ids-ethz - nsg-ids-reporting_of_year_2015

© ETH Zürich | ICT-Network/NSG [email protected] 03.10.2015 Automatic Reporting of True Positive IDS Cases

Upload: christian-hallqvist, posted on 22-Jan-2018

Page 1

Automatic Reporting of True Positive IDS Cases

Page 2

Diagram labels: False Positive; False Negative; True Positives With Exact Targeting

Page 3

Example of True Positive IDS Report (1/7)

Subject: 82.130.97.xx/xx.ethz.ch (MALWARE-CNC Win.Trojan.Badur variant outbound connection)

#########DISCLAIMER#############################################
Diese Email wurde automatisch generiert!
################################################################

Liebe Kollegen,

OS : 82.130.97.xx | WindowsVISTA/W7(variant3)
2015.08.12.10.28 - 2015.08.12.10.29
Ein 'MALWARE-CNC Win.Trojan.Badur variant outbound connection' Fall:
################################################################
-> EVENT: MALWARE-CNC Win.Trojan.Badur variant outbound connection
-> DATE: 08/12-10:27:11.502025
-> SOURCE: 82.130.97.xx:49237
-> DEST: 54.213.23.40:80

Page 4

Example of True Positive IDS Report (2/7)

For whoever is interested, the Signature Trigger Payload:
################################################################
->
->
->
-> 10:27:11.502025 IP 82.130.97.xx.49237 > 54.213.23.40.80: Flags [P.],
-> ack 1, win 1024, length 766
-> GET
-> /get/?data=6G5VPuneaszQ3s%2BABClI1SO1BjAKBpQPlMZ8wyd%2BlOf9BiuSYONAhR
-> DRsDRTLsdVJ3X5BCSuxJCSe/I82hjfOTO1ccOEf/Uw5M%2B/SMeS9MdgAgoe2/XsWnUTL
-> I7kaWstGAG4IiBrgcWCpFgBAGh5KKZt%2BViUqQYOCWOENChzisjMSOtvBp1/KytA54R%
-> 2BuslTqtDlehgaFacmArmVt%2BTJ3oweKydxvHH270y86Gn0R4LGdDrk8DyrvYjEA0No%
-> 2BSb1udQhdNTibsue/wkTNlm1FUoiz3JCvG8eS8Kx%2BxSv20gAeERpRRLRSKnKPktL6d
-> XhwchQnEyfplKuGVx0D7N0zTsJC3gH%2BZpO7cNz2IHq2HlIaDJT5KJOLzCGvjBAD9oVm
-> qp3PsIEhh25mfyHlPtv%2B9iPHWDxWC34c0FVHuTvhPw68Bw01lGyApn17uYHZHIFHRW8
-> GqE9evJNlx5FsbFl%2BKnDur7HcQ1reET3Tp%2BQm3pE47DUHyDg%2BLg2xGb42yMkPPJ
-> Y6/saAlOWy9/GzNP8Rr2zeJg3RLNoD6/17vMY5jCuvk5U5muozbIfGh48eaxWQJgsoEkN
-> yHYE%2Bjuy089wJ3Gg9dIiW1oOkzlnb/9pJIWY&version=4 HTTP/1.1
-> Accept: */*
-> User-Agent: win32
-> Host: getterfire.info
-> Cache-Control: no-cache

Page 5

Example of True Positive IDS Report (3/7)

Suggested Contact: [email protected]

AllAboutIP
Orig IP: 82.130.97.xx
MAC: d850.e6aa.xxxxx
Vpz ISG Info: id-kom-proforma [email protected]
ISG ServiceDesk; [email protected]
ISG Info: adm-stonepine [email protected]
Cxxxxx Dxxxxx Lxx; [email protected]
ISG ServiceDesk; [email protected]
von Boexxxx Lxxx; [email protected]

Page 6

Example of True Positive IDS Report (4/7)

################################################################
For whoever is interested, the References:
################################################################
google search result "GET /get/?data="
https://www.virustotal.com/en/file/d05bb9963be54f728ecc35f666fec61334b7f2de6ffc5e2b1d8eb03a626d758c/analysis/
QUOTE:"
Q> SHA256: d05bb9963be54f728ecc35f666fec61334b7f2de6ffc5e2b1d8eb03a626d758c
Q> File name: TSULoader.exe
Q> Detection ratio: 12 / 46
Q> Analysis date: 2013-02-19 23:51:27 UTC ( 1 week, 4 days ago ) "

Page 7

Example of True Positive IDS Report (5/7)

QUOTE:"
Q> URL:
Q> http://filemagnet.info/get/?data=97LnkIhb9zuqAi4HwyT7kJYfWlCjPN4w4Mj8
Q> 31X/a7BVH6XhxrDIO3k9Ykr8f0P7fhGNJGE2OPL2ZuxeipA08%2BOlPgQ%2B0IMgrCo
Q> kudpMDAF7pJ8HxbMWvCc4IE6emDc2Uy0m9m9UzgOLbS0timpfa79g7/skDDhTH58vh
Q> Mcw8HuCPBe7C9XOPWTw40RKIfXuZFfPVy46yTj8%2BQFVR8/nRIOjqtGM6RayOgh6
Q> 6qBPzq4GydaAWOxhVTzjzzAM8qSZXGbAgxvp/6A%2Bqxbp6gPqXjQuSMAngeU31Dn
Q> KCox9AbnRScD4XuvCDq1ZgWdJlnttReSKurEcaxnPtq7XyzmsMWodpt1nw%2BnTIanoz5
Q> jgPtoDdd6La88CnIHvyCjYixUUC6bTiHxLNyJDjPH/I9/za0S2zvpvDV7gZPaf1FNwlaX
Q> EfK7HWzqddk3pFH2HsIVN3qp7RbVesaJEW531u1oLScpFCRFfi5XF3uRUvxzqu&versio
Q> n=2
Q> TYPE: GET
Q> USER AGENT: win32" 03.03.2013
________________

Page 8

Example of True Positive IDS Report (6/7)

https://malwr.com/analysis/M2NlNzliYmE3NGM4NDIwMDlmNzc3NzUzM2JjMmU0NGE/
QUOTE:"
Q> GET
Q> /get/?data=APIqmXHuJuFfBpzaIKCtiFMn%2BlNx8Mz8AT47K3fSWSggdlmaoNqFGoHj
Q> eJdP61ywA3N52xk0uXmvd%2BrzUazeD80OD7THYOAfQWmIWwRe6ZpQC5zu10lcA%2BrOm
Q> S%2Bd5LSj9M5oRhi4QQ0po5HPAFA6Rv6XYH/2f/GW9AWZPQmWp9zG18bg0GNrCrdBfUna
Q> h/2y90kDILiZMr7n9HoAw44pH4ANdBKOjhDd2%2BgCCEPXZiPrGXD1TohEyzOJe0OgpoR
Q> PFgfRZM92El0laUo1TeO4TNL3tH0Yy08HZ0ZjDMjIrzoh9XZEFYN4NVjlN1oC0yvTetX3
Q> BthoQirMrV68F2L38oVvsi3OlvaVnPdHTAKZtBQzmuPtqOeLITgZqPQ%2B6d4j8HbvrBy
Q> LRyzMwGIWwkkMSMbui73nyFAXenRGrk/smwTj0ka8/Hrgsg/MNokbSfTWzl4gnxXVdtvK
Q> d&version=4 HTTP/1.1
Q> Accept: */*
Q> User-Agent: win32
Q> Host: skyprobar.info
Q> Cache-Control: no-cache"

Page 9

Example of True Positive IDS Report (7/7)

QUOTE:"
Q> Analysis
Q> Category Started Completed Duration
Q> FILE 2014-01-25 05:48:34 2014-01-25 05:49:12 38 seconds
Q> File Details
Q> File Name support.exe
Q> File Size 4806656 bytes
Q> File Type PE32 executable (GUI) Intel 80386, for MS Windows
Q> MD5 69b389c1c7830bed8ee5777ef56c0fc3
Q> SHA1 02185367648fec8eb8e33ab91e4b082f3adbf80d
Q> SHA256 cec89619fc58f2e91f104c2c818cb0c751e40e69b19fe9f04ac91c291f6f8d6f
Q> SHA512 fc16bf0159c0b2fdd1a04294a76d0d01193aeb3b078df3995cae35d0110621c56408d1404396c2
Q> CRC32 C0A6B255
Q> Ssdeep 98304:KJrQy9KGK0m3+uz4FeRbWSKpEJxxNjfxfu6VFfng5xmBNyo
Q> Yara None matched
Q> You need to login
Q> Signatures
Q> Starts servers listening on 0.0.0.0:0 File has been identified by at
Q> least one AntiVirus on VirusTotal as malicious Performs some HTTP
Q> requests Steals private information from local Internet browsers
Q> Installs itself for autorun at Windows startup" 08.09.2014

Page 10

How To Automatically Generate True Positive IDS Reports

Basically, two methods are used in combination:

• Selection of high quality rules. These must be validated, proven and reliable, because they are selected for a static and limited special rule set, the „Currentpositives“ ruleset.

• Addition of trigger criteria. Combinations of thresholds, destination IPs, source IPs, rules, extrusion, intrusion, payload detection etc. are used when processing the positives for exact targeting, and so raise the TP/FP ratio even higher.

Page 11

By selecting specific high quality rules and/or by adding additional criteria it is indeed possible to automatically generate true positive IDS reports, 7x24.

Rule Selection

First, the high quality rules have to be found, identified and validated.

Page 12

Rule Sources

Two major rule sources are:

VRT (Vulnerability Research Team) of Sourcefire, www.snort.org

ET (Emerging Threats) of Proofpoint, www.emergingthreats.net

Page 13

Some Facts about the rule provider VRT

VRT (Vulnerability Research Team) of Sourcefire

As of 06.08.2015 VRT offered 28’738 rules

Between 05.08.2015 and 06.08.2015, 1’935 VRT rules were removed and 16’010 VRT rules were modified or added

The VRT ruleset snort node generates around 450’000 IDS events at ETH Zurich per 24 hours

Page 14

Some Facts about the rule provider ET

ET (Emerging Threats) of Proofpoint

As of 06.08.2015 ET offered 27’774 rules

Between 05.08.2015 and 06.08.2015, 2 ET rules were removed and 11 ET rules were modified or added

The ET rule set generates around 1’000’000 IDS events at ETH Zurich within 24 hours

Page 15

How to find high quality rules with a significant TP/FP ratio?

With nearly 60’000 rules and daily changes it is a challenge to pick the ones with excellent quality.

With simple statistics it is possible to find appropriate candidates.

Page 16

At ETH we use Rule Profiling «IDS-STAT» for statistical analysis

The original goal of IDS-STAT was: flexible and automatic anomaly detection with as few (false) positives as possible to be manually managed.

That also involved correlation detection between different anomalies.

Page 17

However, IDS-STAT turns out to be a good rule quality evaluator.

The best rules are evaluated further and handpicked for the „Currentpositives“ snort node, which generates nearly 100% TP reports.

Needless to say, the selected rules must be…. … the very reliable ones

[Image sources: http://de.nutrend.eu/ge/events-7/art_244787/nutrend-at-meeting-of-world-record-holders.aspx and http://stockfresh.com/image/162323/strong-chain]

Page 18

IDS-STAT Generates two kinds of Reports

There are two kinds of reports generated every 24 hrs:

1: IDS-STAT signature report: reports deviations of rule positives when a certain threshold is exceeded

2: IDS-STAT ip report: total deviation top-10 IP ranking based on the cumulated/aggregated result of the IDS-STAT signature report

Page 19

The IDS-STAT Analysis Is About „Average“, „Deviation“ And Correlation

Chart labels: N=10; Average at peak = 140; Deviation (Sigma σ) at peak = 36; Peak number of deviations (Sigma σ) = 10

Page 20

Chart: Example with «BLEEDING-EDGE P2P BitTorrent peer sync» (total traffic), N=100

Page 21

Chart: BLEEDING-EDGE P2P BitTorrent peer sync, „Deviations“ (total traffic)

Page 22

Chart: „BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port“ Peaks (total traffic), N=100

Page 23

Chart: „BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port“ Deviations (total traffic)

Page 24

Comparing Peaks/Signals

Chart: Bleeding-Edge ATTACK RESPONSE IRC-Channel JOIN on non-std port vs. Bleeding-Edge P2P BitTorrent peer sync

Page 25

Deviating Signatures (IDS-STAT Signature report)

Signature 1, deviation: 10
  IP               Deviation distribution
  111.111.111.1    4
  222.222.222.2    4
  333.333.333.3    2

Signature 2, deviation: 12
  IP               Deviation distribution
  444.444.444.4    5
  222.222.222.2    4
  111.111.111.1    3

Deviation causing IPs (IDS-STAT IP report)

  IP               Cumulated deviation
  222.222.222.2    8
  111.111.111.1    7

Correlation detection of deviations between different IPs and rules

Page 26

Case 28.02.2008 IDS-STAT Signature Report

BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port „Deviation“ and IP-Ranking:

BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port counter:91 devq: 22.95 Value:0->73. maverage:1.50->2.29 mstddev:2.36->3.12
- ---
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port 16 129.132.14y.aaa
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port 13 129.132.14y.bbb
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port 10 129.132.14z.cc
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port 9 129.132.14x.dd
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port 8 129.132.14y.eee
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port 8 129.132.14x.f
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port 5 129.132.14y.gg
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port 1 82.130.8x.hhh
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port 1 129.132.21x.ii
BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port 1 129.132.14y.j

Page 27

Case 28.02.2008 Positive Distribution of IPs

BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port „Deviation“ and IP-Ranking:

BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port counter:91 devq: 22.95 Value:0->73. maverage:1.50->2.29 mstddev:2.36->3.12
- ---

  Positives   IP                Share of positives   Deviation share
  16          129.132.14y.aaa   = 22%                => 5.0
  13          129.132.14y.bbb   = 18%                => 4.1
  10          129.132.14z.cc    = 14%                => 3.2
  9           129.132.14x.dd    = 12%                => 2.7
  8           129.132.14y.eee   = 11%                => 2.5
  8           129.132.14x.f     = 11%                => 2.5
  5           129.132.14y.gg    = 7 %                => 1.6
  1           82.130.8x.hhh     = 1%                 => 0.2
  1           129.132.21x.ii    = 1%                 => 0.2
  1           129.132.14y.j     = 1%                 => 0.2
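Slides 18 to 27 describe the IDS-STAT scoring in words and charts; the following Python is an added example (not ETH's IDS-STAT code) that carries the same pipeline through on constructed daily counts: moving average and standard deviation per signature, a devq threshold, the proportional split of a deviating signature's devq over its source IPs, and the cumulated IP ranking. The update rule behind the slides' maverage/mstddev is not given, so a plain window over the previous N days is assumed; the IPs and signature names are the slides' own examples.

```python
"""IDS-STAT-style deviation scoring (added example, not ETH's code).

Assumptions, labelled because the slides do not give the formulas:
 - devq = (today's positives - moving average) / moving standard deviation,
   both taken over the previous N daily counts of one signature;
 - a signature is reported when devq exceeds a threshold;
 - its devq is shared out to the source IPs in proportion to their share of
   the positives (the slides round the percentage first; this does not);
 - the IP report sums those shares over all reported signatures.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def signature_devq(history, today):
    """Standard deviations that today's count lies above the moving average.
    A flat history with a jump is reported as infinite, without a jump as 0."""
    avg, sd = mean(history), pstdev(history)
    if sd == 0:
        return float("inf") if today > avg else 0.0
    return (today - avg) / sd


def distribute(dq, ip_counts):
    """Share a signature's devq over its source IPs by their positives."""
    total = sum(ip_counts.values())
    return {ip: round(dq * n / total, 1) for ip, n in ip_counts.items()}


def signature_report(history, events, threshold):
    """history: {signature: [N previous daily counts]}; events: today's
    (signature, source_ip) pairs. Returns {signature: (devq, {ip: share})}
    for every signature whose devq exceeds the threshold."""
    counts = defaultdict(Counter)
    for sig, ip in events:
        counts[sig][ip] += 1
    report = {}
    for sig, past in history.items():
        today = sum(counts[sig].values())
        dq = signature_devq(past, today)
        if dq > threshold:
            report[sig] = (round(dq, 2), distribute(dq, counts[sig]))
    return report


def ip_report(sig_report, top=10):
    """Rank IPs by deviation cumulated over all deviating signatures."""
    cumulated = Counter()
    for _, shares in sig_report.values():
        cumulated.update(shares)
    return cumulated.most_common(top)


# Constructed sample input: ten previous daily counts per signature and
# today's events. The P2P rule is noisy every day, so it must not deviate.
IRC = "BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port"
GOZI = "ET TROJAN Gozi check-in / update"
P2P = "BLEEDING-EDGE P2P BitTorrent peer sync"
HISTORY = {
    IRC: [1, 0, 2, 1, 0, 1, 2, 1, 0, 2],
    GOZI: [0, 0, 1, 0, 0, 0, 1, 0, 0, 1],
    P2P: [140, 130, 150, 145, 135, 140, 138, 142, 160, 120],
}
TODAY = (
    [(IRC, ip) for ip in ["111.111.111.1"] * 4 + ["222.222.222.2"] * 4 + ["333.333.333.3"] * 2]
    + [(GOZI, ip) for ip in ["444.444.444.4"] * 5 + ["222.222.222.2"] * 4 + ["111.111.111.1"] * 3]
    + [(P2P, "111.111.111.1")] * 3
)

if __name__ == "__main__":
    rep = signature_report(HISTORY, TODAY, threshold=3.0)
    for sig, (dq, shares) in rep.items():
        print(f"{sig} devq: {dq}")
        for ip, share in sorted(shares.items(), key=lambda kv: -kv[1]):
            print(f"    {ip} {share}")
    print("IP ranking:", ip_report(rep))
```

222.222.222.2 ranks first although it is not the top IP of either signature, which is the correlation effect slide 25 illustrates.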

Page 28

Detailed IDS-STAT IP Report with correlations

129.132.***.*** 105.788571428571 ***
129.132.***.*** ET TROJAN Gozi check-in / update 9 (9.) 63.93 (63.93)
129.132.***.*** ET USER_AGENTS Suspicious User-Agent (IE) 6 (7.) 34.6285714285714 (40.40)
129.132.***.*** SPECIFIC-THREATS Gozi Trojan connection to C&C attempt 30 (30.) 7.23 (7.23)
129.132.***.*** CHAT MSN outbound file transfer request 6 (90481.) 0.000310341397641494 (4.68)

82.130.***.** 11.6816165871675 ***
82.130.***.** ET RBN Known Russian Business Network IP TCP (291) 23 (325.) 0.798276923076923 (11.28)
82.130.***.** ET RBN Known Russian Business Network IP TCP (306) 77 (143.) 5.91230769230769 (10.98)
82.130.***.** ET RBN Known Russian Business Network IP TCP (299) 74 (374.) 2.03401069518717 (10.28)
82.130.***.** ET RBN Known Russian Business Network IP TCP (297) 29 (47.) 2.93702127659574 (4.76)

82.130.**.** 6.32307692307692 ***
82.130.**.** SPYWARE-PUT Adware download accelerator plus runtime detection - get ads 7 (13.) 4.24307692307692 (7.88)
82.130.**.** SPYWARE-PUT Adware download accelerator plus runtime detection - download files 4 (10.) 2.08 (5.20)

129.132.***.*** 35.83 ***
129.132.***.*** ET USER_AGENTS Suspicious User-Agent (IE) 9 (9.) 24.3 (24.30)
129.132.***.*** BACKDOOR torpig-mebroot command and control checkin 18 (18.) 11.53 (11.53)

The per-rule values of an IP add up to its cumulated deviation in the header line (e.g. 63.93 + 34.63 + 7.23 + 0.00 = 105.79).

Page 29

IDS-STAT Infrastructure (diagram)

Components shown: Internet; Network of ETH Zurich; Snort Node with „VRT Rules“ (dynamic); Snort Node with „ET Rules“ (dynamic); File Server for Logfiles & PCAP Files; IDS-STAT (splitting intrusion/extrusion, processing of data, generating 24 hr reports); Postgres DB

Page 30

Classifying the possible situation

Rule 1 triggered by IP 1, IP 2, IP 3, IP 4: could be an epidemic
Rule 1 triggered by IP 1: could be one compromised host
Rules 1, 2, 3 triggered by IP 1: could be one very compromised host

Possible procedures:
1. Google items of the payload, dest IP, dest host, dest domain.
2. If possible, reproduce the download action and test the results with, for example, www.virustotal.com and www.sunbeltsecurity.com/sandbox
3. Check the traffic for unusual connections using the procedure described in the presentation https://www1.ethz.ch/id/services/list/security/workshops/ETH_Anomaly-Detection-in-Netflows-PPT

Damage: the damage factors can overlap and also be perceived differently (reputation, network, personal, economical, professional etc.).

Threat: the threat categories can also overlap and be perceived differently:
• DoSing (Smurf attacks, DNS amplification, HTTP DoSing etc.)
• Trojans (keyloggers, bots, spammers)
• Fake AVs
• Scanners
• Ad-Ware

Page 31

What to do, or what can be done, when a potentially significant rule is found, in order to classify it as high quality for Currentpositives?

• Look at the rule and its criteria.
• Look up the references inside the rule.
• Investigate the criteria.
• Investigate the external IP(s) of the event(s).
• Cross check if the external IP(s) cause other correlating event(s).
• Cross check if the internal IP(s) cause other correlating event(s).
• Investigate the trigger payload(s).
• Investigate the external host/domain.
• Find false positives and investigate them.
• Find true positives and investigate them.
• Investigate the connections of the internal IP.
• Crosscheck the external IPs with blacklists.
• Crosscheck if already validated rules are correlating well.
• Investigate traffic by «netflow anomaly detection»: https://www1.ethz.ch/id/services/list/security/workshops/ETH_Anomaly-Detection-in-Netflows-PPT

Page 32

Finding and determining promising rules for „Currentpositives“ by searching outgoing correlations.

Example 1 (diagram labels): Compromised ETH host; Rule 1; Malicious IP; Possibly compromised ETH host (twice); Rule 2; Rule 3; Rule 4

Page 33

Finding and determining promising rules for „Currentpositives“ by searching incoming correlations.

Example 2 (diagram labels): Compromised ETH host; Rule 1; Malicious IP; Possibly malicious IP (twice); Rule 2; Rule 3; Rule 4

Page 34

There Are Many Possible Correlation Combinations. Some Other Examples.

Dest to source ip correlation (diagram labels): Dest ip; Source ip1; Source ip2
Source to dest ip correlation (diagram labels): Src ip; Dest ip 1; Dest ip 2
Rule correlation (diagram labels): ip; Rule 1; Rule 2

Page 35

Available Trigger Payload Data From Snort

Example of payload:

05:50:56.112006 IP 129.132.abc.abc.1277 > 91.207.61.10.http: P 2492095193:2492095493(300) ack 920686566 win 17640
GET /cgi-bin/options.cgi?user_id=494311523&version_id=370&passphrase=fkjvhsdvlksdhvlsd&socks=25518&version=125&crc=50857252 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6)
Host: 91.207.61.10
Connection: Keep-Alive

Page 36

Inside the Snort Signatures/Rules

Example of rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi check-in / update"; flow:established,to_server; uricontent:"?user_id="; nocase; uricontent:"&version_id="; nocase; uricontent:"&crc="; nocase; reference:url,www.secureworks.com/research/threats/gozi; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009410; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gozi; sid:2009410; rev:3;)

Page 37

Example of True Positive

Rule:

#by Darren Spruell
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1)"; flow:established,to_server; uricontent:"action="; nocase; uricontent:"&entity_list="; nocase; uricontent:"&uid="; nocase; uricontent:"&first="; uricontent:"&guid="; nocase; uricontent:"&rnd="; nocase; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader\:Win32/Bredolab.B; reference:url,doc.emergingthreats.net/2009353; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2009353; rev:4;)

Positive:

EVENT: ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1)
DATE: 06/30-07:40:35.374218
SOURCE: 129.132.abc.a:52008
DEST: 78.109.29.116:80

Payload:

07:40:35.374218 IP 129.132.abc.a.52008 > 78.109.29.116.http: P 3033886655:3033886776(121) ack 518552487 win 65535
GET /new/controller.php?action=bot&entity_list=&uid=1&first=0&guid=282938190&rnd=981633 HTTP/1.1
Host: 78.109.29.116

Page 38

Example of False Positive: the Rule Matches the Content, but the Content Does Not Exactly Match the Rule

Positive:

EVENT: WEB-CGI /cgi-bin/ls access
DATE: 07/04-18:23:24.872100
SOURCE: 129.132.abc.ab:51819
DEST: 130.54.101.98:80

Payload:

18:23:24.872100 IP 129.132.abc.ab.51819 > 130.54.101.98.http: P 2816729049:2816729741(692) ack 912047122 win 65535 <nop,nop,timestamp 514858930 270031558>
POST /cgi-bin/lsdproj/ejlookup04.pl?opt=c HTTP/1.1
Host: lsd.pharm.kyoto-u.ac.jp
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.7,de-ch;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://lsd.pharm.kyoto-u.ac.jp/cgi-bin/lsdproj/ejlookup04.pl?opt=c
Cookie: language=ja
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

Rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/ls access"; flow:to_server,established; uricontent:"/cgi-bin/ls"; nocase; metadata:service http; reference:bugtraq,936; reference:cve,2000-0079; reference:nessus,10037; classtype:web-application-activity; sid:1539; rev:8;)
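The rule/payload pairs on slides 35 to 38 come down to substring tests on the request URI, which is why the WEB-CGI rule fires on the Kyoto POST. The Python below is an added example (not ETH's or Snort's code): it re-implements plain uricontent matching for the three quoted rules, ignoring Snort's URI normalisation, and then applies one assumed "exact targeting" criterion of the kind slide 10 describes, a path-segment boundary check, which separates that false positive from the two true positives.

```python
"""uricontent matching plus one extra trigger criterion (added example).

Simplification: Snort matches uricontent against a normalised URI buffer;
here the raw Request-URI of the request line is used. The boundary check in
exact_target() is an assumption, not a Snort feature."""
import re

# Option strings as quoted in the rules on slides 36 to 38 (uricontent and
# nocase options only; flow, reference and sid options do not affect the URI test).
RULES = {
    "ET TROJAN Gozi check-in / update":
        'uricontent:"?user_id="; nocase; uricontent:"&version_id="; nocase; uricontent:"&crc="; nocase;',
    "ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1)":
        'uricontent:"action="; nocase; uricontent:"&entity_list="; nocase; uricontent:"&uid="; nocase; '
        'uricontent:"&first="; uricontent:"&guid="; nocase; uricontent:"&rnd="; nocase;',
    "WEB-CGI /cgi-bin/ls access": 'uricontent:"/cgi-bin/ls"; nocase;',
}

# Request lines taken from the trigger payloads on slides 35, 37 and 38.
REQUESTS = {
    "gozi": "GET /cgi-bin/options.cgi?user_id=494311523&version_id=370&passphrase=fkjvhsdvlksdhvlsd&socks=25518&version=125&crc=50857252 HTTP/1.1",
    "bredolab": "GET /new/controller.php?action=bot&entity_list=&uid=1&first=0&guid=282938190&rnd=981633 HTTP/1.1",
    "kyoto": "POST /cgi-bin/lsdproj/ejlookup04.pl?opt=c HTTP/1.1",
}

OPT_RE = re.compile(r'uricontent:"([^"]+)";(\s*nocase;)?')


def parse_uricontent(options):
    """Return the rule's uricontent needles in order, each with its nocase flag."""
    return [(m.group(1), m.group(2) is not None) for m in OPT_RE.finditer(options)]


def uri_of(request_line):
    """Request-URI of an HTTP request line ("GET /path?query HTTP/1.1")."""
    return request_line.split()[1]


def rule_matches(options, request_line):
    """Snort-style uricontent test: every needle must occur somewhere in the URI."""
    uri = uri_of(request_line)
    for needle, nocase in parse_uricontent(options):
        hay, n = (uri.lower(), needle.lower()) if nocase else (uri, needle)
        if n not in hay:
            return False
    return True


def exact_target(options, request_line):
    """Assumed extra criterion: a path needle (one starting with '/') must end
    at a segment boundary of the request path, so "/cgi-bin/ls" accepts
    /cgi-bin/ls and /cgi-bin/ls/x but not /cgi-bin/lsdproj/..."""
    path = uri_of(request_line).split("?", 1)[0]
    for needle, nocase in parse_uricontent(options):
        if not needle.startswith("/"):
            continue
        hay, n = (path.lower(), needle.lower()) if nocase else (path, needle)
        idx = hay.find(n)
        if idx < 0:
            return False
        end = idx + len(n)
        if end < len(hay) and hay[end] != "/":
            return False
    return True


def classify(rule, request_line):
    """'no match', 'positive', or 'suspected false positive' (rule matched,
    but the extra criterion did not)."""
    options = RULES[rule]
    if not rule_matches(options, request_line):
        return "no match"
    return "positive" if exact_target(options, request_line) else "suspected false positive"


if __name__ == "__main__":
    for rule in RULES:
        for name, line in REQUESTS.items():
            print(f"{rule[:30]:30} {name:8} {classify(rule, line)}")
```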

Page 39

A typical Currentpositives Report Contains:

• The OS of the compromised machine
• The IDS-Positive(s) of a 5 minute window
• The payload(s) which triggered the IDS-Positives
• References which document the exact targeting attributes of the particular case
• «AllAboutIP» information about the responsibility and contact details of the IP

Page 40

„Currentpositives“ Infrastructure (diagram)

Components shown: Internet; Network of ETH Zurich; Snort node with „Current rules“ (static); File Server for Logfiles & PCAP Files; splitting intrusion/extrusion, processing data every 5 minutes, generating reports

Page 41

IDS Infrastructure (diagram)

Components shown: Internet; Network of ETH Zurich; Snort Node with „VRT Rules“ (dynamic); Snort Node with „ET Rules“ (dynamic); Snort Node with „Current Rules“ (static); File Server for Logfiles & PCAP Files; Postgres DB; IDS-STAT (splitting intrusion/extrusion, processing of data, generating reports every 24 hr); Current-Positives (every 5 minutes)

Page 42

Reference Library For The Additional Criteria Made Individually For Rules

Library:
Dest Ip n: http-links, quotes
Dest Host/Domain n: http-links, quotes
Payload n: http-links, quotes

The report generator of Currentpositives scans the library for matching hits to include in the report.

Diagram example: payload entry „webhp“ linked to the rule ET TROJAN Zeus Bot GET to Google Checking Internet Connection

Page 43

Currentpositives Report: Example with Payload trigger

For whoever is interested, the Signature Trigger Payload:

################################################################

->

-> 06:33:05.108689 IP ***.xxx.yyy.zzz .64844 > 173.194.40.95.80: Flags

-> [P.], ack 1, win 258, length 547

-> E..KM.@.}..#.X.|..(_.L.P.3.0..p.P....<..GET /webhp HTTP/1.1

-> Accept: */*

-> Connection: Close

-> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;

-> Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR

-> 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)

-> Host: www.google.ch

-> Cache-Control: no-cache

-> Cookie:

-> PREF=ID=e8d86cf8a8472917:U=7f8b0af772b78abc:FF=0:TM=1366626670:LM=136

-> 6627394:S=ShohM133SbbyTnq8;

-> NID=67=Gs1zzxbSieWa9BTTo69mDxVyrHwevOtyWIvBKvXLXeO_iKvOtKfSRuUkWsf0QX

-> dG-qc-4DJFuV8NL9ArmSoICKeXoP0WX1BASRpmjIFiPL6u322TXFJSOYlnVoDeRke3

Page 44

Currentpositives Report: Payload References from Library

For whoever is interested, the References:

################################################################

google webhp

http://www.sophos.com/security/analyses/viruses-and-spyware/malzbotbq.html

QUOTE:

"

Q> HTTP Requests

Q>

Q> * http://thinkpadus.cc/22oct_pac.cpm

Q> * http://www.google.com/webhp

Q>

Q> DNS Requests

Q>

Q> * realemotion.cc

Q> * thinkpadus.cc

Q> * www.google.com

"

google webhp

http://www.threatexpert.com/report.aspx?md5=ab3b13c68469bad8305fcb505d76b2ab

QUOTE:

"

Q>http://www.google.com.br/webhp?hl=pt-BR&source=hp

"

Page 45

Some Numbers

Number of Currentpositives Cases Between 01.01.2015 and 24.08.2015: 2600

Number of Rules Activated in Currentpositives: 2400

Number of total Positives within 24 hrs on an ordinary day of Currentpositives: 7 000 000 – 8 000 000

Page 46

Possible to do’s

• Gathering of malicious dest IPs for further rule correlations
• Netflow analysis of compromised IPs
• Scanning of trigger payloads in search for further common denominators
• Traffic correlation validation between malicious IPs and the ETH network

Page 47

Page 48

Q&A

Page 49

END

Christian Hallqvist / Network Security / [email protected]