NetWitness Investigator – Awesome Network Intelligence!

After setting up an incident response system based on @arcsight and @encase last week, I’ve been looking for new input sources for ArcSight ESM. Thanks to Twitter, @rockyd suggested I should add NetWitness.

And that was the moment I found the most impressive network forensics tool ever. It takes a radically new approach to raw traffic analysis: it recomposes all the network sessions and presents an array of nouns, verbs and adjectives related to the captured data.

Forget the pain of going through the hex representation of packets or of manually correlating packets and sessions. Once the data file has been loaded you have full access to all attributes of the captured data, from layer 1 to layer 7. And they mean it!

I loaded a 20k-packet capture previously recorded with tcpdump and I was absolutely blown away:

In 10 seconds I was able to reconstruct all kinds of TCP sessions, from dropped spam mail (displayed as a formatted email) to IM (shown as a conversation) and even Twitter updates. You can run reports on passwords, login names, URLs, login actions (failed / successful), etc., whatever criteria cross your mind… I’ve even checked some suspicious SNMP scans.

Overall, this is the coolest tool I’ve seen in a very long time. It’s like the Matrix scene where Neo gets to see the Matrix itself, beyond the VR / Agent Smith. 🙂 NetWitness Investigator gives you the ability to extract intelligence from raw network packets in a second.

I highly recommend first watching the 4 short introductory videos on the NetWitness YouTube channel, because they reveal a lot of tips & tricks on how to use the GUI to get where you want.

NetWitness Investigator is available as a free download, but if you like this tool and need advanced features like capturing and analyzing remote traffic, I highly recommend taking a look at NextGen, NetWitness’ enterprise network forensics solution.


5 Responses to “NetWitness Investigator – Awesome Network Intelligence!”

  • 1
    July 7th, 2009 02:56

    I work both with ArcSight and EnCase – could you expand on the integration you managed to achieve using both tools? Have you used EE? What kind of automation (if any) were you able to achieve, and what other integration regarding IR do you recommend in ArcSight?

  • 2
    Dragos Lungu
    July 10th, 2009 11:15

    Hi John,

    By installing Guidance Software’s Information Assurance on top of EnCase Enterprise, I had access to A.I.R.S (Automated Incident Response Solution) to do on-demand snapshots of systems running the EnCase servlet.

    Then I defined a custom data source for AIRS in which to look for IPs to be polled, and the next thing was to get ArcSight to insert IP addresses into that database. Not very complicated, but it works very well.

    So now I have a new tool defined in ArcSight Console which sends the highlighted cell (must be an IP) to EnCase for a forensic snapshot. The same can be used in a correlation rule. However, the analyst has to look in the AIRS console to see the snapshot details… I couldn’t find a way to get data back into ArcSight, but I think it’s doable. (My goal was to set up a demo incident response architecture for an event.)

    As for new sources of information to be sent to ArcSight, I’m looking forward to working with NetWitness (I think an SNMP flex connector is needed).

    Let me know if you want to go any further with the EnCase / ArcSight integration.

  • 3
    July 14th, 2009 07:08

    Hi Dragos

    You can send an SNMP trap or Syslog message from NetWitness Informer to ArcSight with alert details. The SIEM link allows you to view events from ArcSight, an IDS/IPS or other security device in NetWitness Investigator. Basically you are taking a date time group and a source and destination IP and running that as a query in Investigator to show ALL sessions between those hosts over a predefined time period: 10 minutes, 10 hours, 10 days, whatever you like depending on how long you are storing sessions for.
    I have sent you a white paper on SIEM link for your info.
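The two ideas this page keeps coming back to, recomposing raw segments into sessions and then reporting on the metadata of those sessions (URLs, login names, login outcome), and the SIEM-link pivot described in the comment above (alert time plus a host pair, expanded to every session between those hosts in a time window), can be shown in a few dozen lines. The script below is an added example written for this page; it is not NetWitness code and not part of the original post. The packets, IP addresses, hostname and timestamps are constructed inline; the `Segment` and `Session` types and the metadata field names (`url`, `login.user`, `login.result`) are this example's own naming, chosen to resemble what an investigator's metadata index looks like.

```python
"""Reassemble TCP sessions from segments, index investigator-style metadata,
and pivot from an alert (time + host pair) to every session between those hosts.
Added example for this page; all packet data below is constructed, not captured."""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Segment:
    ts: float      # capture time, epoch seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int       # TCP sequence number of the first payload byte
    payload: bytes


@dataclass
class Session:
    client: tuple  # (ip, port) of the side that spoke first
    server: tuple
    first_ts: float
    last_ts: float
    # segments per direction: True = client->server, False = server->client
    segs: dict = field(default_factory=lambda: defaultdict(list))

    def stream(self, to_server: bool) -> bytes:
        """Rebuild one direction: order by seq, drop retransmitted/overlapping bytes."""
        out, expected = bytearray(), None
        for seq, data in sorted(self.segs[to_server]):
            if expected is not None and seq < expected:
                data = data[expected - seq:]   # bytes already seen (retransmission)
                seq = expected
            if not data:
                continue
            out += data
            expected = seq + len(data)
        return bytes(out)


def reassemble(segments):
    """Group segments into bidirectional sessions keyed on the two endpoints."""
    sessions = {}
    for seg in sorted(segments, key=lambda s: s.ts):
        a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
        key = frozenset((a, b))
        if key not in sessions:
            sessions[key] = Session(client=a, server=b, first_ts=seg.ts, last_ts=seg.ts)
        s = sessions[key]
        s.last_ts = max(s.last_ts, seg.ts)
        s.segs[a == s.client].append((seg.seq, seg.payload))
    return list(sessions.values())


HTTP_REQ = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]\r\n", re.M)
HTTP_HOST = re.compile(r"^Host: (\S+)\r\n", re.M)
FTP_USER = re.compile(r"^USER (\S+)\r\n", re.M)
FTP_RESULT = re.compile(r"^(230|530) ", re.M)   # 230 = logged in, 530 = rejected


def extract_meta(session):
    """Return {field: [values]}, a minimal investigator-style metadata record."""
    meta = defaultdict(list)
    c2s = session.stream(True).decode("latin-1")
    s2c = session.stream(False).decode("latin-1")
    meta["ip.src"].append(session.client[0])
    meta["ip.dst"].append(session.server[0])
    meta["tcp.dstport"].append(session.server[1])
    if session.server[1] == 80:
        host = HTTP_HOST.search(c2s)
        host = host.group(1) if host else session.server[0]
        for method, path in HTTP_REQ.findall(c2s):
            meta["action"].append(method.lower())
            meta["url"].append(f"http://{host}{path}")
    elif session.server[1] == 21:
        # Record who tried to log in and whether the server accepted it;
        # the cleartext password is in c2s too, but is deliberately not indexed.
        meta["login.user"].extend(FTP_USER.findall(c2s))
        meta["login.result"].extend(
            "success" if code == "230" else "failed" for code in FTP_RESULT.findall(s2c))
    return dict(meta)


def sessions_between(sessions, ip_a, ip_b, alert_ts, window_s):
    """SIEM-link style pivot: all sessions between two hosts overlapping alert_ts +/- window."""
    lo, hi = alert_ts - window_s, alert_ts + window_s
    hosts = {ip_a, ip_b}
    return [s for s in sessions
            if {s.client[0], s.server[0]} == hosts and s.first_ts <= hi and s.last_ts >= lo]


# Constructed sample traffic (not a real capture). The HTTP request arrives out of
# order and with one retransmitted segment; the FTP login fails once, then succeeds.
T = 1_246_960_000.0   # constructed epoch timestamp
SAMPLE = [
    Segment(T + 0.0, "10.0.0.5", 51000, "192.0.2.10", 80, 1000, b"GET /login HTTP/1.1\r\n"),
    Segment(T + 0.2, "10.0.0.5", 51000, "192.0.2.10", 80, 1021, b"Host: intranet.example\r\n\r\n"),
    Segment(T + 0.1, "10.0.0.5", 51000, "192.0.2.10", 80, 1000, b"GET /login HTTP/1.1\r\n"),
    Segment(T + 0.3, "192.0.2.10", 80, "10.0.0.5", 51000, 5000, b"HTTP/1.1 200 OK\r\n\r\n"),
    Segment(T + 60.0, "10.0.0.5", 51002, "192.0.2.10", 21, 1, b"USER admin\r\nPASS hunter2\r\n"),
    Segment(T + 60.1, "192.0.2.10", 21, "10.0.0.5", 51002, 1, b"530 Login incorrect.\r\n"),
    Segment(T + 61.0, "10.0.0.5", 51002, "192.0.2.10", 21, 27, b"USER admin\r\nPASS Sup3r!\r\n"),
    Segment(T + 61.1, "192.0.2.10", 21, "10.0.0.5", 51002, 23, b"230 Login successful.\r\n"),
    Segment(T + 7200.0, "10.0.0.7", 40000, "192.0.2.10", 80, 1, b"GET /status HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    all_sessions = reassemble(SAMPLE)
    for s in all_sessions:
        print(extract_meta(s))
    # Pivot from a constructed alert at T+60 about 10.0.0.5 <-> 192.0.2.10, 10-minute window
    for s in sessions_between(all_sessions, "10.0.0.5", "192.0.2.10", T + 60.0, 600):
        print("pivot hit:", s.client, "->", s.server, "at", s.first_ts)
```

The reassembler deliberately keeps only the first copy of any byte range, which is what makes the retransmitted `GET` line collapse into a single request; a real tool also has to handle gaps, resets and the three-way handshake, which are left out here. The pivot treats the two IPs as an unordered pair and uses interval overlap rather than a point-in-time match, so a long-lived session that started before the alert still shows up.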


  • 4
    NetWitness releases NextGen version 9.0 | Dragos Lungu Dot Com
    November 6th, 2009 06:29

    […] It's been a long time since my last post and if I look back at it, I was writing about NetWitness. […]

  • 5
    New NetWitness Visualize : Welcome To The Future! | Dragos Lungu Dot Com
    July 20th, 2010 09:25

    […] have already written about how awesome NetWitness is so I won't repeat what I said in this NetWitness review; instead I would like to present you the most advanced network traffic visualization system […]
