CANADIAN FORCES NETWORK OPERATIONS CENTRE (CFNOC) / CENTRE D'OPÉRATIONS DES RÉSEAUX DES FORCES CANADIENNES (CORFC)
UNCLAS
Hakuna Suricata (it means no worries, except for APT)
LS Pulsifer, Surveillance Analyst, 5 May 2014
Outline
• IDS Overview
• First Thoughts
• Rules of the Jungle
  a. HTTP GET
  b. HTTP 200 OK
• BONUS ROUND!
• Conclusion
First Thoughts
1. Easy Setup
   A. 1400-line (with comments) config
   B. ET rules out of the box
   C. Rule management?
2. TURN ON ALL THE THINGS!
3. Output format(s)
4. Fancy-lookin' rules
Rules of the Jungle
# PULSIFER.CA / CATS TEST HTTP RULE
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"THE INTERNET WANTS CATS"; content:"GET"; http_method; content:"/cats.html"; http_uri; content:"pulsifer.ca"; http_header; content:"Windows NT 6.1"; http_user_agent; urilen:<11; classtype:bad-unknown; sid:5000001; rev:1;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"THE INTERNET GOT CATS"; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"iframe src"; http_server_body; classtype:bad-unknown; sid:5000000; rev:1;)
First Rule of the Jungle
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"THE INTERNET WANTS CATS"; content:"GET"; http_method; content:"/cats.html"; http_uri; content:"pulsifer.ca"; http_header; content:"Windows NT 6.1"; http_user_agent; urilen:<11; classtype:bad-unknown; sid:5000001; rev:1;)
GET /cats.html HTTP/1.1
Host: pulsifer.ca
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Debug cont.
PACKET:
0000 00 0C 29 DD B4 57 C8 60 00 CB 92 D9 08 00 45 00 ..)..W.` ......E.
0010 00 28 1E DF 40 00 80 06 50 7F 0A 0D 25 01 43 E7 .(..@... P...%.C.
0020 18 7D B3 A1 00 50 80 F4 76 B0 3A F1 3C 4A 50 10 .}...P.. v.:.<JP.
0030 00 FE 00 93 00 00 00 00 00 00 00 00 ........ ....
ALERT CNT: 1
ALERT MSG [00]: THE INTERNET WANTS CATS
ALERT GID [00]: 1
ALERT SID [00]: 5000001
ALERT REV [00]: 1
ALERT CLASS [00]: Potentially Bad Traffic
ALERT PRIO [00]: 2
ALERT FOUND IN [00]: STATE
ALERT IN TX [00]: 0
STREAM DATA LEN: 294
STREAM DATA:
...
Second Rule of the Jungle
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"THE INTERNET GOT CATS"; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"iframe src"; http_server_body; classtype:bad-unknown; sid:5000000; rev:1;)
HTTP/1.1 200 OK
Date: Tue, 06 May 2014 02:12:05 GMT
...
<!DOCTYPE html>
<html>
<body>
<script>
document.write('<iframe src="http://mjner.com/update/"></iframe>');
...
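To make the buffer-to-message mapping in the two rules above concrete, here is an added example (not from the slides and not Suricata code) that re-implements only the keywords those two rules use and runs them against the request and response shown on the slides. The request, response body closing tags and the two variant transactions are constructed for this example; Suricata's own URI normalization, body decompression, Cookie exclusion from http_header and fast-pattern selection are not modelled, and http_header is always taken from the request here even though Suricata inspects response headers for a to_client rule.

```python
"""Toy matcher for the HTTP buffers used by the two slide rules (added example, not Suricata)."""
import re

# Sample transaction constructed from the slides; the response's elided
# headers are left out and the HTML is closed so it parses as a body.
REQUEST = (
    "GET /cats.html HTTP/1.1\r\n"
    "Host: pulsifer.ca\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: keep-alive\r\n\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 06 May 2014 02:12:05 GMT\r\n\r\n"
    "<!DOCTYPE html>\n<html>\n<body>\n<script>\n"
    "document.write('<iframe src=\"http://mjner.com/update/\"></iframe>');\n"
    "</script>\n</body>\n</html>\n"
)
RULE_GET = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"THE INTERNET WANTS CATS"; '
            'content:"GET"; http_method; content:"/cats.html"; http_uri; '
            'content:"pulsifer.ca"; http_header; content:"Windows NT 6.1"; http_user_agent; '
            'urilen:<11; classtype:bad-unknown; sid:5000001; rev:1;)')
RULE_200 = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"THE INTERNET GOT CATS"; '
            'content:"200"; http_stat_code; content:"OK"; http_stat_msg; '
            'content:"iframe src"; http_server_body; classtype:bad-unknown; sid:5000000; rev:1;)')

OPT_RE = re.compile(r'\s*([a-z_]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
BUFFER_MODIFIERS = {"http_method", "http_uri", "http_header", "http_user_agent",
                    "http_stat_code", "http_stat_msg", "http_server_body"}


def parse_rule(rule):
    """Split a one-line rule into header fields and an ordered list of checks.
    Only plain-text content (no |hex|, no nocase) is handled."""
    head, _, opts = rule.partition("(")
    action, proto, src, _, _, dst, _ = head.split()
    checks, meta = [], {}
    for key, raw in OPT_RE.findall(opts.rsplit(")", 1)[0]):
        val = raw.strip('"') if raw else None
        if key == "content":
            checks.append({"content": val, "buffer": "payload"})  # default: raw payload
        elif key in BUFFER_MODIFIERS:
            checks[-1]["buffer"] = key  # a modifier re-points the content just before it
        elif key == "urilen":
            checks.append({"urilen": val})
        else:
            meta[key] = val
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "sid": int(meta["sid"]), "msg": meta["msg"], "checks": checks}


def split_message(msg):
    head, _, body = msg.partition("\r\n\r\n")
    start, *hdr_lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in hdr_lines)}
    return start.split(" ", 2), headers, "\r\n".join(hdr_lines) + "\r\n", body


def tx_buffers(request, response):
    """Approximate the per-transaction buffers Suricata exposes to the keywords above."""
    (method, uri, _), req_hdrs, req_raw_hdrs, _ = split_message(request)
    (_, code, reason), _, _, body = split_message(response)
    return {"payload": request + response, "http_method": method, "http_uri": uri,
            "http_header": req_raw_hdrs, "http_user_agent": req_hdrs.get("user-agent", ""),
            "http_stat_code": code, "http_stat_msg": reason, "http_server_body": body}


def urilen_ok(spec, uri):
    """urilen:<N, >N, N or LO<>HI (exclusive) against the URI length."""
    n = len(uri)
    if "<>" in spec:
        lo, hi = (int(x) for x in spec.split("<>"))
        return lo < n < hi
    if spec.startswith("<"):
        return n < int(spec[1:])
    if spec.startswith(">"):
        return n > int(spec[1:])
    return n == int(spec)


def matches(rule, bufs):
    for chk in rule["checks"]:
        if "urilen" in chk:
            if not urilen_ok(chk["urilen"], bufs["http_uri"]):
                return False
        elif chk["content"] not in bufs[chk["buffer"]]:  # content is case-sensitive without nocase
            return False
    return True


def run(rules, request, response):
    """Return the sids that fire on one request/response pair."""
    bufs = tx_buffers(request, response)
    return [r["sid"] for r in rules if matches(r, bufs)]


RULES = [parse_rule(RULE_GET), parse_rule(RULE_200)]
# Constructed variants: a query string pushes the URI past urilen:<11 while the
# content match still succeeds; a body without the iframe keeps sid 5000000 quiet.
LONG_URI_REQUEST = REQUEST.replace("/cats.html", "/cats.html?v=2")
QUIET_RESPONSE = RESPONSE.replace('<iframe src="http://mjner.com/update/"></iframe>', "<p>cats</p>")

if __name__ == "__main__":
    for label, req, resp in [("slide traffic", REQUEST, RESPONSE),
                             ("long uri", LONG_URI_REQUEST, RESPONSE),
                             ("no iframe", REQUEST, QUIET_RESPONSE)]:
        print(f"{label}: {run(RULES, req, resp)}")
```

The two variants show why urilen is in the first rule at all: it pins the match to the exact short URI, so a content match on "/cats.html" alone is not enough. The second rule fires on the response half of the same transaction, which is why the slide's debug output reports the alert as found in STATE on a 60-byte ACK rather than on the packet carrying the bytes.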
First Rule Debug
TIME: 05/05/2014-22:12:06.264225
PCAP PKT NUM: 8
PKT SRC: wire/pcap
SRC IP: 10.13.37.1
DST IP: 67.231.24.125
PROTO: 6
SRC PORT: 45985
DST PORT: 80
TCP SEQ: 2163504816
TCP ACK: 988888138
FLOW: to_server: TRUE, to_client: FALSE
FLOW Start TS: 05/05/2014-22:12:06.232835
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER: DETECTED: TRUE, PROTO 1
FLOWBIT: ET.http.driveby.redkit.uri
PACKET LEN: 60
Bonus Round! GUESS THE META!
05/05/2014-20:13:27.852789 [**] Query TX 214c [**] pulsifer.ca [**] A [**] 10.13.37.1:50922 -> 10.0.0.5:53
05/05/2014-20:13:27.852789 [**] Response TX 214c [**] Recursion Desired [**] 10.0.0.5:53 -> 10.13.37.1:50922
05/05/2014-20:13:27.852789 [**] Response TX 214c [**] pulsifer.ca [**] A [**] TTL 12128 [**] 67.231.24.125 [**] 10.0.0.5:53 -> 10.13.37.1:50922
05/05/2014-20:50:35.379305 172.16.0.10:38457 -> 67.231.24.125:993 TLS: Subject='serialNumber=tsWwnNhDJVx2sppFUBFdevYswWWbQOPg, OU=GT90807209, OU=See www.rapidssl.com/resources/cps (c)14, OU=Domain Control Validated - RapidSSL(R), CN=pulsifer.ca' Issuerdn='C=US, O=GeoTrust, Inc., CN=RapidSSL CA' SHA1='d1:0b:df:ca:39:a9:dc:50:79:cb:73:d0:0b:10:84:e9:92:e8:2d:fd' VERSION='TLSv1'
05/05/2014-20:13:27.921584 pulsifer.ca [**] /cats.html [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 156 bytes [**] 10.13.37.1:44739 -> 67.231.24.125:80
05/05/2014-20:13:28.259719 mjner.com [**] /update/ [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 [**] https://pulsifer.ca/cats.html [**] GET [**] HTTP/1.1 [**] 200 [**] 1123 bytes [**] 10.13.37.1:44740 -> 100.42.50.110:80
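The "meta" above is three Suricata 2.0 text logs (dns.log, tls.log, http.log) describing one visit. As an added example (not from the slides and not Suricata code), the script below parses exactly those lines, which are copied from the slide, and asks the questions an analyst asks of metadata: did the client resolve each host it talked to, which request led to which via the Referer, and does the TLS certificate name agree with the A record. The parsers handle only this "[**]"-separated layout, not EVE JSON, and the checks are illustrative heuristics.

```python
"""Correlate the Bonus Round dns.log, tls.log and http.log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

SEP = " [**] "
TS_FMT = "%m/%d/%Y-%H:%M:%S.%f"
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")
TLS_RE = re.compile(r"^(\S+) (\S+) -> (\S+) TLS: Subject='(.*?)' Issuerdn='(.*?)' "
                    r"SHA1='(.*?)' VERSION='(.*?)'$")

# Log lines copied from the slide.
DNS_LOG = [
    "05/05/2014-20:13:27.852789 [**] Query TX 214c [**] pulsifer.ca [**] A [**] 10.13.37.1:50922 -> 10.0.0.5:53",
    "05/05/2014-20:13:27.852789 [**] Response TX 214c [**] Recursion Desired [**] 10.0.0.5:53 -> 10.13.37.1:50922",
    "05/05/2014-20:13:27.852789 [**] Response TX 214c [**] pulsifer.ca [**] A [**] TTL 12128 [**] 67.231.24.125 [**] 10.0.0.5:53 -> 10.13.37.1:50922",
]
TLS_LOG = [
    "05/05/2014-20:50:35.379305 172.16.0.10:38457 -> 67.231.24.125:993 TLS: Subject='serialNumber=tsWwnNhDJVx2sppFUBFdevYswWWbQOPg, OU=GT90807209, OU=See www.rapidssl.com/resources/cps (c)14, OU=Domain Control Validated - RapidSSL(R), CN=pulsifer.ca' Issuerdn='C=US, O=GeoTrust, Inc., CN=RapidSSL CA' SHA1='d1:0b:df:ca:39:a9:dc:50:79:cb:73:d0:0b:10:84:e9:92:e8:2d:fd' VERSION='TLSv1'",
]
HTTP_LOG = [
    "05/05/2014-20:13:27.921584 pulsifer.ca [**] /cats.html [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 156 bytes [**] 10.13.37.1:44739 -> 67.231.24.125:80",
    "05/05/2014-20:13:28.259719 mjner.com [**] /update/ [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 [**] https://pulsifer.ca/cats.html [**] GET [**] HTTP/1.1 [**] 200 [**] 1123 bytes [**] 10.13.37.1:44740 -> 100.42.50.110:80",
]


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def parse_flow(field):
    src, _, dst, dport = FLOW_RE.search(field).groups()
    return {"src": src, "dst": dst, "dport": int(dport)}


def dns_answers(lines):
    """name -> set of A-record IPs seen in responses; queries and RD-only lines are skipped."""
    answers = defaultdict(set)
    for line in lines:
        p = line.split(SEP)
        if p[1].startswith("Response") and len(p) == 7 and p[3] == "A":
            answers[p[2]].add(p[5])
    return answers


def parse_http(line):
    p = line.split(SEP)
    ts, host = p[0].split(" ", 1)  # timestamp and hostname share the first field
    return {"ts": parse_ts(ts), "host": host, "uri": p[1], "ua": p[2],
            "referer": None if p[3] == "<no referer>" else p[3], "method": p[4],
            "status": int(p[6]), "bytes": int(p[7].split()[0]), **parse_flow(p[8])}


def parse_tls(line):
    ts, _, dst, subject, _, sha1, _ = TLS_RE.match(line).groups()
    cn = re.search(r"CN=([^,]+)", subject)
    return {"ts": parse_ts(ts), "dst": dst.rsplit(":", 1)[0],
            "cn": cn.group(1) if cn else None, "sha1": sha1}


def correlate(dns_lines, tls_lines, http_lines):
    answers = dns_answers(dns_lines)
    http = sorted((parse_http(l) for l in http_lines), key=lambda h: h["ts"])
    chain, findings = [], []
    for h in http:
        if h["host"] not in answers:
            findings.append(f"no A answer for {h['host']} in dns.log, yet traffic to {h['dst']}")
        elif h["dst"] not in answers[h["host"]]:
            findings.append(f"{h['host']} resolved to {sorted(answers[h['host']])} "
                            f"but traffic went to {h['dst']}")
        if not h["referer"]:
            continue
        ref = urlparse(h["referer"])
        # the parent is an earlier request whose host and path the Referer names
        parent = next((p for p in http if p["host"] == ref.hostname
                       and p["uri"] == ref.path and p["ts"] <= h["ts"]), None)
        if parent:
            chain.append(((parent["host"], parent["uri"]), (h["host"], h["uri"])))
            if ref.scheme == "https" and parent["dport"] == 80:
                findings.append(f"Referer says https://{ref.hostname}{ref.path} but that "
                                f"request was plain HTTP on port 80")
    for t in (parse_tls(l) for l in tls_lines):
        if t["cn"] in answers and t["dst"] in answers[t["cn"]]:
            findings.append(f"TLS cert CN={t['cn']} (SHA1 {t['sha1'][:11]}...) served by "
                            f"{t['dst']}, matching its A record")
    return {"chain": chain, "findings": findings}


if __name__ == "__main__":
    result = correlate(DNS_LOG, TLS_LOG, HTTP_LOG)
    for parent, child in result["chain"]:
        print(f"{parent[0]}{parent[1]} -> {child[0]}{child[1]}")
    for f in result["findings"]:
        print("finding:", f)
```

On the slide's lines this recovers the chain pulsifer.ca/cats.html -> mjner.com/update/ (the iframe target from the second rule's response body) and flags that mjner.com has no A answer in the captured dns.log, that the Referer claims https while the landing page was fetched over port 80, and that the certificate seen on 67.231.24.125:993 carries the same name DNS returned for that address.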
Conclusion