscap : DNS capture utility (tcpdump-like for DNS)
- Tcpxtract : File extraction
- Tcpdump : Pcap filtering
- NSAE – Network Security Audit Engine
- Pnaf-auditor
DVM – DATA VISUALIZATION MODULE (TODO — Dev)
- WDVE – Web Data Visualization Engine
- GSVE – Graphic Security Visualization Engine
- SARE – Security Audit Report Engine
- DIEE – Data Import/Export Engine
General model of PNAF
The general model of PNAF (Figure 1) defines the workflow of how PNAF decodes, filters and interprets data from network traffic capture files as single input.
Figure 1. Workflow of Passive Network Audit Framework (PNAF)
INSTALLATION MODES
PNAF includes a set of tools[2] for capturing and analysis of network traffic such as passive profilers, IDS, protocol decoders, etc. Since some of these tools are quite complex by themselves, they may involve complex installation processes as well. Thus, PNAF is designed not only to use the set of tools in an automated way, but also to facilitate their integration by implementing clean and easy ways to deploy the whole unified framework. There are four main installation modes which are explained in the sections below.
Installation using installer
PNAF includes an installer that automates the downloading, compilation and configuration of all the tools included within the framework. This installer is a shell script (bash) that provides a wizard based on dialog. In order to use this installation mode, it is necessary to meet the following requirements:
- Debian GNU/Linux 7 or later (8.x recommended) o Gentoo stage 3.x.
- Internet connection during installation process (the installer downloads and installs some libraries and other dependencies via Apt or Emerge), as well as some Perl modules through CPAN.
It may be possible to make PNAF work under Ubuntu or any other GNU/Linux distribution based on Debian APT packages. However, it would imply checking of all the libraries’ equivalences corresponding with such distributions. Moreover, it may be possible to use the installer under other systems which are not based on APT nor Emerge. To do so, you would need to install all needed dependencies manually and then make some small changes on the installer itself. For more information you can check the list of dependencies on README file. Further versions of PNAF are planned to include additional support for the installer as well as additional automated (easier) ways to deploy it (e.g. containers).
Since PNAF needs to install a lot of libraries and dependencies that may cause compatibility issues with the native system, then it is recommended to install PNAF within a chroot environment. This article explains how to perform the installation using chroot.
Thus, assuming that a Debian 8 (amd64) system is used:
1. Generation of chroot environment (via debootstrap)
# aptitude install debootstrap # debootstrap --arch amd64 jessie chroot_pnaf http://ftp.nl.debian.org/debian # mount -t sysfs sysfs chroot_pnaf/sys # mount -t proc proc chroot_pnaf/proc # mount -o bind /dev chroot_pnaf/dev # mount -o bind /dev/pts chroot_pnaf/dev/pts
Then switch to the chroot environment:
# chroot chroot_pnaf # cd ~
2. Download PNAF
Option 1: From its official repository (main development site)
# aptitude install git # git clone https://dev.honeynet.org.mx/traffic-analysis/pnaf.git
Option 2: From github (mirror)
# git clone https://github.com/jusafing/pnaf
Once pnaf latest release is downloaded, get into the directory and execute the installer.
# cd pnaf # ./install.sh
This will execute the installer wizard. First it is necessary to confirm that you want to install PNAF on the system. Afterwards, it is possible to choose what tools will be installed. Despite the fact that in version 0.1.2 not all the tools are used, it is recommended to install all the listed tools. Thus, PNAF installer by itself can be considered as an automated and easy tool to deploy a set of network traffic analysis tools..
Figure 2. Selection of tools within PNAF installer
If it is the very first time that PNAF is installed on the system, then it should be a “clean installation”. Otherwise, in case of PNAF is already on the system, a clean installation will delete any tool and configuration previously set. So, if you need to install or re-install certain too and keeping a previous configuration, then select “NO” option on this step.
Figure 3. Selection of clean installation
After this step, PNAF will start the compilation and configuration process. which may take around 30-40 minutes depending on the features of the machine. In case of any error encountered by the installer, it will show up the corresponding message and you can check the details in the files install.log (basic log) and install.log.exec (detailed log) to identify the problem. If no problems are encountered, then the installer will show a success confirmation and PNAF will be installed on the system.
It is recommended that in order to update all the environment variables, exit out of the chroot environment and switch back again. Furthermore, it may be useful to add a tag on the chroot shell:
# echo 'PS1="(PNAF) $PS1"' >> ~/.bashrc # exit # chroot chroot_pnaf
To verify that PNAF has been installed correctly:
# pnaf_auditor --help
Figure 4. Execution option of PNAF auditor
Installation with a preconfigured Debian chroot (tarball)
The second installation mode can be done by using a preconfigured chroot directory with all the tools already installed and configured. This mode basically avoid the whole process explained in the first installation mode (using debootstrap and run the installer). Moreover, this mode provides a way of deploying environments through the use of templates (chroot directory). In order to use this installation mode, it is only necessary to download the tarball (about 1.3 Gb) that contains the aforementioned template and then just unpack it within the local filesystem.
Note: It is important to emphasize the fact that this mode only works if the native system in which the template is used is Debian 8 (amd64), although it might be possible to make it work on any 64 bit Debian based system.
# wget http://pnaf.honeynet.org.mx/download/chroot_pnaf.tar.bz2 # tar -jxvf chroot_pnaf.tar.bz2 # mount -t sysfs sysfs chroot_pnaf/sys # mount -t proc proc chroot_pnaf/proc # mount -o bind /dev chroot_pnaf/dev # mount -o bind /dev/pts chroot_pnaf/dev/pts # chroot chroot_pnaf
Similarly, it can be tested that PNAF works properly by running:
# pnaf_auditor --help
Installation by using a Virtual machine
This installation mode is very simple. It only need to download an image of a virtual machine (OVA file) that contains a pre-installed and configured PNAF environment under a Debian system. This OVA file can be imported using either VirtualBox or Vmware.
- Download the OVA image http://pnaf.honeynet.org.mx/download/pnaf-0.1.2.ova
- Import it on Virtual Box:
Menu File/Import appliance/ and select the OVA file in order to create the virtual machine. This virtual machine includes a chroot directory with all the tools that the installer is able to deploy. The login credential are shown in the Welcome screen itself once the virtual machine is started. 
Figure 5. Pre-configured virtual machine with PNAF environment
Once the user is logged in, it is necessary to switch to the PNAF environment included in a chroot directory.
# mount -t sysfs sysfs chroot_pnaf/sys # mount -t proc proc chroot_pnaf/proc # mount -o bind /dev chroot_pnaf/dev # mount -o bind /dev/pts chroot_pnaf/dev/pts # chroot /root/chroot_pnaf
Independent installation (advanced mode)
This installation mode is intended to be used when some tools are already installed and configured on the system, so the PNAF core itself (Perl module) is used to process all the information generated by such tools. However, it is not recommended to use this mode since it implies that a huge set of parameters need to be specified on the configuration files, which would make the framework very prone to fail. Thus, it is recommended to use any of the aforementioned installation modes instead.
If you really need to use an independent installation, then just install the Perl module:
# cd pnaf # vim build/pnaf/Pnaf/lib/Pnaf/Core.pm (set all the parameters: paths, binaries, configuration files, etc.) # cd build/pnaf/Pnaf # perl Makefile.PL # make # make test # make install
CONFIGURATION
Version 0.1.2 takes all the configuration options directly from the arguments passed during execution. In order to see the available option of PNAF (pnaf_auditor), it can be used the following options:
# pnaf_auditor –-help
In addition, in order to visualize the versions of the tools included on the built version:
# pnaf_auditor –-version
In case any specific configuration is needed (e.g. a specific path or rules file for suricata, log files for prads, etc), all the configuration files within the directory /pnaf/etc can be set.
POC: Analysis of network traffic files (pcap)
This PoC will show how to perform a basic analysis of network traffic files using PNAF. It has to be emphasized that PNAF extracts and interprets information in different ways, depending the purpose and depth of the desired analysis. Thus, the information presented on this PoC does not represent all the findings that can be obtained using PNAF.
The following table describes the kind of information and purpose obtained on this general analysis.
| Type of data | Purpose |
| Asset identification | Identification of assets that perform activities within the network including their type of link connection, protocols involved, usage rates, platforms, software, among others. |
| Security events (IDS based alerts) | Identification of potential anomalous or malicious activities based on IDS data. |
| Resources | Identification of resources that provide information of workflow activities as well as data sources such as URL, domains, transferred files, etc. |
| Software audit | Passive identification of software that is being used within the network. This information is taken as baseline to identify potential vulnerabilities based on CVEs. |
Initial execution
General processing:
Having the PCAP file test1.cap, pnaf_auditor is executed as follows:
# pnaf_auditor –-cap test1.cap –log_dir /pnaf/www/test1
These options specify that the file will be taken by the tools used by PNAF and the output data will be stored within /pnaf/www/test1 directory.
Figure 6. PNAF generic processing execution
Specific processing
Now, assuming that a more specific analysis is needed, it is possible to execute pnaf_auditor using the following options:
# pnaf_auditor –-cap test2.cap –log_dir /pnaf/www/test2 --home_net 192.168.1.0/24 –-payload
With these parameters pnaf_editor will analyze the pcap file test2.cap, taking the network segment 192.168.1.0/24 as “home_net”, which is the internal network of theorganization. It is possible to specify the home_net using CIDR format. Furthermore, it is specified that payloads will be decoded in case any IDS alert is triggered. This is specially useful to analyse and identify potential false positives.
Analysis and data interpretation
In order to get a basic meaningful information, based on a bunch of raw data, the analysis can be done through different stages.
1. Command line logs (execution stdout)
Logs generated during the execution are displayed on the standard output (Figure 7 below). This phase is important since the analyst can check what tools are being used to retrieve raw logs, as well as the basic overview of parsed events and assets audit.
Figure 7. Execution log and summary
2. Web visualization
PNAF provides a basic web visualization that includes the following data:
- Raw data logs generated by all the tools included on the PNAF built
- Pre-processed logs in JSON format
- Audit data processed logs in JSON format displayed on a JSON viewer.
All JSON data generated by PNAF can be used and interpreted within the framework itself, however it is important to emphasize that such data can be also exported to feed data analysis systems such as SIEM.
In order to use the basic web visualization, it is necessary to enable the web server Apache.
# apachectl start
By default, all the findings are stored in /pnaf/www directory. When pnaf_auditor is executed, –log_dir option can be used to specify that the output directory is set directly within the webdir. In the running example the output directory was set on /pnaf/www/test2 which can be accessed directly through a web browser on http://localhost or the corresponding IP address of the server where PNAF has been deployed.
Figure 8. PNAF basic web visualization
The web directory has the following structure (practical example on Figure 9):
DIRECTORY_NAME/ (Raw logs generated by tools) | |----- JSON/ (Parsed files in JSON format) | | | |---SUMMARY/ (JSON tree view of dataset and audits) | | | (This is the main basic visualizer) | | | | | |---dataset (Parsed data of all toolsets) | | |---auditSummary (Summary of audit information) | | |---dataset.html (All software found within trafic) | | |---auditOutput (Audit based on CVE (NIST) and software) | | |---dataset.html (Audit data sorted per single asset) | | | |-------VIEW1/ (Alternative JSON viewer) | | | |-------VIEW2/ (Deprecated)
Figure 9. Files generated for web visualization
The analysis of this PoC is performed from general data to specific findings. First, it is useful to review the file json/summary/dataset.html. Here, the analyst can visualize data logs generated by all the tools using JSON viewers. Each tree has two main categories:
- Summary: it contains the summary of findings
- Tracking: It contains data sorted out by single asset
Depending on the depth of the analysis, it is possible to dig into details on each dataset, as well as perform searching using the textbox embedded on the viewer.
Figure 10. Dataset of tools used in PNAF
The next step on the analysis involves checking the parsed and correlated data stored on the file /json/summary/auditSummary.html . Here, the analyst can visualize detailed information of each asset identified on the network traffic. For instance, it is possible to review information about URLs, SSL certificates, IDS alerts, transferred files, software, etc. Moreover, it is possible to review the audit correlation through a Tracking category (just as the main dataset explained before), in which audit data is sorted out by single asset. In order to do so, the file /json/summary/auditTracking.html can be accessed.
Figura 11. Audit summary. Main correlation
Figure 12. Audit summary. Tracking category (sorted by assets)
Finally, the file /json/summary/auditOutput.html shows findings about vulnerabilities in software identified within the network traffic, based on CVE database[3]. This analysis includes a score that measures the impact of the aforementioned vulnerabilities. Furthermore, a list of assets identified within blacklists (IP & domain name based and taken from trusted sources: e.g. EmergingTheats DB) is presented.
Figure 13. Audit summary. Vulnerability and blacklisted asset analysis based on trusted databases
Taking into consideration all the data gathered by the tools, the information interpreted by PNAF, as well as the meaningful (specific) interpretation performed by the analyst herself, then a big picture of the context and characteristics of the network can be determined. In fact, the kind of information that should be filtered and put focus on, depends upon the kind of problem, context and issue that needs to be identified.
It is very important to note that PNAF is prone to false positives due to the nature of PNA itself, in which the single input and potential lack of complete datasets (e.g. actual logs from applications, etc) may cause a miss interpretation and inaccurate correlation, leading to inaccurate findings that need to be verified manually by the analyst himself.
Currently PNAF is under development. Version 0.1.2 is the last version of 0.1 branch. Next versions will include improvements mainly on the visualization of the results, stability, ease of deployment and integration with external software for data analysis. For additional information you can follow the activities on the official blog of the UNAM-Chapter of the Honeynet Project and its development repository:
- http://blog.honeynet.org.mx
- https://dev.honeynet.org.mx/traffic-analysis/pnaf
- http://www.honeynet.unam.mx
References
[1] Passive Network Audit Framework, Master thesis. Santillan, Javier. Eindhoven University of Technology. The Netherlands. 2014
[2]Tabla 1. “Herramientas de análisis de tráfico de red” del artículo anterior
