WHAT IS THE CAPS SOFTWARE PACKAGE?
It is a Java application that processes Snort alerts (extendible to other alert formats), anonymizes and aggregates the alerts on your local system, and pushes the results through a TLS-over-Tor circuit to our Cyber-TA repository.
DOES CAPS REQUIRE ROOT?
Snort requires temporary root access to operate the interface in promiscuous mode, but our CAPS package does not require root.
DOES CAPS COLLECT PACKET CONTENT?
No. Our instructions specify that you run Snort 2.6+ with the -N option, which prevents Snort from storing packet content. Our local deployments use the "Registered Free" ruleset from snort.org. Snort alerts do not contain packet content, but they do report standard packet header attributes, such as IP addresses and ports. CAPS aggregates the Snort log, produces an incident summary, and stringently anonymizes the fields to remove site-local linking information (discussed next). No data content from packets is stored or reported by Snort or seen by CAPS.
HOW WILL THE DATA BE SANITIZED?
Our current sanitization policy is intended to defeat passive network sniffing attacks and to prevent repository browsing attacks that reveal the source identity of inserted database entries (i.e., your alerts are delivered anonymously, and we remove or anonymize alert content that may be linkable back to your site). We intend to red team these privacy assertions to determine potential methods of defeating them, and to use our findings to improve or develop new countermeasures as needed. We employ the following default data sanitization policy. This policy is locally configurable.
- Non-HOME_NET IP addresses: prefix preserved, or LAN-masked octet blocking
- HOME_NET addresses: HMAC with local keys
- Port rounding policy:
  - TCP/UDP ports 0-1023: raw
  - TCP/UDP ports 1024-1099: 2000
  - TCP/UDP ports 2000-65535: mod 1000
- Timestamps: 1 minute rounding
- Protocol field: raw
- Event ID: Snort SID
- Observer: Snort 2.6+ with Registered Free ruleset
- AuthorID: locally unique for each deployment, and not stored by or known to the repository/operators
- Auto rotation of keys and AuthorIDs: not yet available
- Alert aggregation: enabled (same source / same SID)
- Delivery protocol: TLS over Tor onion routing
- Alert distribution policy:
  - Repository count: single repository
  - Repository site: Cyber-TA Threat Operations Center
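As an added illustration, not code from CAPS or the Cyber-TA project, the default policy above applied in Python to a few constructed alert tuples: keyed HMAC for HOME_NET addresses, prefix-preserving masking for everything else, port and timestamp rounding, and aggregation by (same source, same SID). The HOME_NET range, the local key, the /24 masking granularity, the handling of ports 1100-1999 and the reading of "mod 1000" as rounding down are assumptions.

```python
import hashlib
import hmac
import ipaddress
from collections import Counter

# Constructed sample alerts, not captured traffic:
# (timestamp, Snort SID, proto, src, sport, dst, dport)
SAMPLE_ALERTS = [
    ("2007-03-01 10:14:37", 1234, "TCP", "203.0.113.7", 44211, "10.1.2.3", 22),
    ("2007-03-01 10:14:51", 1234, "TCP", "203.0.113.7", 44212, "10.1.2.3", 22),
    ("2007-03-01 10:15:02", 2003, "UDP", "198.51.100.9", 1050, "10.1.2.9", 53),
]
HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed site HOME_NET
LOCAL_KEY = b"constructed-site-local-key"       # stays on the local system, never sent

def anonymize_ip(ip, key=LOCAL_KEY, home_net=HOME_NET):
    addr = ipaddress.ip_address(ip)
    if addr in home_net:
        # HOME_NET: keyed HMAC, consistent within a site, unlinkable without the key
        return "h:" + hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:16]
    # Non-HOME_NET: prefix preserved, host octet masked (assumed /24 granularity)
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)

def round_port(port):
    if port <= 1023:
        return port              # well-known ports are reported raw
    if port < 2000:
        return 2000              # page's 1024-1099 bucket; 1100-1999 folded in (assumption)
    return port - port % 1000    # "mod 1000" read as rounding down to the nearest 1000 (assumption)

def round_timestamp(ts):
    return ts[:16]               # keep "YYYY-MM-DD HH:MM": 1-minute granularity

def sanitize(alert):
    ts, sid, proto, src, sport, dst, dport = alert
    return (round_timestamp(ts), sid, proto, anonymize_ip(src), round_port(sport),
            anonymize_ip(dst), round_port(dport))

def incident_summary(alerts=SAMPLE_ALERTS):
    """Aggregate sanitized alerts by (same source, same SID) into an incident count."""
    counts = Counter((a[3], a[1]) for a in map(sanitize, alerts))
    return dict(counts)

if __name__ == "__main__":
    for row in map(sanitize, SAMPLE_ALERTS):
        print(row)
    print(incident_summary())
```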
WHAT NETWORK CONNECTIONS DOES CAPS MAKE?
CAPS establishes a TLS-over-Tor circuit for data delivery purposes. It thus communicates with Tor nodes to obtain Tor directory information or to establish the Tor circuit. It does not establish any other network connections.
CAN I INSPECT THE SOURCE CODE?
Absolutely. The entire Cyber-TA alert publication source base, including CAPS, the repository, and the web portal applications, is released as BSD open source. Our source code is documented, and we can answer developers' questions through cta-support@csl.sri.com.
WHERE WILL THE DATA BE SENT?
All CAPS incident reports are delivered to the Cyber-TA repository.
WHO WILL SEE THE DATA?
The data will be available to the Cyber-TA consortium partners to conduct research on data privacy and malware defense. The data may also be shared with other researchers in these communities.
HOW WILL THE DATA BE USED?
Research purposes only. The overall Cyber-TA project objective is to develop technologies that enable privacy-preserving collaborative threat reconnaissance (and mitigation). Maintaining contributor privacy and security is a core element of our work.
WHERE SHOULD CAPS BE PLACED?
This prototype release is intended for small-scale deployments of Snort, monitoring egress points of <= 100Mbps networks.
WILL THERE BE UPGRADES OR IMPROVEMENTS?
Yes. As our project progresses we will provide improvements that will enable more efficient data transport performance, enhance contributor security and privacy (as needed), and enhance our large-scale attack detection capabilities.