Snort mailing list archives

Re: was--Matt Jonkman in the new Hakin9--now detecting infections


From: Matthew Jonkman <jonkman () emergingthreatspro com>
Date: Thu, 3 Feb 2011 10:07:41 -0500

Bothunter is a spectacular tool! I highly recommend it. They use a subset of the ET rules, so what we're all 
contributing to emerging threats is helping improve Bothunter. Although in a relatively small way, most of its actions 
are based on much higher thought than static sigs. 

Metaflows.com is also a tool implementing bothunter for open and professional use with great results. I'm sure there 
will be more commercial uses of it very soon.

Matt


On Feb 3, 2011, at 9:42 AM, John York wrote:

I agree wholeheartedly.  My biggest concern is getting to the infected machines ASAP, so that's what I *really* want 
alerts on.  The IPS, firewall, AV, web filter, no admin rights for users, etc all do what they can to prevent 
compromises.  If Joe Clueless clicks on enough bad things, one of them will get him eventually and the trick is to 
get the computer isolated immediately.

BotHunter is a Snort-based system for detecting infections.  I've wanted to test it but have never had time.  Has 
anyone had good results with it?  (I know I'm OT, but it is Snort based--maybe only one drink ;-)

Thanks
John


-----Original Message-----
From: Martin Holste [mailto:mcholste () gmail com] 
Sent: Wednesday, February 02, 2011 5:23 PM
To: Matthew Jonkman
Cc: snort-users () lists sourceforge net; emerging-sigs () emergingthreats net
Subject: Re: [Snort-users] [Emerging-Sigs] Matt Jonkman in the new Hakin9

Yes, an infection is a failure. But we will always have failures. And you'll have hosts that come in from the 
outside already infected. You MUST focus on CnC channels, I don't see any alternative.


This is the key point.  We responded to over a thousand incidents last
year alone, and in each case, AV had been completely overtaken (only
even generating an alert about 1/3 of the time) and more than half of
the cases were on fully patched machines.  This is IDS's core
competency.  Packets will never lie (though you may misinterpret what
they say).  The same cannot be said of anything on a host that may
have been compromised.

The NSS testing is becoming increasingly irrelevant because exploits
aren't actionable--infections are.  If I told you that you could have
the choice between a magic blinking box that told you whenever a host
was infected versus a box that told you whenever someone tried to
infect a box, wouldn't you go with the first one?  Most orgs aren't
interested in attempts--they're interested in break-ins.  The idea of
detecting exploits via IDS comes from way back in the 90's when CnC
channels (or malware) didn't really exist like they do now.  Your only
chance then was to detect the break-in.  There's been a complete
reversal in the last few years and now your only real chance is to
detect the CnC channel because the exploit doesn't really exist like
it did then.

Exploit code is far more likely to be encrypted/encoded than check-in
traffic (URL's at least).  It is almost impossible to write signatures
to catch the exploits in the wild for anything more than the PoC
examples or the kit-of-the-day.  So many SF and ET signatures look for
things like CLSID's for ActiveX objects, which will almost never hit
on an actual exploit, because they will be heavily obfuscated with
Javascript.  It's very unfortunate, because most Snort instances will
be dropping packets because of the wasted cycles on those signatures,
so they're missing the check-ins as well.  You can get far better
results by running a handful of signatures to look for basic file
types like executables, PDF, Flash, and Java, then matching those hits
(which will be very numerous) with disreputable autonomous systems
(AS's).  I bet anyone on this list a case of beer that the next JAR
file coming out of Latvia to their corporate network is a malware
loader (no cheating please!).

The other critical component to that is regarding Jason's point about
off-network infections.  CnC check-ins are your only hope at that
point--try to spot the already-infected devices so that they can be
cleaned.  Since the host has already failed to defend itself, the
network IDS is your last chance.

Both the Mandiant M-Trends and Verizon Data Breach Report each year
have been illustrating how futile it is to expect to be able to defend
all of your endpoints.  They do, however, show how damage isn't
usually done for days or weeks after the initial infection, so if you
can find the infected machines within a few business days, you've got
a good chance of emerging unscathed (other than the re-images, of
course).

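The workflow Martin describes above (a handful of broad file-type signatures, then matching their hits against disreputable autonomous systems and pulling the internal host for cleanup) as an added worked example; this is not code from the thread or from any of the tools mentioned. The alert lines, SIDs, prefixes, ASNs and the HOME_NET range are all constructed for the example; a real deployment would swap the prefix table for a routing-table or reputation-feed lookup.

```python
import ipaddress
import re

# Constructed Snort "fast"-format alert lines from hypothetical file-type rules.
# SIDs 9000001-9000003 and all addresses are made up for this example.
ALERTS = """\
02/03-09:12:01.123456  [**] [1:9000001:1] FILE-TYPE EXE download [**] [Priority: 3] {TCP} 198.51.100.7:80 -> 10.0.0.5:51234
02/03-09:12:44.000001  [**] [1:9000002:1] FILE-TYPE JAR download [**] [Priority: 3] {TCP} 203.0.113.9:80 -> 10.0.0.8:51300
02/03-09:13:10.500000  [**] [1:9000003:1] FILE-TYPE PDF download [**] [Priority: 3] {TCP} 192.0.2.44:443 -> 10.0.0.5:51301
02/03-09:14:02.250000  [**] [1:9000002:1] FILE-TYPE JAR download [**] [Priority: 3] {TCP} 203.0.113.200:8080 -> 10.0.0.12:51400
"""

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range, like Snort's HOME_NET

# Constructed prefix -> ASN table standing in for a BGP or whois lookup.
PREFIX_TO_ASN = {ipaddress.ip_network(p): asn for p, asn in {
    "198.51.100.0/24": 64500, "203.0.113.0/24": 64501, "192.0.2.0/24": 64502}.items()}

# Constructed list of ASNs the analyst has decided to escalate on (private-use ASN here).
DISREPUTABLE_ASNS = {64501}

ALERT_RE = re.compile(r"\[\d+:(\d+):\d+\] (.*?) \[\*\*\].*\{\w+\} ([\d.]+):\d+ -> ([\d.]+):\d+")

def asn_for(ip):
    """Toy lookup (first matching prefix wins): the ASN owning ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in PREFIX_TO_ASN.items() if addr in net), None)

def correlate(alert_text):
    """Return the file-type alerts whose external peer sits in a disreputable AS."""
    hits = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        sid, msg, src, dst = m.groups()
        # The server that delivered the file is whichever endpoint is outside HOME_NET.
        peer, victim = (dst, src) if ipaddress.ip_address(src) in HOME_NET else (src, dst)
        asn = asn_for(peer)
        if asn in DISREPUTABLE_ASNS:
            hits.append({"sid": int(sid), "msg": msg, "peer": peer, "asn": asn, "victim": victim})
    return hits

def hosts_to_isolate(hits):
    """Distinct internal hosts that pulled a file from a disreputable AS, oldest alert first."""
    return list(dict.fromkeys(h["victim"] for h in hits))

if __name__ == "__main__":
    for h in correlate(ALERTS):
        print(f"{h['victim']} fetched via sid {h['sid']} ({h['msg']}) from {h['peer']} in AS{h['asn']}")
```

Only the two JAR downloads from the 203.0.113.0/24 prefix are escalated; the EXE and PDF hits from other ASes stay as ordinary (and numerous) file-type events, which is the point of the second filter.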


------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


