Snort mailing list archives
Re: Zero day attack protection
From: Kevin Ross <kevross33 () googlemail com>
Date: Tue, 29 Oct 2013 20:23:51 +0000
True zero day protection is very hard. There are some products that claim to be able to do it (i.e. FireEye http://www.fireeye.com/blog/corporate/2013/09/needle-in-a-haystack-detecting-zero-day-attacks.html although they did identify zero days in the wild early in the year in Java/Flash etc). I cannot comment on the effectiveness of these types of solutions though as I haven't used them.

Well researched signatures looking for common features is a good way to do it. i.e. if an exploit kit has certain characteristics that can be focused on regardless of the exploit/malware delivered or anomalies then that can be used to identify cases even where unknown attacks are used. In real terms signature based approaches are always to varying extents reactionary to observed malicious behaviours and the same problem affects most if not all security solutions from AV to IDS; the problem is you don't know what the bad guy will do next. I think the future though will be combinations of signature, big data/data mining and machine learning solutions. Personally I do find signatures available for Snort are excellent in getting that unknown as a lot of other vendors often are very specific to vulnerabilities so the actual catching badness potential of Snort sigs is very good.

Another example could be generic catch alls. i.e. outside of Snort and so on I have other tools; one of them I use is passiveDNS (https://github.com/gamelinux/passivedns) which I highly recommend to complement your monitoring. Where it comes into use is:

- being able to maintain a record of DNS logs which is searchable through a web interface. This is highly useful because it means if you have an alert you can specifically in your environment see what domains were resolved in your network to look for (full packet capture using openfpc or something is better though). This also means if you have intelligence on an attack you can search for domains involved to see if you might have been hit and the time frame that the traffic occurred first. Also because it shows first seen for a domain if it is malware it can help you determine the earliest point you should start looking for that particular CnC. http://www.alienvault.com/open-threat-exchange/blog/identifying-suspicious-domains-using-dns-records
- It can use blacklists to alert on (reactionary)
- You can use regex. This is where it gets interesting. For instance using regex you can look roughly for common patterns in domain generation algorithms http://www.net-security.org/article.php?id=1844&p=1. I have regexes for Zeus and generic ones looking at basic patterns (when you start passiveDNS make sure you use -X 46CDNPRSx to make sure you get NXDOMAINS). Then I feed that into a SIEM where I further pick out the pattern and make sure the response is NXDOMAIN. This helped me find unknown Zeus infected PCs in my network I had no idea were there as they were not calling out and also other malware. As DGAs are more and more prevalent in malware CnC using this method could help you detect zero day malware. You can also use Snort to look for suspicious patterns in NXDOMAINS (look for NXDOMAIN and then apply regex for patterns).

https://www.damballa.com/downloads/a_pubs/Damballa_Throw-Away_Traffic_to_Bots.pdf
https://www.damballa.com/downloads/r_pubs/Damballa_tdss_tdl4_case_study_public.pdf
https://www.damballa.com/downloads/r_pubs/Damballa_mv20_case_study.pdf
http://www.anubisnetworks.com/from-the-botnet-battlegrounds-the-tale-of-unknown-dga17/
https://www.cert.pl/news/4711/langswitch_lang/en
https://www.damballa.com/downloads/r_pubs/RN_DGAs-and-Cyber-Criminals-A-Case-Study.pdf
http://labs.umbrella.com/2013/10/24/mysterious-dga-lets-investigate-sgraph/

Hope that helps,
Kevin
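The NXDOMAIN-plus-regex step Kevin describes, written out as an added example (not code from the post or from the passivedns project): it parses passivedns-style log lines, keeps only NXDOMAIN answers, applies a rough DGA-shape heuristic to the second-level label, and reports clients that trip it repeatedly. The `||`-delimited field order and the sample lines are assumptions constructed for the example; `looks_generated`, `parse_line` and `suspicious_clients` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample lines in the "||"-delimited layout passivedns writes
# (timestamp||client||server||class||query||type||answer||ttl||count).
# The exact field order is an assumption; check it against your build's output.
SAMPLE_LOG = """\
1383076800.101||10.0.0.5||8.8.8.8||IN||www.example.com.||A||93.184.216.34||3600||1
1383076801.221||10.0.0.5||8.8.8.8||IN||wwww.google.com.||NXDOMAIN||-||0||1
1383076802.004||10.0.0.7||8.8.8.8||IN||qxkzvtrpwmdb.com.||NXDOMAIN||-||0||1
1383076802.311||10.0.0.7||8.8.8.8||IN||a7f2k9q1m3x5.net.||NXDOMAIN||-||0||1
1383076803.540||10.0.0.7||8.8.8.8||IN||zrtpkvmxwqns.org.||NXDOMAIN||-||0||1
1383076804.002||10.0.0.9||8.8.8.8||IN||bwkqrtzxpvmn.info.||NXDOMAIN||-||0||1
1383076805.777||10.0.0.9||8.8.8.8||IN||stackoverflow.com.||A||198.252.206.16||300||1
"""

# Second-level label of 10+ letters/digits: the rough shape a generic DGA regex looks for.
DGA_LABEL = re.compile(r"^[a-z0-9]{10,}$")

def looks_generated(domain):
    """Heuristic: long alphanumeric SLD that is vowel-poor or digit-heavy (typos stay short)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    if not DGA_LABEL.match(sld):
        return False
    vowels = sum(ch in "aeiou" for ch in sld)
    digits = sum(ch.isdigit() for ch in sld)
    return vowels / len(sld) < 0.25 or digits >= 3

def parse_line(line):
    """Split one passivedns record; returns None for malformed or truncated lines."""
    fields = line.rstrip("\n").split("||")
    if len(fields) < 9:
        return None
    return {"ts": float(fields[0]), "client": fields[1],
            "query": fields[4].rstrip("."), "type": fields[5]}

def suspicious_clients(log_text, threshold=3):
    """Map client -> generated-looking NXDOMAIN queries, keeping clients at/above threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["type"] != "NXDOMAIN":   # the SIEM filter step from the post
            continue
        if looks_generated(rec["query"]):
            hits[rec["client"]].append(rec["query"])
    return {client: names for client, names in hits.items() if len(names) >= threshold}
```

The threshold is what keeps a single mistyped hostname (the `wwww.google.com` line) out of the result while a host burning through a DGA list still surfaces; tune it and the label regex to your own NXDOMAIN baseline.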
Current thread:
- Zero day attack protection Anshuman Anil Deshmukh (Oct 27)
- Re: Zero day attack protection Saint Crusty (Oct 28)
- Re: Zero day attack protection Joel Esler (Oct 28)
- Re: Zero day attack protection Saint Crusty (Oct 29)
- Re: Zero day attack protection Joel Esler (Oct 29)
- Re: Zero day attack protection Kevin Ross (Oct 29)
- <Possible follow-ups>
- Re: Zero day attack protection sockstat (Oct 28)
- Re: Zero day attack protection Saint Crusty (Oct 28)