Traffic Analysis: প্যাকেট স্নিফিং টুলস ব্যবহার করে কর্পোরেট নেটওয়ার্ক ট্রাফিকের ভেতরের সাইবার থ্রেট শনাক্ত করার উপায়!

ক্যাসপারস্কি এবং Forrester-এর research অনুযায়ী enterprise breach-এর গড়ে ৭০% নেটওয়ার্ক traffic-এ observable indicator রেখে যায় detection-এর আগে। Network-based detection-এর কয়েকটি unique strength-

• Tamper-Resistant: log-এর মত network observation host-side থেকে erase করা যায় না।
• Endpoint-Agnostic: যেসব device-এ EDR install করা সম্ভব না (IoT, OT, legacy server) সেগুলোর behavior-ও visible।
• Lateral Movement Visibility: একটি compromised host থেকে অন্য host-এ movement only network-এ visible।
• Data Exfiltration Detection: outbound large transfer, unusual destination।
• Encrypted Channel Analysis: যদিও payload encrypted, metadata (timing, size, frequency) থেকে behavioral inference সম্ভব।

Layer 1 — Full Packet Capture (PCAP): প্রতিটি packet-এর সম্পূর্ণ content capture। Detail সর্বোচ্চ, কিন্তু storage এবং performance cost বিশাল।

Layer 2 — Protocol Metadata (Zeek logs): protocol-aware logging — connection start/end, hostname, certificate info, URL, DNS query। PCAP-এর কয়েক percent storage-এ ৮০-৯০% investigative value।

Layer 3 — Flow Data (NetFlow/IPFIX/sFlow): aggregated connection metadata — source/destination IP, port, byte count, packet count। Most compact, broad coverage।

Mature SOC তিন layer-এর সমন্বিত strategy — flow data সর্বত্র, Zeek logs critical zone-এ, PCAP কেবল on-demand (forensics) বা strategic location-এ (egress, DMZ)।

Wireshark Gerald Combs-এর developed open-source packet analyzer যা ১৯৯৮ সাল থেকে সক্রিয়। ২,০০০+ protocol-এর native dissector আছে।

Capture Method:

• live interface capture (root/admin privilege)।
• offline pcap file।
• remote capture (sshdump, ciscodump)।

Display Filter: powerful filter language —

• http.request.method == "POST"
• tcp.stream eq 5
• ssl.handshake.type == 1 (Client Hello)
• ip.addr == 10.0.0.5 and not tcp.port == 80
• dns.qry.name contains "exfil"

Analysis Feature:

• Follow TCP/UDP/HTTP/QUIC Stream।
• Conversations and Endpoints statistics।
• Protocol hierarchy।
• I/O graph।
• Expert Information (warning, error)।
• File extraction (HTTP, SMB, FTP)।

Practical Use Case:

• Malware C2 reverse engineering — exact protocol structure understand।
• Credential leak detection — plaintext HTTP basic auth, plaintext FTP, telnet।
• DNS tunneling identification — abnormally long subdomain, high entropy।
• Beacon detection — interval-regularity check।

Tshark, Wireshark-এর CLI version — automated/scripted analysis-এর জন্য।

Linux/UNIX-এর native tcpdump library libpcap-এর উপরে। Wireshark-এর foundation-ও libpcap। Capture filter syntax BPF (Berkeley Packet Filter)-

• tcp port 80
• host 192.168.1.1 and not arp
• (src net 10.0.0.0/8) and (dst port 443)

tcpdump capture file Wireshark-compatible pcap format-এ লেখে। Production capture-এ tcpdump-এর low overhead এবং headless operation valuable।

Vern Paxson-এর Lawrence Berkeley National Lab-এ developed Zeek একটি protocol-aware network monitor যা packet content-কে high-level event-এ rendering করে। Output বিভিন্ন structured log file-এ-

• conn.log: প্রতিটি TCP/UDP connection-এর summary।
• http.log: HTTP request/response।
• dns.log: DNS query এবং response।
• ssl.log: TLS handshake, certificate।
• x509.log: certificate detail।
• files.log: extracted file metadata।
• smb.log, smtp.log, ftp.log: protocol-specific।
• weird.log: anomalous behavior।
• notice.log: Zeek script-driven alert।

Zeek-এর scripting language event-driven এবং custom detection logic লেখার সুযোগ দেয়। Corelight commercial Zeek deployment-এর leading vendor।

Zeek log-এর enrichment value SOC analyst-এর জন্য অপরিসীম — কয়েক GB pcap-এর পরিবর্তে কয়েক MB Zeek log SIEM-এ ingest করে।

OISF-এর developed Suricata multi-threaded IDS/IPS/NSM। Snort-compatible signature, কিন্তু বহুগুণ performant।

Suricata rule example —

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Suspicious user agent"; content:"User-Agent: nikto"; sid:1000001; rev:1;)

Emerging Threats (ET) এবং ET Pro rule sets community-driven এবং commercial — millions of signatures cover করে।

Suricata-এর Lua scripting এবং Eve JSON output modern SOC integration সহজ করে। Splunk, Elastic, Kafka-এ direct ingestion।

Cisco-supported Snort 3 next-gen iteration। JSON config, multi-threading, OpenAppID application identification। Hybrid IDS/IPS deployment-এ ব্যবহৃত।

Layer 3 flow data — connection-level summary-

• NetFlow v5/v9: Cisco-developed।
• IPFIX (RFC 7011): standardized successor, vendor-neutral।
• sFlow: sampled flow, switch-friendly।

Flow collector — nfdump, SiLK, Plixer Scrutinizer, ntopng — flow data analyze করে।

Flow data-এর strength — internet-scale visibility, low overhead। Limitation — payload visibility নেই।

৯৫%+ web traffic এখন HTTPS। DoH, DoT-এর rise-এ DNS-ও encrypted। তবে metadata-ভিত্তিক analysis এখনো সম্ভব-

• TLS Fingerprint: JA3, JA3S, JA4 fingerprint client/server TLS implementation identify করে। Malware-specific JA3 hash detection-এ valuable।
• SNI Inspection: Server Name Indication (TLS 1.2-এ plaintext, TLS 1.3-এ ECH-এর adoption increasing)।
• Certificate Analysis: self-signed, recently issued, suspicious CA — সব red flag।
• Traffic Pattern: packet size distribution, inter-arrival timing, total session bytes — encrypted তেও pattern অনন্য।
• Cisco Encrypted Traffic Analytics (ETA): ML-driven malware-in-encrypted-traffic identification।

C2 Beacon

Compromised host C2 server-এর সাথে regular interval-এ communicate করে। Indicator-

• regular interval (jitter সত্ত্বেও pattern visible)।
• small request, small response (heartbeat)।
• non-business-hour activity।
• recently registered domain।
• unusual port বা User-Agent।

RITA (Real Intelligence Threat Analytics) — open-source beacon detection tool যা Zeek log analyze করে।

DNS Tunneling

C2 বা exfiltration DNS query-এর ভেতরে encode করে। Indicator-

• abnormally long subdomain (>50 char)।
• high entropy subdomain।
• excessive TXT, NULL, CNAME query।
• single domain-এ thousands of unique subdomain।

Tool: iodine, dnscat2, DET।

Data Exfiltration

Large outbound transfer to unusual destination। Cloud storage upload (Mega, Dropbox, MEGA, AWS S3, pastebin), encrypted ZIP, RAR over HTTP/HTTPS।

Lateral Movement

Internal traffic — SMB to unusual host, WMI execution, Kerberoasting Kerberos traffic, PsExec named pipe, RDP brute force।

Reconnaissance

Port scan (NMap), DNS zone transfer attempt, SMB enumeration, LDAP query।

Modern NDR vendor — ExtraHop, Vectra AI, Darktrace, Corelight (Zeek-based), Cisco Stealthwatch, Arista Awake, Palo Alto Cortex XDR Network — encrypted traffic-এও ML-driven detection প্রদান করে।

NDR-এর core capability-

• baseline behavioral profile তৈরি।
• anomaly detection।
• automated investigation।
• SOAR integration।
• forensic-grade metadata retention।

ধরা যাক একটি Suricata alert — "Possible Cobalt Strike beacon"। Analyst-এর pivot path-

1. Alert Review: signature ID, source/destination IP, time, byte count।
2. Zeek Log Lookup: same time window-এ conn.log, http.log, ssl.log। JA3 fingerprint check।
3. PCAP Retrieval: যদি available থাকে, exact packet inspect।
4. TI Enrichment: destination IP/domain VirusTotal, AbuseIPDB, internal TI-এ check।
5. Endpoint Correlation: source host-এর EDR data, Sysmon log। কোন process এই connection initiate করেছে?
6. Scope Assessment: একই destination-এ আর কোন host connect করছে?
7. Containment: যদি malicious confirmed, network segmentation, host isolation।
8. Documentation এবং IR: ticket update, IR playbook execute।

Open-source heavy stack-

• Capture: tcpdump, nfdump।
• Analysis: Wireshark, Tshark।
• IDS/NSM: Zeek + Suricata।
• SIEM: Elastic Stack, Wazuh।
• Threat Intel: MISP, Sigma।
• Beacon Detection: RITA, AC-Hunter (commercial)।

Enterprise stack-

• Corelight (Zeek), Suricata, Splunk/Sentinel, NDR (Vectra/Darktrace/ExtraHop), SOAR (Cortex XSOAR, Splunk Phantom)।

Effective traffic analysis-এর জন্য সঠিক visibility architecture জরুরি। SPAN/TAP ports — strategic location-এ traffic mirror। East-west visibility (internal traffic)-ও critical, কেবল north-south (internet boundary) নয়।

Encryption-এর rise এ visibility পেতে decryption broker (SSL/TLS inspection) deploy করা যায়, কিন্তু privacy এবং performance trade-off carefully consider প্রয়োজন।

Network traffic-based defense build করতে-

Strategic Deployment:

• DMZ, internal backbone, branch egress — SPAN/TAP।
• Zeek + Suricata-এর hybrid sensor।
• NetFlow সর্বত্র।

Retention Strategy:

• Zeek log ৯০ দিন+।
• PCAP কেবল strategic location-এ এবং short retention (৭-৩০ দিন)।
• alert data দীর্ঘ retention (১ বছর+)।

Skill Building:

• analyst-দের Wireshark, Zeek-এ training।
• regular CTF participation।
• SANS SEC503 (Intrusion Detection In-Depth)।

Threat Intel Integration:

• IoC feed automated update।
• Sigma rule deployment।

Automation:

• SOAR playbook ব্যবহার করে repetitive task automate।
• common false positive auto-suppress।

Encryption Strategy:

• selective decryption (regulatory consideration সহ)।
• metadata-based detection prioritize।

Periodic Review:

• alert tuning quarterly।
• baseline update yearly।
• red team exercise।

Cloud Visibility:

• AWS VPC Flow Log, Mirror Session, GuardDuty।
• Azure NSG flow log, Network Watcher।
• GCP VPC Flow Log।

OT/IoT Network:

• separate IDS sensor — Claroty, Nozomi, Dragos।
• Modbus, DNP3, S7 protocol-aware।