Project 8 - Extending Wireshark Analysis

Primary mentor: Guillaume Arcas (FR)
Student: Jakub Zawadzki


Project Overview:


In this project I'll work on extending Wireshark with plugins: WireShnork, WireshAV, WireSocks and WireViz

  • WireShnork plugin that would support applying Snort IDS rules and signatures against pcap files. This would be useful for network forensics, allowing analysts to automatically colorise packets that match a particular Snort IDS signature.
  • WireshAV plugin that would allow scanning captured files with antivirus engines
  • WireBrowse plugin which would allow access to some Wireshark functionality from a web browser
  • WireSocks HTTP/SOCKS5 "proxy" plugin that would allow any browser (with proxy support :)) to get the contents of sniffed web pages (with css, images, javascript, and other files) that were saved inside a pcap file
  • WireViz GUI plugin which would allow generating connection graphs with Graphviz


Project Plan:

  • 26 April - 23 May Getting familiar with Snort IDS, looking at rule examples.
  • 24 May - 10 June Working on WireShnork plugin
  • 11 June - 19 June Exams time
  • 19 June - 23 June WireshAV plugin
  • 24 June - 29 June Working on WireSpade plugin
  • 30 June - 3 July Working on WireBrowse plugin
  • 4 July - 9 July Working on WireSocks plugin
  • 10 July - 13 July Working on WireViz plugin
  • 14 July - 18 July Alpha version of plugins, working on documentation, adding missing features, fixing bugs
  • 19 July - 25 July Holidays
  • 26 July - 14 August Beta version of plugins, working on documentation, fixing bugs
  • 15 August - 26 August End of GSoC - Final tests and final release of plugins


Updates:

  1. 15 August - 22 August
  2. 8 August - 14 August
    • Testing (maybe beta version of plugins)
    • Working on documentation
    • General code cleanup, bug fixing
  3. 18 July - 24 July
  4. 11 July - 17 July
  5. 4 July - 10 July
    • Working on WireSocks
    • Playing with GraphViz API
  6. 28 June - 3 July
    • Binary (Linux i686 / Linux AMD64) versions of the WireShnork and WireshAV plugins
    • Working on documentation
    • WireBrowse plugin:
      • Packet List (with packet details and hexdump)
      • Connection List (in Wireshark it's Summary->Conversations)
  7. 22 June - 27 June
    • Add support for WireshAV to scan files embedded in other protocols like: ftp/nfs/samba/IMF (pop3+imap+smtp)
    • Try to use clamd (it should speed up plugin initialization)
  8. 15 June - 21 June
    • Finished one of my school projects; it's Wireshark and Honeynet related (but not GSoC!) and you might find it interesting: Sniffing using iptables
    • Working on ClamAV support for WireshAV
    • WireshAV: Scan files in HTTP protocol
  9. 8 June - 14 June
    • Played a little with libclamav (the API to the ClamAV engine). The idea is to create a Wireshark plugin that would scan the capture file for viruses (extra project approved by mentor)
    • Generally little time for GSoC ;/ Finishing projects and studying for exams takes a lot of time. Luckily WireShnork works quite well.
  10. 1 June - 7 June
    • Trivial: Change filter name from wireshnort.* to snort.*
    • Add checks for some corner cases (no snort installed, bad configuration file, etc...), and display some nice errors
    • Parse /etc/snort/{gen, sid}-msg.map (dropped)
    • Tested plugin with older snort (2.8.6), fixed some reading issues (again ;/)
    • (maybe) add support for parsing output generated by -A console:full and -A console:test (dropped, 2.8.x doesn't support these outputs)
    • Cool feature: synchronization. tshark -r ... -V displays the snort tree; it's also possible to filter snort alerts on the 1st run
  11. 24 May - 31 May
    • Initial, working version of WireShnork plugin. For now I am parsing the output of /usr/bin/snort -A console
  12. 26 April - 12 May
    • I've installed Snort, looked at the Snort config parser, read the Snort Users Manual (http://www.snort.org/assets/166/snort_manual.pdf)
    • Inside the Snort Users Manual I've found an interesting -A unsock option. UNIX sockets or stdio can be used to communicate with Wireshark (if we decide to use Wireshark+Snort)
    • Snort is not using any lexer; parsing of the config is done with a lot of if (!str[case]cmp()) ... else. The config format is well described in the manual, but there's no formal grammar
    • Snort has got much better IP and TCP defragmentation support than Wireshark. Snort can emulate the behaviour of multiple OSes; it's also possible to set a memory limit. Recently it was found that Wireshark has got problems with out-of-order tcp fragments: http://www.wireshark.org/lists/wireshark-dev/201105/msg00047.html
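As an added example (not WireShnork's own code), here is how the one-line output of snort -A console, mentioned in the 24 May and 1 June updates, can be parsed and synchronized with the frames of a capture so that matching packets can be selected or coloured in Wireshark. It assumes Snort's fast/console alert line layout, IPv4 addresses, and that alert timestamps equal the pcap record timestamps (which holds when Snort reads the same capture with -r); the alert lines, rule ids and frame records below are constructed for the demonstration.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# One-line alert format written by `snort -A console` (same layout as -A fast):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src[:sport] -> dst[:dport]
# Assumptions: IPv4 addresses only, no year in the timestamp (Snort adds one only with -y),
# Classification and Priority may be absent.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


class Alert(NamedTuple):
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


class Packet(NamedTuple):
    number: int   # frame number as Wireshark shows it
    ts: str       # capture time in Snort's MM/DD-HH:MM:SS.usec form
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


FlowKey = Tuple[str, str, str, Optional[int], str, Optional[int]]


def _opt_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for one console line, or None for non-alert output."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        ts=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=_opt_int(m["prio"]),
        proto=m["proto"], src=m["src"], sport=_opt_int(m["sport"]),
        dst=m["dst"], dport=_opt_int(m["dport"]),
    )


def parse_alerts(lines: List[str]) -> List[Alert]:
    """Parse all alert lines, silently skipping banner/statistics output."""
    return [a for a in map(parse_alert, lines) if a is not None]


def _key(ts: str, proto: str, src: str, sport: Optional[int], dst: str, dport: Optional[int]) -> FlowKey:
    return (ts, proto, src, sport, dst, dport)


def correlate(alerts: List[Alert], packets: List[Packet]) -> Tuple[Dict[int, List[Alert]], List[Alert]]:
    """Map frame number -> alerts that fired on that frame, plus alerts with no matching frame.

    Matching uses the capture timestamp and the 5-tuple, which is exact when Snort
    was run on the same pcap; alerts raised on reassembled data may not map to one frame.
    """
    index: Dict[FlowKey, List[int]] = {}
    for p in packets:
        index.setdefault(_key(p.ts, p.proto, p.src, p.sport, p.dst, p.dport), []).append(p.number)
    hits: Dict[int, List[Alert]] = {}
    unmatched: List[Alert] = []
    for a in alerts:
        frames = index.get(_key(a.ts, a.proto, a.src, a.sport, a.dst, a.dport), [])
        if not frames:
            unmatched.append(a)
        for n in frames:
            hits.setdefault(n, []).append(a)
    return hits, unmatched


def display_filter(hits: Dict[int, List[Alert]]) -> str:
    """Wireshark display filter selecting every frame that carries an alert (frame.number is a real field)."""
    return " || ".join(f"frame.number == {n}" for n in sorted(hits))


# Constructed sample data: rule ids and addresses are made up for this example.
ALERT_LINES = [
    "05/09-17:01:30.216133  [**] [1:100001:1] CONSTRUCTED test rule HTTP GET [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:49152 -> 10.0.0.1:80",
    "05/09-17:01:31.004210  [**] [1:100002:1] CONSTRUCTED test rule ICMP echo [**] [Priority: 3] {ICMP} 192.168.1.5 -> 10.0.0.1",
    "05/09-17:01:32.000000  [**] [1:100003:1] CONSTRUCTED test rule mDNS [**] [Priority: 3] {UDP} 192.168.1.5:5353 -> 224.0.0.251:5353",
    "this line is not an alert",
]
PACKETS = [
    Packet(1, "05/09-17:01:30.216133", "TCP", "192.168.1.5", 49152, "10.0.0.1", 80),
    Packet(2, "05/09-17:01:30.300000", "TCP", "10.0.0.1", 80, "192.168.1.5", 49152),
    Packet(3, "05/09-17:01:31.004210", "ICMP", "192.168.1.5", None, "10.0.0.1", None),
]

if __name__ == "__main__":
    hits, unmatched = correlate(parse_alerts(ALERT_LINES), PACKETS)
    for n, alerts in sorted(hits.items()):
        print(f"frame {n}: " + "; ".join(f"{a.gid}:{a.sid}:{a.rev} {a.msg}" for a in alerts))
    print("unmatched:", [a.sid for a in unmatched])
    print("filter:", display_filter(hits))
```

The same per-frame tags could feed a colouring rule instead of a display filter; the unmatched list is worth surfacing in the UI, since an alert that maps to no single frame usually means Snort fired on reassembled stream data rather than one packet.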