A stratosphere plugin
The goal is to add support for the Stratosphere IPS to uCollect.
What it does (very high level overview):
- It captures netflows
- For each separate remote IP address (and possibly port; to be confirmed), it converts the sequence of flows into a kind of signature string. Each new netflow adds two letters, determined by the pause since the previous flow (its length and regularity) and by the size and duration of the flow itself.
- Using Markov chains and models built from previously captured data, it estimates the probability that the sequence of flows was produced by some specific malware. These models are (according to the author, Sebastian García; I haven't looked up the URL yet) publicly available online, and we could use them.
The signatures can also (again according to the author) be used for other analyses.
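To make the signature step concrete, here is an added example (not code from Stratosphere or from uCollect): a toy converter that groups flows per remote (IP, port), emits one character for the pause since the previous flow and one letter for the flow itself (size, duration, and whether the pause was regular compared to the previous pause). The Flow fields, every threshold, the gap symbols, the letter table and the "regular pause" tolerance are assumptions chosen for illustration; the real Stratosphere/Argus parameters are exactly what the #60 research task has to establish. The sample flows are constructed.

```python
"""Toy flow-to-signature converter; illustrates the pipeline shape only."""
from collections import defaultdict
from dataclasses import dataclass
from string import ascii_letters


@dataclass(frozen=True)
class Flow:
    start: float     # seconds since epoch (assumed field set, not Argus' record)
    duration: float  # seconds
    size: int        # bytes in both directions
    dst_ip: str
    dst_port: int


# ASSUMED thresholds and alphabet for this example. They are NOT the values
# Stratosphere or Argus use; finding those is the research task.
SIZE_LIMITS = (1_000, 10_000)      # bytes: small / medium / large
DUR_LIMITS = (0.5, 10.0)           # seconds: short / medium / long
GAP_SYMBOLS = ((5.0, "."), (60.0, ","), (300.0, "+"))  # pause length bands
LONG_GAP = "*"                     # pause of 300 s or more
PERIOD_TOL = 0.15                  # relative deviation still counted as "regular"


def level(value, limits):
    """0, 1 or 2 depending on which band of `limits` the value falls into."""
    return sum(value >= limit for limit in limits)


def gap_symbol(gap):
    """Character for the length of the pause before a flow."""
    for limit, sym in GAP_SYMBOLS:
        if gap < limit:
            return sym
    return LONG_GAP


def periodicity(prev_gap, gap):
    """0 = unknown (no earlier pause to compare with), 1 = regular, 2 = irregular."""
    if prev_gap is None:
        return 0
    ref = max(prev_gap, gap)
    if ref == 0:
        return 1
    return 1 if abs(gap - prev_gap) / ref <= PERIOD_TOL else 2


def flow_letter(flow, per):
    """One of 27 letters: 3 size levels x 3 duration levels x 3 periodicity levels."""
    idx = level(flow.size, SIZE_LIMITS) * 9 + level(flow.duration, DUR_LIMITS) * 3 + per
    return ascii_letters[idx]      # 'a'..'z' then 'A'


def signatures(flows):
    """Return {(dst_ip, dst_port): signature string}, flows ordered by start time."""
    by_peer = defaultdict(list)
    for f in flows:
        by_peer[(f.dst_ip, f.dst_port)].append(f)
    out = {}
    for key, peer_flows in by_peer.items():
        peer_flows.sort(key=lambda f: f.start)
        sig, prev_start, prev_gap = [], None, None
        for f in peer_flows:
            if prev_start is None:
                # Corner case: the first flow has no pause to encode.
                sig.append(flow_letter(f, 0))
            else:
                gap = f.start - prev_start   # assumed: start-to-start pause
                sig.append(gap_symbol(gap))
                sig.append(flow_letter(f, periodicity(prev_gap, gap)))
                prev_gap = gap
            prev_start = f.start
        out[key] = "".join(sig)
    return out


# Constructed sample: a 30 s beacon to one peer, broken by a large irregular
# transfer, plus a single unrelated flow to another peer.
SAMPLE_FLOWS = [
    Flow(0.0, 0.3, 2_000, "203.0.113.7", 443),
    Flow(30.0, 0.3, 2_000, "203.0.113.7", 443),
    Flow(60.0, 0.3, 2_000, "203.0.113.7", 443),
    Flow(90.0, 0.3, 2_000, "203.0.113.7", 443),
    Flow(95.0, 20.0, 50_000, "203.0.113.7", 443),
    Flow(3.0, 1.0, 500, "198.51.100.9", 80),
]

if __name__ == "__main__":
    for peer, sig in signatures(SAMPLE_FLOWS).items():
        print(peer, sig)
```

Running it gives `j,j,k,k,A` for the beaconing peer: the letter switches from `j` to `k` once a second pause confirms the 30 s rhythm, and the final large, long, off-schedule flow lands on a completely different letter. Whatever the real alphabet turns out to be, the questions this toy raises (what a "pause" is measured between, what to emit for the first flow, whether the port is part of the key) are the ones the client plugin must answer identically to Argus, or the public models will not apply.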
How we would adapt it to our needs:
- Create a plugin in ucollect that builds the flows and converts them into signatures.
- Send the signatures to the server and store them in the database.
- Run the analysis on our server by feeding a dump of the database to the original Stratosphere software.
The tasks we need to perform:
- #60 (closed) Research: we need to look up the exact parameters of the flows (e.g. at what times they are split, how corner cases are handled). We need to match Argus (the flow capture software used in the original Stratosphere) as closely as possible so we can reuse the models. Different flow parameters wouldn't stop the analysis from working, but the models would be incompatible.
- #61 (closed) Write the client side. This can be partially inspired by the already existing flow plugin, which is similar in some parts (it gathers flows and does something with them). The open question is how far we want to go in reusing the code and moving it to some shared place, but some reuse is probably a good idea.
- #62 (closed) Write the server side. This is likely just putting the signatures into the DB as they arrive and adjusting the other support scripts (e.g. deletion of old data from the DB, archiving).
- #63 (closed) Integrate the Stratosphere analyser. This is likely just dumping the data from the DB, converting it to the right format and running it from some kind of cron job, at least at the start. We may want a nice web interface afterwards, though.