Tutorial Introduction

Analysis of network traffic allows us to explore events in the monitored network, even retrospectively. It benefits from the fact that it is almost impossible to maliciously tamper with the captured data (as opposed to system logs, for example), so it is a reliable source that suitably complements cyber incident investigation. Network traffic analysis is currently performed with tools such as Wireshark or Arkime, which allow manual data browsing, filtering and aggregation and provide interactive visualizations, but which do not account for the fact that the human brain perceives the data as associations, i.e. as a graph.

This tutorial shows how network traffic analysis can be adapted to human thinking. It introduces the Granef toolkit (https://granef.csirt.muni.cz/), which transforms network data into a format suitable for a graph database while preserving the natural perception of network traffic. Through a simple exercise, it shows how to use the toolkit and how to work with the analytical interface.
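As an added illustration of the graph view described above (example code written for this tutorial, not Granef's own implementation), the following Python parses a constructed, Zeek-style connection log, turns hosts into nodes and connections into directed edges, and answers two association questions an analyst typically asks: which hosts contacted a given responder, and which hosts sit within N hops of a suspect host. The log layout, field names and all addresses are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample in a Zeek-like conn.log layout (tab-separated, header row).
# Addresses are documentation ranges, not taken from the tutorial PCAP.
SAMPLE_CONN_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1573562000.1\t10.11.12.101\t49152\t10.11.12.1\t53\tudp\tdns
1573562000.5\t10.11.12.101\t49153\t203.0.113.10\t80\ttcp\thttp
1573562001.0\t10.11.12.101\t49154\t198.51.100.7\t443\ttcp\tssl
1573562002.0\t10.11.12.102\t49155\t203.0.113.10\t80\ttcp\thttp
1573562003.0\t10.11.12.103\t49156\t10.11.12.1\t53\tudp\tdns
"""


def parse_conn_log(text):
    """Parse a tab-separated connection log with a header row into dicts."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def build_graph(records):
    """Host graph: graph[src][dst] is the list of connections src -> dst."""
    graph = defaultdict(lambda: defaultdict(list))
    for rec in records:
        graph[rec["id.orig_h"]][rec["id.resp_h"]].append(rec)
    return graph


def originators_of(graph, responder):
    """Hosts that initiated at least one connection to `responder`."""
    return {src for src, dsts in graph.items() if responder in dsts}


def hosts_within(graph, start, hops):
    """Hosts associated with `start` within `hops` edges, ignoring direction.
    Returns {host: distance}; a breadth-first walk over the host graph."""
    undirected = defaultdict(set)
    for src, dsts in graph.items():
        for dst in dsts:
            undirected[src].add(dst)
            undirected[dst].add(src)
    seen, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        if seen[node] == hops:
            continue  # do not expand beyond the requested radius
        for nxt in undirected[node]:
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return seen
```

With the sample above, the two-hop neighbourhood of 10.11.12.101 already links it to 10.11.12.102 (shared web server) and 10.11.12.103 (shared DNS resolver), which is exactly the kind of association a flat packet list hides.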

Requirements

The following commands are for the Linux environment, but the Granef toolkit can also be run on Windows. If you are using Windows, make sure that your Docker or Podman environment is working.

Required tools

Granef toolkit

Toolkit URL: https://granef.csirt.muni.cz/

Download the Granef control script (use git clone or download it as a zip archive) and install it using Python pip:

linux:$ git clone https://gitlab.ics.muni.cz/granef/granef.git && cd granef
# Alternatively you can download the zip archive
# linux:$ wget https://gitlab.ics.muni.cz/granef/granef/-/archive/master/granef-master.zip
# linux:$ unzip granef-master.zip && cd granef-master
linux:$ pip3 install -e .

Alternatively, the toolkit can be installed in the Python virtual environment using the following commands:

linux:$ python3 -m venv granef-venv
linux:$ source granef-venv/bin/activate
(granef-venv) linux:$ pip3 install -e .
# Use this environment for granef run
# Deactivate the environment when no longer needed
(granef-venv) linux:$ deactivate

Verify that everything works and the script executes correctly:

linux:$ granef -h
usage: granef [-h] [-c CONFIGURATION_FILE]
              (-p | -n | -r {images,network,operations,all} | -o {extraction,transformation,indexing,handling,analysis} | -a)
              [-t {run,stop,start,remove}] [-i INPUT_FILE_OR_DIRECTORY_PATH] [-s CASE_NAME]
              [-l {debug,info,warning,error,critical}]

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIGURATION_FILE, --configuration CONFIGURATION_FILE
                        Configuration file
  -p, --pull            Pull all images
  -n, --network         Create network
  -r {images,network,operations,all}, --remove {images,network,operations,all}
                        Remove specified objects
  -o {extraction,transformation,indexing,handling,analysis}, --operation {extraction,transformation,indexing,handling,analysis}
                        Select operation
  -a, --all             Setup containers environment and perform all operations
  -t {run,stop,start,remove}, --task {run,stop,start,remove}
                        Select operation task
  -i INPUT_FILE_OR_DIRECTORY_PATH, --input INPUT_FILE_OR_DIRECTORY_PATH
                        Input file or directory path
  -s CASE_NAME, --source CASE_NAME
                        Case name stored as a source to each node
  -l {debug,info,warning,error,critical}, --log {debug,info,warning,error,critical}
                        Log level

Dataset preparation

(This tutorial uses a PCAP file from malware-traffic-analysis.net page with various analysis exercises prepared by Brad Duncan.)

The tutorial follows the "Okay-boomer" exercise (see details at https://www.malware-traffic-analysis.net/2019/11/12/index.html). Download the archive containing the PCAP file and extract it using the password infected. You can do this manually or use the following commands:

linux:$ mkdir tutorial-data && cd tutorial-data
linux:$ wget https://is.muni.cz/www/milan.cermak/granef-tutorial/2019-11-12-traffic-analysis-exercise.zip
--2022-04-26 15:16:18--  https://is.muni.cz/www/milan.cermak/granef-tutorial/2019-11-12-traffic-analysis-exercise.zip
Resolving is.muni.cz (is.muni.cz)... 147.251.49.10
Connecting to is.muni.cz (is.muni.cz)|147.251.49.10|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9186864 (8.8M) [application/zip]
Saving to: ‘2019-11-12-traffic-analysis-exercise.zip’

2019-11-12-traffic-analysis-exer 100%[========================================================>]   8.76M   517KB/s    in 14s

2022-04-26 15:16:33 (643 KB/s) - ‘2019-11-12-traffic-analysis-exercise.pcap.zip’ saved [9182767/9182767]

linux:$ 7z x 2019-11-12-traffic-analysis-exercise.zip -p"infected"

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=C.UTF-8,Utf16=on,HugeFiles=on,64 bits,16 CPUs AMD Ryzen 7 PRO 7840U w/ Radeon 780M Graphics   (A70F41),ASM,AES-NI)

Scanning the drive for archives:
1 file, 9186864 bytes (8972 KiB)

Extracting archive: 2019-11-12-traffic-analysis-exercise.zip
--
Path = 2019-11-12-traffic-analysis-exercise.zip
Type = zip
Physical Size = 9186864

Everything is Ok

Size:       11439800
Compressed: 9186864
linux:$ mv 2019-11-12-traffic-analysis-exercise.pcap tutorial.pcap && rm *.zip && cd ..