Automated PCAP Retrieval from Network Monitor

SmartResponse™ Plugins allow alarms that trigger in LogRhythm to launch actions—adding malicious hostnames to a blacklist, quarantining infected machines, removing users from an Active Directory Group, or nearly anything that can be scripted. Typically, this has been done through PowerShell. However, the SmartResponse™ framework allows for any language or program to be used, so long as it can be installed on the system that contains the LogRhythm Alarming and Response Manager (ARM) service.

Although not included with Windows installations by default, Python is one of the most popular scripting languages, recently becoming the most popular language taught in Computer Science classes. One of Python’s key strengths is the vast library of user-built modules that greatly expand its functionality—these are very useful for easily performing the otherwise complex actions that a LogRhythm user may want to perform.

For example, if an Intrusion Detection System log generates an alarm in LogRhythm, it would be very valuable to an analyst to have the full-content PCAP of the traffic that caused the IDS to fire. Assuming LogRhythm Network Monitor is being used to collect PCAP, the “Retrieve NetMon PCAP” SmartResponse™ Plugin can query the Network Monitor API for all traffic related to the signature, download the associated sessions in PCAP form, and then merge all of the sessions into one easily usable PCAP.

This can occur either automatically or require user approval. Although not officially supported, this plugin is relatively easy to configure and use. This blog post will go through each process, step by step. The plugin can be downloaded here: Retrieve NetMon PCAP SmartResponse Plugin

Setting up the ARM to run Python scripts

1 Determine which LogRhythm appliance is hosting the Alarming and Response Manager service—from the LogRhythm Console Deployment Manager, the host will be listed under the “Event Manager” tab. To double check, it will be listed under “services.msc” on the machine.

1-1

2 Install Python 2.7 and Wireshark (utilized for ‘mergecap’) on the Event Manager.

3 On the Event Manager, hit the Windows key + Pause/Break. This will bring up the System Window. “Select Advanced System Settings,”” and then “Environment Variables.”

1-3

1-3b

4 In the Environment Variables window, scroll to “Path” under the “System Variables” subsection.

1-4]

5 Click “Edit” and append the string:

;C:\Python27\;C:\Python27\Scripts;C:\Program Files\Wireshark

—or the appropriate directory for the Wireshark and Python installations. Then close the window.

6 Open ‘services.msc’ and restart the ARM service. Python will now be ready to launch.

7 Because this Plugin uses a non-standard Python module, “Requests,”” we can also setup PIP, a tool that will allow us to install Python modules with one line. Follow this guide to install PIP.

8 Once PIP in installed, run the command

pip install requests

to install Requests. Alternatively, Requests can be downloaded and installed manually. You’re now ready to import ant run the Retrieve NetMon PCAP SmartResponse™ Plugin.

Importing a Plugin

1 From the LogRhythm Console, open Deployment Manager and then open the SmartResponse™ Plugin Manager via Tools ->  Administration -> Smart Response Plugin Manager

2-1

2 Select Actions -> Import

2-2

3 Navigate to the directory containing the SmartResponse™ Plugin, then select the file (of type AR Plugin File, .lpi) and click Open.

2-3

4 The SmartResponse™ Plugin should now be visible in the list of plugins in the SmartResponse™ Plugin Manager and the Actions tab for Alarms and AI Engine rules.

2-4

Configuring the Retrieve NetMon PCAP Smart**Response™

1 Find an alarm or AI Engine Rule that should trigger the PCAP retrieval. For example, the AI Engine Rule ‘Network Anomaly: Internationalized Domain Name (IDN)’ would be useful, because analysts can use the PCAP to determine what data is being sent to an unusual site. Open the rule and go to the ‘Actions’ tab.

3-1

2 From the Actions tab, select the “Action” dropdown at the top, and find the “Retrieve NetMon PCAP” plugin and select it.

3-2

3 The Parameters section will then be populated. There are four values which need to be specified by the user:

  • Query String: Use “Type” “Alarm Field.” The alarm field chosen as the ‘Value’ will be the string that Network Monitor uses to find all associated sessions. This should typically be a hostname, domain name, or other field that will be visible in network traffic. To test an items effectiveness, it can be searched in the Network Monitor UI as a Lucene Query. For this Alarm, choose “Group” to query by the domain name.
  • PCAP Dir: This will be the directory where the PCAPs will be saved. For example, “c:\tmp\pcaps.”” Remember that this will be in respect to the Event Manager.
  • NM Address: The hostname or address of the Network Monitor device
  • NM API Key: Can be found under the “Configuration - User” section of the NetMon UI.

3-3

4 If the action should not be automatic, use the “Approvals” section to set the Person or Group that needs to authorize the action to run. The approval will need to be done through the Dashboard or Alarm Viewer. If using a new Rule, it’s recommended to require an approver so that the Action doesn’t fire too often or pull down very large amounts of data unintentionally. Leave this section blank to run the action automatically.

3-4

5 When finished, hit “OK.”” The Plugin should now be working. The LogRhythm Labs team will continue to release similar unofficial plugins as they are developed. We are also releasing revamped, official plugins, including plugins for integration with LogRhythm partner devices. This is also where the latest editions of the Threat Detection Cookbook can be found. Again, the Retrieve NetMon PCAP SmartResponse™e Plugin can be downloaded here. The guide can be found here.