Copyright 2006 Richard Bejtlich and David Bianco 1 Network Security Monitoring with Sguil Richard...

Network Security Monitoringwith Sguil

Richard Bejtlich

richard@taosecurity.com

www.taosecurity.com / taosecurity.blogspot.com

David Bianco

david@vorant.com

www.vorant.com / infosecpotpourri.blogspot.com

ShmooCon 2006

Overview

• The Problem• Network Security Monitoring• Sguil• Case Study

The Problem

• You want to know if your network is compromised• You could... inspect every host for signs of compromise

– Where to begin? What to check? Do you trust results?– Unless your enterprise is very small, and you are competent to

perform host-centric forensics, this is not a viable option

• You could... perform a vulnerability assessment– VA indirectly measures compromise by showing potential for

intrusion, not actual intrusions– VA is vulnerability-centric, not threat-centric; not recommended

• You could... inspect network traffic for signs of compromise– Where to monitor? What about encryption or high bandwidth?– This option represents best return on invested resources, if the

right data is collected, analyzed, and escalated

The Problem

• Most people install an IDS or IPS in monitoring mode and wait for alerts

• Thanks to the IDS alert, an analyst is aware of a Web site problem -- but what about activity before or after the alert?

Event Example IDS Action

Event 1 Ping Web site IP address Ignore

Event 2 Visit Web site Ignore

Event 3 Exploit Web site flaw Alert

Event 4 FTP to retrieve tools Ignore

Event 5 Install back door Ignore

Event 6 Communicate with back door Ignore

Event 7 Connect via SSH to another site Ignore

Event 8 Transfer local exploit via SCP Ignore

Event ... And so on... ?

The Problem

• The previous slide presented a best-case scenario -- at least the attack was detected by the IDS! But what do you get with that alert?– Cryptic message about an attack– Maybe a packet that specifically triggered an alert– A reference to visit the vendor's Web site for more generic info

• Factors compounding the problem– Attack over HTTPS using SSL– Attack using insertion and evasion methods– Attack using a zero-day exploit undetected by any IDS

• Scarier scenarios– Use stolen credentials and connect via SSH– Compromise a customer or employee and ride their VPN– Go rogue and steal from your own company

The Problem

• Many security developers and vendors believe one or more of the following– Attacks can be understood prior to execution– Methods to detect or prevent attacks can be encapsulated in

programming logic– Customers will purchase, properly configure, and effectively

deploy products offering sufficient defensive logic– The customer's environment will behave as anticipated by the

developers and vendors

• Accordingly, developers and vendors field alert-centric products which act on those beliefs

• All of these beliefs must hold true in order to counter sophisticated threats, but few do

The Problem

• Investigations with alert-centric systems quickly end, often without resolving the incident

• Analysts stuck with only alert data to inspect cannot make validation and escalation decisions– MSSPs call customers to ask if they have been compromised– Security personnel ignore alerts because they have no other

ALERT ALERT

Queries database for alerts

Analyst sees original alert

Database returns single alert

Investigation ends

Network Security Monitoring

• Network security monitoring is the collection, analysis and escalation of indications and warning to detect and respond to intrusions

• NSM gives analysts the data they need to make decisions

• NSM treats all data as indicators, not "false positives" or "false negatives"

• NSM relies upon four forms of traffic-centric data– Statistical data (Capinfos, Tcpdstat)

• Descriptive, high-level view of aggregated events

– Session data (Argus, SANCP, NetFlow)• Summaries of conversations between systems

• Content-neutral, compact; encryption no problem

– Full content data (Tcpdump, Tethereal, Snort as packet logger)• All packet details, including application layer

• Expensive to save, but always most granular analysis

– Alert data (Snort, Bro, other IDSs)• Traditional IDS alerts or judgments (“RPC call!”)

• Context-sensitive, either by signature or anomaly

• Sguil (www.sguil.net) is an interface to much of this in a single open source suite

Alert data

Session data

Full content data Statistical data

• Revisit intrusion scenario when NSM data is available

• Analysts have much more data to review

* if unencrypted (more common than you might think)

Event Example IDS Action Helpful NSM Collection

Event 1 Ping Web site IP address Ignore Session

Event 2 Visit Web site Ignore Session, Full Content

Event 3 Exploit Web site flaw Alert Alert, Session

Event 4 FTP to retrieve tools Ignore Session, Full Content

Event 5 Install back door Ignore Session, Full Content

Event 6 Communicate with back door Ignore Session, Full Content *

Event 7 Connect via SSH to another site Ignore Session

Event 8 Transfer local exploit via SCP Ignore Session

Event ... And so on... ?

• Investigations with NSM present many more options

ALERT ALERT

Queries database for alerts

Analyst sees original alert

Database returns single alert

Queries database for

sessions

SESSIONS

Analyst sees FTP to retrieve tools

Reconstructs FTP control and data channels

FULL CONTENT

Queries database for

sessions

FTP data channel allows analysis of intruder back door

SESSIONS

Analyst sees connections to other IPs

and so on...

• NSM does not try to anticipate attacks• NSM uses a "dumb is smart" approach

– NSM does not rely on fancy systems to pass judgements on network traffic, to the exclusion of all other collection mechanisms

– NSM does leverage smart systems (IDS, network anomaly detection, etc.) for initial clues

• NSM session and full content collection is completely content neutral– Session and full content data are collected whether or not any

other system thinks they are interesting

• NSM is not SIM/SEM: a SIM/SEM collects and correlates log sources which may or may not have any value

• Sguil is an open source interface to NSM data• Lead developer: Bamm Visscher• Ancestry: Snort Personal REal-time GUI (SPREG), circa

2001• Sguil released as open source at sguil.sf.net in 2003• Version 0.6.0p1 released 1 Dec 2005• Coded mainly in Tcl/Tk• Integrates:

– Alert data from Snort– Session data from SANCP– Full content data from a second instance of Snort

Sensor watches traffic

Sguil client is dynamic Tcl/Tk GUI on Windows or UNIX

Network traffic on monitored link

MySQL database stores alert and session data

Log_packets.sh collects full content data, provided on demand via sensor_agent.tcl

SANCP (www.metre.net/sancp.html) collects session data, sent to database via sensor_agent.tcl

Snort sends alert data output to Barnyard (www.sf.net/projects/barnyard)

Barnyard sends output to sensor_agent.tcl

Sensor_agent.tcl coordinates data flow with sguild

On Sguil server, sguild answers requests from Sguil client

Launch sguil.tk, and enter Sguild host, port,

username, and password

Select a sensor, then Start Sguil

FTP Data Channel shows source code FTP control channel shows commands

How to Pwn a Million PCs Without Breaking a Sweat

A Sguil Case Study

Sguil/NSM Case Study

• Study based on an exploit encountered “in the wild”• The exploit used the WMF vulnerability• Delivered via a popunder ad while victim was visiting an

otherwise legit website• This case study recreates my incident research process

to show off the power of sguil• High-level writeup available on my blog:

– http://infosecpotpourri.blogspot.com/2006/01/how-to-pwn-million-computers-without.html

– Aimed towards users/managers

• Saved the good stuff for ShmooCon!

Important Notes

• The victim’s identity has been obfuscated to protect the innocent

• The ad servers’ identities have been obfuscated to protect the guilty and the not-so-guilty

• Some URLs have been obfuscated to protect the silly• Legitimate website names appearing in this presentation

have nothing to do with this exploit and are only there to provide context for understanding the web session

“It was a dark and stormy night…”

Was that a real exploit I just saw?

What other events were generated?

Quick session check (source)

Quick session check (victim)

“I will hunt you down…”

• Also cross-checked other sources, such as:– Antivirus logs – Manual AV update and scan– Checked system for c:\n.exe as specified in WMF file

• Exploit attempt seems to have been unsuccessful• Crisis averted, but let’s have some fun!• All the sessions are HTTP, so we can leverage that to

help us reconstruct the sequence of events• Begin with the transcript of the exploit session• Match up “Referrer” tags with requests and work

backwards– Like climbing a ladder

Victim’s Session List

Rung #1: Exploit Delivered

Rung #2: Spf99 Serves the Ad

Rung #3: Cash4popupads Handoff to Spf99

Rung #4: Cash4popupads creates a popunder

Rung #5: A Legit Site (HTMHelper)

HTMHelper Page Source

<!– Cash4popupads.com Advertising Code Begin --><SCRIPT LANGUAGE="JavaScript1.1" SRC="http://popunder.Cash4popupads.com/popup.php?id=XXXX"></SCRIPT> <!– Cash4popupads.com Advertising Code End -->

Rung #6: Another Legit Site (MySpace)

MySpace Page Source

<div style="position:absolute; left:0px;

top:0px; width:88px; height:31px;">

“Insert Tab A into Slot B…”

• Victim browses a MySpace profile page– The page owner or one of the commenters is online, and has the

“online status” icon showing by their name.– The status icon is provided by and linked back to the HTMHelper

• The HTMHelper page is ad-supported and contains a JavaScript snippet to display popunder ads from Cash4popupads. This may be annoying, but not intrinsically malicious

• Cash4popupads establishes the popunder window but not the ad content– It’s acting more as a conduit for the ads, which are provided by

“Score along line C and fold to meet side D…”

• Spf99 served the actual infected file– 101.wmf

• Internal codes indicate this was provided by “affiliate 101” – Could be an individual– Could be another ad network– Who knows?

• This is the top of the ladder (for now)• How would you continue the investigation?

• Simplest way to try Sguil: use Win client, demo server– Install ActiveState TCL (www.activestate.com/Products/Download/Download.plex?id=ActiveTcl)

– Visit www.sguil.net, download, extract sguil-client-0.6.0p1.zip– Create a c:\tmp directory– Edit sguil.tk set VERSION "SGUIL-0.6.0"

– Edit sguil.conf to match Windows environment# win32 exampleset ETHEREAL_PATH "c:/progra~1/ethereal/ethereal.exe"# Where to save the temporary raw data files on the client system# You need to remember to delete these yourself.# set ETHEREAL_STORE_DIR /tmp# win32 exampleset ETHEREAL_STORE_DIR "c:/tmp"# Favorite browser for looking at sig info on snort.org# set BROWSER_PATH /usr/bin/mozilla# win32 example (IE)set BROWSER_PATH c:/progra~1/intern~1/iexplore.exe

– Launch Sguil client, connect to demo.sguil.net on port 7734 with any username and password

• Simplest way to try Sguil with a local setup: use Sguil server VM or client and server VM– Described here: sguil.sourceforge.net/index.php?page=vm– Use Sguil client as described on previous slide to connect to VM– Use complete Sguil VM

• Other options– InstantNSM (instantnsm.sf.net)– FreeBSD installation script

(taosecurity.blogspot.com/2006/01/sguil-installation-script-v0.html)

• Help available on irc.freenode.net #snort-gui channel• Free Tao of Network Security Monitoring chapters on

NSM & Sguil in .pdf at www.taosecurity.com/books.html

Questions?

• Richard Bejtlich• richard@taosecurity.com• www.taosecurity.com / taosecurity.blogspot.com

• David Bianco• david@vorant.com• www.vorant.com / infosecpotpourri.blogspot.com

• www.sguil.net• irc.freenode.net / #snort-gui

Copyright 2006 Richard Bejtlich and David Bianco 1 Network Security Monitoring with Sguil Richard...

Documents

Richard Bernstein Advisors - Main - Richard Bernstein …...About Richard Bernstein Advisors Richard Bernstein Advisors LLC is an investment manager focusing on long-only, global equity

Richard Wagner Richard-Wagner-Denkmal Leipzig Projektpräsentation wagner-denkmal.com

Bejtlich- Network Forensics

The History of Management Thought Management 336 Mike Bejtlich Based on The History of Management Thought, 5th edition, 2005 by Daniel A. Wren

Rural Ramble: Richard Burton Trail - Travel Adventurestraveladventures.wales/.../2017/10/Richard-Burton-Trail.pdfRural Ramble: Richard Burton Trail The Legendary Richard Burton The

Richard Alan Suter Appellant Richard Alan Suter Appelant v

LW God Attunements Richard Eisenberg - Ningapi.ning.com/.../23038605GodAttunementsbyRichardEisenberg.pdf · Dental Shakti System (Richard Eisenberg) ... God Attunements (Richard Eisenberg)

RICHARD J. BENNETT Richard J. Bennett Education

Richard Cobden, vol. 2 - Richard Cobden

McCormick, Richard: Richard McCormick's Pariisi (Tammi)

Keeping FreeBSD Up-To-Date - TaoSecurity · File: /tmp/kfbutd7.txt Page 1 of 33 Keeping FreeBSD Up-To-Date Richard Bejtlich (taosecurity at gmail dot com) 25 August 2009 Sections:-----Introduction

Network Security Monitoring with Sguil - BSDCan · Network Security Monitoring with Sguil Richard Bejtlich richard@taosecurity.com ... • They only query, display, and store Snort

Richard H. Yamada, D.D.S. Richard F. Marinello, D.D.S

The History of Management Thought MGT336 Michael L. Bejtlich Based on The History of Management Thought, 5th edition, 2005 by Daniel A. Wren

Richard Johnson ACF DIRECT Associate DirectorRichard Johnson Associate Director richard@acfdirect.co.uk 07976 228 588 Richard Johnson Finance Solutions for Business richard@acfdirect.co.uk

Presented by Richard Hill Richard Hill MA

BULLY RICHARD - Tara-Artstara-arts.com/media/files/Bully Richard Education...Ratcliffe (Sir Richard Ratcliffe) and Lovel (Lord Lovel) loyal supporters of Richard. BULLY RICHARD Education

Présentation de l'IDPS Suricata · 2012-01-12 · Richard Bejtlich, Dr. Jose Nazario, Joel Ebrahimi, Marc Norton, Stuart Wilson... Éric Leblond (OISF) Présentation de l’ID P

Richard Phillips - Previews€¦ · BY RICHARD PHILLIPS Mathew Gallery, New York 20 November — 27 December, 2015 left: Richard Phillips 2015, Canyons right: Richard Phillips 2015,

Copyright 2005 Richard Bejtlich 1 Network Forensics Primer Richard Bejtlich richard@taosecurity.com / taosecurity.blogspot.com Look