
Net Sensor

ISIS

This project aims to be a general-purpose, modular network-analysis suite for use in research, diagnostics, forensics, and statistics-gathering. It monitors traffic on an Ethernet interface, performs some preprocessing on each packet (such as locating the start of the packet's payload), and passes it along to any number of modules. A module is an ELF shared object which may maintain state, write data out to disk using the Berkeley DB-backed Writer library, or send e-mail using the SMTP library. In addition to processing packets from the network, a module can also accept input from any number of other modules.
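The preprocessing step mentioned above, locating where a packet's payload begins, is the part of a sensor that touches untrusted length fields first. The following is an added example, written for this page and not taken from the Net Sensor source, of how that offset can be computed for an Ethernet/IPv4 frame as libpcap would hand it over. The constant names, the sample frame and the helper functions are this example's own; every header length is checked against the captured length before it is trusted, and non-first IP fragments are refused because they carry no transport header.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Link-layer and protocol constants (standard wire values, spelled out here so
   the example needs no system headers beyond libc). */
#define ETH_HLEN        14
#define ETHERTYPE_IP    0x0800
#define ETHERTYPE_VLAN  0x8100
#define PROTO_TCP       6
#define PROTO_UDP       17

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Compute the byte offset of the transport payload inside a captured frame.
   Returns the offset, or -1 if the frame is truncated, not IPv4, a non-first
   fragment, or carries a transport protocol other than TCP/UDP.  Every length
   field (IHL, IP total length, TCP data offset) is validated against caplen
   before use, so a crafted header can never push a module past the buffer. */
int payload_offset(const uint8_t *frame, size_t caplen, int *proto_out)
{
    if (caplen < ETH_HLEN) return -1;
    size_t off = ETH_HLEN;
    uint16_t ethertype = rd16(frame + 12);

    if (ethertype == ETHERTYPE_VLAN) {             /* skip one 802.1Q tag */
        if (caplen < off + 4) return -1;
        ethertype = rd16(frame + off + 2);
        off += 4;
    }
    if (ethertype != ETHERTYPE_IP) return -1;

    if (caplen < off + 20) return -1;
    const uint8_t *ip = frame + off;
    if ((ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;       /* header length incl. options */
    if (ihl < 20 || caplen < off + ihl) return -1;
    size_t total = rd16(ip + 2);
    if (total < ihl || off + total > caplen) return -1;  /* claimed length exceeds capture */
    if ((rd16(ip + 6) & 0x1fff) != 0) return -1;         /* non-first fragment: no transport header */
    int proto = ip[9];
    off += ihl;

    if (proto == PROTO_TCP) {
        if (caplen < off + 20) return -1;
        size_t doff = (size_t)(frame[off + 12] >> 4) * 4;  /* incl. TCP options */
        if (doff < 20 || caplen < off + doff) return -1;
        off += doff;
    } else if (proto == PROTO_UDP) {
        if (caplen < off + 8) return -1;
        off += 8;
    } else {
        return -1;
    }
    if (proto_out) *proto_out = proto;
    return (int)off;
}

/* Constructed sample frame: Ethernet / IPv4 / TCP carrying the start of an HTTP request. */
static const uint8_t SAMPLE_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet, type IPv4 */
    0x45,0x00, 0x00,0x38, 0x00,0x01, 0x40,0x00, 0x40,0x06, 0x00,0x00,       /* IPv4: len 56, DF, TTL 64, TCP */
    10,0,0,1, 10,0,0,2,                                                    /* 10.0.0.1 -> 10.0.0.2 */
    0x9c,0x40, 0x00,0x50, 0,0,0,1, 0,0,0,1, 0x50,0x18, 0xff,0xff, 0,0, 0,0,  /* TCP: 40000 -> 80, doff 5, PSH|ACK */
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','1','\r','\n'        /* 16-byte payload */
};

/* Payload offset of the intact sample frame (14 + 20 + 20 = 54). */
int sample_offset(void) { return payload_offset(SAMPLE_FRAME, sizeof SAMPLE_FRAME, NULL); }

/* The same frame captured with a snaplen that cuts it short: must be rejected. */
int sample_offset_truncated(size_t snaplen)
{
    if (snaplen > sizeof SAMPLE_FRAME) snaplen = sizeof SAMPLE_FRAME;
    return payload_offset(SAMPLE_FRAME, snaplen, NULL);
}

/* The same frame rewritten as a non-first IP fragment: must be rejected. */
int sample_offset_fragment(void)
{
    uint8_t buf[sizeof SAMPLE_FRAME];
    memcpy(buf, SAMPLE_FRAME, sizeof buf);
    buf[14 + 6] = 0x00; buf[14 + 7] = 0x01;    /* flags 0, fragment offset 1 (in 8-byte units) */
    return payload_offset(buf, sizeof buf, NULL);
}

int main(void)
{
    int proto = 0;
    int off = payload_offset(SAMPLE_FRAME, sizeof SAMPLE_FRAME, &proto);
    printf("payload at offset %d (proto %d): %.*s", off, proto,
           (int)(sizeof SAMPLE_FRAME - (size_t)off), (const char *)SAMPLE_FRAME + off);
    return 0;
}
```

The value returned for the sample is 54; the truncated and fragment variants return -1. Returning a single offset rather than a pointer keeps the caller honest about bounds: a module still has to compare the offset against the captured length before reading.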

Sensor Modules

There are currently three sensor modules included:

HTTP (sensor/modules/http)

  • Stateful HTTP parser that maintains a table of active HTTP sessions

HTTP Logger (sensor/modules/httpLog)

  • Logs HTTP session headers to disk
  • HTTP session headers may be read back from disk with the dumpHTTP utility (tools/dumpHTTP)

BitTorrent (sensor/modules/bt)

  • Detects .torrent file downloads over HTTP
  • Detects communication with HTTP BitTorrent trackers
  • Detects communication with UDP BitTorrent trackers
  • Sends detailed e-mail notifications of any of the above activities to any number of e-mail addresses
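The page does not describe how the BitTorrent module recognises the three kinds of traffic it reports on, so the following is an added example of detection heuristics written for this page, not the module's own logic. It assumes the HTTP module has already reassembled a request and hands its text to the caller; a request-target ending in `.torrent` is taken as a metainfo download, and a path containing `announce` whose query carries the two mandatory tracker parameters from BEP 3 (`info_hash` and `peer_id`) as a tracker announce. For UDP, it checks for the fixed 64-bit protocol id `0x41727101980` that every BEP 15 connect request opens with. The sample requests and datagrams are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum bt_event { BT_NONE = 0, BT_TORRENT_FILE = 1, BT_TRACKER_ANNOUNCE = 2 };

/* Classify an HTTP request by its request line alone (METHOD SP target SP version).
   Only the first line is parsed, so a space inside a later header cannot confuse it. */
enum bt_event classify_http_request(const char *req)
{
    char target[1024];
    size_t linelen = strcspn(req, "\r\n");
    const char *sp1 = memchr(req, ' ', linelen);
    if (!sp1) return BT_NONE;
    const char *tstart = sp1 + 1;
    const char *sp2 = memchr(tstart, ' ', linelen - (size_t)(tstart - req));
    if (!sp2) return BT_NONE;
    size_t tlen = (size_t)(sp2 - tstart);
    if (tlen == 0 || tlen >= sizeof target) return BT_NONE;   /* oversized targets are not classified */
    memcpy(target, tstart, tlen);
    target[tlen] = '\0';

    char *query = strchr(target, '?');          /* split path from query string */
    if (query) *query++ = '\0';

    size_t plen = strlen(target);
    if (plen >= 8 && strcmp(target + plen - 8, ".torrent") == 0)
        return BT_TORRENT_FILE;
    if (query && strstr(target, "announce") &&
        strstr(query, "info_hash=") && strstr(query, "peer_id="))
        return BT_TRACKER_ANNOUNCE;
    return BT_NONE;
}

/* BEP 15: a UDP tracker connect request is 16 bytes, opening with the fixed
   protocol id 0x41727101980 (big-endian int64) followed by action 0 (connect). */
static const uint8_t UDP_TRACKER_PROTO_ID[8] = {0x00,0x00,0x04,0x17,0x27,0x10,0x19,0x80};

int is_udp_tracker_connect(const uint8_t *payload, size_t len)
{
    return len >= 16 &&
           memcmp(payload, UDP_TRACKER_PROTO_ID, 8) == 0 &&
           payload[8] == 0 && payload[9] == 0 && payload[10] == 0 && payload[11] == 0;
}

static const char *bt_event_name(enum bt_event e)
{
    switch (e) {
    case BT_TORRENT_FILE:     return "torrent file download";
    case BT_TRACKER_ANNOUNCE: return "HTTP tracker announce";
    default:                  return "none";
    }
}

/* Constructed sample traffic (hosts and values are placeholders). */
static const char REQ_TORRENT[]  = "GET /dl/distro-11.iso.torrent HTTP/1.1\r\nHost: mirror.example\r\n\r\n";
static const char REQ_ANNOUNCE[] = "GET /announce?info_hash=%12%34%56&peer_id=-XX0001-abcdefghijkl&port=6881 HTTP/1.0\r\nHost: tracker.example\r\n\r\n";
static const char REQ_PLAIN[]    = "GET /index.html?peer_id=x HTTP/1.1\r\nHost: www.example\r\n\r\n";
static const uint8_t UDP_CONNECT[16]  = {0x00,0x00,0x04,0x17,0x27,0x10,0x19,0x80, 0,0,0,0, 0xde,0xad,0xbe,0xef};
static const uint8_t UDP_DNS_LIKE[12] = {0x12,0x34,0x01,0x00, 0,1, 0,0, 0,0, 0,0};

int main(void)
{
    const char *reqs[] = { REQ_TORRENT, REQ_ANNOUNCE, REQ_PLAIN };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("request %zu: %s\n", i, bt_event_name(classify_http_request(reqs[i])));
    printf("udp sample 1: %s\n", is_udp_tracker_connect(UDP_CONNECT, sizeof UDP_CONNECT) ? "tracker connect" : "none");
    printf("udp sample 2: %s\n", is_udp_tracker_connect(UDP_DNS_LIKE, sizeof UDP_DNS_LIKE) ? "tracker connect" : "none");
    return 0;
}
```

The announce check deliberately requires both `info_hash` and `peer_id` rather than the path alone, since `peer_id` on its own appears in unrelated URLs (the third sample); a production module would also want to confirm the response `Content-Type` (`application/x-bittorrent`) before raising an e-mail notification, to keep false positives out of the alert stream.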

Requirements

The code is C/C++ and has the following dependencies:

  • libpcap (0.9.8 through 1.1.1 tested)
  • Berkeley DB (4.4 through 5.1 tested)
  • libESMTP (1.0.4 tested)

Operating systems tested:

  • FreeBSD (7.1 through 8.2)
  • GNU/Linux (kernel 2.6.32, glibc 2.11.1)

Microarchitectures tested:

  • i386
  • amd64
  • sparc64

Compilers tested:

  • GCC 4.2.1
  • GCC 4.4.3
  • Clang/LLVM 2.8

Download

Download: Net Sensor 0.8.0

Upcoming Features

  • Build Infrastructure
    • NetBSD support
    • OpenBSD support
    • Mac OS X support
    • Automatic detection of Berkeley DB versions on BSD and OS X
  • Sensor
    • IPv6 support
  • Sensor Modules
    • Optional compression for on-disk records
  • HTTP Sensor Module
    • Chronological ordering of HTTP messages, as opposed to all requests followed by all replies
  • dumpHTTP Utility
    • Filtering by client and server IP addresses
    • Filtering by HTTP headers

Release History

  • 0.8.0 (March 1st, 2011)
    • Initial release.

Participants:

Boris Kochergin