Presentation Material

Abstract

This paper introduces flowinspect, a tool developed specifically for network monitoring and inspection purposes. It takes network traffic as input and extracts layer 4 flows from it. These flows are then passed through an inspection engine that will filter them according to the requested options. For flows that meet inspection criteria, output mode would take them in and dump match statistics and other details to either stdout or a file or both.

The primary difference between flowinspect and other network inspection tools is that flowinspect inspects network flows instead of individual layer 4 packet contents. As such if for a flow, certain data to be matched upon spans multiple packets, flowinspect would still be able to identify it. Inspection happens via any of the following inspection modes:

regex: PCRE-compatible regular expressions fuzzy: fuzzy string matching techniques shellcode: libemu based (x86 compatible) shellcode detection yara: yara-project based signature detection Above modes also accept certain options that a user can use to tweak the behaviour of the respective inspection engine. For example, regex matches could be made case insensitive, fuzzy string match threshold could be altered, shellcode profile output detailing the detected system calls could be generated, etc. Once a match is found over a flow, it is then passed onto the output module which takes care of dumping match statistics to either stdout or a file, or both.

Apart from these, there are a few other handy options that could prove useful in different network inspection scenarios. For example, inspection could be completely disabled and any of the output modes could be used to dump available flows as-is to a file. These files will contain direction-specific raw data for a specific five-tuple. These files could then be analysed separately using some other tool or utility. If required, matched flows could also be dumped to a packet capture file.

AI Generated Summary^{may contain errors}

Here is a summarized version of the content:

The speaker is discussing their open-source project, , a tool for inspecting network streams and detecting malware. The tool uses various technologies such as SpiderMonkey (a JavaScript engine) and V8 (Google’s JavaScript engine) to analyze scripts and identify potential threats.

The speaker highlights several key features of FlowInspect, to include:

1. File extraction and analysis: Extracts files from network streams and analyzes them for anomalies.
2. Script analysis: Uses JavaScript engines to analyze scripts and detect malicious intent.
3. Anomaly detection: Identifies unusual patterns in file formats commonly used for exploitation (e.g., JAR and PDF files).
4. Integration with online scanners: Submits extracted files for manual inspection or automated analysis using online scanners.

The speaker also expresses gratitude to the Python community, various open-source projects (e.g., Pyew, FlowInspect uses), and their employer, Juniper Networks, for supporting their work on FlowInspect.