ASDIC

User Manual



Introduction

ASDIC is a system that collects traffic information from various sources in the network, analyses the traffic patterns and presents the information in an easy-to-read manner.

Data sources include firewalls, routers, switches and hosts. Any system capable of generating basic network traffic information can be fed into ASDIC.

The central concept in ASDIC is traffic patterns, or aggregates. By managing collections of sessions as aggregates instead of as single packets and sessions, even a complex network environment becomes possible to grasp. ASDIC creates these traffic patterns automatically.

An aggregate can be seen as the "least common property" of a number of sessions, and it is worth noticing that you do not know in advance what the patterns might look like. Other traffic monitoring systems can help you extract the data you are looking for, but ASDIC helps you by telling you what to look for.

Traffic patterns can be more or less overlapping. Look at the following example:

alice:4711 => www.bob.inc:80

This session may render the following traffic patterns:

"alice surfs":                          alice => :80
"alice communicates with www.bob.inc":  alice => www.bob.inc
"www.bob.inc has a web server":         www.bob.inc:80
"alice surfs to www.bob.inc":           alice => www.bob.inc:80

The last pattern, "alice surfs to www.bob.inc", is subsidiary to the other three, which are "meta" patterns because they are "patterns of patterns". There are also patterns that have neither subsidiary nor meta patterns.

Patterns extract information from data.
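As an added illustration (not part of the manual and not ASDIC's own code), the following Python models the aggregate concept above: the "least common property" of several sessions, the patterns one session can contribute to, and the subsidiary/meta relation between them. The tuple layout (src addr, src port, dst addr, dst port) and the constant names are assumptions.

```python
from itertools import combinations

# A pattern is (src addr, src port, dst addr, dst port); None marks a field that is not significant.
SESSION = ("alice", 4711, "www.bob.inc", 80)          # the manual's example session

def fmt(p):
    """Render a pattern as the manual writes it, e.g. 'alice => :80' or 'www.bob.inc:80'."""
    def end(addr, port):
        return (addr or "") + (f":{port}" if port is not None else "")
    src, dst = end(p[0], p[1]), end(p[2], p[3])
    return f"{src} => {dst}" if src else dst

def least_common(sessions):
    """The aggregate of several sessions: keep only the fields on which all of them agree."""
    return tuple(v if all(s[i] == v for s in sessions) else None
                 for i, v in enumerate(sessions[0]))

def candidates(session):
    """Every pattern one session can contribute to, obtained by blanking any subset of its fields."""
    n = len(session)
    return {tuple(v if i in keep else None for i, v in enumerate(session))
            for k in range(1, n + 1) for keep in combinations(range(n), k)}

def is_subsidiary(p, q):
    """True when q is a meta pattern of p: q blanks some of p's fields and agrees on the rest."""
    return p != q and all(qv is None or qv == pv for pv, qv in zip(p, q))

def meta_patterns(p, patterns):
    return {q for q in patterns if is_subsidiary(p, q)}

def subsidiaries(p, patterns):
    return {q for q in patterns if is_subsidiary(q, p)}

# The four patterns the manual derives from SESSION (the ephemeral source port 4711 is never kept).
SURFS = ("alice", None, None, 80)
TALKS = ("alice", None, "www.bob.inc", None)
WEBSRV = (None, None, "www.bob.inc", 80)
FULL = ("alice", None, "www.bob.inc", 80)
PATTERNS = {SURFS, TALKS, WEBSRV, FULL}

if __name__ == "__main__":
    for p in sorted(PATTERNS, key=fmt):
        print(f"{fmt(p):28} meta: {[fmt(m) for m in meta_patterns(p, PATTERNS)]}")
```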

Basic usage


Primarily you use the system through the web user interface and its search tab. At the top you can choose a predefined search; selecting one fills in the rest of the form with the values defined in that predefined search.

You can run the predefined search as is, or modify any of the conditions described below:

IP Group is the addresses and ports for the search. Here you can either choose a predefined saved group (e.g. "all") or a custom IP group by entering the IP addresses and ports manually. If you enter them by hand, the following rules apply:

IP addresses:

  • An address "192.168.112.21" for an exact match.
  • A prefix "192.168/16" for a range. Just "192.168" denotes the same prefix.
  • A prefix "0/0" matching all addresses. "*" also works.
  • A blank field marks that the field is to be excluded.
  • A question mark ("?") marks that the field may or may not be included. Often you do not know the form of the pattern and use the question mark. More about this later.

Ports:

  • A port number "123" for an exact match.
  • An interval "0-1023" matching a range.
  • An asterisk ("*") matching all ports.
  • A blank field, marking that the field is to be excluded.
  • A question mark, marking that the port may or may not be included.
  • For ICMP, the first port field represents the type, the second the code.

Protocol:

  • A protocol name, specifying the protocol.
  • A blank field, specifying that the protocol is not significant.

Try playing around with the different kinds of wildcards above. It takes a while to get the hang of it, and of the differences between "?", "*" and blank, but it is of vital importance for efficient use of the system. If in doubt, use the question mark; it is the most general wildcard.

Please note that the protocol is tied to the port field: it is not possible to specify a protocol and at the same time no port. The reverse works well, though.
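As an added example (not the manual's or ASDIC's own code), this Python implements the address, port and protocol field rules above, including the difference between "?", "*" and blank and the rule that a protocol cannot be combined with no port. The record layout and the sample aggregates are constructed assumptions.

```python
import ipaddress

def parse_addr(expr):
    """'?' any, '' excluded, '*'/'0/0' all, '192.168' or '192.168/16' a prefix, else an exact address."""
    expr = expr.strip()
    if expr in ("?", ""):
        return ("any" if expr else "blank", None)
    if expr in ("*", "0/0"):
        expr = "0.0.0.0/0"
    base, _, plen = expr.partition("/")
    octets = base.split(".")
    plen = int(plen) if plen else min(8 * len(octets), 32)  # bare "192.168" means /16
    net = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{plen}"
    return ("net", ipaddress.ip_network(net, strict=False))

def parse_port(expr):
    """'?' any, '' excluded, '*' all, 'a-b' an interval, else an exact port number."""
    expr = expr.strip()
    if expr in ("?", ""):
        return ("any" if expr else "blank", None)
    lo, _, hi = ("0", "-", "65535") if expr == "*" else expr.partition("-")
    return ("range", (int(lo), int(hi or lo)))

def field_ok(spec, value):
    """'?' matches a present or blank field, blank only a blank field, net/range only a present value inside."""
    kind, arg = spec
    if kind in ("any", "blank"):
        return kind == "any" or value is None
    if value is None:
        return False
    return ipaddress.ip_address(value) in arg if kind == "net" else arg[0] <= value <= arg[1]

# Constructed sample aggregates in the result-table layout; None is a blank (insignificant) field.
RECORDS = [
    ("192.168.112.21", None, "10.0.0.5", 80, "tcp"),   # host surfs to one server
    ("192.168.112.21", None, None, 443, "tcp"),        # host surfs, server insignificant
    (None, None, "10.0.0.5", 80, "tcp"),               # server runs a web service
    ("192.168.1.9", None, "10.0.0.7", None, None),     # host talks to host, ports insignificant
]

def search(records, src_addr, src_port, dst_addr, dst_port, proto=""):
    """Records are (src addr, src port, dst addr, dst port, proto) tuples, None for a blank field."""
    specs = (parse_addr(src_addr), parse_port(src_port), parse_addr(dst_addr), parse_port(dst_port))
    proto = proto.strip().lower()
    if proto and specs[1][0] == "blank" and specs[3][0] == "blank":
        raise ValueError("a protocol cannot be given together with no port at all")
    return [r for r in records if all(field_ok(s, v) for s, v in zip(specs, r[:4]))
            and (not proto or (r[4] or "").lower() == proto)]
```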

Also note that traffic is stored simplex, that is, the direction of the traffic is significant. An ordinary sniffed session is therefore most often stored in both the forward and the reverse direction. To select only one direction, a prefix is used in the search; the "reverse" button is used to switch easily between directions. A session originating from a stateful firewall log, on the other hand, is often logged only in the direction in which the session was initiated.

By clicking on the headers you toggle between question mark, asterisk and blank.

Criterium is used to specify the criteria the traffic must meet in a search.

Typical criteria can be:

  • Pattern matches all traffic aggregate records.
  • Overview matches all aggregate records that are not subsidiary.
  • Details matches all aggregates that are not superior (i.e. not aggregates of aggregates).
  • Illegal traffic matches all aggregates inconsistent with firewall rules and/or host configuration.
  • TCP services is used to search the network for services.
  • All marks that you do not want to limit the search at all. This even matches single sessions.

Criteria can be defined by the advanced user, so this list varies from site to site; your criteria list is probably different.

Action is obsolete and will be removed in future releases.

Time span limits the search in time. It also selects which time stamp you wish to see in the report. "-n/a-" or a blank time field means no time span. The time must be of the form "HH", "HH:MM" or "HH:MM:SS" for hours, minutes and seconds.

Search

Searching can be done in different ways.

"Search"-button

  • Generates a list of all records matching the search.
  • Brings up a record in detail if no wildcard is used.
  • Is, as a rule of thumb, sorted by time last seen.
  • Displays record after record as they are found in the database.

"Session history"-button

  • Generates a graph of sessions over time matching the selections.
  • Strictly sorted by the number of sessions per pattern.
  • Displays records and graph after the entire search is completed.

"Packet history"-button

  • Generates a graph of matching packets over time.
  • Strictly sorted by the number of packets per pattern.
  • Displays records and graph after the entire search is completed.

Graphics

Traffic graphs are very informative, but require skill to get the most out of.

Key points to remember:

  • The scale is logarithmic. This means the scale increases exponentially with the height: for each division of the scale, the number of packets or sessions doubles. The topmost division would, in an ordinary linear graph, be half the graph. A single pixel at the top of the graph can represent the same number of sessions as another pattern completely filling the lower half of the diagram. This cannot be stressed enough. Read the graph from top to bottom.
  • The patterns shadow each other. The largest pattern is always the one at the back of the picture, the next one in front of it, and so on.
  • The patterns can be isolated. If you want to look closer at a specific pattern, click on its colour key in the legend at the bottom left. This removes all patterns in front of the selected pattern, revealing the selected one in full. Note the marker below the x-axis pinpointing the selected graph.
  • The diagram might be truncated. If your search matches more than 100 patterns, it is truncated to the largest 100. A red line marks the minimum height a pattern needs in order to be selected (if it occurs at only one time sample), and the bottom of the scale is cut at the level corresponding to the same number of packets as the red line, though not for a pattern occurring at every time sample in the graph. To avoid truncation, narrow down the search.

Look at the two traffic patterns in the figure to the right. The red and yellow patterns are almost exactly the same size and represent the same number of sessions, but over different periods of time.

Keep in mind, especially when the system is newly started with empty databases, that a pattern in the diagram might seem to vanish even though the network traffic has not changed. This happens when you have selected an overview of patterns and an earlier shown pattern is incorporated into a newly formed superior pattern. The earlier shown pattern then becomes a subsidiary pattern, which is not shown in an overview search.

A pattern can never be totally shadowed, unless the shadowing pattern is identical.

Search Result Table

The search result table and the colour legend in a graphic search are much the same. They contain the records matching the search.

Fields from left to right:

  • Colour key identifying the colour in the graph.
  • Source address. If blank, denotes multiple/insignificant sources.
  • Source port. If blank, denotes multiple/insignificant ports.
  • Destination address.
  • Destination port.
  • Protocol; can only be blank if both ports are also blank.
  • Sessions is the number of sessions the pattern matches.
  • Packets is the number of packets matching the pattern.
  • Sum (in graphs) is the sum over time of packets/sessions.
  • Peak (in graphs) is the maximum peak value of sessions/packets.
  • First seen/Last seen/Baselined denotes the time stamp when the pattern was first seen, last seen, or when the system learned that it was a traffic pattern/aggregate.
  • AR, for Accept/Reject, indicates whether the sessions in the pattern were accepted. Red is denied, green accepted. ASDIC uses several different parameters to deduce this field: firewall and router access list results, TCP protocol flags and the status of the duplex sessions.

IP addresses, ports and colour legends are all clickable. Clicking an address or port copies it into the corresponding input box at the top of the search page, for easy search refinement. Clicking a colour legend reveals a shadowed graph.

Typical work flow

You begin with a coarse report. It might be a deviation report delivered by mail, or maybe an overview search. It might also be a specific search about a particular event, host or port that triggered your interest.

If you start with an overview, it might show something of interest. Locate the pattern in the colour legend below and click on the significant parts of the pattern; this copies them to the input fields. You then probably fill in the remaining fields with question marks for a wide search (click on the input box header). Select criterium "overview" and perform the search, textual or graphical. You get a new result list and repeat the procedure until you have isolated the event of interest and traced it to its source. As you narrow the search, change the criterium to "detailed" to get a finer resolution of the traffic. The speed with which ASDIC delivers results makes it unnecessary to be precise in the first search expression: it is better to begin by including too much and gradually work your way towards the area of interest.

Ping Research
