Port Independent Protocol Detection

Our heavy-duty PCAP analyzer CapLoader comes with a feature called ”Port Independent Protocol Identification”, a.k.a. PIPI (see Richard Bejtlich's PIPI blog post from 2006). Academic research in the Traffic Measurement field often use the term ”Traffic Classification”, which is similar but not the same thing. Traffic Classification normally group network traffic in broad classes, such as Email, Web, Chat or VoIP. CapLoader, on the other hand, identifies the actual application layer protocol used in each flow. So instead of classifying a flow as ”VoIP” CapLoader will tell you if the flow carries SIP, Skype, RTP or MGCP traffic. This approach is also known as “Dynamic Protocol Detection”.

Being able to identify application layer protocols without relying on the TCP or UDP port number is crucial when analyzing malicious traffic, such as malware Command-and-Control (C2) communication, covert backdoors and rouge servers, since such communication often use services on non-standard ports. Some common examples are:

• Many botnet C2 protocols communicate over port TCP 443, but using a proprietary protocol rather than HTTP over SSL.
• Backdoors on hacked computers and network devices typically wither run a standard service like SSH on a port other than 22 in order to hide.
• More advanced backdoors use port knocking to run a proprietary C2 protocol on a standard port (SYNful knock runs on TCP 80).

This means that by analyzing network traffic for port-protocol anomalies, like an outgoing TCP connection to TCP 443 that isn't SSL, you can effectively detect intrusions without having IDS signatures for all C2 protocols. This analysis technique is often used when performing Rinse-Repeat Intrusion Detection, which is a blacklist-free approach for identifying intrusions and other form of malicious network traffic. With CapLoader one can simply apply a BPF filter like “port 443” and scroll through the displayed flows to make sure they are all say “SSL” in the Protocol column.

Statistical Analysis

CapLoader relies on statistical analysis of each TCP, UDP and SCTP session's behavior in order to compare it to previously computed statistical models for known protocols. These statistical models are generated using a multitude of metrics, such as inter-packet delays, packet sizes and payload data. The port number is, on the other hand, a parameter that is intentionally not used by CapLoader to determine the application layer protocol.

The PIPI/Dynamic Protocol Detection feature in CapLoader has been designed to detect even encrypted and obfuscated binary protocols, such as Tor and Encrypted BitTorrent (MSE). These protocols are designed in order to deceive protocol detection mechanisms, and traditional signature based protocol detection algorithms can't reliably detect them. The statistical approach employed by CapLoader can, on the other hand, actually detect even these highly obfuscated protocols. It is, however, important to note that being a statistical method it will never be 100% accurate. Analysts should therefore not take for granted that a flow is using the protocol stated by CapLoader. There are some situations when it is very difficult to accurately classify an encrypted protocol, such as when the first part of a TCP session is missing in the analyzed data. This can occur when there is an ongoing session that was established before the packet capture was started.

Identified Protocols

The following protocols are currently available for detection in CapLoader's protocol database:

AOL Instant Messenger

BACnet

BitTorrent

BitTorrent Encrypted - MSE

CCCam

CUPS

DAYTIME

DHCP

DHCPv6

Diameter

DirectConnect

DNS

Dockster

DropBox LSP

eDonkey

eDonkey Obfuscated

EtherNet-IP

FTP

Gh0st RAT

Gnutella

Groove LAN DPP

HSRP

HTTP

IMAP

IRC

ISAKMP

iSCSI

JavaRMI

Kelihos

Kerberos

L2TP

LDAP

LLC

Meterpreter

MgCam

MGCP

MikroTik NDP

Modbus TCP

MSN Messenger

MS RPC

MS-SQL

MySQL

NAT-PMP

NetBIOS Datagram Service

NetBIOS Name Service

NetBIOS Session Service

NetFlow

NTP

OsCam

Pcap-over-IP

Poison Ivy RAT

POP3

QUIC

Ramnit

Reverse Shell

RTCP

RTP

RTSP

Shell

SIP

Skype

SLP

SMTP

SNMP

Socks

SopCast P2P

Spotify P2P

Spotify Server

SSH

SSL

Syslog

TeamViewer

TeamViewer UDP

Telnet

Teredo

TFTP

TFTP Data

TPKT

VNC

WS-Discovery

XMPP Jabber

ZeroAccess

Zeus TCP

Zeus UDP

The list of implemented protocols is constantly being increased with new protocols.

PIPI in NetworkMiner

NetworkMiner Professional, which is the commercial version of NetworkMiner, also comes with an implementation of our protocol detection mechanism. Even though NetworkMiner Professional doesn't detect as many protocols as CapLoader, the PIPI feature built into NetworkMiner Pro still helps a lot when analyzing HTTP traffic on ports other that 80 or 8080 as well as in order to reassemble files downloaded from FTP or TFTP servers running on non-standard ports.

Posted by Erik Hjelmvik on Tuesday, 06 October 2015 09:05:00 (UTC/GMT)

Tags: #Protocol Identification​ #CapLoader​ #VoIP​ #SIP​ #RTP​ #TOR​ #SSL​ #PIPI​ #PCAP​ #NetworkMiner​