Kaspersky Anti Targeted Attack Platform
7.0
English

Contents

Monitoring network sessions

Kaspersky Anti Targeted Attack Platform can scan traffic to detect network sessions that devices create to connect to other devices. The application registers detected network sessions and saves information that can help you analyze network activity of devices and download data about transmitted network packets from traffic dump files. Unlike links on the network interactions map, registered network sessions allow you to obtain more fine-grained information about device interactions, due in part to independent registration of sessions for different ports and protocols that are used for the interactions.

The application detects network sessions if the Network Session Detection method is enabled for the Asset Management technology. Network Session Detection can be performed when analyzing traffic arriving at monitoring points, as well as when receiving information from the Endpoint Agent component.

Each registered network session contains information about the connection between two devices that are parties to the interaction. A network session is characterized by the address information of the parties to the interaction (MAC and/or IP addresses), port numbers, and the application protocol that is used for the connection. The first device in a network session is usually the device that initiated the sending of network packets to the other device.

You can view the full list of protocols detected by Kaspersky Anti Targeted Attack Platform by downloading the file from the link below.

icon_download_file_from_help Protocols detected by Kaspersky Anti Targeted Attack Platform

A network session is considered closed if no network packets have been sent for one minute or if the Network Session Detection technology becomes disabled on the relevant node or monitoring point.

When an exceedingly large number of network sessions is detected, the application applies the following session registration restrictions:

  • The number of registered sessions between two interacting parties using the same application protocol may not exceed 1000 per minute.
  • The total number of registered sessions between the two parties may not exceed 5000 per minute.

The application stores information about network sessions in a database on the Central Node server. The total amount of stored records cannot exceed the configured limit. If the amount exceeds the limit, the application automatically deletes 10% of the oldest records.

In distributed solution

and
multitenancy
mode, information about network sessions of SCN servers is not displayed on the PCN.

In this section

Network sessions table

Viewing network session details

Downloading network session traffic

Searching network packets

Preconfigured network packet search rules
Page top
[Topic 257980]

Network sessions table

To view the list of network sessions:

  1. Select the Network map section in the application web interface window.
  2. Go to the Network sessions tab.

The network sessions table is displayed.

The table contains the following information:

  • Status is the status of the network session. A registered network session can have one of the following statuses:
    • Active. This status is assigned when a network session is registered and is retained as long as the devices keep sending network packets within this session.
    • Closed. This status is assigned to a network session if no network packets have been sent for one minute or if the Network Session Detection technology becomes disabled on the relevant node or monitoring point.
  • Side 1 is the MAC and/or IP addresses of one of the sides of the network interaction. The display of MAC and IP addresses can be turned on and off.
  • Side 1 port is the port number of the first side of the interaction.
  • Side 2 is the MAC and/or IP addresses of the other side of the network interaction. The display of MAC and IP addresses can be turned on and off.
  • Side 2 port is the port number of the second side of the interaction.
  • Device 1 is the name of the device known to the application, which corresponds to the address information of the first side of the interaction.
  • Device 2 is the name of the device known to the application, which corresponds to the address information of the second side of the interaction.
  • Transfer protocol is the name of the transport protocol used in the network session.
  • Application protocol is the name of the application layer protocol used in the network session.
  • Current speed is the current data transfer rate for the network session.
  • Average speed is the average data transfer rate for the network session.
  • Total transmitted is the number of bytes transmitted during the network session.
  • Monitoring points lists the names of monitoring points that have received traffic for the network session.
  • Start is the date and time of the first network packet in the network session or the date and time of the beginning of the time period defined by data from an EPP application.
  • Last interaction is the date and time of the last network packet in the network session or the date and time of the end of the time period defined by data from an EPP application (if only one packet was received in the network session, this value is the same as the Start).
  • Number of packets is the number of network packets transmitted during the network session.

When viewing the table of network sessions, you can configure, filter, and sort the network sessions, as well as navigate to related items and export data.

Page top
[Topic 257982]

Viewing network session details

Detailed information about a network session includes information from the Network sessions table, as well as the name of the application that was active when the network session was initiated (if Kaspersky Anti Targeted Attack Platform was able to determine the name of the application).

To view the details of a network session:

  1. Select the Network map section in the application web interface window.
  2. Go to the Network sessions tab.
  3. Click the line with the relevant session.

This opens a window with information about the network session.

Page top
[Topic 258268]

Downloading network session traffic

When viewing the table of network sessions, you can download traffic related to the selected network sessions. Traffic is downloaded as a PCAP file. To download only the data you need, you can configure network packet filtering.

The application downloads traffic of network sessions from traffic dump file storages. Traffic can be downloaded from the internal storage that was automatically created as part of the Sensor installation process, as well as an external storage if one is connected.

When downloading network session traffic, consider the following:

  • Traffic can be downloaded only for those network sessions that were registered when analyzing traffic that arrived at the monitoring points. If a network session was registered based on information received from the Endpoint Agent component, you cannot download the traffic of such a session.
  • Traffic dump files are stored in storages temporarily and are automatically deleted as new traffic arrives (the rotation period depends on the amount of traffic and the application storage configuration). You cannot downloading traffic for a network session if the corresponding traffic dump files have already been deleted from storages.

To download network session traffic:

  1. Select the Network map section in the application web interface window.
  2. Go to the Network sessions tab.
  3. Select check boxes next to network sessions whose traffic you want to download.

    You can select a maximum of 100 network sessions.

  4. Click Download traffic.

    The details area is displayed in the right part of the web interface window.

  5. Do the following:
    • If you want to download traffic for a certain period of time, set the bounds using the Period of traffic to download setting.

      By default, the maximum possible period is chosen, starting from the date and time when the earliest network session was established and ending with the date and time when the latest session in the selection ended. If necessary, you can move the bounds within this period or set an empty value for one of the bounds (for example, for the right bound to download new traffic of sessions that have not ended yet).

    • Under Download volume limit, set the maximum amount of traffic to download.

      If the amount of downloaded traffic exceeds the specified limit, the newest traffic is dropped.

    • If necessary, enable filtering under Filtering by monitoring points and specify the monitoring points that got the traffic that you need.

      By default, the monitoring points that got the traffic of selected network sessions are specified.

    • If necessary, enable filtering in the Filtering by address spaces section and specify the address spaces to which the addresses in the network packets of the selected network sessions belong (this section is displayed if additional address spaces are added to the application).

      By default, all address spaces created in the application are specified.

    • If necessary, enable filtering under Filtering using BPF and enter an expression for filtering using the BPF (Berkley Packet Filter) technology by address parameters in network packets of the selected network sessions.

      Example of a filter expression:
      tcp port 102 or tcp port 502

    • If necessary, enable filtering under Filtering using regular expressions and enter a regular expression for filtering by the payload data of network packets of the selected network sessions.

      Example of a filtering expression:
      ^test.+xABxCD

  6. Click Download.
  7. If file generation takes a long time (more than 15 seconds), the file generation operation becomes a background operation. In that case, follow these steps to download the file:
    1. Click the Arrow pointing to a tray icon. button in the application web interface menu.

      This opens the list of background operations.

    2. Wait for the file generation operation to complete.
    3. Click the Download file button.

Your browser saves the downloaded file. Depending on your browser's settings, a window may be displayed on your screen in which you can specify the path and name of the downloaded file.

Page top
[Topic 258283]

Searching network packets

You can find and view the traffic related to the selected network packets. If necessary, you can download dumps of the found traffic.

To find traffic related to the selected network packets:

  1. Select the Network map section in the application web interface window.
  2. Go to the Network sessions tab.
  3. Click Search in packets.

    This opens the window with network packet search settings.

  4. Do the following:
    • In the Period of traffic to download field, set the bounds within which you want to search network packets.
    • If necessary, enable filtering under Filtering using BPF and enter an expression for filtering using the BPF (Berkley Packet Filter) technology by address parameters in network packets of the selected network sessions. The BPF filtering expression is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.

      Example of a filter expression:
      tcp port 102 or tcp port 502

    • If necessary, enable filtering in the Filtering using regular expressions section and enter an expression for filtering based on payload data in network packets.

      Example of a filtering expression:
      ^test.+xABxCD

    • If necessary, enable filtering under Filtering by monitoring points and specify the monitoring points from which you want to get traffic.
    • If necessary, enable filtering under Filtering by address spaces and specify the address spaces to which the addresses in network packets belong.
  5. Click Search.

    The table displays data that match the filtering criteria.

  6. If you want to download the dumps of the found network packets, click Download.

Raw network traffic dumps are downloaded in PCAP format.

Page top
[Topic 292608]

Preconfigured network packet search rules

You can search in traffic using preconfigured rules that use BPF and regular expressions.

To search network packets using a preconfigured rule:

  1. Select the Network map section in the application web interface window.
  2. Go to the Network sessions tab.
  3. Click Search in packets.

    This opens the window with network packet search settings.

  4. In the Period of traffic to download field, set the bounds within which you want to search network packets.
  5. In the table below, copy a filtering expression from the Filtering using BPF or Filtering using regular expressions column and paste it into the corresponding section of the web interface for searching in network packets.
  6. Click Search.

The table displays data that match the filtering criteria.

The preconfigured rules are listed in the table below.

Preconfigured network packet search rules

Purpose of the rule

Filtering using BPF

Filtering using regular expressions

Explanation

Example

Searching traffic by IP address

host <address>

 

<address> is an IPv4 address

host 10.10.0.1

Searching traffic between two hosts

host <address1> and host <address2>

 

<address1> and <address2> are IPv4 addresses

host 10.10.0.1 and host 10.10.0.2

Searching for traffic of an individual TCP session

tcp <port1> and host <address1> and tcp <port2> and host <address2>

 
  • <address1> and <address2> are communication IPv4 addresses
  • <port1> and <port2> are communication ports

tcp port 80 and tcp port 53567

and host 10.10.0.1 and host 10.10.0.2

Searching for traffic by multiple IP addresses

host <address1> or host <address2> or ... host <addressN>

 

<address 1-N> are IPv4 addresses

host 10.10.0.1 and host 10.10.0.2 and host 10.10.0.3

Finding all DNS queries from a group of hosts

udp and dst port 53 and ( src host <address1> or src host <address2> or ... src host <addressN> )

 

<address 1-N> are IPv4 addresses

udp and dst port 53 and ( src host 10.10.0.1 or src host 10.10.0.2 )

Searching for HTTP traffic

 

" HTTP/"

The filter must be used without quotes

 

Searching for DNS traffic

udp dst port 53 or tcp dst port 53

 

Standard DNS only

 

Searching for HTTP traffic with a GET request to a certain domain

tcp port 80 or tcp port 8000 or tcp port 8080 or tcp port 8888

GET.{1,1000}<domain>

<domain> is the domain to be found

 

Searching for ICMP traffic of a specific host

icmp and host <address>

 

<address> is an IPv4 address

icmp and host 10.10.10.1

Searching for authentication data transmitted as plain text

tcp port 80 or tcp port 8000 or tcp port 8080 or tcp port 8888 or port ftp or port smtp or port imap or port pop3 or port

telnet

"pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|Username:|Password:|login:|pass |user|VXNlcm5hbWU6|UGFzc3dvcmQ6|LOGIN |USER|PASS "

The filter must be used without quotes

 

Searching for TCP sessions in which the host acts as a client

tcp[tcpflags] = tcp-syn and host <address>

 

<address> is an IPv4 address

tcp[tcpflags] = tcp-syn and host 10.10.10.1

Searching for HTTP traffic in a given subnet

net xx.xx.xx.xx/yy and ( port 8080 or port 80 )

 

xx.xx.xx.xx/yy is an IPv4 subnet with mask

net 10.10.10.0 /24 and ( port 8080 or port 80 )

Searching for local interaction traffic

ip and src net (10 or 172.16/12 or 192.168/16) and dst net (10 or 172.16/12 or 192.168/16)

 

 

 

Searching for traffic of interaction with objects on the internet

ip and not (src net (10 or 172.16/12 or 192.168/16) and dst net (10 or 172.16/12 or 192.168/16)) and not multicast and not broadcast and not net 169.254/16

 

 

 

Searching for traffic by the UserAgent field in HTTP traffic

User-Agent:

 

 

 

Page top

[Topic 294702]