Introducing Kalipso: the new interactive GUI of the Stratosphere Linux IPS

This blogpost was authored by Kamila Babayeva (@_kamifai_) on December 20th, 2019.

As a network grows, the chances of some host in it being infected grow with it. One of the most effective ways to protect yourself is to monitor your own traffic. The Stratosphere Linux IPS and Kalipso are tools that help to do this monitoring quickly and efficiently. In this blog we introduce Kalipso, the new command-line GUI for Slips, and show how to use it to detect malicious behavior in network traffic.

What is the Stratosphere Linux IPS?

The Stratosphere Linux IPS [1], Slips for short, is a behavior-based intrusion detection and prevention system that uses machine learning algorithms to detect malicious behaviors. Slips was first introduced in 2016. During the last year, Slips has gone through a significant refactoring process. The new version of Slips was released on the 31st of October 2019.

Slips Architecture

Slips works at the flow level. Its core function is to separate the traffic into profiles, one for each IP address that appears in it. A profile captures the complete behavior of that IP in the traffic and is the basic data structure in Slips. Each profile is then divided into time windows. A time window is 1 hour long by default and contains dozens of features computed over all the connections that start within it.

Zeek in Slips

Zeek [2], formerly known as Bro, is an open-source software framework for analyzing network traffic that is most commonly used to detect behavioral anomalies on a network for cybersecurity purposes. Zeek generates a wide range of log files for different protocols, including logs for DNS, HTTP, DHCP and SMTP, and a conn log that lists all connections regardless of their protocol.

Among other formats, Slips can read Zeek log files to create profiles. For example, the timeline for each time window is an interpretation of what the IP did during that hour. The timeline consists of the Zeek-generated conn.log flows plus additional interpretation from other logs like dns.log or http.log.

Slips can also read Argus flows, Nfcapd flows, Suricata flows and pcap files, or capture directly from a network interface.
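As an added illustration of the profile, time window and timeline ideas described above (this is example code written for this post, not code from the Slips project), the Python script below reads constructed Zeek-style conn.log and dns.log excerpts, groups flows into one profile per source IP, splits each profile into 1-hour windows counted from the profile's first flow (an assumption about how windows are indexed), and describes each flow either through its matching dns.log record, through the service Zeek detected, or as a 'Not Recognized' flow whose established state is derived from Zeek's conn_state field. The sample log lines, the window indexing and the conn_state-to-established mapping are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed Zeek-style log excerpts (tab-separated, with a #fields header) for this
# example. They are NOT taken from the blog's pcap. Timestamps are epoch seconds.
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
1570000000.100000\tCuid001\t172.16.2.197\t49152\t172.16.2.2\t53\tudp\tdns\t0.010000\t40\t120\tSF
1570000000.200000\tCuid002\t172.16.2.197\t49153\t10.0.0.5\t587\ttcp\t-\t0.500000\t60\t0\tS0
1570000001.000000\tCuid003\t172.16.2.197\t49154\t172.16.2.2\t445\ttcp\t-\t2.000000\t800\t900\tSF
1570003700.000000\tCuid004\t172.16.2.197\t49155\t10.0.0.6\t25\ttcp\t-\t0.300000\t60\t0\tREJ
1570000002.000000\tCuid005\t172.16.2.50\t51000\t172.16.2.2\t53\tudp\tdns\t0.005000\t38\t100\tSF
"""

DNS_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\tanswers
1570000000.100000\tCuid001\t172.16.2.197\t49152\t172.16.2.2\t53\tudp\tmail.example.test\tA\t10.0.0.5
1570000002.000000\tCuid005\t172.16.2.50\t51000\t172.16.2.2\t53\tudp\tupdates.example.test\tA\t10.0.0.7
"""

# Assumed mapping of Zeek conn_state values to "established" (simplified for this example;
# Slips has its own mapping). S0 = SYN without reply, REJ = rejected, SF = normal session.
ESTABLISHED_STATES = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}
WINDOW_SECONDS = 3600  # Slips' default time window length of 1 hour


def parse_zeek_log(text):
    """Parse a Zeek ASCII log into a list of dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def describe_flow(flow, dns_by_uid):
    """Build one timeline line: DNS interpretation, detected service, or Not Recognized."""
    dst = f"{flow['id.resp_h']}:{flow['id.resp_p']}/{flow['proto']}"
    dns = dns_by_uid.get(flow["uid"])
    if dns is not None:
        return f"DNS query {dns['query']} -> {dns['answers']}"
    if flow["service"] != "-":
        return f"{flow['service'].upper()} flow to {dst}"
    state = "Established" if flow["conn_state"] in ESTABLISHED_STATES else "Not Established"
    return f"Not Recognized {state} flow to {dst}"


def build_profiles(conn_rows, dns_rows):
    """Return {source_ip: {window_index: [(ts, description), ...]}} ('out' mode only)."""
    dns_by_uid = {r["uid"]: r for r in dns_rows}
    flows_by_ip = defaultdict(list)
    for flow in sorted(conn_rows, key=lambda r: float(r["ts"])):
        flows_by_ip[flow["id.orig_h"]].append(flow)
    profiles = {}
    for ip, flows in flows_by_ip.items():
        first_ts = float(flows[0]["ts"])  # windows are counted from the profile's first flow
        windows = defaultdict(list)
        for flow in flows:
            ts = float(flow["ts"])
            index = int((ts - first_ts) // WINDOW_SECONDS)
            windows[index].append((ts, describe_flow(flow, dns_by_uid)))
        profiles[ip] = dict(windows)
    return profiles


if __name__ == "__main__":
    for ip, windows in build_profiles(parse_zeek_log(CONN_LOG), parse_zeek_log(DNS_LOG)).items():
        print(f"profile {ip}")
        for index in sorted(windows):
            print(f"  timewindow {index}")
            for ts, text in windows[index]:
                print(f"    {ts:.3f}  {text}")
```

Running the script prints a profile for each source IP; the flow sent 3700 seconds after the host's first flow lands in time window 1, and the flows that Zeek could not attribute to a service come out as 'Not Recognized' lines, with the TCP handshake state deciding whether they count as established.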

What is Kalipso?

Kalipso is a graphical user interface designed specifically for Slips. It gives Slips users a brief overview of the analyzed data, attacks and malicious behaviors that Slips detected. Kalipso is very friendly and easy to use.

Kalipso Architecture

Kalipso is a JavaScript GUI that uses the Node.js runtime to execute JavaScript outside of a browser. Two high-level libraries provide the interface with clickable and scrollable widgets: the blessed library [3] and its extension blessed-contrib [4].

Slips and Kalipso interaction

The interaction between the two tools is done through the Redis [5] in-memory database. Slips stores the data about the analyzed pcap in Redis, and Kalipso retrieves that data from Redis to fill its dashboards and widgets.

Redis as the interaction between Slips and Kalipso. Redis structures used in Slips.

Kalipso: real traffic analysis! 

The goal of the analysis is to show step by step how Kalipso can be used to detect whether there is malicious behaviour in a packet capture.

In this example we will use the “2019-10-05-traffic-analysis-exercise-part-1.pcap” that can be downloaded from https://www.malware-traffic-analysis.net/2019/10/05/index.html.

PCAP information:

Pcap is from a Windows host on the internal corporate network for tinsolutions.net.

  • Windows host address: 172.16.2.197

  • LAN segment range: 172.16.2.0/24 (172.16.2.0 through 172.16.2.255)

  • Domain controller: 172.16.2.2

  • LAN segment gateway: 172.16.2.1

  • LAN segment broadcast address: 172.16.2.255

Analysis

Here we start! We run Slips to analyze the pcap:

./slips.py -c slips.conf -N -r <pcap-name>

-r tells Slips that the input is a pcap file. -N starts the Kalipso graphical interface automatically.

Figure 1: The initial state of Kalipso. The widget profile tree is filled with the profiles.

On the left, the profile tree widget lists the IP addresses of the profiles generated by Slips. For this capture Slips was configured in ‘out’ mode, which means that the time windows contain only the outgoing connections from the IP of the profile. The ‘out’ configuration is useful for detecting whether a host is infected.

This profile tree contains both external and private IP addresses with outgoing connections in their time windows. From the information about the pcap file, we know that the IP of our Windows host is 172.16.2.197. After we press ‘Enter’ on this IP, the list of time windows appears. In this case, we have time window 0 (zero) and time window 1 (one).

Figure 2: The timeline of the time window 1 in the profile of IP 172.16.2.197.

If we press ‘Enter’ on time window 1, a colorful timeline appears on the right.

The timeline represents the flows from Zeek’s conn.log, and almost every line has an additional interpretation from other Zeek logs, like dns.log or http.log. We can focus on the timeline using the ‘Tab’ key and scroll with the arrow keys or Vim [6] style keys.

Figure 3: The timeline for the time window 1 in the profile of IP 172.16.2.197.

The first thing that catches the eye is the text highlighted in red, ‘Not Recognized Established flow’, from the source IP to the destination IP 172.16.2.2. It means that these flows from the Zeek conn.log have no additional interpretation from other Zeek logs: Zeek was not able to identify the application protocol.

After these ‘Not Recognized Established flows’ there are several DNS requests. Then we can see some ‘Not Recognized Not Established flow’ lines to destination IP addresses other than the Domain Controller IP 172.16.2.2. If we focus on those lines and press ‘Enter’ on them one by one, the information about the destination IP appears in the upper box, the IP info box. This box shows the ASN, the geolocation and a Virus Total [7] analysis of the destination IP (from the Slips VirusTotal module).

Figure 4: The timeline for the time window 1 in the profile of IP 172.16.2.197 and information about destination IP addresses in the upper widget.

These are the destination IP addresses and their information as seen in Figure 2:

  • First IP - 128.0.54.51 - port 465/tcp - Data Invest sp. Z.o.o. S.K.A - Poland

  • Second IP - 111.65.230.89 - port 25/tcp - Voyager Internet Ltd. - New Zealand

  • Third IP - 185.22.201.25 - port 587/tcp - 10dencehispahard, S.L - Spain

  • Fourth IP - 82.223.190.138 - port 587/tcp - 1&1 Internet SE - Spain

It turns out that these are the IP addresses of the mail servers from the DNS requests above!

Figure 5. The timeline with DNS request and replies for the time window 1 in the profile of IP 172.16.2.197.

So the host resolves the IP addresses of mail server domains and tries to establish connections with them. It is possible that the host runs an email client, like eM Client or Mozilla Thunderbird, because the ports used to talk to mail servers are 587, 465 and 25 (SMTP and SMTPS); 143 and 993 (IMAP and IMAPS); and 110 and 995 (POP3 and POP3S). These are the protocols a device normally uses to communicate with a mail server.

If we scroll through the whole timeline, we observe that it consists of a large number of DNS requests for mail servers, each followed by attempts to establish communication with those mail servers.
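The reasoning in the last two paragraphs (many DNS lookups for mail servers, then connection attempts on mail ports to many distinct hosts) can be turned into a simple per-time-window check. The Python below is an added example written for this post, not a Slips module or detection: it takes a constructed timeline for one time window, counts MX queries, distinct mail servers contacted on the mail ports listed above and the share of attempts that never established, and flags the window when the number of distinct mail servers reaches a threshold. The threshold (5), the sample timelines and the record layout are assumptions for the example; a single mail client normally talks to one or two servers.

```python
# Ports the post lists for mail protocols (SMTP/SMTPS/submission, IMAP/IMAPS, POP3/POP3S).
MAIL_PORTS = {25, 465, 587, 143, 993, 110, 995}

# Zeek conn_state values meaning the TCP handshake never completed (assumed mapping).
FAILED_STATES = {"S0", "REJ"}


def _flow(ts, dst, dport, state, dns=None):
    """Constructed timeline record: one conn.log flow, optionally with its DNS interpretation."""
    return {"ts": ts, "dst": dst, "dport": dport,
            "proto": "udp" if dport == 53 else "tcp", "state": state, "dns": dns}


# Constructed time window of a suspicious profile: an MX lookup, then eight A lookups,
# each followed by a connection attempt to a different mail server (half of them fail).
SPAMMY_WINDOW = [_flow(0, "172.16.2.2", 53, "SF", ("example-mail.test", "MX"))]
for i in range(8):
    SPAMMY_WINDOW.append(_flow(10 + i, "172.16.2.2", 53, "SF", (f"mx{i}.example.test", "A")))
    SPAMMY_WINDOW.append(_flow(11 + i, f"198.51.100.{i + 1}", [25, 465, 587][i % 3],
                               "S0" if i % 2 else "SF"))

# Constructed time window of an ordinary mail client: one server, established sessions.
CLIENT_WINDOW = [
    _flow(0, "172.16.2.2", 53, "SF", ("imap.example.test", "A")),
    _flow(1, "203.0.113.10", 993, "SF"),
    _flow(600, "203.0.113.10", 993, "SF"),
    _flow(1200, "203.0.113.10", 587, "SF"),
]


def mail_evidence(window, distinct_servers_threshold=5):
    """Summarize mail-related activity in one time window and flag it if it looks like
    mass mailing: many distinct mail servers contacted on mail ports. The threshold is an
    assumption for this example."""
    mx_queries = sum(1 for f in window if f["dns"] and f["dns"][1] == "MX")
    servers, attempts, failed = set(), 0, 0
    for f in window:
        if f["proto"] == "tcp" and f["dport"] in MAIL_PORTS:
            attempts += 1
            servers.add(f["dst"])
            if f["state"] in FAILED_STATES:
                failed += 1
    failure_ratio = failed / attempts if attempts else 0.0
    return {
        "mx_queries": mx_queries,
        "mail_attempts": attempts,
        "distinct_mail_servers": len(servers),
        "failure_ratio": failure_ratio,
        "suspicious": len(servers) >= distinct_servers_threshold,
    }


if __name__ == "__main__":
    for name, window in (("spammy", SPAMMY_WINDOW), ("client", CLIENT_WINDOW)):
        print(name, mail_evidence(window))
```

The failure ratio and MX count are reported as supporting evidence rather than used to decide on their own: a host whose mail server is down also produces failed attempts, but it does not fan out to many distinct servers, which is what distinguishes the spammy window from the ordinary client here.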

Figure 6. The timeline with DNS requests for the time window 1 in the profile of IP 172.16.2.197.

M hotkey

Using the ‘M’ hotkey we can see the geolocations of all the destination IP addresses from the timeline on a map. It becomes visible that the IP of the profile was trying to connect everywhere it could.

Figure 7. The map of geolocations of all the destination IP addresses from the timeline for the time window 1 in the profile of IP 172.16.2.197.

H hotkey

The ‘H’ hotkey shows information about the Out Tuples. An Out Tuple is the combination of a destination IP address, a destination port and the protocol used for the communication. The table shows the following information for each out tuple:

  • Out Tuple

  • Behavioral letters [8] (Slips feature)

  • ASN

  • geo country

  • Virus Total summary

The behavioral letters describe each flow according to its duration, size and periodicity. As we scroll down, we can see the sequence of flows to each out tuple interpreted as behavioral letters. In our case it is mostly ‘21’, which means there is no periodicity, the durations of the flows were medium and small, and the sizes of the flows were small.
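To make the Out Tuple view concrete, here is an added Python example (written for this post, not code from Slips or the Stratosphere Testing Framework) that groups constructed flows of one time window by out tuple (destination IP, destination port, protocol) and, per tuple, summarizes the flows by duration class, size class and a periodicity estimate based on the spread of inter-arrival times. The class thresholds, the two-character codes and the periodicity rule are assumptions for the example and are deliberately simpler than the real behavioral letter model [8]; the sample flows are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flows of one profile's time window (not from the blog's pcap):
# (timestamp_s, dst_ip, dst_port, proto, duration_s, total_bytes)
FLOWS = [
    (0.0,   "10.0.0.5",   587, "tcp", 0.4, 120),
    (60.0,  "10.0.0.5",   587, "tcp", 0.5, 118),
    (120.0, "10.0.0.5",   587, "tcp", 0.4, 121),
    (180.0, "10.0.0.5",   587, "tcp", 0.6, 119),
    (5.0,   "10.0.0.6",   25,  "tcp", 0.3, 60),
    (47.0,  "10.0.0.6",   25,  "tcp", 0.2, 60),
    (300.0, "10.0.0.6",   25,  "tcp", 0.3, 60),
    (9.0,   "172.16.2.2", 445, "tcp", 2.0, 1700),
]


def duration_class(seconds):
    """Assumed thresholds for this example, not the Stratosphere letter model."""
    if seconds < 1.0:
        return "small"
    if seconds < 30.0:
        return "medium"
    return "large"


def size_class(nbytes):
    """Assumed thresholds for this example, not the Stratosphere letter model."""
    if nbytes < 500:
        return "small"
    if nbytes < 5000:
        return "medium"
    return "large"


def periodicity(timestamps):
    """Judge periodicity from the coefficient of variation of the inter-arrival times.
    Fewer than three flows give fewer than two gaps, which is not enough to decide."""
    if len(timestamps) < 3:
        return "unknown"
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg == 0:
        return "periodic"  # all flows at the same instant; no spread to measure
    cv = pstdev(gaps) / avg
    return "periodic" if cv < 0.2 else "not periodic"  # 0.2 is an assumed cut-off


def summarize_out_tuples(flows):
    """Return {"dst:port/proto": {"flows": n, "letters": codes, "periodicity": label}}.
    Each flow becomes a two-character code: first letter of its duration class, then
    first letter of its size class (e.g. 'ss' = small duration, small size)."""
    groups = defaultdict(list)
    for ts, dst, port, proto, duration, size in flows:
        groups[f"{dst}:{port}/{proto}"].append((ts, duration, size))
    summary = {}
    for out_tuple, items in groups.items():
        items.sort()  # chronological order, so the codes read as a sequence
        summary[out_tuple] = {
            "flows": len(items),
            "letters": ",".join(duration_class(d)[0] + size_class(s)[0] for _, d, s in items),
            "periodicity": periodicity([t for t, _, _ in items]),
        }
    return summary


if __name__ == "__main__":
    for out_tuple, info in summarize_out_tuples(FLOWS).items():
        print(f"{out_tuple:22} flows={info['flows']:2} {info['periodicity']:13} {info['letters']}")
```

In the constructed data the connections to 10.0.0.5:587/tcp arrive exactly every 60 seconds and come out as periodic, the ones to 10.0.0.6:25/tcp have irregular gaps and come out as not periodic, and the single flow to the domain controller cannot be judged at all, which is why a periodicity feature needs a minimum number of flows before it says anything.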

Figure 7. Table with Out Tuples from the timeline for the time window 1 in the profile of IP 172.16.2.197.

Analysis Conclusion

From this quick and brief overview of the pcap file we got the following evidence:

  1. A large number of DNS requests for mail servers

  2. The establishment of communication with a lot of mail servers

  3. The geolocations of the destination IP addresses

  4. A huge number of flows with the same behavior

We can conclude that the host may be infected. It is possible that malware on the host is trying to infect or spam other devices by sending emails from it. The traffic should therefore be inspected more deeply with packet analysis tools like Wireshark or tcpdump to confirm this theory.

Closing Notes

Slips and its interface Kalipso can be useful tools for detecting malicious behavior in traffic. Kalipso and its features provide a variety of tables and bars to summarize and compare the analyzed network traffic for each profile. With the help of stacked bars, it is possible to compare the amount of data sent and received by port number, protocol and IP. Tables with Out Tuples provide an overall description of each connection using behavioral letters and IP information. The map is a concise way to show the geolocations of connections. The full functionality of Kalipso is described in this link.

References:

[1] Stratosphere Linux IPS, https://github.com/stratosphereips/StratosphereLinuxIPS

[2] Zeek, https://www.zeek.org/

[3] blessed library, https://github.com/chjj/blessed

[4] blessed-contrib library, https://github.com/yaronn/blessed-contrib

[5] Redis, https://redis.io/

[6] Vim, https://www.vim.org/

[7] Virus Total, https://www.virustotal.com

[8] Behavioral letters, https://www.stratosphereips.org/stratosphere-testing-framework