Hakuna Suricata (it means no worries, except for APT)


Hakuna Suricata (it means no worries, except for APT)
LS Pulsifer, Surveillance Analyst
5 May 2014

Outline
IDS Overview
First Thoughts
Rules of the Jungle
HTTP GET
HTTP 200 OK
BONUS ROUND!
Conclusion

First Thoughts
Easy setup
TURN ON ALL THE THINGS!
Output format(s)
1400-line config (with comments)
ET rules out of the box
Rule management?
Fancy-lookin' rules

Rules of the Jungle
# PULSIFER.CA / CATS TEST HTTP RULE
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"THE INTERNET WANTS CATS"; content:"GET"; http_method; content:"/cats.html"; http_uri; content:"pulsifer.ca"; http_header; content:"Windows NT 6.1"; http_user_agent; urilen:<11; classtype:bad-unknown; sid:5000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"THE INTERNET GOT CATS"; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"iframe src"; http_server_body; classtype:bad-unknown; sid:5000000; rev:1;)

First Rule of the Jungle
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"THE INTERNET WANTS CATS"; content:"GET"; http_method; content:"/cats.html"; http_uri; content:"pulsifer.ca"; http_header; content:"Windows NT 6.1"; http_user_agent; urilen:<11; classtype:bad-unknown; sid:5000001; rev:1;)

GET /cats.html HTTP/1.1
Host: pulsifer.ca
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
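To see which bytes each content modifier actually inspects, here is an added toy evaluator (my code, not Suricata's and not from the deck). It rebuilds the http_method, http_uri, http_header and http_user_agent buffers from the request above, and the http_stat_code, http_stat_msg and http_server_body buffers from the 200 OK response on the second-rule slide, then walks the options of both rules from the Rules of the Jungle slide. The function names (http_buffers, parse_rule, evaluate, fires) are mine, the response's elided headers are left out, and address/direction matching, fast_pattern, URI normalisation and body decompression, all of which the real engine applies, are not modelled.

```python
import re

# Buffers a modifier keyword can redirect the preceding content: to (Suricata 2.0 style).
MODIFIERS = {"http_method", "http_uri", "http_header", "http_user_agent",
             "http_stat_code", "http_stat_msg", "http_server_body"}

# The two rules from the slides, straight quotes only.
RULE_WANTS_CATS = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"THE INTERNET WANTS CATS"; '
                   'content:"GET"; http_method; content:"/cats.html"; http_uri; '
                   'content:"pulsifer.ca"; http_header; content:"Windows NT 6.1"; http_user_agent; '
                   'urilen:<11; classtype:bad-unknown; sid:5000001; rev:1;)')
RULE_GOT_CATS = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"THE INTERNET GOT CATS"; '
                 'content:"200"; http_stat_code; content:"OK"; http_stat_msg; '
                 'content:"iframe src"; http_server_body; classtype:bad-unknown; sid:5000000; rev:1;)')

# Request and response as shown on the slides (the response headers elided there are omitted).
# The request is 294 bytes, the STREAM DATA LEN the debug slide reports.
REQUEST = ("GET /cats.html HTTP/1.1\r\n"
           "Host: pulsifer.ca\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0\r\n"
           "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
           "Accept-Language: en-US,en;q=0.5\r\n"
           "Accept-Encoding: gzip, deflate\r\n"
           "Connection: keep-alive\r\n\r\n")
RESPONSE = ("HTTP/1.1 200 OK\r\n"
            "Date: Tue, 06 May 2014 02:12:05 GMT\r\n\r\n"
            "<!DOCTYPE html>\n<html>\n<body>\n<script>\n"
            "document.write('<iframe src=\"http://mjner.com/update/\"></iframe>');\n"
            "</script>\n</body>\n</html>\n")


def http_buffers(message: str) -> dict:
    """Map one HTTP request or response onto the buffers the modifiers select."""
    head, _, body = message.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
    bufs = {"payload": message, "http_header": "\r\n".join(header_lines) + "\r\n"}
    if start_line.startswith("HTTP/"):          # response: "HTTP/1.1 200 OK"
        _, code, msg = start_line.split(" ", 2)
        bufs.update(http_stat_code=code, http_stat_msg=msg, http_server_body=body)
    else:                                        # request: "GET /cats.html HTTP/1.1"
        method, uri, _ = start_line.split(" ", 2)
        bufs.update(http_method=method, http_uri=uri,
                    http_user_agent=headers.get("user-agent", ""))
    return bufs


def split_options(options: str) -> list:
    """Split on ';' outside double quotes, so a content value may itself contain ';'."""
    items, current, quoted = [], "", False
    for ch in options:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            items.append(current.strip())
            current = ""
        else:
            current += ch
    if current.strip():
        items.append(current.strip())
    return items


RULE_HEADER = re.compile(r"^(\w+)\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s+\((.*)\)\s*$", re.S)


def parse_rule(text: str) -> dict:
    """Collect content/urilen checks (buffer, value) and the remaining options as metadata."""
    m = RULE_HEADER.match(text.strip())
    if not m:
        raise ValueError("not a rule: %r" % text[:40])
    rule = {"action": m.group(1), "proto": m.group(2), "meta": {}, "checks": []}
    for option in split_options(m.group(3)):
        key, _, value = option.partition(":")
        if key == "content":
            rule["checks"].append(["payload", value.strip('"')])  # buffer set by the next modifier
        elif key in MODIFIERS:
            rule["checks"][-1][0] = key
        elif key == "urilen":
            rule["checks"].append(["urilen", value])
        else:
            rule["meta"][key] = value.strip('"')
    return rule


def evaluate(rule: dict, message: str) -> list:
    """Return the checks that do NOT match; an empty list means the rule fires."""
    bufs, failed = http_buffers(message), []
    for buf, value in rule["checks"]:
        if buf == "urilen":
            op, n = re.match(r"([<>]?)(\d+)", value).groups()
            length, n = len(bufs.get("http_uri", "")), int(n)
            ok = length < n if op == "<" else length > n if op == ">" else length == n
        else:
            ok = value in bufs.get(buf, "")     # a request has no http_stat_code, and vice versa
        if not ok:
            failed.append((buf, value))
    return failed


def fires(rule_text: str, message: str) -> bool:
    return not evaluate(parse_rule(rule_text), message)


if __name__ == "__main__":
    for rule_text, message in ((RULE_WANTS_CATS, REQUEST), (RULE_GOT_CATS, RESPONSE)):
        rule = parse_rule(rule_text)
        print(rule["meta"]["sid"], rule["meta"]["msg"], "->", evaluate(rule, message) or "ALERT")
```

Both rules report ALERT on the slide's traffic. Change the URI to /cats.html?id=1 and only urilen:<11 fails, which is exactly the single-option check worth doing before a rule ships: every content: in a rule must match, so one wrong buffer or one off-by-one length silently turns the whole rule off.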

First Rule Debug (Suricata alert-debug output)
TIME: 05/05/2014-22:12:06.264225
PCAP PKT NUM: 8
PKT SRC: wire/pcap
SRC IP: 10.13.37.1
DST IP: 67.231.24.125
PROTO: 6
SRC PORT: 45985
DST PORT: 80
TCP SEQ: 2163504816
TCP ACK: 988888138
FLOW: to_server: TRUE, to_client: FALSE
FLOW Start TS: 05/05/2014-22:12:06.232835
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER: DETECTED: TRUE, PROTO 1
FLOWBIT: ET.http.driveby.redkit.uri
PACKET LEN: 60

Debug cont..
PACKET:
0000 00 0C 29 DD B4 57 C8 60 00 CB 92 D9 08 00 45 00 ..)..W.` ......E.
0010 00 28 1E DF 40 00 80 06 50 7F 0A 0D 25 01 43 E7 .(..@... P...%.C.
0020 18 7D B3 A1 00 50 80 F4 76 B0 3A F1 3C 4A 50 10 .}...P.. v.:.<JP.
0030 00 FE 00 93 00 00 00 00 00 00 00 00 ........ ....
ALERT CNT: 1
ALERT MSG [00]: THE INTERNET WANTS CATS
ALERT GID [00]: 1
ALERT SID [00]: 5000001
ALERT REV [00]: 1
ALERT CLASS [00]: Potentially Bad Traffic
ALERT PRIO [00]: 2
ALERT FOUND IN [00]: STATE
ALERT IN TX [00]: 0
STREAM DATA LEN: 294
STREAM DATA: ...

Second Rule of the Jungle
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"THE INTERNET GOT CATS"; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"iframe src"; http_server_body; classtype:bad-unknown; sid:5000000; rev:1;)

HTTP/1.1 200 OK
Date: Tue, 06 May 2014 02:12:05 GMT
...
<!DOCTYPE html>
<html>
<body>
<script>
document.write('<iframe src="http://mjner.com/update/"></iframe>');
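The 60-byte PACKET dump is the frame Suricata attached to the alert, and it is worth decoding once, because it is not the packet that carried the GET. The decoder below is an added example (my code, not from the deck; parse_hexdump and decode_frame are my names) that takes the four dump lines from the slide and unpacks the Ethernet, IPv4 and TCP headers. The result is a client-to-server segment with the ACK flag only, 40 bytes of IP datagram plus 6 bytes of Ethernet padding, and zero bytes of TCP payload. That is what ALERT FOUND IN: STATE means: the rule matched on reassembled application-layer state, so the request bytes are under STREAM DATA (294 bytes), not in the logged packet. Anyone carving the alerting packet out of a pcap by PCAP PKT NUM to "see the payload" will find nothing; pull the flow instead.

```python
import re
import struct

# The PACKET hex dump copied from the alert-debug slide: offset, 16 bytes per line, ASCII column.
ALERT_DEBUG_DUMP = """\
0000 00 0C 29 DD B4 57 C8 60 00 CB 92 D9 08 00 45 00 ..)..W.` ......E.
0010 00 28 1E DF 40 00 80 06 50 7F 0A 0D 25 01 43 E7 .(..@... P...%.C.
0020 18 7D B3 A1 00 50 80 F4 76 B0 3A F1 3C 4A 50 10 .}...P.. v.:.<JP.
0030 00 FE 00 93 00 00 00 00 00 00 00 00 ........ ....
"""

# Offset, then up to 16 upper-case hex bytes. The ASCII column in this format comes in
# 8-character groups (4 on a short last line), never a lone hex-looking pair, so the match
# stops at the right place.
HEX_LINE = re.compile(r"^[0-9A-F]{4}((?:\s+[0-9A-F]{2}){1,16})(?=\s|$)")

TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def parse_hexdump(text: str) -> bytes:
    """Turn the alert-debug PACKET dump back into raw frame bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).strip())
    return bytes(out)


def decode_frame(raw: bytes) -> dict:
    """Ethernet II / IPv4 / TCP header fields plus the TCP payload length (no options parsed)."""
    if len(raw) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet+IPv4+TCP")
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4, ethertype 0x%04x" % ethertype)
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        raise ValueError("not TCP, IP protocol %d" % proto)
    tcp = ip[ihl:total_len]                       # datagram only, drops any Ethernet padding
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "ttl": ttl, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAGS if off_flags & bit],
        "payload_len": len(tcp) - data_off,
        "padding": len(raw) - 14 - total_len,     # minimum-frame padding after the datagram
    }


if __name__ == "__main__":
    frame = parse_hexdump(ALERT_DEBUG_DUMP)
    print(len(frame), "bytes:", decode_frame(frame))
```

The decoded SRC IP, DST IP, ports, TCP SEQ and TCP ACK agree with the First Rule Debug fields, so the dump and the summary describe the same frame; only the summary does not tell you the payload length is zero.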

Bonus Round! GUESS THE META!
05/05/2014-20:13:27.852789 [**] Query TX 214c [**] pulsifer.ca [**] A [**] 10.13.37.1:50922 -> 10.0.0.5:53
05/05/2014-20:13:27.852789 [**] Response TX 214c [**] Recursion Desired [**] 10.0.0.5:53 -> 10.13.37.1:50922
05/05/2014-20:13:27.852789 [**] Response TX 214c [**] pulsifer.ca [**] A [**] TTL 12128 [**] 67.231.24.125 [**] 10.0.0.5:53 -> 10.13.37.1:50922
05/05/2014-20:50:35.379305 172.16.0.10:38457 -> 67.231.24.125:993 TLS: Subject='serialNumber=tsWwnNhDJVx2sppFUBFdevYswWWbQOPg, OU=GT90807209, OU=See www.rapidssl.com/resources/cps (c)14, OU=Domain Control Validated - RapidSSL(R), CN=pulsifer.ca' Issuerdn='C=US, O=GeoTrust, Inc., CN=RapidSSL CA' SHA1='d1:0b:df:ca:39:a9:dc:50:79:cb:73:d0:0b:10:84:e9:92:e8:2d:fd' VERSION='TLSv1'
05/05/2014-20:13:27.921584 pulsifer.ca [**] /cats.html [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 156 bytes [**] 10.13.37.1:44739 -> 67.231.24.125:80
05/05/2014-20:13:28.259719 mjner.com [**] /update/ [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 [**] https://pulsifer.ca/cats.html [**] GET [**] HTTP/1.1 [**] 200 [**] 1123 bytes [**] 10.13.37.1:44740 -> 100.42.50.110:80
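The answer to the game is three of Suricata 2.0's text outputs: the first three lines are dns.log, the fourth is tls.log with extended logging (the SHA1 and VERSION fields), and the last two are http.log with extended logging (referer, method, protocol, status and size). As an added example (my code, not from the deck), the parser below classifies each line, pulls the fields out, then does the two pivots an analyst would do by hand: walk the http.log referers to rebuild the cats.html to mjner.com/update/ chain, and gather what every log says about one server IP. The log lines are copied from the slide; parse_line, referer_chain and pivot_on_ip are my names.

```python
import re

# The six "guess the meta" lines from the slide, in slide order.
LOG_LINES = """\
05/05/2014-20:13:27.852789 [**] Query TX 214c [**] pulsifer.ca [**] A [**] 10.13.37.1:50922 -> 10.0.0.5:53
05/05/2014-20:13:27.852789 [**] Response TX 214c [**] Recursion Desired [**] 10.0.0.5:53 -> 10.13.37.1:50922
05/05/2014-20:13:27.852789 [**] Response TX 214c [**] pulsifer.ca [**] A [**] TTL 12128 [**] 67.231.24.125 [**] 10.0.0.5:53 -> 10.13.37.1:50922
05/05/2014-20:50:35.379305 172.16.0.10:38457 -> 67.231.24.125:993 TLS: Subject='serialNumber=tsWwnNhDJVx2sppFUBFdevYswWWbQOPg, OU=GT90807209, OU=See www.rapidssl.com/resources/cps (c)14, OU=Domain Control Validated - RapidSSL(R), CN=pulsifer.ca' Issuerdn='C=US, O=GeoTrust, Inc., CN=RapidSSL CA' SHA1='d1:0b:df:ca:39:a9:dc:50:79:cb:73:d0:0b:10:84:e9:92:e8:2d:fd' VERSION='TLSv1'
05/05/2014-20:13:27.921584 pulsifer.ca [**] /cats.html [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 156 bytes [**] 10.13.37.1:44739 -> 67.231.24.125:80
05/05/2014-20:13:28.259719 mjner.com [**] /update/ [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 [**] https://pulsifer.ca/cats.html [**] GET [**] HTTP/1.1 [**] 200 [**] 1123 bytes [**] 10.13.37.1:44740 -> 100.42.50.110:80
"""

ENDPOINTS = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")


def endpoints(text: str) -> dict:
    """The 'src:port -> dst:port' tail every one of these formats ends with."""
    m = ENDPOINTS.search(text)
    return {"src": m.group(1), "sport": int(m.group(2)), "dst": m.group(3), "dport": int(m.group(4))}


def parse_line(line: str) -> dict:
    """Classify one line as dns / tls / http and return its fields."""
    if " TLS: " in line:                                  # tls.log (extended)
        head, _, attrs = line.partition(" TLS: ")
        ts, ep = head.split(" ", 1)
        rec = {"log": "tls", "ts": ts, **endpoints(ep)}
        rec.update({k.lower(): v for k, v in re.findall(r"(\w+)='([^']*)'", attrs)})
        cn = re.search(r"CN=([^,']+)", rec.get("subject", ""))
        rec["cn"] = cn.group(1) if cn else None
        return rec
    parts = [p.strip() for p in line.split("[**]")]
    if " " in parts[0]:                                   # http.log (extended): "ts host" first
        ts, host = parts[0].split(" ", 1)
        uri, ua, referer, method, proto, status, size = parts[1:8]
        return {"log": "http", "ts": ts, "host": host, "uri": uri, "user_agent": ua,
                "referer": None if referer == "<no referer>" else referer,
                "method": method, "proto": proto, "status": int(status),
                "bytes": int(size.split()[0]), **endpoints(parts[8])}
    kind, _, tx = parts[1].partition(" TX ")              # dns.log: "Query TX id" / "Response TX id"
    rec = {"log": "dns", "ts": parts[0], "kind": kind.lower(), "tx": tx, **endpoints(parts[-1])}
    if kind == "Query":
        rec.update(name=parts[2], rrtype=parts[3])
    elif len(parts) == 7:                                 # answer: name, type, TTL, rdata
        rec.update(name=parts[2], rrtype=parts[3], ttl=int(parts[4].split()[1]), rdata=parts[5])
    else:                                                 # header-only response line
        rec["flags"] = parts[2]
    return rec


def parse_records(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def referer_chain(records: list) -> list:
    """Walk http.log referers back to their origin; one host/uri list per referred request."""
    http = [r for r in records if r["log"] == "http"]
    by_url = {r["host"] + r["uri"]: r for r in http}
    chains = []
    for r in http:
        if not r["referer"]:
            continue
        chain, ref = [r["host"] + r["uri"]], r["referer"]
        while ref:
            key = re.sub(r"^https?://", "", ref)
            if key in chain:                              # guard against referer loops
                break
            chain.append(key)
            parent = by_url.get(key)
            ref = parent["referer"] if parent else None   # stops if the referer was never logged
        chains.append(chain[::-1])
    return chains


def pivot_on_ip(records: list, ip: str) -> dict:
    """What dns.log, tls.log and http.log each say about one server IP."""
    return {
        "dns_names": sorted({r["name"] for r in records if r["log"] == "dns" and r.get("rdata") == ip}),
        "tls_cn": sorted({r["cn"] for r in records if r["log"] == "tls" and r["dst"] == ip and r["cn"]}),
        "http_hosts": sorted({r["host"] for r in records if r["log"] == "http" and r["dst"] == ip}),
    }


if __name__ == "__main__":
    records = parse_records(LOG_LINES)
    for r in records:
        print(r["log"], r["ts"], r.get("name") or r.get("cn") or r.get("host"))
    print(referer_chain(records))
    print(pivot_on_ip(records, "67.231.24.125"))
    print(pivot_on_ip(records, "100.42.50.110"))
```

The pivot on 67.231.24.125 lines up DNS answer, certificate CN and HTTP Host as pulsifer.ca; the pivot on 100.42.50.110 returns only the HTTP host mjner.com, because no dns.log line on the slide resolves it. That kind of gap (a host contacted with no matching resolution in the logs you have) is itself a lead, and it falls out of the correlation rather than from any single log.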

Conclusion