Who is in Your Network?

It is not a question about if but when someone will be eavesdropping on your network. It might not be a “break in” but a “break out”! Do you know how common it is to have your applications and systems communicate out to a third party? Way too often that communication is not known to you, nor even secure.

When I moved to the USA I found a company, LogRhythm, that developed a state of the art network monitor. I rarely blog about the company I work for but with the latest freemium version of NetMonI feel that the word needs to get out.  The NetMon is a treasure for easy network forensics, understanding what is happening on the network or what has happened on your network.

With the freemium choice of NetMon you currently get  up to  1Gbps real time processing. For licensed server installations you get up to 10 Gbps 🙂

For the person that just want to try it out,  installing it on a VM is a breeze. (I recommend VirtualBox VM). After a quick download and and a few minutes of installation you can set it up and inspect data that is going to/from your host system. For most users that is maybe not enough. We want to see the data on our network, whether it is on our home or corporate network. For less than $100 bucks you can buy cheap hardware to set it up on your home network, or use that computer that is just collecting dust now and turn it into a network inspection machine.

One very interesting use case that has proved its value time and time again is the DPA – Deep Packet Analytics. The Lua programming language coupled with an API to NetMon’s packet processing engine allows the interested to tap into the full, rich, metadata that is generated from your network traffic. Writing DPA rules that take action, alarms or create searchable metadata tags is easy if you have even a moderate skill in writing scripts.

NetMon comes with several system rules that can be disabled or enabled, copied to be modified and studied to learn best coding practices from. Some valuable rules that have had immense value for some customers and freemium users are:

– Detecting of clear text credentials (read: passwords)
– Detecting of USA and Canadian bank account information
– Detecting of SSNs
– Detecting data exfiltration

The DPA coupled with extremely easy to make dashboards makes NetMon a true gem that I highly recommend you to explore.

Good luck and don’t hesitate to reach out to me here or through the LogRhythm’s NetMon forum.


Some interesting blog posts about NetMon that might peak your interest

  1. Detecting Home Network Issues with Network Monitor
  2. How to build a Miniature Network Monitor Device
  3. 2.47 minute long, corporate,  video that does a surprisingly good description of NetMon 
  4. Clear text credentials detection: from search to DPA rule 
  5. Search and DPA detection of sensitive personal information
  6. Detection of a “Break out” from a home network
  7. Detection of beaconing malware  (which could be a precursor to ransomware)
  8. How to show DPA created metadata in custom dashboards

About kjellkod

Software Engineer by trade, (former?) Martial Artist and Champion by strong will and small skill... and a Swede by nationality :)
This entry was posted in NetMon, Security and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s