At NYI, customized solutions start with customized tools. Net Sensor is one such tool.
Developed originally as a dissertation project at the Polytechnic Institute of NYU, Net Sensor has since evolved into a “general-purpose, modular network-analysis suite for use in research, monitoring, diagnostics, forensics, and statistics-gathering.”
Boris Kochergin, Senior System Administrator at NYI, is Net Sensor’s project founder and primary developer. At a chapter meeting last week of the Open Web Application Security Project (OWASP), held at NYI Bridgewater, Kochergin gave a history of the project and demonstrated its more advanced features.
Net Sensor’s latest iteration includes five sensor modules:
1) HTTP (sensor/modules/http)
- Parses HTTP messages and maintains a table of active HTTP sessions
2) HTTP Logger (sensor/modules/httpLog)
- Writes HTTP session headers to disk
- HTTP session headers may be read back from disk with the dumpHTTP utility (tools/dumpHTTP)
3) BitTorrent (sensor/modules/bt)
- Detects .torrent file downloads over HTTP
- Detects communication with HTTP BitTorrent trackers
- Detects communication with UDP BitTorrent trackers
- Sends detailed e-mail notifications of any of the above activities to any number of e-mail addresses
4) Printer Job Language (sensor/modules/pjl)
- Parses Printer Job Language/PostScript print jobs and maintains a table of active PJL sessions
- Writes various useful information about them to disk
- PJL data may be read back from disk with the dumpPJL utility (tools/dumpPJL)
- Pages printed per computer can be counted up with the countPJL utility (tools/countPJL)
5) Packets per Second (sensor/modules/pps)
- Monitors inbound and outbound packet rates of IPv4 addresses
- Sends out e-mail about IPv4 addresses that exceed a configured packet rate threshold
- E-mail includes a snippet of traffic to and from a reported IPv4 address
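The threshold check described for the Packets per Second module, as an added illustration rather than Net Sensor's own code: it counts inbound and outbound packets per IPv4 address in fixed one-second windows over a constructed packet list, flags addresses whose rate exceeds a configured threshold, and attaches a short snippet of their traffic as the notification would. The window size, the sample packets and all function names are assumptions.

```python
from collections import defaultdict

# Constructed sample packets: (timestamp_s, src_ip, dst_ip, summary). Not a real capture.
# 10.0.0.7 sends a burst of 12 packets within one second; the rest of the traffic is quiet.
SAMPLE_PACKETS = (
    [(100.0 + i * 0.05, "10.0.0.7", "192.0.2.10", "UDP 10.0.0.7:4000 -> 192.0.2.10:53 len 60")
     for i in range(12)]
    + [(100.3, "192.0.2.10", "10.0.0.7", "UDP 192.0.2.10:53 -> 10.0.0.7:4000 len 120"),
       (100.6, "10.0.0.8", "198.51.100.5", "TCP 10.0.0.8:51000 -> 198.51.100.5:443 SYN"),
       (100.7, "198.51.100.5", "10.0.0.8", "TCP 198.51.100.5:443 -> 10.0.0.8:51000 SYN/ACK"),
       (101.2, "10.0.0.7", "192.0.2.10", "UDP 10.0.0.7:4000 -> 192.0.2.10:53 len 60")]
)

def peak_rates(packets, window=1.0):
    """Return {ip: {"in": max_pps, "out": max_pps}} over fixed windows of `window` seconds."""
    counts = defaultdict(lambda: defaultdict(int))  # (ip, direction) -> {window_index: count}
    for ts, src, dst, _ in packets:
        bucket = int(ts // window)
        counts[(src, "out")][bucket] += 1
        counts[(dst, "in")][bucket] += 1
    rates = defaultdict(dict)
    for (ip, direction), buckets in counts.items():
        rates[ip][direction] = max(buckets.values()) / window
    return rates

def offenders(packets, threshold, window=1.0):
    """Addresses whose inbound or outbound rate in any window exceeds threshold (packets/s)."""
    result = {}
    for ip, dirs in peak_rates(packets, window).items():
        over = {d: r for d, r in dirs.items() if r > threshold}
        if over:
            result[ip] = over
    return result

def traffic_snippet(packets, ip, limit=5):
    """First `limit` packet summaries to or from ip, for inclusion in the notification."""
    return [s for _, src, dst, s in packets if ip in (src, dst)][:limit]

def build_notification(packets, threshold):
    """Plain-text report: one line per exceeded direction, followed by the traffic snippet."""
    lines = []
    for ip, dirs in sorted(offenders(packets, threshold).items()):
        for direction, rate in sorted(dirs.items()):
            lines.append(f"{ip} {direction}bound {rate:.0f} pkt/s exceeds {threshold} pkt/s")
        lines.extend("  " + s for s in traffic_snippet(packets, ip))
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_notification(SAMPLE_PACKETS, threshold=10))
```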
Those curious about the architecture of Net Sensor are advised to consult slides two and three of Kochergin’s presentation. The presentation also includes an interesting breakdown of the HTTP Module Architecture, which produced the following performance figures after deployment on a segment of NYI’s network:
- 600 Mbit/s of TCP traffic @ 150,000 packets/s
- 24,000 active HTTP sessions
- Utilizes 60% of one core of an Intel Xeon E5520 @ 2.27 GHz
- Uses 140 MiB of resident memory
  - Due primarily to a large number of buckets in the HTTP session hash table
  - Optimized for time, not space
- 0.006% packet loss
Along with general network intelligence, Kochergin’s presentation proceeded with a live demonstration of Net Sensor’s capabilities with BitTorrent. The result was a real-time detection of network misuse, which not only impressed the information security professionals in attendance, but also brought the presentation to a satisfying conclusion.
Net Sensor is an open source suite that is free and available for use by the broader community. Like INFER, it has been covered by Network World and Macworld.
To download Net Sensor, please visit the Net Sensor wiki. For system requirements, visit: http://acm.poly.edu/wiki/Net_Sensor#Requirements
NYI is proud to support OWASP. It also welcomes other organizations looking for space to host meetings. If you are interested, please get in touch.