
Web Tap is a network monitoring system that examines outbound HTTP traffic to identify potentially malicious activity caused by spyware, malware, HTTP tunnels, or insider leaks. When Web Tap detects suspicious communication, it generates an alert that is viewable from the web management interface. The interface displays information about the alert, including the original HTTP traffic as well as the cause of the alert. You can then add custom tags to alerts and create filters in order to automatically classify alerts depending on factors such as the alert type, client address, or server name.
Web Tap uses the libpcap/WinPcap library to passively monitor network traffic. Web Tap Enterprise should be deployed on a computer at the edge of your network, positioned so that it can see every packet entering or leaving the network. The monitoring interface does not need an IP address or an active TCP/IP stack, although internet connectivity (typically on a separate interface) is useful for querying server information and for submitting feedback. Many routers and switches can be configured with a “mirror” port that replicates the traffic from other ports. Please refer to your router or switch documentation for specific instructions on setting up a mirror port.
Currently, Web Tap Enterprise only collects traffic from one monitoring point. Packet capture, detection, and management all take place on one computer. Please contact support if you are interested in having multiple Web Tap monitoring points in your network.
Web Tap Personal listens locally for network traffic leaving a personal computer. It monitors a specific network interface, capturing packets destined for your network adapter (not promiscuous mode) using the libpcap/WinPcap library. You should configure Web Tap Personal to monitor the adapter that is connected to the internet. It will then continue to passively collect traffic until it is shut down or the network adapter enters a disabled state.
NOTE: Using Web Tap Personal with a wireless network adapter may require restarting the service when the adapter associates with a new wireless network (this can be done from the network configuration dialog).
NOTE #2: Web Tap may not work if you are connecting to the internet through a VPN adapter.
When you start Web Tap for the first time, it will ask you to select a network monitoring interface. Choose the adapter that has access to the HTTP traffic you wish to monitor. Web Tap will then immediately start listening for suspicious web traffic. An icon for Web Tap should appear in the system tray. Double-clicking on the icon will launch Internet Explorer with the URL of the management interface, http://127.0.0.1:8888 by default. If you wish to use another browser to access the management interface, you may enter the same URL manually. Right-clicking on the Web Tap icon and selecting “Stop Service and Exit” will stop the monitoring service and terminate the application.
If you wish to change the default listening port for either the Web Tap server or the local web service, or change the listening interface for detection, open the network configuration dialog by clicking on “Configure Network...”. You may also allow the web management interface to be accessed across the network by other machines. Be aware that if you select this option, the interface itself does not restrict who connects: anyone your firewall permits to reach that port will be able to connect to the management interface and make changes, so leave it bound to 127.0.0.1 unless remote access is required and the port is firewalled to known administrative hosts. When you have finished making changes, click on the “Save and Start/Restart Web Tap” button to restart the service with the new settings.
When you first bring up the management interface, it is likely to show several “Unrecognized user-agent” alerts. This is because Web Tap keeps a list of trusted HTTP user-agents (the strings that identify different browsers and web applications) and initially has none. The user-agent values of the legitimate browsers and web applications in your network must therefore be marked as trusted. Click on one of the unrecognized user-agent alerts to see its details; the details will tell you which user-agent Web Tap does not recognize. Check the user-agent value to see whether it belongs to a trusted browser or web application (examples: “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)” and “Mozilla/5.0 (compatible; Google Desktop)”). If the user-agent is legitimate, trust it from the alert detail page. This will suppress alerts on traffic carrying that exact user-agent value. Similarly, HTTP traffic from some legitimate clients and plug-ins will contain non-standard header fields; trusting those fields will remove the corresponding header format alerts. See the section Trusting User-Agents and Header Fields for more information.
Note: Be careful when trusting header fields and user-agents. Some malware will generate HTTP requests with user-agents that look okay, but are not. An example is just plain “Mozilla/4.0”.
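The following is an added example, not Web Tap's own code, that models the trust logic described above so you can see why trusting must be by exact value: a request whose User-Agent is not on the trusted list raises an “Unrecognized user-agent” alert, any header outside a baseline set (or the trusted extras) raises a header format alert, and trusting the full MSIE string does nothing for a bare “Mozilla/4.0”. The baseline header set, the header name X-Plugin-Version and the sample requests are constructed for illustration; Web Tap's real detection rules are not shown on this page.

```python
"""Added example (not Web Tap's code): exact-match user-agent and header trust."""
from dataclasses import dataclass, field

# Assumed baseline of header fields a normal browser request may carry.
STANDARD_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "connection", "referer", "cookie", "content-type", "content-length",
    "cache-control", "pragma", "if-modified-since", "if-none-match", "range",
}


@dataclass
class TrustStore:
    """Trusted user-agent strings and extra header field names."""
    user_agents: set = field(default_factory=set)
    header_fields: set = field(default_factory=set)

    def trust_user_agent(self, ua: str) -> None:
        # Exact string only: no prefix or substring matching, so trusting
        # "Mozilla/4.0 (compatible; MSIE 6.0; ...)" does not cover "Mozilla/4.0".
        self.user_agents.add(ua)

    def trust_header_field(self, name: str) -> None:
        self.header_fields.add(name.lower())


def parse_request(raw: str):
    """Split a raw HTTP/1.x request head into (request line, {name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect(raw: str, trust: TrustStore):
    """Return alerts as (type, detail) tuples; an empty list means no alert."""
    request_line, headers = parse_request(raw)
    alerts = []
    ua = headers.get("user-agent")
    if ua is None:
        alerts.append(("Missing user-agent", request_line))
    elif ua not in trust.user_agents:
        alerts.append(("Unrecognized user-agent", ua))
    for name in headers:
        if name not in STANDARD_HEADERS and name not in trust.header_fields:
            alerts.append(("Non-standard header field", name))
    return alerts


# Constructed sample requests (not captured traffic).
MSIE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
BROWSER_REQ = ("GET / HTTP/1.1\r\nHost: example.com\r\n"
               f"User-Agent: {MSIE_UA}\r\nAccept: */*\r\n\r\n")
BARE_UA_REQ = ("GET /x HTTP/1.1\r\nHost: example.com\r\n"
               "User-Agent: Mozilla/4.0\r\n\r\n")
PLUGIN_REQ = ("POST /u HTTP/1.1\r\nHost: example.com\r\n"
              f"User-Agent: {MSIE_UA}\r\nX-Plugin-Version: 2.1\r\n"
              "Content-Length: 0\r\n\r\n")


def demo():
    """Walk through the first-run workflow; returns each inspection result."""
    trust = TrustStore()
    before = inspect(BROWSER_REQ, trust)      # fires: nothing trusted yet
    trust.trust_user_agent(MSIE_UA)           # "trust" from the alert page
    after = inspect(BROWSER_REQ, trust)       # clean now
    bare = inspect(BARE_UA_REQ, trust)        # still alerts: exact match only
    plugin = inspect(PLUGIN_REQ, trust)       # header format alert
    trust.trust_header_field("X-Plugin-Version")
    plugin_ok = inspect(PLUGIN_REQ, trust)    # clean after trusting the field
    return before, after, bare, plugin, plugin_ok


if __name__ == "__main__":
    for label, alerts in zip(["before", "after", "bare", "plugin", "plugin_ok"], demo()):
        print(label, alerts)
```

Run it and the bare “Mozilla/4.0” request keeps alerting even after the full MSIE string is trusted, which is the behaviour you want when deciding what to trust from the alert detail page.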