Skip to content
/ packetTrail Public

Associates netflow data with system processes and logs to syslog

7 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

false00/packetTrail

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
README.md
README.md
 
 
packetTrail.exe
packetTrail.exe
 
 
packetTrail.py
packetTrail.py
 
 

Repository files navigation

packetTrail

This program creates a record of every network connection on a system and generates a log that contains the process name that initiated the connection. This gives attribution to which process generated what traffic. Thus, allowing an incident responder or SOC analyst visibility into the host. Use cases are endless, but the log data can be used for incident response missions or threat hunting.

For example, if powershell.exe beacons out to an IP, dies, then that same IP is observed communicating with explorer.exe, this may be an indicator of malware injecting itself into another process. packetTrail would produce the data required to detect something like this. You could also create baselines using packetTrail and trigger on anomalies that don't match your baseline. It can be used many different ways. Currently it only supports forwarding logs via syslog and writing to a local file. I'm working on adding elasticsearch support soon. If you find any bugs let me know. I'd appreciate it.

Log Sample:
syslog format = log_priority + utc_timestamp + host_ip + host_hostname + program_name + process + sip + sport + rip + rport
<12>2018-09-08T11:25:19Z 192.168.50.129 juans-windowsvm packetTrail process=powershell.exe sip=192.168.50.129 sport=50434 rip=192.168.50.134 rport=80
<12>2018-09-08T11:27:56Z 192.168.50.129 juans-windowsvm packetTrail process=explorer.exe sip=192.168.50.129 sport=50433 rip=192.168.50.134 rport=80
<12>2018-09-08T11:28:19Z 192.168.50.129 juans-windowsvm packetTrail process=notepad.exe sip=192.168.50.129 sport=50400 rip=192.168.50.134 rport=80

Getting Started

These instructions will get you a copy of the project up and running on your local machine.

Prerequisites

Windows

vc_redist.x64.exe - https://www.microsoft.com/en-US/download/details.aspx?id=52685

Python

pip install psutil

Supported Operating Systems

Windows 7
Windows 10
macOS High Sierra 10.13.6
Ubuntu 16.04

How to Run

Windows

Usage: packetTrail.exe syslog_ip syslog_udp_port
Example: packetTrail.exe 10.0.0.20 514

Python

Usage: packetTrail.py syslog_ip syslog_udp_port
Example: packetTrail.py 10.0.0.20 514

How to Install as a Service

Windows

sc create packetTrail binPath= "C:\packetTrail-master\packetTrail-master\packetTrail.exe 10.0.0.20 514"
sc config "packetTrail"  start= auto
net start packetTrail

How to Build Windows Binary

If you're not comfortable running the provided Windows binary, you can build your own version using pyinstaller.

Requirements

Software:
Python 3.6.4 

Operating System:
Windows 7

Build

pyinstaller --onefile --hidden-import=queue packetTrail.py

Built With

  • Pyinstaller - Library used to convert python script to windows binary

Contributing

Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us.

Authors

License

This project is licensed under the MIT License - see the LICENSE.md file for details

About

Associates netflow data with system processes and logs to syslog

Topics

security netflow logger incident-response syslog process netstat dfir infosec ir psutil procmon

Resources

Readme
Activity

Stars

7 stars

Watchers

3 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages