IDS-ETHZ - NSG-IDS-REPORTING_of_year_2015

Post on 22-Jan-2018


© ETH Zürich | ICT-Network/NSG christian.hallqvist@id.ethz.ch 03.10.2015

Automatic Reporting of True Positive IDS Cases

Slide diagram: False Positive, False Negative, True Positives With Exact Targeting

Subject: 82.130.97.xx/xx.ethz.ch (MALWARE-CNC Win.Trojan.Badur variant outbound connection)

#########DISCLAIMER#############################################
This email was generated automatically!
################################################################

Dear colleagues,

OS : 82.130.97.xx | WindowsVISTA/W7(variant3)
2015.08.12.10.28 - 2015.08.12.10.29

A 'MALWARE-CNC Win.Trojan.Badur variant outbound connection' case:
################################################################
-> EVENT: MALWARE-CNC Win.Trojan.Badur variant outbound connection
-> DATE: 08/12-10:27:11.502025
-> SOURCE: 82.130.97.xx:49237
-> DEST: 54.213.23.40:80

Example of True Positive IDS Report (1/7)

For whoever is interested, the Signature Trigger Payload:
################################################################
->
->
->
-> 10:27:11.502025 IP 82.130.97.xx.49237 > 54.213.23.40.80: Flags [P.],
-> ack 1, win 1024, length 766
-> GET
-> /get/?data=6G5VPuneaszQ3s%2BABClI1SO1BjAKBpQPlMZ8wyd%2BlOf9BiuSYONAhR
-> DRsDRTLsdVJ3X5BCSuxJCSe/I82hjfOTO1ccOEf/Uw5M%2B/SMeS9MdgAgoe2/XsWnUTL
-> I7kaWstGAG4IiBrgcWCpFgBAGh5KKZt%2BViUqQYOCWOENChzisjMSOtvBp1/KytA54R%
-> 2BuslTqtDlehgaFacmArmVt%2BTJ3oweKydxvHH270y86Gn0R4LGdDrk8DyrvYjEA0No%
-> 2BSb1udQhdNTibsue/wkTNlm1FUoiz3JCvG8eS8Kx%2BxSv20gAeERpRRLRSKnKPktL6d
-> XhwchQnEyfplKuGVx0D7N0zTsJC3gH%2BZpO7cNz2IHq2HlIaDJT5KJOLzCGvjBAD9oVm
-> qp3PsIEhh25mfyHlPtv%2B9iPHWDxWC34c0FVHuTvhPw68Bw01lGyApn17uYHZHIFHRW8
-> GqE9evJNlx5FsbFl%2BKnDur7HcQ1reET3Tp%2BQm3pE47DUHyDg%2BLg2xGb42yMkPPJ
-> Y6/saAlOWy9/GzNP8Rr2zeJg3RLNoD6/17vMY5jCuvk5U5muozbIfGh48eaxWQJgsoEkN
-> yHYE%2Bjuy089wJ3Gg9dIiW1oOkzlnb/9pJIWY&version=4 HTTP/1.1
-> Accept: */*
-> User-Agent: win32
-> Host: getterfire.info
-> Cache-Control: no-cache

Example of True Positive IDS Report (2/7)

Suggested Contact: adm-xxxx@netsup.ethz.ch

AllAboutIP
Orig IP: 82.130.97.xx MAC: d850.e6aa.xxxxx Vpz ISG Info: id-kom-proforma
servicexxxxx@id.ethz.ch ISG ServiceDesk; netxxxxx@id.ethz.ch
ISG Info: adm-stonepine adm-xxxx@netsup.ethz.ch
Cxxxxx Dxxxxx Lxx; dxxxxx.cxxxxx@id.ethz.ch
ISG ServiceDesk; netxxxx@id.ethz.ch
von Boexxxx Lxxx; lxxx@id.ethz.ch

Example of True Positive IDS Report (3/7)

################################################################
For whoever is interested, the References:
################################################################
google search result "GET /get/?data="
https://www.virustotal.com/en/file/d05bb9963be54f728ecc35f666fec61334b7f2de6ffc5e2b1d8eb03a626d758c/analysis/
QUOTE:"
Q> SHA256: d05bb9963be54f728ecc35f666fec61334b7f2de6ffc5e2b1d8eb03a626d758c
Q> File name: TSULoader.exe
Q> Detection ratio: 12 / 46
Q> Analysis date: 2013-02-19 23:51:27 UTC ( 1 week, 4 days ago )
"

Example of True Positive IDS Report (4/7)

QUOTE:"
Q> URL:
Q> http://filemagnet.info/get/?data=97LnkIhb9zuqAi4HwyT7kJYfWlCjPN4w4Mj8
Q> 31X/a7BVH6XhxrDIO3k9Ykr8f0P7fhGNJGE2OPL2ZuxeipA08%2BOlPgQ%2B0IMgrCo
Q> kudpMDAF7pJ8HxbMWvCc4IE6emDc2Uy0m9m9UzgOLbS0timpfa79g7/skDDhTH58vh
Q> Mcw8HuCPBe7C9XOPWTw40RKIfXuZFfPVy46yTj8%2BQFVR8/nRIOjqtGM6RayOgh6
Q> 6qBPzq4GydaAWOxhVTzjzzAM8qSZXGbAgxvp/6A%2Bqxbp6gPqXjQuSMAngeU31Dn
Q> KCox9AbnRScD4XuvCDq1ZgWdJlnttReSKurEcaxnPtq7XyzmsMWodpt1nw%2BnTIanoz5
Q> jgPtoDdd6La88CnIHvyCjYixUUC6bTiHxLNyJDjPH/I9/za0S2zvpvDV7gZPaf1FNwlaX
Q> EfK7HWzqddk3pFH2HsIVN3qp7RbVesaJEW531u1oLScpFCRFfi5XF3uRUvxzqu&versio
Q> n=2
Q> TYPE: GET
Q> USER AGENT: win32
" 03.03.2013
________________

Example of True Positive IDS Report (5/7)

https://malwr.com/analysis/M2NlNzliYmE3NGM4NDIwMDlmNzc3NzUzM2JjMmU0NGE/
QUOTE:"
Q> GET
Q> /get/?data=APIqmXHuJuFfBpzaIKCtiFMn%2BlNx8Mz8AT47K3fSWSggdlmaoNqFGoHj
Q> eJdP61ywA3N52xk0uXmvd%2BrzUazeD80OD7THYOAfQWmIWwRe6ZpQC5zu10lcA%2BrOm
Q> S%2Bd5LSj9M5oRhi4QQ0po5HPAFA6Rv6XYH/2f/GW9AWZPQmWp9zG18bg0GNrCrdBfUna
Q> h/2y90kDILiZMr7n9HoAw44pH4ANdBKOjhDd2%2BgCCEPXZiPrGXD1TohEyzOJe0OgpoR
Q> PFgfRZM92El0laUo1TeO4TNL3tH0Yy08HZ0ZjDMjIrzoh9XZEFYN4NVjlN1oC0yvTetX3
Q> BthoQirMrV68F2L38oVvsi3OlvaVnPdHTAKZtBQzmuPtqOeLITgZqPQ%2B6d4j8HbvrBy
Q> LRyzMwGIWwkkMSMbui73nyFAXenRGrk/smwTj0ka8/Hrgsg/MNokbSfTWzl4gnxXVdtvK
Q> d&version=4 HTTP/1.1
Q> Accept: */*
Q> User-Agent: win32
Q> Host: skyprobar.info
Q> Cache-Control: no-cache
"

Example of True Positive IDS Report (6/7)

QUOTE:"
Q> Analysis
Q> Category Started Completed Duration
Q> FILE 2014-01-25 05:48:34 2014-01-25 05:49:12 38 seconds
Q> File Details
Q> File Name support.exe
Q> File Size 4806656 bytes
Q> File Type PE32 executable (GUI) Intel 80386, for MS Windows
Q> MD5 69b389c1c7830bed8ee5777ef56c0fc3
Q> SHA1 02185367648fec8eb8e33ab91e4b082f3adbf80d
Q> SHA256 cec89619fc58f2e91f104c2c818cb0c751e40e69b19fe9f04ac91c291f6f8d6f
Q> SHA512 fc16bf0159c0b2fdd1a04294a76d0d01193aeb3b078df3995cae35d0110621c56408d1404396c2
Q> CRC32 C0A6B255
Q> Ssdeep 98304:KJrQy9KGK0m3+uz4FeRbWSKpEJxxNjfxfu6VFfng5xmBNyo
Q> Yara None matched
Q> You need to login
Q> Signatures
Q> Starts servers listening on 0.0.0.0:0 File has been identified by at
Q> least one AntiVirus on VirusTotal as malicious Performs some HTTP
Q> requests Steals private information from local Internet browsers
Q> Installs itself for autorun at Windows startup
" 08.09.2014

Example of True Positive IDS Report (7/7)


How To Automatically Generate True Positive IDS Reports

Basically there are two methods in combination in use:

• Selection of high quality rules. These must be validated, proven and reliable, because they are selected for a static and limited special rule set, the „Currentpositives“ ruleset.

• Addition of trigger criteria. Combinations of thresholds, destination IPs, source IPs, rules, extrusion/intrusion, payload detection etc. are used when processing the positives for exact targeting, which raises the TP/FP ratio even higher.
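The two methods above, combined, are what decides whether a single Snort positive turns into a report. The following is an added example written for this page, not code from ETH's Currentpositives system: a hand-picked rule set (keyed by sid, using the Gozi and Bredolab sids shown later in the deck) with per-rule trigger criteria for direction (intrusion/extrusion), destination IP, payload pattern and a per-source threshold. The HOME_NET prefixes, the criteria values and all events are constructed assumptions; the deck does not list ETH's prefixes or its actual criteria.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed HOME_NET prefixes (the deck does not list ETH's ranges).
HOME_NET = [ipaddress.ip_network("129.132.0.0/16"),
            ipaddress.ip_network("82.130.64.0/18")]


@dataclass(frozen=True)
class Event:
    ts: datetime
    sid: int
    msg: str
    src: str
    dst: str
    payload: str


@dataclass(frozen=True)
class Criteria:
    """Extra trigger criteria attached to one hand-picked sid (all constructed)."""
    direction: Optional[str] = None          # "extrusion" / "intrusion"; None = either
    dest_ips: FrozenSet[str] = frozenset()   # restrict to known destinations; empty = any
    payload_re: Optional[str] = None         # pattern the trigger payload must contain
    threshold: Tuple[int, int] = (1, 300)    # (min positives, window in seconds) per source IP


def is_home(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def direction(src: str, dst: str) -> str:
    """Intrusion/extrusion split: which way the flow crosses the ETH border."""
    if is_home(src) and not is_home(dst):
        return "extrusion"
    if not is_home(src) and is_home(dst):
        return "intrusion"
    return "other"


def passes(ev: Event, crit: Criteria, events: List[Event]) -> bool:
    """Apply every criterion of the rule to one positive; all of them must hold."""
    if crit.direction and direction(ev.src, ev.dst) != crit.direction:
        return False
    if crit.dest_ips and ev.dst not in crit.dest_ips:
        return False
    if crit.payload_re and not re.search(crit.payload_re, ev.payload):
        return False
    need, window = crit.threshold
    since = ev.ts - timedelta(seconds=window)
    hits = sum(1 for e in events
               if e.sid == ev.sid and e.src == ev.src and since <= e.ts <= ev.ts)
    return hits >= need


def select_reports(events: List[Event], rules: Dict[int, Criteria]) -> List[Event]:
    """Return, in time order, the positives that become Currentpositives reports.

    A sid that is not in `rules` is not part of the static rule set and is ignored."""
    ordered = sorted(events, key=lambda e: e.ts)
    return [ev for ev in ordered if ev.sid in rules and passes(ev, rules[ev.sid], ordered)]


# Constructed criteria; the sids and messages are the ones shown on the slides.
RULES = {
    2009353: Criteria(direction="extrusion", payload_re=r"controller\.php\?action=bot"),
    2009410: Criteria(direction="extrusion", dest_ips=frozenset({"91.207.61.10"}),
                      threshold=(2, 300)),
    # sid 1539 (WEB-CGI /cgi-bin/ls access) is deliberately absent: not a reliable rule
}

# Constructed events (the hosts are made-up addresses, not real machines).
T0 = datetime(2015, 8, 12, 10, 27, 11)
GOZI = ("GET /cgi-bin/options.cgi?user_id=494311523&version_id=370&crc=50857252 HTTP/1.1\r\n"
        "Host: 91.207.61.10\r\n")
BREDO = ("GET /new/controller.php?action=bot&entity_list=&uid=1&first=0&guid=282938190&rnd=981633"
         " HTTP/1.1\r\nHost: 78.109.29.116\r\n")
EVENTS = [
    Event(T0, 2009353, "ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1)",
          "129.132.50.7", "78.109.29.116", BREDO),
    Event(T0 + timedelta(seconds=10), 2009353, "ET TROJAN Bredolab/Gumblar Downloader (1)",
          "198.51.100.9", "129.132.50.7", BREDO),                     # intrusion: dropped
    Event(T0 + timedelta(seconds=20), 1539, "WEB-CGI /cgi-bin/ls access",
          "129.132.50.8", "130.54.101.98", "POST /cgi-bin/lsdproj/ejlookup04.pl?opt=c HTTP/1.1\r\n"),
    Event(T0 + timedelta(seconds=30), 2009410, "ET TROJAN Gozi check-in / update",
          "129.132.50.9", "91.207.61.10", GOZI),                      # first hit: below threshold
    Event(T0 + timedelta(seconds=90), 2009410, "ET TROJAN Gozi check-in / update",
          "129.132.50.9", "91.207.61.10", GOZI),                      # second hit in window: reported
    Event(T0 + timedelta(seconds=100), 2009410, "ET TROJAN Gozi check-in / update",
          "129.132.50.9", "203.0.113.44", GOZI),                      # wrong destination: dropped
]

if __name__ == "__main__":
    for ev in select_reports(EVENTS, RULES):
        print(f"{ev.ts:%H:%M:%S} sid {ev.sid} {ev.src} -> {ev.dst} {ev.msg}")
```

Of the six constructed positives only two survive: the Bredolab check-in (extrusion with the expected payload) and the second Gozi check-in within the five-minute window. The intrusion-direction copy, the unreliable sid 1539 and the Gozi hit to an unknown destination are all dropped, which is the mechanism by which the TP/FP ratio is pushed up before any analyst sees a report.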


By selecting specific high quality rules and/or by adding additional criteria it is indeed possible to automatically generate true positive IDS reports, 7x24.

Rule Selection

First the high quality rules have to be found, identified and validated.

Rule Sources

Two major rule sources are:

VRT (Vulnerability Research Team) of Sourcefire, www.snort.org

ET (Emerging Threats) of Proofpoint, www.emergingthreats.net

Some Facts about the rule provider VRT

VRT (Vulnerability Research Team) of Sourcefire

As of 06.08.2015 VRT offered 28’738 rules.

Between 05.08.2015 and 06.08.2015, 1’935 VRT rules were removed and 16’010 VRT rules were modified or added.

The VRT ruleset snort node generates around 450’000 IDS events at ETH Zurich per 24 hours.

Some Facts about the rule provider ET

ET (Emerging Threats) of Proofpoint

As of 06.08.2015 ET offered 27’774 rules.

Between 05.08.2015 and 06.08.2015, 2 ET rules were removed and 11 ET rules were modified or added.

The ET ruleset generates around 1’000’000 IDS events at ETH Zurich within 24 hours.

How to find high quality rules with a significant TP/FP ratio?

With nearly 60’000 rules and daily changes it is a challenge to pick the ones with excellent quality.

With simple statistics it is possible to find appropriate candidates.

At ETH we use Rule Profiling «IDS-STAT» for statistical analysis

The original goal of IDS-STAT was: flexible and automatic anomaly detection with as few (false) positives as possible to be managed manually.

That also involved correlation detection between different anomalies.

However, IDS-STAT turned out to be a good rule quality evaluator.

The best rules are evaluated further and handpicked for the „Currentpositives“ snort node, which generates nearly 100% TP reports.

Needless to say, the selected rules must be … the very reliable ones.

IDS-STAT Generates two kinds of Reports

There are two kinds of reports generated every 24 hours:

1: IDS-STAT signature report: reports deviations of rule positives when a certain threshold is exceeded.

2: IDS-STAT ip report: total deviation top-10 IP ranking based on the cumulated/aggregated result of the IDS-STAT signature report.

The IDS-STAT Analysis Is About „Average“, „Deviation“ And Correlation

Chart (total traffic), example with «BLEEDING-EDGE P2P BitTorrent peer sync», N=10: average at peak = 140; deviation (sigma σ) at peak = 36; peak number of deviations (sigma σ) = 10.

Chart (total traffic): «BLEEDING-EDGE P2P BitTorrent peer sync» „Deviations“, N=100.

Chart (total traffic): „BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port” peaks.

Chart (total traffic): „BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port” deviations, N=100.

Comparing Peaks/Signals

Chart: Bleeding-Edge ATTACK RESPONSE IRC-Channel JOIN on non-std port versus Bleeding-Edge P2P BitTorrent peer sync.

Deviating Signatures

IDS-STAT Signature report

Signature 1, deviation: 10
  IP deviation distribution:
    111.111.111.1   4
    222.222.222.2   4
    333.333.333.3   2

Signature 2, deviation: 12
  IP deviation distribution:
    444.444.444.4   5
    222.222.222.2   4
    111.111.111.1   3

IDS-STAT IP report

Deviation causing IPs (cumulated deviation):
    222.222.222.2   8
    111.111.111.1   7

Correlation detection of deviations between different IPs and rules

Case 28.02.2008 IDS-STAT Signature Report

26

BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port counter:91 devq: 22.95 Value:0->73. maverage:1.50->2.29 mstddev:2.36->3.12

- ---
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port  16  129.132.14y.aaa
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port  13  129.132.14y.bbb
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port  10  129.132.14z.cc
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port   9  129.132.14x.dd
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port   8  129.132.14y.eee
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port   8  129.132.14x.f
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port   5  129.132.14y.gg
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port   1  82.130.8x.hhh
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port   1  129.132.21x.ii
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port   1  129.132.14y.j

BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port „Deviation“ and IP-Ranking:

Case 28.02.2008 Positive Distribution of IPs

„Deviation“ and IP-Ranking for BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port (counter:91 devq: 22.95 Value:0->73):

  positives  IP               share   deviation
  16         129.132.14y.aaa  = 22%   => 5.0
  13         129.132.14y.bbb  = 18%   => 4.1
  10         129.132.14z.cc   = 14%   => 3.2
   9         129.132.14x.dd   = 12%   => 2.7
   8         129.132.14y.eee  = 11%   => 2.5
   8         129.132.14x.f    = 11%   => 2.5
   5         129.132.14y.gg   = 7 %   => 1.6
   1         82.130.8x.hhh    = 1%    => 0.2
   1         129.132.21x.ii   = 1%    => 0.2
   1         129.132.14y.j    = 1%    => 0.2
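The IDS-STAT arithmetic behind the signature report, the per-IP split and the cumulated IP report, as an added example written for this page rather than ETH's IDS-STAT code. The deck only shows the numbers (maverage 1.50->2.29, mstddev 2.36->3.12, devq 22.95 for Value 73 at counter 91, and the "= 22% => 5.0" split), not the formulas; the exponential update with weight 1/min(counter, N) below is my reconstruction that reproduces those numbers within rounding, and the reporting threshold of 3.0 and the N cap of 100 are assumptions. The IP counts are the (already obfuscated) figures from the "Case 28.02.2008" slide, and the toy Signature 1/Signature 2 data are from the "Deviating Signatures" slide.

```python
from typing import Dict, List, Tuple

N_WINDOW = 100   # the deck shows N=10 and N=100 charts; assumed here to cap the update weight


def update_signature(maverage: float, mstddev: float, value: float, counter: int,
                     n: int = N_WINDOW) -> Tuple[float, float, float]:
    """Feed one day's positive count ("Value") of a rule into its running statistics.

    counter is the number of samples including this one (the report's "counter:91").
    Returns (devq, new_maverage, new_mstddev). The exponential updates with weight
    1/min(counter, n) are an inference: they reproduce the slide's 1.50->2.29,
    2.36->3.12 and devq 22.95 (within rounding), but the deck does not state them.
    """
    w = 1.0 / min(counter, n)
    new_avg = maverage + w * (value - maverage)
    new_dev = mstddev + w * (abs(value - maverage) - mstddev)
    devq = (value - maverage) / new_dev if new_dev > 0 else 0.0
    return devq, new_avg, new_dev


def distribute(devq: float, value: float, ip_counts: Dict[str, int]) -> Dict[str, float]:
    """Split a signature's devq over the IPs that produced its positives, by share ("= 22% => 5.0")."""
    return {ip: devq * count / value for ip, count in ip_counts.items()}


def rank(per_ip: Dict[str, float], top: int = 10) -> List[Tuple[str, float]]:
    return sorted(per_ip.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def signature_report(today: Dict[str, Tuple[int, Dict[str, int]]],
                     stats: Dict[str, Tuple[float, float, int]],
                     threshold: float = 3.0) -> Dict[str, Tuple[float, Dict[str, float]]]:
    """IDS-STAT signature report: rules whose devq exceeds the threshold, each with its IP split.

    today maps rule -> (value, {ip: positives}); stats maps rule -> (maverage, mstddev, counter)
    and is updated in place so the next day's run continues from it.
    """
    report = {}
    for rule, (value, ip_counts) in today.items():
        avg, dev, counter = stats.get(rule, (0.0, 0.0, 0))
        counter += 1
        devq, avg, dev = update_signature(avg, dev, value, counter)
        stats[rule] = (avg, dev, counter)
        if devq > threshold:
            report[rule] = (devq, distribute(devq, value, ip_counts))
    return report


def ip_report(report: Dict[str, Tuple[float, Dict[str, float]]],
              top: int = 10) -> List[Tuple[str, float]]:
    """IDS-STAT ip report: cumulate every IP's deviation over all deviating signatures and rank."""
    total: Dict[str, float] = {}
    for _devq, per_ip in report.values():
        for ip, dev in per_ip.items():
            total[ip] = total.get(ip, 0.0) + dev
    return rank(total, top)


# Figures of the "Case 28.02.2008" slide (IPs obfuscated there as well)
IRC_RULE = "BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port"
IRC_IP_COUNTS = {"129.132.14y.aaa": 16, "129.132.14y.bbb": 13, "129.132.14z.cc": 10,
                 "129.132.14x.dd": 9, "129.132.14y.eee": 8, "129.132.14x.f": 8,
                 "129.132.14y.gg": 5, "82.130.8x.hhh": 1, "129.132.21x.ii": 1, "129.132.14y.j": 1}
STATS_BEFORE = {IRC_RULE: (1.50, 2.36, 90)}   # state before the day's sample (counter becomes 91)

# The toy signature report of the "Deviating Signatures" slide, already split per IP
TOY_REPORT = {
    "Signature 1": (10.0, {"111.111.111.1": 4.0, "222.222.222.2": 4.0, "333.333.333.3": 2.0}),
    "Signature 2": (12.0, {"444.444.444.4": 5.0, "222.222.222.2": 4.0, "111.111.111.1": 3.0}),
}

if __name__ == "__main__":
    stats = dict(STATS_BEFORE)
    devq, per_ip = signature_report({IRC_RULE: (73, IRC_IP_COUNTS)}, stats)[IRC_RULE]
    avg, dev, counter = stats[IRC_RULE]
    print(f"counter:{counter} devq: {devq:.2f} maverage:->{avg:.2f} mstddev:->{dev:.2f}")
    for ip, share in rank(per_ip):
        print(f"  {ip:16} = {100 * share / devq:.0f}%  => {share:.1f}")
    print("ip report:", ip_report(TOY_REPORT))
```

Two design points are worth noting. First, devq divides by the updated mstddev, so a single huge day inflates the denominator and caps its own score; that is why the deck's 73 positives against an average of 1.5 yield a devq of about 23 rather than 30. Second, because the IP report sums per-IP deviations across signatures, an IP that appears with a modest share in several deviating rules outranks one that dominates a single rule, which is exactly the cross-rule correlation the slides describe.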

Detailed IDS-STAT IP Report with correlations

129.132.***.***  105.788571428571 ***
  129.132.***.***  ET TROJAN Gozi check-in / update                          9 (9.)       63.93 (63.93)
  129.132.***.***  ET USER_AGENTS Suspicious User-Agent (IE)                 6 (7.)       34.6285714285714 (40.40)
  129.132.***.***  SPECIFIC-THREATS Gozi Trojan connection to C&C attempt   30 (30.)      7.23 (7.23)
  129.132.***.***  CHAT MSN outbound file transfer request                   6 (90481.)   0.000310341397641494 (4.68)

82.130.***.**  11.6816165871675 ***
  82.130.***.**  ET RBN Known Russian Business Network IP TCP (291)   23 (325.)   0.798276923076923 (11.28)
  82.130.***.**  ET RBN Known Russian Business Network IP TCP (306)   77 (143.)   5.91230769230769 (10.98)
  82.130.***.**  ET RBN Known Russian Business Network IP TCP (299)   74 (374.)   2.03401069518717 (10.28)
  82.130.***.**  ET RBN Known Russian Business Network IP TCP (297)   29 (47.)    2.93702127659574 (4.76)

82.130.**.**  6.32307692307692 ***
  82.130.**.**  SPYWARE-PUT Adware download accelerator plus runtime detection - get ads          7 (13.)   4.24307692307692 (7.88)
  82.130.**.**  SPYWARE-PUT Adware download accelerator plus runtime detection - download files   4 (10.)   2.08 (5.20)

129.132.***.***  35.83 ***
  129.132.***.***  ET USER_AGENTS Suspicious User-Agent (IE)               9 (9.)     24.3 (24.30)
  129.132.***.***  BACKDOOR torpig-mebroot command and control checkin    18 (18.)    11.53 (11.53)

IDS-STAT Infrastructure

Diagram components:
• Internet / Network of ETH Zurich
• Snort Node with „VRT Rules“ (dynamic)
• Snort Node with „ET Rules“ (dynamic)
• File Server for Logfiles & PCAP Files
• IDS-STAT: splitting intrusion/extrusion, processing of data, generating 24 hr reports
• Postgres DB

Classifying the possible situation

Rule 1, IP 1, IP 2, IP 3, IP 4: could be an epidemic
Rule 1, IP 1: could be one compromised host
Rules 1, 2, 3, IP 1: could be one very compromised host

Possible procedures:
1. Google items of the payload, dest ip, dest host, dest domain.
2. If possible reproduce the download action and test results with for example www.totalvirus.com and www.sunbeltsecurity.com/sandbox
3. Check the traffic for unusual connections using the procedure described in the presentation https://www1.ethz.ch/id/services/list/security/workshops/ETH_Anomaly-Detection-in-Netflows-PPT

Damage: The damage factors can overlap and also be perceived differently (reputation, network, personal, economical, professional etc.).

Threat: The threat categories can also overlap and be perceived differently: DoSing (Smurf attacks, DNS-amplification, HTTP-DoSing etc.), Trojans (keyloggers, bots, spammers), Fake AVs, Scanners, Ad-Ware.

What to do or can be done when a potentially significant Rule is found in order to classify it as high quality for CurrentPositives?

• Look at the rule and its criteria.
• Look up the references inside the rule.
• Investigate the criteria.
• Investigate the external IP(s) of the event(s).
• Cross check if the external IP(s) cause other correlating event(s).
• Cross check if the internal IP(s) cause other correlating event(s).
• Investigate the trigger payload(s).
• Investigate the external host/domain.
• Find false positives and investigate them.
• Find true positives and investigate them.
• Investigate the connections of the internal IP.
• Crosscheck the external IPs with blacklists.
• Crosscheck if already validated rules are correlating well.
• Investigate traffic by «netflow anomaly detection»: https://www1.ethz.ch/id/services/list/security/workshops/ETH_Anomaly-Detection-in-Netflows-PPT

Finding and determining promising rules for „Currentpositives“ by searching outgoing correlations.

Example 1 (diagram): a compromised ETH host triggers Rule 1 towards a malicious IP; other ETH hosts that reach the same malicious IP while triggering Rule 2, Rule 3 or Rule 4 are marked as possibly compromised ETH hosts.

Finding and determining promising rules for „Currentpositives“ by searching incoming correlations.

Example 2 (diagram): a compromised ETH host triggers Rule 1 towards a malicious IP; the further external IPs that the same host reaches while triggering Rule 2, Rule 3 or Rule 4 are marked as possibly malicious IPs.

There Are Many Possible Correlation Combinations. Some Other Examples.

Diagrams:
• Dest to source ip correlation: one dest ip reached by source ip1 and source ip2
• Source to dest ip correlation: one src ip reaching dest ip 1 and dest ip 2
• Rule correlation: one ip triggering Rule 1 and Rule 2
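The situation classification and the two correlation searches (Examples 1 and 2), implemented over a list of (rule, internal IP, external IP) positives as an added example for this page; this is not ETH's code. The epidemic cut-off of four hosts mirrors the four IPs drawn on the classification slide but is an assumption, as is my reading of the diagrams: "outgoing" starts from the malicious IPs the validated rule points to and looks for other hosts reaching them, "incoming" starts from the compromised hosts and looks for other rules they trigger. All positives are constructed, with documentation addresses on the external side.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Positive = Tuple[str, str, str]   # (rule, internal IP, external IP)

EPIDEMIC_HOSTS = 4   # assumed cut-off; the slide draws four IPs for the "epidemic" case


def situation(positives: List[Positive], rule: str) -> Dict[str, str]:
    """Verdict per internal host hit by `rule` ('Classifying the possible situation' slide)."""
    rules_by_host: Dict[str, Set[str]] = defaultdict(set)
    for r, host, _ in positives:
        rules_by_host[host].add(r)
    hosts = sorted(h for h, rs in rules_by_host.items() if rule in rs)
    if len(hosts) >= EPIDEMIC_HOSTS:
        return {h: "could be an epidemic" for h in hosts}
    return {h: ("could be one very compromised host" if len(rules_by_host[h]) > 1
                else "could be one compromised host") for h in hosts}


def outgoing_correlations(positives: List[Positive], rule: str) -> Dict[str, Set[str]]:
    """Example 1: other rules fired by other internal hosts towards the external IPs that the
    `rule` positives point to; the value is the set of possibly compromised hosts per rule."""
    malicious = {ext for r, _, ext in positives if r == rule}
    compromised = {host for r, host, _ in positives if r == rule}
    found: Dict[str, Set[str]] = defaultdict(set)
    for r, host, ext in positives:
        if r != rule and ext in malicious and host not in compromised:
            found[r].add(host)
    return dict(found)


def incoming_correlations(positives: List[Positive], rule: str) -> Dict[str, Set[str]]:
    """Example 2: other rules fired by the compromised hosts themselves; the value is the set
    of further, possibly malicious external IPs per rule."""
    compromised = {host for r, host, _ in positives if r == rule}
    found: Dict[str, Set[str]] = defaultdict(set)
    for r, host, ext in positives:
        if r != rule and host in compromised:
            found[r].add(ext)
    return dict(found)


def rank_candidates(found: Dict[str, Set[str]]) -> List[Tuple[str, int]]:
    """Rules with the most independent supporting observations first: candidates to validate next."""
    return sorted(((r, len(s)) for r, s in found.items()), key=lambda rs: (-rs[1], rs[0]))


# Constructed positives (the external side uses documentation addresses).
POSITIVES: List[Positive] = [
    ("Rule 1", "129.132.1.10", "203.0.113.5"),    # the validated rule
    ("Rule 2", "129.132.1.20", "203.0.113.5"),    # other host, same malicious IP
    ("Rule 3", "129.132.1.30", "203.0.113.5"),
    ("Rule 2", "129.132.1.30", "203.0.113.5"),
    ("Rule 3", "129.132.1.10", "198.51.100.7"),   # compromised host, further external IP
    ("Rule 4", "129.132.1.10", "198.51.100.8"),
    ("Rule 5", "129.132.1.40", "192.0.2.9"),      # single unrelated host
    ("Rule 6", "129.132.2.1", "203.0.113.77"),    # Rule 6 on four hosts
    ("Rule 6", "129.132.2.2", "203.0.113.77"),
    ("Rule 6", "129.132.2.3", "203.0.113.77"),
    ("Rule 6", "129.132.2.4", "203.0.113.77"),
]

if __name__ == "__main__":
    for r in ("Rule 1", "Rule 5", "Rule 6"):
        print(r, situation(POSITIVES, r))
    print("outgoing:", rank_candidates(outgoing_correlations(POSITIVES, "Rule 1")))
    print("incoming:", rank_candidates(incoming_correlations(POSITIVES, "Rule 1")))
```

With the constructed data, Rule 2 is the strongest outgoing candidate (two further hosts talk to the malicious IP), while Rule 3 shows up in both searches, which is the kind of rule the checklist above singles out for deeper validation.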

Available Trigger Payload Data From Snort

Example of payload:

05:50:56.112006 IP 129.132.abc.abc.1277 > 91.207.61.10.http: P 2492095193:2492095493(300) ack 920686566 win 17640
GET /cgi-bin/options.cgi?user_id=494311523&version_id=370&passphrase=fkjvhsdvlksdhvlsd&socks=25518&version=125&crc=50857252 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6)
Host: 91.207.61.10
Connection: Keep-Alive

Inside the Snort Signatures/Rules

Example of rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi check-in / update"; flow:established,to_server; uricontent:"?user_id="; nocase; uricontent:"&version_id="; nocase; uricontent:"&crc="; nocase; reference:url,www.secureworks.com/research/threats/gozi; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009410; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gozi; sid:2009410; rev:3;)

#by Darren Spruell
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1)"; flow:established,to_server; uricontent:"action="; nocase; uricontent:"&entity_list="; nocase; uricontent:"&uid="; nocase; uricontent:"&first="; uricontent:"&guid="; nocase; uricontent:"&rnd="; nocase; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader\:Win32/Bredolab.B; reference:url,doc.emergingthreats.net/2009353; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2009353; rev:4;)

Example of True Positive

EVENT: ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1)
DATE: 06/30-07:40:35.374218
SOURCE: 129.132.abc.a:52008
DEST: 78.109.29.116:80

07:40:35.374218 IP 129.132.abc.a.52008 > 78.109.29.116.http: P 3033886655:3033886776(121) ack 518552487 win 65535
GET /new/controller.php?action=bot&entity_list=&uid=1&first=0&guid=282938190&rnd=981633 HTTP/1.1^M
Host: 78.109.29.116^M

Example of False Positive: Rule Matches Content but Content Does Not Exactly Match Rule

EVENT: WEB-CGI /cgi-bin/ls access
DATE: 07/04-18:23:24.872100
SOURCE: 129.132.abc.ab:51819
DEST: 130.54.101.98:80

18:23:24.872100 IP 129.132.abc.ab.51819 > 130.54.101.98.http: P 2816729049:2816729741(692) ack 912047122 win 65535 <nop,nop,timestamp 514858930 270031558>
POST /cgi-bin/lsdproj/ejlookup04.pl?opt=c HTTP/1.1^M
Host: lsd.pharm.kyoto-u.ac.jp^M
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5^M
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8^M
Accept-Language: en-us,en;q=0.7,de-ch;q=0.3^M
Accept-Encoding: gzip,deflate^M
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7^M
Keep-Alive: 300^M
Connection: keep-alive^M
Referer: http://lsd.pharm.kyoto-u.ac.jp/cgi-bin/lsdproj/ejlookup04.pl?opt=c^M
Cookie: language=ja^M
Content-Type: application/x-www-form-urlencoded^M
Content-Length: 97^M

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/ls access"; flow:to_server,established; uricontent:"/cgi-bin/ls"; nocase; metadata:service http; reference:bugtraq,936; reference:cve,2000-0079; reference:nessus,10037; classtype:web-application-activity; sid:1539; rev:8;)
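Why the Gozi rule is a true positive and the `/cgi-bin/ls` rule a false positive comes down to the semantics of `uricontent`: Snort only needs each pattern to occur somewhere in the URI, so `/cgi-bin/lsdproj/ejlookup04.pl` satisfies `uricontent:"/cgi-bin/ls"`. The following is an added example for this page, not Snort's own matcher and not ETH's code: a minimal reader for the `uricontent`/`nocase` options of the two rules above, the Snort-style substring check that fires for both payloads, and the kind of "exact targeting" check an analyst adds on top (the query must really carry the Gozi parameters; the path must be exactly the named CGI script). The request lines are the ones shown on the slides; the option parser covers only the common `option:"value";` shape and is a simplification.

```python
import re
from typing import Callable, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Rules and request lines as shown on the slides.
GOZI_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi check-in / update"; '
             'flow:established,to_server; uricontent:"?user_id="; nocase; uricontent:"&version_id="; nocase; '
             'uricontent:"&crc="; nocase; reference:url,www.secureworks.com/research/threats/gozi; '
             'classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009410; '
             'reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gozi; sid:2009410; rev:3;)')
LS_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/ls access"; '
           'flow:to_server,established; uricontent:"/cgi-bin/ls"; nocase; metadata:service http; '
           'reference:bugtraq,936; reference:cve,2000-0079; reference:nessus,10037; '
           'classtype:web-application-activity; sid:1539; rev:8;)')
GOZI_PAYLOAD = ("GET /cgi-bin/options.cgi?user_id=494311523&version_id=370&passphrase=fkjvhsdvlksdhvlsd"
                "&socks=25518&version=125&crc=50857252 HTTP/1.1\r\nAccept: */*\r\nHost: 91.207.61.10\r\n")
LS_PAYLOAD = ("POST /cgi-bin/lsdproj/ejlookup04.pl?opt=c HTTP/1.1\r\n"
              "Host: lsd.pharm.kyoto-u.ac.jp\r\nCookie: language=ja\r\n")


def split_options(rule: str) -> List[str]:
    """Split the option block of a Snort rule on ';' outside double quotes (escapes honoured)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return opts + [tail] if tail else opts


def uricontents(rule: str) -> List[Tuple[str, bool]]:
    """(pattern, nocase) for every uricontent option, in rule order."""
    found: List[List] = []
    for opt in split_options(rule):
        if opt.startswith("uricontent:"):
            raw = opt[len("uricontent:"):].strip().strip('"')
            found.append([re.sub(r"\\(.)", r"\1", raw), False])
        elif opt == "nocase" and found:
            found[-1][1] = True
    return [(p, nc) for p, nc in found]


def request_uri(payload: str) -> str:
    """The URI from the HTTP request line inside the trigger payload ('' if none)."""
    m = re.search(r"\b(?:GET|POST|HEAD|PUT)\s+(\S+)\s+HTTP/", payload)
    return m.group(1) if m else ""


def rule_fires(rule: str, payload: str) -> bool:
    """Snort semantics: every uricontent must occur somewhere in the URI (substring match)."""
    uri = request_uri(payload)
    for pattern, nocase in uricontents(rule):
        hay, needle = (uri.lower(), pattern.lower()) if nocase else (uri, pattern)
        if needle not in hay:
            return False
    return True


def gozi_exact(uri: str) -> bool:
    """Exact-targeting check: the query really carries the Gozi check-in parameters."""
    return {"user_id", "version_id", "crc"} <= set(parse_qs(urlsplit(uri).query))


def cgi_script_exact(script: str) -> Callable[[str], bool]:
    """Exact-targeting check for '/cgi-bin/<name> access' rules: the path must be that script,
    so '/cgi-bin/lsdproj/...' does not count even though it contains '/cgi-bin/ls'."""
    return lambda uri: urlsplit(uri).path == script


def classify(rule: str, payload: str, exact: Callable[[str], bool]) -> str:
    if not rule_fires(rule, payload):
        return "no match"
    return "true positive" if exact(request_uri(payload)) else "false positive"


if __name__ == "__main__":
    print("Gozi:", classify(GOZI_RULE, GOZI_PAYLOAD, gozi_exact))
    print("ls  :", classify(LS_RULE, LS_PAYLOAD, cgi_script_exact("/cgi-bin/ls")))
```

The same mechanism is what the "additional criteria" of Currentpositives encode per rule: the Snort match is the trigger, and the criteria decide whether the match is exact enough to report.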

A typical Currentpositives Report Contains:

• The OS of the compromised machine
• The IDS-Positive(s) of a 5 minute window
• The payload(s) which triggered the IDS-Positives
• References which document the exact targeting attributes of the particular case
• «AllAboutIP» information about the responsibility and contact details of the IP

„Currentpositives“ Infrastructure

Diagram components:
• Internet / Network of ETH Zurich
• Snort node with „Current rules“ (static)
• File Server for Logfiles & PCAP Files
• Currentpositives: splitting intrusion/extrusion, processing data every 5 minutes, generating reports

IDS Infrastructure

Diagram components:
• Internet / Network of ETH Zurich
• Snort Node with „VRT Rules“ (dynamic) and Snort Node with „ET Rules“ (dynamic): IDS-STAT, 24 hr
• Snort Node with „Current Rules“ (static): Current-Positives, every 5 minutes
• File Server for Logfiles & PCAP Files
• Splitting intrusion/extrusion, processing of data, generating reports
• Postgres DB

Reference Library For The Additional Criteria Made Individually For Rules

Library:
  Dest Ip:            Dest ip n           • http-links  • Quotes
  Dest Host/Domain:   Dest host/domain n  • http-links  • Quotes
  Payload:            Payload n           • http-links  • Quotes

The report generator of Currentpositives scans the library for matching hits to include in the report.
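How the report generator can use such a library, together with the 5-minute window a report covers, as an added example for this page (not ETH's generator): positives are grouped per source IP into 5-minute cases, each positive is matched against library entries keyed by destination IP prefix, destination host/domain suffix or payload pattern, and the hits are rendered as the "For whoever is interested, the References:" section in the deck's QUOTE/Q> shape. The library entries for getterfire.info and for "webhp" reuse links and quotes shown in the deck; the dest-ip entry, its link, and all events are constructed placeholders.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from typing import List

WINDOW = timedelta(minutes=5)   # a report covers the positives of a 5 minute window

# Constructed library in the three key types the slide lists. The getterfire.info and
# "webhp" entries reuse links/quotes from the deck; the dest-ip entry is a placeholder.
LIBRARY = [
    {"kind": "host", "key": "getterfire.info",
     "link": "https://www.virustotal.com/en/file/d05bb9963be54f728ecc35f666fec61334b7f2de6ffc5e2b1d8eb03a626d758c/analysis/",
     "quote": ["File name: TSULoader.exe", "Detection ratio: 12 / 46"]},
    {"kind": "payload", "key": r"GET /webhp\b",
     "link": "http://www.sophos.com/security/analyses/viruses-and-spyware/malzbotbq.html",
     "quote": ["HTTP Requests", "* http://www.google.com/webhp"]},
    {"kind": "dest_ip", "key": "54.213.23.40/32",
     "link": "https://example.invalid/placeholder-reference-for-54.213.23.40",
     "quote": ["placeholder quote"]},
]


def host_header(payload: str) -> str:
    m = re.search(r"^Host:\s*(\S+)", payload, re.MULTILINE | re.IGNORECASE)
    return m.group(1).lower() if m else ""


def library_hits(event: dict, library: list) -> list:
    """Entries matching the positive: dest ip by prefix, host by domain suffix, payload by regex."""
    hits = []
    host = host_header(event["payload"])
    for entry in library:
        kind, key = entry["kind"], entry["key"]
        if kind == "dest_ip":
            ok = ipaddress.ip_address(event["dst"]) in ipaddress.ip_network(key)
        elif kind == "host":
            ok = host == key or host.endswith("." + key)
        else:
            ok = re.search(key, event["payload"]) is not None
        if ok:
            hits.append(entry)
    return hits


def build_cases(events: List[dict], library: list) -> List[dict]:
    """Group positives per source IP into 5-minute windows; each window is one report case."""
    cases: List[dict] = []
    for ev in sorted(events, key=lambda e: (e["src"], e["ts"])):
        cur = cases[-1] if cases else None
        if cur is None or cur["src"] != ev["src"] or ev["ts"] - cur["start"] > WINDOW:
            cur = {"src": ev["src"], "start": ev["ts"], "events": [], "references": []}
            cases.append(cur)
        cur["events"].append(ev)
        for hit in library_hits(ev, library):
            if hit not in cur["references"]:       # one reference per case, however often it hits
                cur["references"].append(hit)
    return sorted(cases, key=lambda c: c["start"])


def render(case: dict) -> str:
    """Text in the shape of the deck's report: the events, then the references section."""
    lines = [f"{len(case['events'])} positive(s) from {case['src']} starting {case['start']:%Y.%m.%d.%H.%M}"]
    for ev in case["events"]:
        lines.append(f"-> EVENT: {ev['msg']} -> SOURCE: {ev['src']} -> DEST: {ev['dst']}")
    lines.append("For whoever is interested, the References:")
    for ref in case["references"]:
        lines += [ref["link"], 'QUOTE:"'] + [f"Q> {q}" for q in ref["quote"]] + ['"']
    return "\n".join(lines)


T0 = datetime(2015, 8, 12, 10, 27, 11)
EVENTS = [   # constructed positives
    {"ts": T0, "src": "82.130.97.5", "dst": "54.213.23.40",
     "msg": "MALWARE-CNC Win.Trojan.Badur variant outbound connection",
     "payload": "GET /get/?data=abc&version=4 HTTP/1.1\r\nUser-Agent: win32\r\nHost: getterfire.info\r\n"},
    {"ts": T0 + timedelta(minutes=1), "src": "82.130.97.5", "dst": "173.194.40.95",
     "msg": "ET TROJAN Zeus Bot GET to Google Checking Internet Connection",
     "payload": "GET /webhp HTTP/1.1\r\nHost: www.google.ch\r\n"},
    {"ts": T0 + timedelta(minutes=2), "src": "129.132.50.7", "dst": "78.109.29.116",
     "msg": "ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1)",
     "payload": "GET /new/controller.php?action=bot HTTP/1.1\r\nHost: 78.109.29.116\r\n"},
    {"ts": T0 + timedelta(minutes=20), "src": "82.130.97.5", "dst": "173.194.40.95",
     "msg": "ET TROJAN Zeus Bot GET to Google Checking Internet Connection",
     "payload": "GET /webhp HTTP/1.1\r\nHost: www.google.ch\r\n"},
]

if __name__ == "__main__":
    for case in build_cases(EVENTS, LIBRARY):
        print(render(case), "\n")
```

The four constructed positives become three cases: two positives from 82.130.97.5 within one window (with the getterfire.info, destination-IP and webhp references attached), one Bredolab positive from another host with no library hit, and the later webhp positive from the first host, which falls outside the window and opens a case of its own.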

Currentpositives Report Example with Payload trigger „webhp“ (ET TROJAN Zeus Bot GET to Google Checking Internet Connection)

For whoever is interested, the Signature Trigger Payload:

################################################################

->

-> 06:33:05.108689 IP ***.xxx.yyy.zzz .64844 > 173.194.40.95.80: Flags

-> [P.], ack 1, win 258, length 547

-> E..KM.@.}..#.X.|..(_.L.P.3.0..p.P....<..GET /webhp HTTP/1.1

-> Accept: */*

-> Connection: Close

-> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;

-> Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR

-> 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)

-> Host: www.google.ch

-> Cache-Control: no-cache

-> Cookie:

-> PREF=ID=e8d86cf8a8472917:U=7f8b0af772b78abc:FF=0:TM=1366626670:LM=136

-> 6627394:S=ShohM133SbbyTnq8;

-> NID=67=Gs1zzxbSieWa9BTTo69mDxVyrHwevOtyWIvBKvXLXeO_iKvOtKfSRuUkWsf0QX

-> dG-qc-4DJFuV8NL9ArmSoICKeXoP0WX1BASRpmjIFiPL6u322TXFJSOYlnVoDeRke3

Currentpositives Report: Payload References from Library

For whoever is interested, the References:

################################################################

google webhp

http://www.sophos.com/security/analyses/viruses-and-spyware/malzbotbq.html

QUOTE:

"

Q> HTTP Requests

Q>

Q> * http://thinkpadus.cc/22oct_pac.cpm

Q> * http://www.google.com/webhp

Q>

Q> DNS Requests

Q>

Q> * realemotion.cc

Q> * thinkpadus.cc

Q> * www.google.com

"

google webhp

http://www.threatexpert.com/report.aspx?md5=ab3b13c68469bad8305fcb505d76b2ab

QUOTE:

"

Q>http://www.google.com.br/webhp?hl=pt-BR&source=hp

"

Some Numbers

Number of Currentpositives Cases Between 01.01.2015 and 24.08.2015: 2600

Number of Rules Activated in Currentpositives: 2400

Number of total Positives within 24 hrs on an ordinary day of Currentpositives: 7 000 000 – 8 000 000

Possible to-dos

• Gathering of malicious dest IPs for further Rule correlations
• Netflow analysis of compromised IPs
• Scanning of trigger payloads in search for further common denominators
• Traffic correlation validation between malicious IPs and ETH network

Q&A

END

Christian Hallqvist / Network Security / ICT-Networks, hall@id.ethz.ch