DeepProbe Surveillance Modules
Flexible and extensible to serve evolving surveillance needs!
DeepProbe intercept functionality is provided through innovative Surveillance Modules. To the user, Surveillance Modules (SMs) are a series of well-defined, secure ASN.1 commands, each designed for a specific surveillance technique. For example, there are SMs for discovering webmail traffic, user-ID logins (e.g., RADIUS or DHCP), and VoIP traffic. These are termed "application-level" SMs, since they deal with specific target applications and usages. Some application-level SMs, such as Webmail and IM/Chat, use plugins, including third-party Custom PlugIns (CPIs), to support new or proprietary services. Other SMs monitor more generic flows (sessions) based on specific packet-header or content characteristics. These are termed "protocol-level" SMs, since they require the user to be somewhat knowledgeable about specific packet-header and/or content values. SMs have up to three logical components:
SMs are configured through a set of secure (SSL-authenticated and/or encrypted), reliable (TCP), ASN.1-formatted commands. Once targets are discovered, DeepProbe SMs can deliver varying amounts of intercepted information: the complete application flow with related content such as attachments, a summary of the content, or just the application session events/IPDRs. DeepProbe also incorporates reconstruction logic that delivers only pertinent information when monitoring complex applications such as webmail and IM/chat, significantly reducing the processing required by the monitoring, data retention, and analytic systems. SM delivery of collected data shares the same security and reliability features as SM configuration and adds a failover mechanism. DeepProbe systems can run numerous SMs concurrently.
Extensible, for Custom and Proprietary Application Monitoring
IP Fabrics' Custom Plugin™ (CPI) architecture allows third parties to build additional custom/proprietary plugin decoders that supplement the IP Fabrics plugins. The IP Fabrics CPI SDK lets developers reuse key DeepProbe capabilities, such as provisioning, delivery, logging, and HTTP dechunking and compression.
The Webmail SM provides application-level intercept and reconstruction of popular webmail services, including Hotmail, Yahoo, Maktoob, and Facebook.com. The SM can intercept a specific user's webmail activity or collect data from all webmail activity. The Webmail SM also supports an optional Scan Schema plugin to allow content scanning of collected webmail data. Webmail SM filters can specify the webmail service, the email address (user), To/From/both, and folder reads (e.g., inbox, drafts). Intercept options include delivering the full email with attachments, the email without attachments, a summary only, events/IPDRs, and others. Lastly, the Webmail SM incorporates reconstruction logic that delivers only pertinent information in a standardized manner: emails are converted to RFC 822 format, folder reads are summarized, and attachments are delivered as a byte stream with associated information (e.g., file name, application). This eliminates the need for mediation or monitoring systems to decode and reconstruct the various webmail service protocols and formats. Users can also develop Webmail SM CPIs for custom/proprietary webmail services. The following is a summary of the Webmail SM:
IM/Chat SM and Service Plugins
This SM discovers and collects data based on IM/chat activity. Data can be collected for all IM/chat activity or only for a specific subject's username. Delivered traffic can be limited to key IM/chat events or can be the full IM/chat session, including (when possible) advanced features such as audio, video, and file sharing. Output is formatted using XMPP (RFC 3920/3921) for IM/chat text and presence information, video, files, summary information, and events. Initial service plugins include MS Live, Yahoo Messenger, Twitter, ICQ/ICQ2Go!, Paltalk, and Facebook. Users can also develop IM/Chat SM CPIs for custom/proprietary IM/chat services.
Email Traffic SM: SMTP, POP3, and IMAP4-based Email Discovery and Data Collection
This SM discovers and collects data based on email activity. Monitored traffic can be all email, or can be narrowed to localname@domainname, localname (at any domain), or @domainname (any localname at this domain). Additionally, targets can be specified by direction: to (including cc and bcc), from, or both. Options for delivered traffic include the email session events, the full email with attachments, and others.
VoIP Traffic SM: SIP-Based VoIP Discovery and Data Collection
This SM discovers and collects data on VoIP calls that use the SIP signaling protocol. Monitored traffic can be all SIP VoIP activity, or can be narrowed to: user@host, user@IPv4/IPv6 address, phone_number@host, host, phone_number@IPv4/IPv6 address, tel:phone_number, hostname, or IPv4/IPv6 address. Options for delivered traffic include the pertinent signaling (SIP and dialed digits), the RTP packets, and others.
IP Traffic Surveillance Module
The IP Traffic SM intercepts traffic based on IP address, protocol, and layer-4 port, including support for IPv4, IPv6, subnets, and dynamic addresses. Dynamic IP addresses can be discovered via RADIUS (username, NAS port) and DHCP (MAC, option 61, option 82), and addresses are tracked through potential reassignments. Layer-4 ports can be specified as single ports, ranges, sets, or "not" conditions. IP Traffic SM intercept options include delivering the captured packets or just events.
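The matching logic described above can be shown end to end: a layer-4 port specification (single ports, ranges, sets, and a "not" condition), IPv4/IPv6 subnet targets, and dynamic addresses learned from RADIUS accounting and DHCP events and tracked through a reassignment. This is an added example, not IP Fabrics' DeepProbe code; the port-spec syntax, the event dictionaries, and the identity tuples are assumptions made here, and the event stream is constructed.

```python
"""Added example, not IP Fabrics code: IP Traffic SM style filtering with
dynamic addresses learned from RADIUS accounting and DHCP events.
The port-spec syntax and the event layouts are assumptions."""
import ipaddress


def parse_port_spec(spec: str):
    """Assumed syntax: comma-separated ports or lo-hi ranges, with a leading
    '!' negating the whole set ('22,80,8000-8100', '!25').
    Returns a predicate over one port number."""
    spec = spec.strip()
    negate = spec.startswith("!")
    ranges = []
    for item in spec.lstrip("!").split(","):
        lo, _, hi = item.strip().partition("-")
        lo, hi = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port item {item!r}")
        ranges.append((lo, hi))
    return lambda port: any(lo <= port <= hi for lo, hi in ranges) != negate


class DynamicAddressTracker:
    """Maps subscriber identities to the IP currently assigned to them.
    Identities are tuples such as ('radius-user', name), ('nas-port', n),
    ('mac', hwaddr), ('dhcp-opt61', client_id), ('dhcp-opt82', circuit)."""

    def __init__(self):
        self.ip_to_ident = {}   # ip -> set of identity tuples holding it
        self.ident_to_ip = {}   # identity tuple -> current ip

    def _bind(self, ip, idents):
        # A reassigned address drops every identity that held it before,
        # so the old subscriber's filters stop matching that address.
        for old in self.ip_to_ident.pop(ip, set()):
            self.ident_to_ip.pop(old, None)
        for ident in idents:
            prev = self.ident_to_ip.get(ident)
            if prev and prev != ip:
                self.ip_to_ident.get(prev, set()).discard(ident)
            self.ident_to_ip[ident] = ip
        self.ip_to_ident[ip] = set(idents)

    def _unbind(self, ip):
        for ident in self.ip_to_ident.pop(ip, set()):
            self.ident_to_ip.pop(ident, None)

    def radius(self, ev):
        """Accounting-Request with Start/Stop, User-Name, NAS-Port, Framed-IP."""
        idents = [("radius-user", ev["User-Name"]), ("nas-port", ev["NAS-Port"])]
        if ev["Acct-Status-Type"] == "Start":
            self._bind(ev["Framed-IP-Address"], idents)
        elif ev["Acct-Status-Type"] == "Stop":
            self._unbind(ev["Framed-IP-Address"])

    def dhcp(self, ev):
        """DHCPACK binds yiaddr to chaddr/option 61/option 82; RELEASE unbinds."""
        idents = [("mac", ev["chaddr"].lower())]
        if ev.get("opt61"):
            idents.append(("dhcp-opt61", ev["opt61"]))
        if ev.get("opt82"):
            idents.append(("dhcp-opt82", ev["opt82"]))
        if ev["type"] == "ACK":
            self._bind(ev["yiaddr"], idents)
        elif ev["type"] == "RELEASE":
            self._unbind(ev["ciaddr"])

    def current_ip(self, ident):
        return self.ident_to_ip.get(ident)


class InterceptFilter:
    """One filter: static network and/or dynamic identity, plus optional
    protocol and port predicate. All given conditions must hold."""

    def __init__(self, tracker, network=None, ident=None, proto=None, ports=None):
        self.tracker = tracker
        self.network = ipaddress.ip_network(network) if network else None
        self.ident = ident
        self.proto = proto
        self.ports = parse_port_spec(ports) if ports else None

    def matches(self, pkt):
        """pkt: dict with src, dst (address strings), proto, sport, dport."""
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.ports and not (self.ports(pkt["sport"]) or self.ports(pkt["dport"])):
            return False
        addrs = {ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])}
        # 'in' across IPv4/IPv6 versions is simply False, never an error.
        if self.network is not None and not any(a in self.network for a in addrs):
            return False
        if self.ident is not None:
            ip = self.tracker.current_ip(self.ident)
            return ip is not None and ipaddress.ip_address(ip) in addrs
        return True


# Constructed event stream (not real captures): jdoe gets 10.20.0.5, a DHCP
# client gets 192.0.2.44, jdoe disconnects, and 10.20.0.5 is reassigned to
# msmith on the same NAS port.
EVENTS = [
    ("radius", {"Acct-Status-Type": "Start", "User-Name": "jdoe", "NAS-Port": 7,
                "Framed-IP-Address": "10.20.0.5"}),
    ("dhcp", {"type": "ACK", "chaddr": "AA:BB:CC:00:11:22", "opt61": "01aabbcc001122",
              "opt82": "circuit-17", "yiaddr": "192.0.2.44"}),
    ("radius", {"Acct-Status-Type": "Stop", "User-Name": "jdoe", "NAS-Port": 7,
                "Framed-IP-Address": "10.20.0.5"}),
    ("radius", {"Acct-Status-Type": "Start", "User-Name": "msmith", "NAS-Port": 7,
                "Framed-IP-Address": "10.20.0.5"}),
]


def replay(tracker, events):
    """Feed events to the tracker in order and return it."""
    for kind, ev in events:
        getattr(tracker, kind)(ev)
    return tracker
```

The point to check when building such a tracker is the reassignment step: after jdoe's Accounting Stop and msmith's Start on the same address, a filter for jdoe must stop matching 10.20.0.5 immediately, or the intercept collects the wrong subscriber's traffic.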
Keyword Scan Schema SM Plugin: IP Data Collection Based on Application Content
This SM plugin further qualifies email, webmail, and IM/Chat SM data collection by the content of message bodies or attachments. Content can be specified as a set of simple strings, complex strings, regular expressions, or a pattern/signature database. The match criteria can be further qualified by the location of the content within the communication (e.g., body, attachment, subject line).
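The Email Traffic SM target forms (localname@domainname, localname, @domainname, with a to/from/both direction) and the location-qualified keyword criteria of the Scan Schema plugin can be demonstrated together over one RFC 822 message. This is an added example, not IP Fabrics code: the function names, the criteria tuple layout, and the sample message are assumptions constructed here, using only Python's standard `email` package.

```python
"""Added example, not IP Fabrics code: Email Traffic SM target matching and
Scan Schema style keyword scanning over one RFC 822 message."""
import re
from email import message_from_bytes, policy
from email.utils import getaddresses

# Constructed sample intercept (not a real capture): text body plus a CSV attachment.
SAMPLE = b"""From: Alice Example <alice@example.net>
To: bob@corp.example, "Carol" <carol@other.example>
Cc: dave@corp.example
Subject: Q3 numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Bob, the wire details are attached. Project Nightjar is go.
--b1
Content-Type: text/csv; name="q3.csv"
Content-Disposition: attachment; filename="q3.csv"

account,amount
ACCT-4411,250000
--b1--
"""


def parse_message(raw: bytes):
    """Parse a captured message into an EmailMessage (modern policy)."""
    return message_from_bytes(raw, policy=policy.default)


def address_matches(spec: str, address: str) -> bool:
    """Target spec forms from the page: 'local@domain' (exact), 'local'
    (that localname at any domain), '@domain' (any localname at that
    domain). Comparison is case-insensitive."""
    spec, address = spec.lower(), address.lower()
    local, _, domain = address.partition("@")
    if spec.startswith("@"):
        return domain == spec[1:]
    if "@" in spec:
        return address == spec
    return local == spec


def message_addresses(msg, direction: str):
    """'to' covers To, Cc and Bcc; 'from' covers From; 'both' is the union."""
    headers = []
    if direction in ("to", "both"):
        headers += ["To", "Cc", "Bcc"]
    if direction in ("from", "both"):
        headers.append("From")
    raw_values = [str(v) for h in headers for v in msg.get_all(h, [])]
    return [addr for _, addr in getaddresses(raw_values)]


def matches_target(msg, spec: str, direction: str) -> bool:
    return any(address_matches(spec, a) for a in message_addresses(msg, direction))


def scan(msg, criteria):
    """criteria: (name, regex, {locations}) with locations drawn from
    'subject', 'body', 'attachment'. Returns (name, location, matched text)."""
    texts = [("subject", msg.get("Subject", ""))]
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        texts.append(("body", body.get_content()))
    for part in msg.iter_attachments():
        raw = part.get_payload(decode=True) or b""
        texts.append(("attachment", raw.decode("utf-8", errors="replace")))
    hits = []
    for name, pattern, locations in criteria:
        rx = re.compile(pattern, re.IGNORECASE)
        for loc, text in texts:
            if loc in locations:
                hits.extend((name, loc, m.group(0)) for m in rx.finditer(text))
    return hits


def evaluate(raw: bytes, targets, criteria):
    """Deliver only if some (spec, direction) target matches and, when
    content criteria are configured, at least one of them hits."""
    msg = parse_message(raw)
    target_hits = [(s, d) for s, d in targets if matches_target(msg, s, d)]
    content_hits = scan(msg, criteria) if criteria else []
    deliver = bool(target_hits) and (not criteria or bool(content_hits))
    return {"deliver": deliver, "targets": target_hits, "content": content_hits}
```

Scanning the decoded attachment payload rather than the raw transfer encoding matters: a base64 or quoted-printable attachment would never match a plain-text pattern otherwise.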
Web Traffic SM: HTTP/HTTPS and DNS Traffic Discovery and Data Collection
This SM detects and collects data based on DNS domain lookups and on HTTP/HTTPS traffic, using the URL, HTTP headers, and SSL handshakes. Traffic can be discovered and collected for all web activity, or can be narrowed with targeting information including the client, a web site, a cookie or cookie value, or a specific type of traffic. Available in 2011.
Web Application SM and Application Plugins: Web-Based Application Traffic Discovery and Data Collection
This SM detects and collects data based on popular web applications, such as bulletin boards. Planned applications include the vBulletin forum/message board application. Users can also develop Web Application SM CPIs for custom/proprietary web applications. Available in 2011.
File Transfer SM: File Transfer/Sharing Discovery and Data Collection
This SM detects and collects data based on file transfer activity, such as FTP, BitTorrent, Gnutella, and eDonkey. Available in 2011.
Dark Traffic SM: Malformed and Unusual Traffic Discovery and Data Collection
This SM detects and collects data based on malformed and unusual traffic in protocols and applications including IPv4, IPv6, ICMP, TCP, UDP, DCCP, DNS queries, and HTTP/SSL responses. Available in 2011.
Encrypted Traffic SM: Encrypted Traffic Discovery and Data Collection
This SM detects and collects data based on encrypted traffic such as Skype, IPsec, SSL/TLS, SSH, pcAnywhere, encrypted XMPP, and encrypted services such as Gmail. Available in 2011.
For complete specifications, please refer to the DeepProbe Datasheet. For more information about Network Surveillance using DeepProbe, please refer to the IP Network Surveillance Whitepaper.
Learn more about IP Fabrics products and technology by visiting the Resource Center, or Contact Us to have an IP Fabrics sales representative provide you further information.