
© ETH Zürich | ICT-Network/NSG 03.10.2015 Automatic Reporting of True Positive IDS Cases.


1 Automatic Reporting of True Positive IDS Cases
© ETH Zürich | ICT-Network/NSG, christian.hallqvist@id.ethz.ch, 03.10.2015

2 (diagram) False Positive / False Negative / True Positives With Exact Targeting

3 Example of True Positive IDS Report (1/7)

Subject: 82.130.97.xx/xx.ethz.ch (MALWARE-CNC Win.Trojan.Badur variant outbound connection)

#########DISCLAIMER#############################################
This e-mail was generated automatically!
################################################################
Dear colleagues,

OS : 82.130.97.xx | WindowsVISTA/W7(variant3)
2015.08.12.10.28 - 2015.08.12.10.29

A 'MALWARE-CNC Win.Trojan.Badur variant outbound connection' case:
################################################################
-> EVENT: MALWARE-CNC Win.Trojan.Badur variant outbound connection
-> DATE: 08/12-10:27:11.502025
-> SOURCE: 82.130.97.xx:49237
-> DEST: 54.213.23.40:80

4 Example of True Positive IDS Report (2/7)

For whoever is interested, the Signature Trigger Payload:
################################################################
->
-> 10:27:11.502025 IP 82.130.97.xx.49237 > 54.213.23.40.80: Flags [P.],
-> ack 1, win 1024, length 766
-> GET
-> /get/?data=6G5VPuneaszQ3s%2BABClI1SO1BjAKBpQPlMZ8wyd%2BlOf9BiuSYONAhR
-> DRsDRTLsdVJ3X5BCSuxJCSe/I82hjfOTO1ccOEf/Uw5M%2B/SMeS9MdgAgoe2/XsWnUTL
-> I7kaWstGAG4IiBrgcWCpFgBAGh5KKZt%2BViUqQYOCWOENChzisjMSOtvBp1/KytA54R%
-> 2BuslTqtDlehgaFacmArmVt%2BTJ3oweKydxvHH270y86Gn0R4LGdDrk8DyrvYjEA0No%
-> 2BSb1udQhdNTibsue/wkTNlm1FUoiz3JCvG8eS8Kx%2BxSv20gAeERpRRLRSKnKPktL6d
-> XhwchQnEyfplKuGVx0D7N0zTsJC3gH%2BZpO7cNz2IHq2HlIaDJT5KJOLzCGvjBAD9oVm
-> qp3PsIEhh25mfyHlPtv%2B9iPHWDxWC34c0FVHuTvhPw68Bw01lGyApn17uYHZHIFHRW8
-> GqE9evJNlx5FsbFl%2BKnDur7HcQ1reET3Tp%2BQm3pE47DUHyDg%2BLg2xGb42yMkPPJ
-> Y6/saAlOWy9/GzNP8Rr2zeJg3RLNoD6/17vMY5jCuvk5U5muozbIfGh48eaxWQJgsoEkN
-> yHYE%2Bjuy089wJ3Gg9dIiW1oOkzlnb/9pJIWY&version=4 HTTP/1.1
-> Accept: */*
-> User-Agent: win32
-> Host: getterfire.info
-> Cache-Control: no-cache

5 Example of True Positive IDS Report (3/7)

Suggested Contact: adm-xxxx@netsup.ethz.ch

AllAboutIP
Orig IP: 82.130.97.xx
MAC: d850.e6aa.xxxxx
Vpz ISG Info: id-kom-proforma servicexxxxx@id.ethz.ch ISG ServiceDesk; netxxxxx@id.ethz.ch
ISG Info: adm-stonepine adm-xxxx@netsup.ethz.ch Cxxxxx Dxxxxx Lxx; dxxxxx.cxxxxx@id.ethz.ch ISG ServiceDesk; netxxxx@id.ethz.ch von Boexxxx Lxxx; lxxx@id.ethz.ch

6 Example of True Positive IDS Report (4/7)

################################################################
For whoever is interested, the References:
################################################################
google search result "GET /get/?data="
https://www.virustotal.com/en/file/d05bb9963be54f728ecc35f666fec61334b7f2de6ffc5e2b1d8eb03a626d758c/analysis/
QUOTE: "
Q> SHA256: d05bb9963be54f728ecc35f666fec61334b7f2de6ffc5e2b1d8eb03a626d758c
Q> File name: TSULoader.exe
Q> Detection ratio: 12 / 46
Q> Analysis date: 2013-02-19 23:51:27 UTC ( 1 week, 4 days ago )
"

7 Example of True Positive IDS Report (5/7)

QUOTE: "
Q> URL:
Q> http://filemagnet.info/get/?data=97LnkIhb9zuqAi4HwyT7kJYfWlCjPN4w4Mj8
Q> 31X/a7BVH6XhxrDIO3k9Ykr8f0P7fhGNJGE2OPL2ZuxeipA08%2BOlPgQ%2B0IMgrCo
Q> kudpMDAF7pJ8HxbMWvCc4IE6emDc2Uy0m9m9UzgOLbS0timpfa79g7/skDDhTH58vh
Q> Mcw8HuCPBe7C9XOPWTw40RKIfXuZFfPVy46yTj8%2BQFVR8/nRIOjqtGM6RayOgh6
Q> 6qBPzq4GydaAWOxhVTzjzzAM8qSZXGbAgxvp/6A%2Bqxbp6gPqXjQuSMAngeU31Dn
Q> KCox9AbnRScD4XuvCDq1ZgWdJlnttReSKurEcaxnPtq7XyzmsMWodpt1nw%2BnTIanoz5
Q> jgPtoDdd6La88CnIHvyCjYixUUC6bTiHxLNyJDjPH/I9/za0S2zvpvDV7gZPaf1FNwlaX
Q> EfK7HWzqddk3pFH2HsIVN3qp7RbVesaJEW531u1oLScpFCRFfi5XF3uRUvxzqu&versio
Q> n=2
Q> TYPE: GET
Q> USER AGENT: win32
"
03.03.2013

8 Example of True Positive IDS Report (6/7)

https://malwr.com/analysis/M2NlNzliYmE3NGM4NDIwMDlmNzc3NzUzM2JjMmU0NGE/
QUOTE: "
Q> GET
Q> /get/?data=APIqmXHuJuFfBpzaIKCtiFMn%2BlNx8Mz8AT47K3fSWSggdlmaoNqFGoHj
Q> eJdP61ywA3N52xk0uXmvd%2BrzUazeD80OD7THYOAfQWmIWwRe6ZpQC5zu10lcA%2BrOm
Q> S%2Bd5LSj9M5oRhi4QQ0po5HPAFA6Rv6XYH/2f/GW9AWZPQmWp9zG18bg0GNrCrdBfUna
Q> h/2y90kDILiZMr7n9HoAw44pH4ANdBKOjhDd2%2BgCCEPXZiPrGXD1TohEyzOJe0OgpoR
Q> PFgfRZM92El0laUo1TeO4TNL3tH0Yy08HZ0ZjDMjIrzoh9XZEFYN4NVjlN1oC0yvTetX3
Q> BthoQirMrV68F2L38oVvsi3OlvaVnPdHTAKZtBQzmuPtqOeLITgZqPQ%2B6d4j8HbvrBy
Q> LRyzMwGIWwkkMSMbui73nyFAXenRGrk/smwTj0ka8/Hrgsg/MNokbSfTWzl4gnxXVdtvK
Q> d&version=4 HTTP/1.1
Q> Accept: */*
Q> User-Agent: win32
Q> Host: skyprobar.info
Q> Cache-Control: no-cache
"

9 Example of True Positive IDS Report (7/7)

QUOTE: "
Q> Analysis
Q> Category  Started              Completed            Duration
Q> FILE      2014-01-25 05:48:34  2014-01-25 05:49:12  38 seconds
Q> File Details
Q> File Name  support.exe
Q> File Size  4806656 bytes
Q> File Type  PE32 executable (GUI) Intel 80386, for MS Windows
Q> MD5     69b389c1c7830bed8ee5777ef56c0fc3
Q> SHA1    02185367648fec8eb8e33ab91e4b082f3adbf80d
Q> SHA256  cec89619fc58f2e91f104c2c818cb0c751e40e69b19fe9f04ac91c291f6f8d6f
Q> SHA512  fc16bf0159c0b2fdd1a04294a76d0d01193aeb3b078df3995cae35d0110621c56408d1404396c2
Q> CRC32   C0A6B255
Q> Ssdeep  98304:KJrQy9KGK0m3+uz4FeRbWSKpEJxxNjfxfu6VFfng5xmBNyo
Q> Yara    None matched
Q> Signatures
Q> Starts servers listening on 0.0.0.0:0
Q> File has been identified by at least one AntiVirus on VirusTotal as malicious
Q> Performs some HTTP requests
Q> Steals private information from local Internet browsers
Q> Installs itself for autorun at Windows startup
"
08.09.2014

10 How To Automatically Generate True Positive IDS Reports

Basically, two methods are used in combination:
1. Selection of high-quality rules. These must be validated, proven and reliable, because they are selected for a static and limited special rule set, the "Currentpositives" ruleset.
2. Addition of trigger criteria. Combinations of thresholds, destination IPs, source IPs, rules, extrusion/intrusion direction, payload detection etc. are applied when processing the positives for exact targeting, which raises the TP/FP ratio even further.

11 Rule Selection

By selecting specific high-quality rules and/or by adding additional criteria it is indeed possible to generate true positive IDS reports automatically, 24x7. First the high-quality rules have to be found, identified and validated.

12 Rule Sources

Two major rule sources are:
- VRT (Vulnerability Research Team) of Sourcefire, www.snort.org
- ET (Emerging Threats) of Proofpoint, www.emergingthreats.net

13 Some Facts about the Rule Provider VRT

VRT (Vulnerability Research Team) of Sourcefire
- As of 06.08.2015 VRT offered 28'738 rules
- Between 05.08.2015 and 06.08.2015, 1'935 VRT rules were removed and 16'010 VRT rules were modified or added
- The Snort node running the VRT ruleset generates around 450'000 IDS events per 24 hours at ETH Zurich

14 Some Facts about the Rule Provider ET

ET (Emerging Threats) of Proofpoint
- As of 06.08.2015 ET offered 27'774 rules
- Between 05.08.2015 and 06.08.2015, 2 ET rules were removed and 11 ET rules were modified or added
- The Snort node running the ET ruleset generates around 1'000'000 IDS events per 24 hours at ETH Zurich

15 How to Find High-Quality Rules with a Significant TP/FP Ratio?

With nearly 60'000 rules and daily changes it is a challenge to pick the ones with excellent quality. With simple statistics it is possible to find appropriate candidates.

16 At ETH We Use Rule Profiling «IDS-STAT» for Statistical Analysis

The original goal of IDS-STAT was flexible and automatic anomaly detection with as few (false) positives as possible left to be managed manually. That also involved correlation detection between different anomalies.

17 However, IDS-STAT turns out to be a good rule quality evaluator. The best rules are evaluated further and handpicked for the "Currentpositives" Snort node, which generates nearly 100% TP reports. Needless to say, the selected rules must be the very reliable ones.

18 IDS-STAT Generates Two Kinds of Reports

There are two kinds of reports generated every 24 hours:
1. IDS-STAT signature report: reports deviations of rule positives when a certain threshold is exceeded.
2. IDS-STAT IP report: total-deviation top-10 IP ranking, based on the cumulated/aggregated result of the IDS-STAT signature report.

19 The IDS-STAT Analysis Is About "Average", "Deviation" And Correlation

(chart) N=10; average at peak = 140; deviation (sigma) at peak = 36; peak number of deviations (sigma) = 10

20 Example with «BLEEDING-EDGE P2P BitTorrent peer sync» (total traffic), N=100 (chart)

21 «BLEEDING-EDGE P2P BitTorrent peer sync» deviations (total traffic) (chart)

22 «BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port» peaks (total traffic), N=100 (chart)

23 «BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port» deviations (total traffic) (chart)

24 Comparing Peaks/Signals: Bleeding-Edge ATTACK RESPONSE IRC - Channel JOIN on non-std port vs. Bleeding-Edge P2P BitTorrent peer sync (chart)

25 Correlation Detection of Deviations Between Different IPs and Rules

IDS-STAT signature report (deviating signatures):

  Signature 1, deviation: 10   IP deviation distribution
                               111.111.111.1   4
                               222.222.222.2   4
                               333.333.333.3   2
  Signature 2, deviation: 12   IP deviation distribution
                               444.444.444.4   5
                               222.222.222.2   4
                               111.111.111.1   3

IDS-STAT IP report (deviation-causing IPs, cumulated deviation):

  IP 222.222.222.2   8
  IP 111.111.111.1   7

26 Case 28.02.2008: IDS-STAT Signature Report, "Deviation" and IP Ranking

BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port
counter:91 devq: 22.95 Value:0->73. maverage:1.50->2.29 mstddev:2.36->3.12
---
  16  129.132.14y.aaa  BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port
  13  129.132.14y.bbb  BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port
  10  129.132.14z.cc   BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port
   9  129.132.14x.dd   BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port
   8  129.132.14y.eee  BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port
   8  129.132.14x.f    BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port
   5  129.132.14y.gg   BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port
   1  82.130.8x.hhh    BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port
   1  129.132.21x.ii   BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port
   1  129.132.14y.j    BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port

(The rule jumped from 0 to 73 positives in one day against the moving average and moving standard deviation of the preceding days, giving a deviation of 22.95; the ranking lists the internal IPs that produced the positives.)

27 Case 28.02.2008: Positive Distribution of IPs

Same report: each IP's share of the 73 positives and the corresponding share of the deviation 22.95 (share x 22.95):

  positives  IP               share  deviation share
  16         129.132.14y.aaa  22%    5.0
  13         129.132.14y.bbb  18%    4.1
  10         129.132.14z.cc   14%    3.2
   9         129.132.14x.dd   12%    2.7
   8         129.132.14y.eee  11%    2.5
   8         129.132.14x.f    11%    2.5
   5         129.132.14y.gg    7%    1.6
   1         82.130.8x.hhh     1%    0.2
   1         129.132.21x.ii    1%    0.2
   1         129.132.14y.j     1%    0.2

28 Detailed IDS-STAT IP Report with Correlations

Columns per signature line: events from this IP (signature total in parentheses), this IP's deviation share (signature deviation in parentheses). The IP's total is the sum of its shares.

129.132.***.***   total 105.788571428571 ***
  ET TROJAN Gozi check-in / update                          9 (9.)       63.93 (63.93)
  ET USER_AGENTS Suspicious User-Agent (IE)                 6 (7.)       34.6285714285714 (40.40)
  SPECIFIC-THREATS Gozi Trojan connection to C&C attempt   30 (30.)       7.23 (7.23)
  CHAT MSN outbound file transfer request                   6 (90481.)    0.000310341397641494 (4.68)
82.130.***.**     total 11.6816165871675 ***
  ET RBN Known Russian Business Network IP TCP (291)       23 (325.)      0.798276923076923 (11.28)
  ET RBN Known Russian Business Network IP TCP (306)       77 (143.)      5.91230769230769 (10.98)
  ET RBN Known Russian Business Network IP TCP (299)       74 (374.)      2.03401069518717 (10.28)
  ET RBN Known Russian Business Network IP TCP (297)       29 (47.)       2.93702127659574 (4.76)
82.130.**.**      total 6.32307692307692 ***
  SPYWARE-PUT Adware download accelerator plus runtime detection - get ads          7 (13.)   4.24307692307692 (7.88)
  SPYWARE-PUT Adware download accelerator plus runtime detection - download files   4 (10.)   2.08 (5.20)
129.132.***.***   total 35.83 ***
  ET USER_AGENTS Suspicious User-Agent (IE)                 9 (9.)       24.3 (24.30)
  BACKDOOR torpig-mebroot command and control checkin      18 (18.)      11.53 (11.53)
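The two daily reports of slides 18 to 28 (signature deviation against an N-day average, and an IP ranking built by cumulating each IP's part of the deviations) as an added example. This is my own model, not the IDS-STAT code: the deviation is assumed to be a z-score of today's count against the mean and standard deviation of the previous N days, an IP's part of a signature's deviation is the deviation times the IP's fraction of that day's positives (the arithmetic visible on slides 27 and 28, e.g. 6 of 7 events x 40.40 = 34.63), and the threshold value, sample day and history are constructed.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

THRESHOLD = 3.0   # assumed; the slides only say "a certain threshold"


def deviation(history, today):
    """Deviation of today's event count for one signature against its N-day
    history: how many standard deviations above the average it lies.
    Returns 0.0 when there is no history or no variance to compare against."""
    if not history:
        return 0.0
    sigma = pstdev(history)
    return 0.0 if sigma == 0 else (today - mean(history)) / sigma


def signature_report(events, history, threshold=THRESHOLD):
    """IDS-STAT style signature report.

    events:  iterable of (signature, internal ip) pairs for the current day
    history: {signature: [count of day -N, ..., count of day -1]}
    Returns {signature: (deviation, {ip: deviation share})} for the signatures
    whose deviation exceeds the threshold. An IP's share is the signature's
    deviation times the IP's fraction of the day's positives."""
    events = list(events)
    per_sig = Counter(sig for sig, _ in events)
    per_sig_ip = Counter(events)
    report = {}
    for sig, total in per_sig.items():
        dev = deviation(history.get(sig, []), total)
        if dev <= threshold:
            continue
        shares = {ip: dev * n / total for (s, ip), n in per_sig_ip.items() if s == sig}
        report[sig] = (dev, dict(sorted(shares.items(), key=lambda kv: -kv[1])))
    return report


def ip_report(sig_report, top=10):
    """IDS-STAT style IP report: cumulate each IP's shares over all deviating
    signatures and rank the top N, so a host that is only moderately
    conspicuous under several rules still rises to the top."""
    cumulated = defaultdict(float)
    for _, shares in sig_report.values():
        for ip, share in shares.items():
            cumulated[ip] += share
    return sorted(cumulated.items(), key=lambda kv: -kv[1])[:top]


# Constructed sample day following the numbers on slide 25: signature 1 hits
# 111/222/333 4/4/2 times, signature 2 hits 444/222/111 5/4/3 times;
# signature 3 is a steady rule that must not be reported.
TODAY = ([("Signature 1", "111.111.111.1")] * 4 + [("Signature 1", "222.222.222.2")] * 4
         + [("Signature 1", "333.333.333.3")] * 2 + [("Signature 2", "444.444.444.4")] * 5
         + [("Signature 2", "222.222.222.2")] * 4 + [("Signature 2", "111.111.111.1")] * 3
         + [("Signature 3", "129.132.1.1")] * 5)

# Constructed 10-day history (N=10) of daily counts per signature.
HISTORY = {
    "Signature 1": [0, 2] * 5,                      # average 1, sigma 1: today's 10 is 9 sigma
    "Signature 2": [1, 3] * 5,                      # average 2, sigma 1: today's 12 is 10 sigma
    "Signature 3": [5, 6, 4, 5, 5, 6, 5, 4, 6, 5],  # average 5.1: today's 5 is no deviation
}

if __name__ == "__main__":
    sig = signature_report(TODAY, HISTORY)
    for name, (dev, shares) in sig.items():
        print(f"{name} deviation: {dev:.2f}")
        for ip, share in shares.items():
            print(f"    {ip:15} {share:5.2f}")
    print("IP report (cumulated deviation):")
    for ip, total in ip_report(sig):
        print(f"    {ip:15} {total:5.2f}")
```

Run as is, it reports signatures 1 and 2 (signature 3 stays below the threshold) and ranks 222.222.222.2 first: it is not the top IP under either rule, but it appears under both, which is exactly the correlation the IP report is meant to surface.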

29 Dynamic IDS-STAT Infrastructure (diagram)

- Internet <-> Network of ETH Zurich
- Snort node with "VRT rules" and Snort node with "ET rules"
- File server for logfiles & PCAP files
- Splitting intrusion/extrusion, processing of data
- Postgres DB
- IDS-STAT: generating 24 hr reports

30 Classifying the Possible Situation

- Rule 1 hits IP 1, IP 2, IP 3, IP 4: could be an epidemic
- Rule 1 hits IP 1: could be one compromised host
- Rules 1, 2, 3 hit IP 1: could be one very compromised host

Possible procedures:
1. Google items of the payload, dest IP, dest host, dest domain.
2. If possible, reproduce the download action and test the results with, for example, www.virustotal.com and www.sunbeltsecurity.com/sandbox
3. Check the traffic for unusual connections using the procedure described in the presentation https://www1.ethz.ch/id/services/list/security/workshops/ETH_Anomaly-Detection-in-Netflows-PPT

Damage: the damage factors can overlap and also be perceived differently (reputation, network, personal, economical, professional etc.).
Threat: the threat categories can also overlap and be perceived differently: DoS (Smurf attacks, DNS amplification, HTTP DoS etc.), Trojans (keyloggers, bots, spammers), fake AVs, scanners, adware.

31 What can be done when a potentially significant rule is found, in order to classify it as high quality for Currentpositives?

- Look at the rule and its criteria.
- Look up the references inside the rule.
- Investigate the criteria.
- Investigate the external IP(s) of the event(s).
- Cross-check whether the external IP(s) cause other correlating event(s).
- Cross-check whether the internal IP(s) cause other correlating event(s).
- Investigate the trigger payload(s).
- Investigate the external host/domain.
- Find false positives and investigate them.
- Find true positives and investigate them.
- Investigate the connections of the internal IP.
- Cross-check the external IPs with blacklists.
- Cross-check whether already validated rules correlate well.
- Investigate traffic by «netflow anomaly detection»: https://www1.ethz.ch/id/services/list/security/workshops/ETH_Anomaly-Detection-in-Netflows-PPT

32 Example 1: Finding and determining promising rules for "Currentpositives" by searching outgoing correlations (diagram)

Compromised ETH host --Rule 1--> Malicious IP; the same malicious IP is also reached via Rule 2, Rule 3 and Rule 4 from other, possibly compromised ETH hosts.

33 Example 2: Finding and determining promising rules for "Currentpositives" by searching incoming correlations (diagram)

Compromised ETH host --Rule 1--> Malicious IP; the same compromised host also triggers Rule 2, Rule 3 and Rule 4 towards other, possibly malicious IPs.

34 There Are Many Possible Correlation Combinations. Some Other Examples (diagram):

- Dest-to-source IP correlation: source IP 1 and source IP 2 both reach the same dest IP
- Source-to-dest IP correlation: one source IP reaches dest IP 1 and dest IP 2
- Rule correlation: one IP triggers Rule 1 and Rule 2

35 Available Trigger Payload Data From Snort

Example of payload:
05:50:56.112006 IP 129.132.abc.abc.1277 > 91.207.61.10.http: P 2492095193:2492095493(300) ack 920686566 win 17640
GET /cgi-bin/options.cgi?user_id=494311523&version_id=370&passphrase=fkjvhsdvlksdhvlsd&socks=25518&version=125&crc=50857252 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6)
Host: 91.207.61.10
Connection: Keep-Alive

36 Inside the Snort Signatures/Rules

Example of rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi check-in / update"; flow:established,to_server; uricontent:"?user_id="; nocase; uricontent:"&version_id="; nocase; uricontent:"&crc="; nocase; reference:url,www.secureworks.com/research/threats/gozi; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009410; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gozi; sid:2009410; rev:3;)

37 Example of True Positive: Payload and Rule

Rule:
#by Darren Spruell
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1)"; flow:established,to_server; uricontent:"action="; nocase; uricontent:"&entity_list="; nocase; uricontent:"&uid="; nocase; uricontent:"&first="; uricontent:"&guid="; nocase; uricontent:"&rnd="; nocase; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader\:Win32/Bredolab.B; reference:url,doc.emergingthreats.net/2009353; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2009353; rev:4;)

Event:
EVENT: ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1)
DATE: 06/30-07:40:35.374218
SOURCE: 129.132.abc.a:52008
DEST: 78.109.29.116:80

Payload:
07:40:35.374218 IP 129.132.abc.a.52008 > 78.109.29.116.http: P 3033886655:3033886776(121) ack 518552487 win 65535
GET /new/controller.php?action=bot&entity_list=&uid=1&first=0&guid=282938190&rnd=981633 HTTP/1.1^M
Host: 78.109.29.116^M

38 Example of False Positive: Rule Matches the Content, but the Content Does Not Exactly Match the Rule's Intent

Event:
EVENT: WEB-CGI /cgi-bin/ls access
DATE: 07/04-18:23:24.872100
SOURCE: 129.132.abc.ab:51819
DEST: 130.54.101.98:80

Payload:
18:23:24.872100 IP 129.132.abc.ab.51819 > 130.54.101.98.http: P 2816729049:2816729741(692) ack 912047122 win 65535
POST /cgi-bin/lsdproj/ejlookup04.pl?opt=c HTTP/1.1^M
Host: lsd.pharm.kyoto-u.ac.jp^M
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5^M
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8^M
Accept-Language: en-us,en;q=0.7,de-ch;q=0.3^M
Accept-Encoding: gzip,deflate^M
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7^M
Keep-Alive: 300^M
Connection: keep-alive^M
Referer: http://lsd.pharm.kyoto-u.ac.jp/cgi-bin/lsdproj/ejlookup04.pl?opt=c^M
Cookie: language=ja^M
Content-Type: application/x-www-form-urlencoded^M
Content-Length: 97^M

Rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/ls access"; flow:to_server,established; uricontent:"/cgi-bin/ls"; nocase; metadata:service http; reference:bugtraq,936; reference:cve,2000-0079; reference:nessus,10037; classtype:web-application-activity; sid:1539; rev:8;)

The uricontent "/cgi-bin/ls" is a plain substring test on the URI, so it also fires on the unrelated script path "/cgi-bin/lsdproj/..." of a dictionary lookup form.
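Slides 36 to 38 show the same mechanism producing two true positives and one false positive. The following added example (my own code, not Snort and not the ETH tooling) emulates Snort's uricontent matching, which is a substring test on the request URI, on the three request lines from the slides, and adds a tightened check for the "/cgi-bin/ls" rule that compares the script name itself. The tightened check and the "ls_tp" request are assumptions for the example; the rules' uricontent tokens and the other request lines are those on the slides.

```python
import re

# uricontent tokens of the rules on slides 36 to 38
RULES = {
    "ET TROJAN Gozi check-in / update": ["?user_id=", "&version_id=", "&crc="],
    "ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1)":
        ["action=", "&entity_list=", "&uid=", "&first=", "&guid=", "&rnd="],
    "WEB-CGI /cgi-bin/ls access": ["/cgi-bin/ls"],
}

# Request lines from slides 35, 37 and 38; "ls_tp" is a constructed request
# that really targets /cgi-bin/ls.
PAYLOADS = {
    "gozi": "GET /cgi-bin/options.cgi?user_id=494311523&version_id=370&passphrase=fkjvhsdvlksdhvlsd"
            "&socks=25518&version=125&crc=50857252 HTTP/1.1\r\nHost: 91.207.61.10\r\n",
    "bredolab": "GET /new/controller.php?action=bot&entity_list=&uid=1&first=0&guid=282938190&rnd=981633"
                " HTTP/1.1\r\nHost: 78.109.29.116\r\n",
    "ls_fp": "POST /cgi-bin/lsdproj/ejlookup04.pl?opt=c HTTP/1.1\r\nHost: lsd.pharm.kyoto-u.ac.jp\r\n",
    "ls_tp": "GET /cgi-bin/ls?-la HTTP/1.1\r\nHost: example.invalid\r\n",
}


def request_uri(payload):
    """Request URI from the first line of an HTTP request, or None."""
    m = re.match(r"[A-Z]+ (\S+) HTTP/1\.[01]", payload)
    return m.group(1) if m else None


def uricontent_match(uri, needles, nocase=True):
    """Snort-style uricontent: every token must occur as a substring of the URI."""
    hay = uri.lower() if nocase else uri
    return all((n.lower() if nocase else n) in hay for n in needles)


def cgi_bin_script(uri):
    """Name of the script directly under /cgi-bin/, or None (exact-target check)."""
    segs = [s for s in uri.split("?", 1)[0].split("/") if s]
    return segs[1] if len(segs) >= 2 and segs[0].lower() == "cgi-bin" else None


def classify(payload):
    """{rule: (fires, exact)}: 'fires' is the substring verdict Snort's
    uricontent gives, 'exact' adds the script-name check for the ls rule."""
    uri = request_uri(payload)
    if uri is None:
        return {rule: (False, False) for rule in RULES}
    out = {}
    for rule, needles in RULES.items():
        fires = uricontent_match(uri, needles)
        exact = fires and (rule != "WEB-CGI /cgi-bin/ls access" or cgi_bin_script(uri) == "ls")
        out[rule] = (fires, exact)
    return out


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        for rule, (fires, exact) in classify(payload).items():
            if fires:
                print(f"{name:9} {rule}: fires={fires} exact={exact}")
```

Output for the slide 38 request is fires=True, exact=False: the rule is right that the string is there and wrong about what it means, which is the kind of rule that never makes it into the "Currentpositives" set without an additional criterion.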

39 A Typical Currentpositives Report Contains:

- The OS of the compromised machine
- The IDS positive(s) of a 5-minute window
- The payload(s) which triggered the IDS positives
- References which document the exact-targeting attributes of the particular case
- «AllAboutIP» information about the responsibility and contact details of the IP

40 Static "Currentpositives" Infrastructure (diagram)

- Internet <-> Network of ETH Zurich
- Snort node with "Current rules"
- File server for logfiles & PCAP files
- Splitting intrusion/extrusion, processing data every 5 minutes
- Generating reports

41 IDS Infrastructure (diagram)

- Internet <-> Network of ETH Zurich
- Dynamic, 24 hr: Snort node with "VRT rules", Snort node with "ET rules", file server for logfiles & PCAP files, splitting intrusion/extrusion, processing of data, Postgres DB, IDS-STAT generating reports
- Static, every 5 minutes: Snort node with "Current rules", Current-Positives generating reports

42 Reference Library For The Additional Criteria, Made Individually For Rules

Library entries are keyed by:
- Dest IP: n http links, quotes
- Dest host/domain: n http links, quotes
- Payload: n http links, quotes

The report generator of Currentpositives scans the library for matching hits to include in the report. Example: payload key "webhp" for the rule "ET TROJAN Zeus Bot GET to Google Checking Internet Connection".
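The static side of the talk, slides 10, 39 and 42 (a validated rule set, additional trigger criteria per rule, a 5-minute window, and a reference library keyed by dest IP, dest host and payload), as an added example. This is my own toy report generator, not the ETH Currentpositives code; HOME_NET, the per-rule criteria (direction, numeric Gozi parameters, a minimum of two Zeus probes), the contact table and the events are constructed for the example, and the library entries are the references shown on slides 36 and 44.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

HOME_NET = [ipaddress.ip_network("129.132.0.0/16")]  # assumed, not ETH's real definition
WINDOW = timedelta(minutes=5)                         # the 5-minute window of a report
GOZI = "ET TROJAN Gozi check-in / update"
ZEUS = "ET TROJAN Zeus Bot GET to Google Checking Internet Connection"

# Static "Currentpositives" ruleset: validated rule -> additional trigger criteria
# (values assumed for this example).
CURRENTPOSITIVES = {
    GOZI: dict(direction="extrusion", min_events=1,      # Snort only checks the strings;
               payload=re.compile(r"\?user_id=\d+&version_id=\d+.*&crc=\d+ HTTP/1\.[01]")),  # require numbers
    ZEUS: dict(direction="extrusion", min_events=2,      # a single Google probe is too weak
               payload=re.compile(r"GET /webhp HTTP/1\.[01].*?Host: www\.google\.", re.S)),
}

# Reference library keyed by dest IP, dest host and payload token: (link, quote).
LIBRARY = {
    "dest_ip": {}, "dest_host": {},
    "payload": {
        "webhp": [("http://www.sophos.com/security/analyses/viruses-and-spyware/malzbotbq.html",
                   "HTTP Requests: * http://www.google.com/webhp"),
                  ("http://www.threatexpert.com/report.aspx?md5=ab3b13c68469bad8305fcb505d76b2ab",
                   "http://www.google.com.br/webhp?hl=pt-BR&source=hp")],
        "?user_id=": [("http://www.secureworks.com/research/threats/gozi", "reference of sid:2009410")],
    },
}

# "AllAboutIP" stand-in: responsible contact per internal range (constructed).
CONTACTS = {ipaddress.ip_network("129.132.1.0/24"): "adm-xxxx@netsup.ethz.ch",
            ipaddress.ip_network("129.132.5.0/24"): "adm-yyyy@netsup.ethz.ch"}


def is_home(ip):
    return any(ipaddress.ip_address(ip) in net for net in HOME_NET)


def direction(ev):
    """The intrusion/extrusion split of the infrastructure slides."""
    return "extrusion" if is_home(ev["src"]) and not is_home(ev["dst"]) else "intrusion"


def host_header(payload):
    m = re.search(r"^Host: (\S+)", payload, re.M)
    return m.group(1) if m else ""


def references(ev):
    """Scan the library for hits on dest IP, dest host and payload tokens."""
    hits = list(LIBRARY["dest_ip"].get(ev["dst"], []))
    hits += LIBRARY["dest_host"].get(host_header(ev["payload"]), [])
    for token, refs in LIBRARY["payload"].items():
        if token in ev["payload"]:
            hits += refs
    return hits


def contact_for(ip):
    addr = ipaddress.ip_address(ip)
    return next((c for net, c in CONTACTS.items() if addr in net), "unknown")


def currentpositives_cases(events):
    """One case per (internal IP, rule) whose events pass the rule's criteria
    inside a 5-minute window anchored at the first qualifying event."""
    buckets = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        crit = CURRENTPOSITIVES.get(ev["msg"])
        if crit is None or direction(ev) != crit["direction"]:
            continue
        if not crit["payload"].search(ev["payload"]):
            continue                                  # rule fired, exact criterion did not
        buckets[(ev["src"], ev["msg"])].append(ev)
    cases = []
    for (src, msg), evs in buckets.items():
        inwin = [e for e in evs if e["time"] - evs[0]["time"] <= WINDOW]
        if len(inwin) < CURRENTPOSITIVES[msg]["min_events"]:
            continue
        refs = []
        for e in inwin:
            refs += [r for r in references(e) if r not in refs]
        cases.append({"src": src, "rule": msg, "events": inwin,
                      "contact": contact_for(src), "references": refs})
    return cases


def _ev(hhmmss, msg, src, dst, payload):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return {"time": datetime(2015, 8, 12, h, m, s), "msg": msg, "src": src, "dst": dst, "payload": payload}


# Constructed events modelled on the slide payloads.
EVENTS = [
    _ev("10:27:11", GOZI, "129.132.1.2", "91.207.61.10",
        "GET /cgi-bin/options.cgi?user_id=494311523&version_id=370&socks=25518&crc=50857252 HTTP/1.1\r\n"
        "Host: 91.207.61.10\r\n"),
    _ev("10:27:20", GOZI, "129.132.1.3", "91.207.61.10",        # strings present but not numeric: dropped
        "GET /x.cgi?user_id=abc&version_id=def&crc=ghi HTTP/1.1\r\nHost: 91.207.61.10\r\n"),
    _ev("10:33:05", ZEUS, "129.132.5.6", "173.194.40.95",
        "GET /webhp HTTP/1.1\r\nAccept: */*\r\nHost: www.google.ch\r\n"),
    _ev("10:33:45", ZEUS, "129.132.5.6", "173.194.40.95",
        "GET /webhp HTTP/1.1\r\nAccept: */*\r\nHost: www.google.ch\r\n"),
    _ev("10:40:00", ZEUS, "129.132.5.7", "173.194.40.95",       # single hit: below min_events, dropped
        "GET /webhp HTTP/1.1\r\nHost: www.google.ch\r\n"),
]

if __name__ == "__main__":
    for case in currentpositives_cases(EVENTS):
        print(f"Subject: {case['src']} ({case['rule']})  contact: {case['contact']}")
        for link, quote in case["references"]:
            print(f"  {link}\n    QUOTE: {quote}")
```

Two of the five events become cases (the Gozi check-in from 129.132.1.2 and the repeated Zeus probe from 129.132.5.6); the near-miss Gozi payload and the single Zeus probe are exactly the positives the extra criteria are there to suppress.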

43 Currentpositives Report Example with Payload Trigger

For whoever is interested, the Signature Trigger Payload:
################################################################
->
-> 06:33:05.108689 IP ***.xxx.yyy.zzz.64844 > 173.194.40.95.80: Flags
-> [P.], ack 1, win 258, length 547
-> E..KM.@.}..#.X.|..(_.L.P.3.0..p.P....<..GET /webhp HTTP/1.1
-> Accept: */*
-> Connection: Close
-> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;
-> Trident/5.0; SLCC2;.NET CLR 2.0.50727;.NET CLR 3.5.30729;.NET CLR
-> 3.0.30729; Media Center PC 6.0;.NET4.0C;.NET4.0E; InfoPath.3)
-> Host: www.google.ch
-> Cache-Control: no-cache
-> Cookie:
-> PREF=ID=e8d86cf8a8472917:U=7f8b0af772b78abc:FF=0:TM=1366626670:LM=136
-> 6627394:S=ShohM133SbbyTnq8;
-> NID=67=Gs1zzxbSieWa9BTTo69mDxVyrHwevOtyWIvBKvXLXeO_iKvOtKfSRuUkWsf0QX
-> dG-qc-4DJFuV8NL9ArmSoICKeXoP0WX1BASRpmjIFiPL6u322TXFJSOYlnVoDeRke3

44 Currentpositives Report: Payload References from the Library

For whoever is interested, the References:
################################################################
google webhp
http://www.sophos.com/security/analyses/viruses-and-spyware/malzbotbq.html
QUOTE: "
Q> HTTP Requests
Q>
Q> * http://thinkpadus.cc/22oct_pac.cpm
Q> * http://www.google.com/webhp
Q>
Q> DNS Requests
Q>
Q> * realemotion.cc
Q> * thinkpadus.cc
Q> * www.google.com
"
google webhp
http://www.threatexpert.com/report.aspx?md5=ab3b13c68469bad8305fcb505d76b2ab
QUOTE: "
Q> http://www.google.com.br/webhp?hl=pt-BR&source=hp
"

45 Some Numbers

- Number of Currentpositives cases between 01.01.2015 and 24.08.2015: 2600
- Number of rules activated in Currentpositives: 2400
- Number of total positives within 24 hrs on an ordinary day of Currentpositives: 7 000 000 – 8 000 000

46 Possible To-Dos

- Gathering of malicious dest IPs for further rule correlations
- Netflow analysis of compromised IPs
- Scanning of trigger payloads in search of further common denominators
- Traffic correlation validation between malicious IPs and the ETH network


48 Q&A

49 END
Christian Hallqvist / Network Security / ICT-Networks, hall@id.ethz.ch

