how to sandbox and analyse traffic by firewall

Question

I read Palo Alto Wildfire product. There its said:

WildFire, which provides the ability to identify malicious behaviors in executable files by running them in a virtual environment and observing their behaviors

I didn't how i can programmatically analyse this malware behavior.
[update] My confusion is how can firewall analyse a live traffic by putting it in virtual encironment and executing it! say if some is exploting pdf vulnerability. How can a firewall programmatically analyse that?

not sure what you are confused about please revise your question — pyCthon, Oct 03 '12 at 04:41
I think it is a valid question, although a very vague one. However, in my humble opinion it is off topic here, because it is not a coding question. — Stefan Steinegger, Oct 03 '12 at 06:46

score 0 · Answer 1 · edited Apr 13 '17 at 12:13

0

The company probably won't tell you how they do it but a naive guess is that they some how use the firewall to first send files to the Virtual machine, tests them and then sends it to the end user. So the firewall itself is most likely not programmatically analyzing anything.

update

network monitoring tools for linux

edited Apr 13 '17 at 12:13

Community

1
1

answered Oct 03 '12 at 04:47

pyCthon

11,746
20
73
135

that my point .. how can you test a live traffic? definitely no manual intervention is there. – ashmish2 Oct 03 '12 at 04:54
well on linux you have logs files all over the place, you have the `netstat` command there are plenty of ways to analyze traffic, and `man netstat` there are probably more I am unaware of that others can answer – pyCthon Oct 03 '12 at 04:56
ya but knowing traffic will be effective if you know what you are searching for (signature) what they are claiming is that using this they can detect 0 day threats – ashmish2 Oct 03 '12 at 05:21
1

signature and other similar identification methods are developed first by establishing that session x produced file y, which was only supposed to perform task z on machine. However, it was also doing a, b and c and hence is malicious. If you identified a way to classify session x, you would start say blocking more instances of x. – fkl Oct 03 '12 at 06:02

fkl · Accepted Answer · 2012-10-03T05:40:04.667

To understand these kind of products you need to first recognize the behavior of malwares and other similar software. Usually they claim to be something else and upon execution start performing tasks not matching the standard behavior of similar applications.

Modern firewall products have code which tracks the activities performed by a downloaded executable.

For example your firewall detected a session of say an application which copies an executable on your system which claims to be a media player. They attempt to detect complete L7 i.e. identifying which application is being used and which file it copied. Then they run the received file on test machines.

The firewall also monitors the virtual machine for abnormal behaviors. Such as the received player trying to copy a lot of files on its own, or read other information from disk etc. or starts writing to the file system of machine, or starts openings sockets to send data back some where. None of this is expected to be done by a standard program of that type. This level of products have a generic programmed frame work which defines types of actions valid for a list of received application types. If they perform a behavior beyond that list, it is termed suspicious.

Details of these are in the domain of Intrusion detection (IDS/IPS).

To sum up the key here is not merely dissecting real time traffic. But also upon completion of a session, monitoring the activities performed by a downloaded program.

Lastly, once an identified application is flagged malicious, manual as well as automated mechanisms are used to be able to identify traffic of that kind. This is where signatures, connection patterns, payload lengths and other factors come in place. Snort is one example tool to define such rules and there are many others.

Once you establish a criteria such as this media player looking malicious software actually has a pattern y in 90% of the cases, they start blocking traffic right away for that particular session

thanks @fayyazkl .. that made a lot of sense... that also means traffic is aloud at that time but when it is declared suspicious.. further action is taken. Right? Also, how firewall will have a database to known application and there functionality because how can a firewall know what an unknown application is supposed to do. Right? — ashmish2, Oct 05 '12 at 16:37
@ashmish2 Yeah that is correct. But the truth is, for the companies who take this as their primary jobs i.e. the likes of Symantec and many others, they usually are one step ahead. Chances are that before some malicious code reaches your machine, they probably have studied and devised a detection mechanism already (of course by first allowing and running that traffic on their sandbox machines). So the product offering you are using from them, chances are that it is already updated with definitions. So a user being attacked gets the feeling that they were protected on the fly. — fkl, Oct 05 '12 at 18:46

how to sandbox and analyse traffic by firewall

2 Answers2