Using Logger 6.0 LOOKUP - Looking for Tor Traffic

Blog Post created by aaron.kramer@hpe.com on Feb 12, 2015

One of the easier features to understand in Logger 6.0 is the LOOKUP search operator.

Here's an example to find the 'Needle in the Haystack'.

The LOOKUP search operator joins values held inside Logger with values from an external source. To do this, load the values from the external source into a LOOKUP table in Logger, then use the LOOKUP search operator in a Logger interactive search query. I have attached a list from Feb 2015 to this post if you want the fast path to the LOOKUP: just download the CSV from this post and load it into your Logger.

One example is Tor, aka "The Onion Router" (more here: Tor (anonymity network) - Wikipedia, the free encyclopedia).

The use case is to search for any communications into or out of a corporate network that come from or go to the Tor network. Very recent malware has been identified as using the Tor network for its communications. December 2014: New "LusyPOS" Malware Uses Tor For C&C Communications | SecurityWeek.Com

The first step is to obtain the list of Tor IP addresses. These are called Tor exit nodes. Various places on the internet keep updated lists, and some of these lists are refreshed as often as every 30 minutes.

https://www.dan.me.uk/tornodes

http://tns.hermetix.org/query_export.php/Tor_query_EXPORT.csv

Using the Unix utility curl, you can fetch the raw list like this:

/usr/bin/curl -o tornodes.csv --verbose https://www.dan.me.uk/tornodes

After some formatting, the file to load into Logger must be a CSV with field names in the header row. The first few lines of a valid file look like this:

TorExitNodeAddress,TorExitNodeName,Port
100.0.124.207,ansibleTorRelay,9001
100.11.113.161,minotor,9001
100.2.91.30,endeavor,443

Once loaded into Logger, the table is listed like this:

[Screenshot: TorTableListed.png]

The table view in Logger shows the first few rows of the table like this:

[Screenshot: TorEntriesListed.png]

In Logger, go to the LOOKUP section and add a LOOKUP table. Once the table has been added, a search using the Tor nodes can be run.

The search for Tor communications looks something like this:

[Screenshot: TorSearch.png]

This Logger search runs over all Logger events, then pipes the results to the LOOKUP operator, which:

- uses the table named TorNodes

- finds any sourceAddress in Logger that is also a TorExitNodeAddress and displays all the columns from the matching entry in the table.
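As an added example (not part of the original post, and not Logger's own code), the Python below walks the whole procedure offline: it converts a constructed raw relay listing into the header-row CSV shape shown above, skipping malformed and duplicate addresses, and then emulates the join the LOOKUP operator performs over a few constructed Logger-style events. It goes one step beyond the search in the screenshot by matching both sourceAddress and destinationAddress, so inbound and outbound Tor traffic are both flagged. The raw "address name port" line format, the event field names and the table name TorNodes are assumptions; the real LOOKUP operator syntax is not reproduced here.

```python
import csv
import io
import ipaddress

# Constructed raw exit-node listing (NOT a real download or real relays):
# one relay per line as "address name port", plus a comment, a malformed
# entry and a duplicate, to show what the converter has to tolerate.
RAW_LIST = """\
# constructed sample, not real Tor relays
100.0.124.207 ansibleTorRelay 9001
100.11.113.161 minotor 9001
100.2.91.30 endeavor 443
not.an.ip badrelay 9001
100.0.124.207 ansibleTorRelay 9001
"""

# Header row Logger expects, as in the post's sample file.
FIELDNAMES = ["TorExitNodeAddress", "TorExitNodeName", "Port"]


def build_lookup_csv(raw_text):
    """Turn the raw listing into CSV text with a header row and one row per
    unique, valid IPv4 address (malformed lines are dropped, not guessed)."""
    rows, seen = [], set()
    for line in raw_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue
        addr, name, port = parts
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            continue  # a bad address would never match anything in Logger
        if not port.isdigit() or addr in seen:
            continue
        seen.add(addr)
        rows.append({"TorExitNodeAddress": addr, "TorExitNodeName": name, "Port": port})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDNAMES, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def load_lookup_table(csv_text):
    """Index the CSV by TorExitNodeAddress, the join key used in the search."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["TorExitNodeAddress"]: row for row in reader}


# Constructed Logger-style events (not real traffic). Field names assumed.
EVENTS = [
    {"sourceAddress": "10.1.2.3", "destinationAddress": "100.2.91.30", "destinationPort": "443"},
    {"sourceAddress": "100.0.124.207", "destinationAddress": "10.1.2.3", "destinationPort": "22"},
    {"sourceAddress": "10.1.2.4", "destinationAddress": "93.184.216.34", "destinationPort": "443"},
]


def lookup_tor_events(events, table, fields=("sourceAddress", "destinationAddress")):
    """Emulate the LOOKUP join: for each event, try each address field against
    the TorNodes table and return the event merged with the matching row.
    Checking both fields catches inbound and outbound Tor communications."""
    matches = []
    for event in events:
        for field in fields:
            entry = table.get(event.get(field))
            if entry:
                matches.append({**event, "matchedField": field, **entry})
    return matches


if __name__ == "__main__":
    csv_text = build_lookup_csv(RAW_LIST)
    print(csv_text)  # header plus three clean rows
    table = load_lookup_table(csv_text)
    for hit in lookup_tor_events(EVENTS, table):
        print(hit["matchedField"], hit["TorExitNodeAddress"], hit["TorExitNodeName"], hit["Port"])
```

Dropping a bad line rather than repairing it is deliberate: a row that can never match only bloats the table, while a guessed address could produce false hits.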
