Time-to-Live Analysis of DShield Data with Vega-Lite, (Wed, Sep 18th)
SANS Internet Storm Center, InfoCON: green 2024-09-19
Since posting a diary about Vega-Lite [1], I have "played" with other queries that might be interesting. The first one I wanted to explore is Time-to-Live (TTL), since the DShield SIEM [2] captures and parses the iptables logs and stores the TTL for analysis.
One of the things I was really curious about was whether any of the source IPs my DShield sensor captures have more than one TTL. I started looking at some of the traffic to review the activity of some of the IPs and noticed that in fact some do have multiple TTLs, either in the same day or across multiple days. One of the ELK dashboards displays the TTL values with their totals. The traffic I reviewed was from IP 45.148.10[.]242 to port TCP/8080, scanning every day for /login.cgi and /cgi-bin/luci/;stok=/locale. In order to better see this activity over the past 14 days, I used a Vega-Lite query to display the activity with this graph.
First, this picture shows all the TTL values seen in the past 2 weeks of activity, by total, for IP 45.148.10[.]242:
TTL 50 is likely an outlier from the default 51. Anything in the two 200+ values might need a review of the IP packet ID to get some clues.
This shows the TTL in the past 2 weeks with Vega-Lite; the darker the color, the more activity for that time period:
While reviewing DShield sensor data, I sometimes like to look at some of the other data captured by the honeypot and explore why some of the traffic from each IP might be coming from different directions, using the TTL for clues. In this example, why is the TTL sometimes different? What other route is the IP taking? Is a VPN involved?
I took one of the TTLs, in this case 239, and reviewed when it was captured by the sensor. The sensor received the first one on 7 Sep and the second on 11 Sep 2024. I reviewed the 1-hour period in which this TTL was captured, and 5 other packets with TTL 51 were also captured during that same one-hour period. Are the 2 TTL 239 packets lost packets?
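The per-source TTL grouping described above, as an added example that is not part of the diary or the DShield SIEM: it parses iptables log lines of the kind the sensor writes (the sample lines are constructed), builds the per-day TTL counts behind a heatmap, lists sources seen with more than one TTL, and estimates hop distance assuming the common initial TTL values 64, 128 and 255.

```python
import re
from collections import defaultdict

# Constructed sample iptables log lines in the layout the DShield sensor
# writes (SRC, TTL, ID, DPT fields); timestamps, IDs and ports are made up.
SAMPLE_LOG = """\
Sep  7 03:12:41 sensor kernel: IN=eth0 OUT= SRC=45.148.10.242 DST=10.0.0.5 LEN=60 TTL=51 ID=4711 PROTO=TCP SPT=41000 DPT=8080 SYN
Sep  7 03:14:02 sensor kernel: IN=eth0 OUT= SRC=45.148.10.242 DST=10.0.0.5 LEN=60 TTL=239 ID=9001 PROTO=TCP SPT=41001 DPT=8080 SYN
Sep  7 03:40:17 sensor kernel: IN=eth0 OUT= SRC=45.148.10.242 DST=10.0.0.5 LEN=60 TTL=51 ID=4712 PROTO=TCP SPT=41002 DPT=8080 SYN
Sep 11 09:01:55 sensor kernel: IN=eth0 OUT= SRC=45.148.10.242 DST=10.0.0.5 LEN=60 TTL=50 ID=4790 PROTO=TCP SPT=41003 DPT=8080 SYN
Sep 11 09:02:10 sensor kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=40 TTL=116 ID=1 PROTO=TCP SPT=53000 DPT=22 SYN
"""

# Syslog "Mon dd" date, then the SRC, TTL, ID and DPT fields (DF flag tolerated).
LINE_RE = re.compile(r"^(?P<date>\w{3}\s+\d{1,2}) .*?SRC=(?P<src>\S+) .*?TTL=(?P<ttl>\d+) ID=(?P<id>\d+) .*?DPT=(?P<dpt>\d+)")

def parse_iptables(text):
    """Yield (day, src, ttl, ip_id, dport) for each parseable log line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (m["date"], m["src"], int(m["ttl"]), int(m["id"]), int(m["dpt"]))

def ttl_by_src_day(records):
    """Count packets per (src, day, ttl): the data behind a TTL-over-time heatmap."""
    counts = defaultdict(int)
    for day, src, ttl, _, _ in records:
        counts[(src, day, ttl)] += 1
    return dict(counts)

def multi_ttl_sources(records):
    """Sources observed with more than one TTL, each with its sorted TTL values."""
    seen = defaultdict(set)
    for _, src, ttl, _, _ in records:
        seen[src].add(ttl)
    return {src: sorted(t) for src, t in seen.items() if len(t) > 1}

def estimated_hops(ttl):
    """(assumed initial TTL, hop count) using the usual initial values 64/128/255."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    return None
```

A source whose estimated initial TTL changes between packets (here 64 for TTL 51 and 255 for TTL 239) is a reasonable trigger to pull the packet IDs for that hour, as the diary does.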
[1] https://isc.sans.edu/diary/VegaLite+with+Kibana+to+Parse+and+Display+IP+Activity+over+Time/31210/
[2] https://github.com/bruneaug/DShield-SIEM/tree/main
[3] https://vega.github.io/vega/examples/
[4] https://github.com/DShield-ISC/dshield
[5] https://isc.sans.edu/ipinfo/45.148.10.242
-----------
Guy Bruneau, IPSS Inc. Twitter: GuyBruneau, gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.