Various blog posts have been written by LogRhythm’s very own resident LogRhythm NetMon expert Rob McGovern regarding the numerous benefits of using Deep Packet Analytics within NetMon. If you’re not already familiar with deep packet analytics (DPA) rules, Rob’s post would be a great resource to review and includes free training!
PDF File Format: Recap
The PDF file format is well documented, and the graphical structure of a typical PDF file is shown below:
The table below provides a high-level overview of some of the more common PDF file format elements:
|Header||The header typically contains the PDF version, which is mandatory in order for the PDF reader to be able to successfully open the PDF document|
|Object||A PDF will contain one or more objects. An object can contain information necessary to render the document, such as text, graphics, fonts, forms, |
|Xref||The Xref table is a mapping table of sorts, which contains offset values to the various elements within the PDF|
|Trailer||This contains metadata about the file, as well as the root object, offsets, number of objects, their sizes, and so on|
|End-of-File||This simply marks the end of the file|
Now that you have a basic understanding of a PDF file, you can relate that understanding back to NetMon.
Suppose that a network packet capture has been obtained and is found to contain a PDF file. For a typical PDF file, an object similar to the following will appear in a WireShark output:
2 0 obj <</Type /Page /Parent 1 0 R /Resources 4 0 R /Contents 5 0 R>> endobj
With a little reversing, you can obtain a similar output by accessing the same physical PDF file outside of the PCAP file. For example, you can carve the PDF file from the PCAP to access this same outside file.
obj 2 0 Type: /Page Referencing: 1 0 R, 4 0 R, 5 0 R << /Type /Page /Parent 1 0 R /Resources 4 0 R /Contents 5 0 R >>
Enabling the DPA Rule
Using the network packet capture details and NetMon 3.6.2, you can use a function called
GetPayloadString() function within a DPA packet rule, this method would be significantly more expensive from a performance standpoint. In addition, a flow rule using the GetHttpResponseContent function can trigger a user alarm, which is instantly viewable in the NetMon Alarms dashboard.
The full code for this rule is shown below.
Additional highlights for this rule are as follows:
Alternatively, a simple Lucene search query will display all results for the custom metadata field of filetype PDF for the time window selected.
Ascertaining the Final Host Details
But what if a separate team manages the NetMon appliances in your organization? The good news is that despite not necessarily having access to the NetMon dashboard, you can still be alerted when the DPA rule fires. The “NetMon Lua Alarm” common event can quickly be searched. This will bring up the raw log message that shows a host of useful information pertaining to the source and destination IPs, MAC addresses, port numbers, and other metadata fields.
Once you ascertain which PDF file triggered the alarm, you will have all of the host details you need from both LogRhythm and NetMon to begin taking steps towards mitigation. You will also have access to underlying packet captures available in NetMon to continue with the investigation workflow. Your workflow may include creating a case, adding evidence and notes to the case, and performing the investigation to see how the PDF may have slipped by existing security defenses. This investigation could entail manually carving out the PDF from the PCAP, or performing incident response on the infected machine. The DPA rule can be found on our Community site here.
NetMon Deep Packet Analytics Rapidly Detects Malicious Code