Stethoscope | Network analyzer

Overview

Network administrators and many users face the task of identifying network problems and controlling network activity almost daily. Recording, indexing and sorting traffic, identifying root causes of errors, and analyzing network vulnerabilities and network activity may take weeks or even months. SSECline presents Stethoscope, a user-friendly and intuitive tool for analyzing network interactions and controlling users' network activity on the internet.

Stethoscope works by monitoring traffic, recording it to disk and then analyzing the data. The analyzers dynamically identify protocols, decrypt content, extract session metadata and pass the collected data to the indexer. The indexer writes session information to the database, where it is available to the user through a dedicated control and monitoring console.

Potential users of the Stethoscope software for control and analysis of network activity:

  • Teams responsible for network security and investigation of network incidents;
  • Companies interested in controlling their employees’ internet activity with a network interaction analyzer that, among other things, allows controlling email (SMTP/POP3/IMAP);
  • Network administrators who track network activity of operating systems and programs;
  • Parents interested in what their children do on the internet;
  • Advanced users wishing to control their traffic.

Stethoscope Free is a free software analyzer (x86/AMD64) for controlling the network traffic of LAN and internet PCs. All traffic is saved and indexed for historical or real-time analysis, including real-time analysis of data accumulated on disk and in the database. Geolocation and identification of numerous application-level protocols are supported. A flexible filtering system over the traffic statistics lets the user query the accumulated data by different attributes and investigate network anomalies.

Traffic Recording

Network activity is controlled as follows. Stethoscope records and analyzes network traffic, including recording of open SSL/TLS traffic. The program can record either all network traffic or only the traffic that matches the user’s requirements. Additionally, the application indexes the recorded traffic by individual parameters to simplify searching across the accumulated data.

Stethoscope can intercept traffic using three different methods:

  • Outside the client machine, by configuring a proxy on every client machine. Encrypted (SSL/TLS) traffic is analyzed by adding the root certificate to the client machine's browser and routing traffic via the analyzing server;
  • Outside the client machine, by routing at the router. As in the first option, encrypted (SSL/TLS) traffic is analyzed using the same method, but traffic is routed using special settings of the router firmware, so the proxy server does not have to be configured on each machine;
  • Directly on the client machine, using a traffic processor integrated into the machine's network stack to obtain public data; encrypted (SSL/TLS) traffic is not analyzed in this case.

After intercepting sessions and saving the network traffic to disk, the program processes the data and displays session information in the control and monitoring console. The console supports static and dynamic modes. In dynamic mode, the user is automatically shown new data on the interactions of users, hosts and operating system processes in near real time.

Statistics

Analysis of network interactions is required to identify and solve network issues and to debug web applications, network programs or sites. The program allows identifying potential vulnerabilities and anomalies in the system and their root causes, investigating network incidents, and controlling users’ network activity on the internet, all in a user-friendly and intuitive interface. To do this, the network traffic recorded by the program is analyzed and statistics are collected over the accumulated data. Network interactions can therefore be analyzed retrospectively for any period.

For example, if your accountant's host has had 100 contacts with other hosts within the previous hour, it may indicate the presence of a virus scanning the network, an incorrect network configuration, or an employee who is not busy working.
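
The fan-out check from the accountant example, written out as an added illustration (this is not Stethoscope code): it counts the distinct hosts each source contacts within a sliding one-hour window. The record layout (timestamp, source, destination), the addresses and the function names are assumptions, and the sample sessions are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample():
    """Constructed session records: (timestamp, source host, destination host)."""
    base = datetime(2018, 4, 11, 9, 0, 0)
    rows = []
    # 10.0.0.7 (the "accountant" host) reaches 120 distinct peers in 40 minutes.
    for i in range(120):
        rows.append((base + timedelta(seconds=20 * i), "10.0.0.7", f"10.0.1.{i + 1}"))
    # 10.0.0.8 talks to the same three servers repeatedly for two hours.
    for i in range(240):
        rows.append((base + timedelta(seconds=30 * i), "10.0.0.8", f"10.0.2.{i % 3 + 1}"))
    return sorted(rows)


def fan_out_alerts(sessions, threshold=100, window=timedelta(hours=1)):
    """Return {source: peak distinct-peer count} for every source that contacted
    at least `threshold` distinct hosts inside any sliding `window`.
    `sessions` must be sorted by timestamp."""
    recent = defaultdict(deque)                      # src -> (ts, dst) still in window
    counts = defaultdict(lambda: defaultdict(int))   # src -> dst -> sessions in window
    peaks = {}
    for ts, src, dst in sessions:
        queue, per_dst = recent[src], counts[src]
        queue.append((ts, dst))
        per_dst[dst] += 1
        # Evict sessions that have fallen out of the window for this source.
        while ts - queue[0][0] > window:
            _, old_dst = queue.popleft()
            per_dst[old_dst] -= 1
            if per_dst[old_dst] == 0:
                del per_dst[old_dst]
        if len(per_dst) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(per_dst))
    return peaks


if __name__ == "__main__":
    for host, peers in fan_out_alerts(make_sample()).items():
        print(f"{host}: {peers} distinct hosts contacted within one hour")
```

A hit only says the host is worth a look; as the text notes, the cause may be malware, a misconfiguration or ordinary user behaviour.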

The program provides a full picture of network flows and gives numerous options for searching, sorting and filtering the data. For example, the recorded network traffic can be filtered by packets, bytes, sessions, etc., depending on the criteria selected by the user.

Stethoscope assists in controlling traffic in your network regardless of the user group you belong to. Stethoscope supports the PCAP format. If your organization already uses PCAP products, you do not have to abandon your existing work.

Content analysis

Stethoscope also allows analyzing content and configuring a flexible blocking and prohibition system to prevent information leaks or, for example, unintended use of work time by employees. The program allows blocking mail, web messaging, specific web content or viruses using pre-set filters. The application saves objects such as emails, files and queries for further content analysis. Content can be searched by keywords (for example, “CV” in the header of an employee’s email may indicate that he or she is looking for a new job).

Near-term plans include developing functionality for automatic identification of breaches of corporate information security policies.

Stethoscope Free

A fully functional working version of the program for personal use that solves the basic tasks of controlling and analyzing network activity.

Version history

    04/11/2018 1.5.6
      - Low values are now more noticeable on the gross graph;
      - Detailed descriptions of the errors displayed to the user have been added;
      - Keyboard control in the session content display area has been added;
      . . .
    01/31/2018 1.5.5
      - Filtering of network sessions by DNS node names has been added;
      - Search in the network session content window has been added;
      - Multiple selection of network sessions for export to a file has been added;
      . . .
    10/13/2017 1.5.4
      - Viewing session data directly in the Console has been added;
      - Exporting the displayed session data, with all session data obtained in advance, has been added;
      - Current status indication for the indexing and saving services and for the application server has been added;
      . . .