tralse positive
play

TRALSE POSITIVE Simple Methods for Confirming IDS/IPS Alerts - PowerPoint PPT Presentation

Nov 26, 2023 •272 likes •517 views

TRALSE POSITIVE Simple Methods for Confirming IDS/IPS Alerts Introduc3on Geoffrey Serrao Currently Employed at Sourcefire, Inc. Tier I Technical Support Engineer Typical work day for a Tier 1 Hardware

  1. TRALSE ¡POSITIVE ¡ Simple Methods for Confirming IDS/IPS Alerts

  2. Introduc3on ¡ § Geoffrey Serrao § Currently Employed at Sourcefire, Inc. ▸ Tier I Technical Support Engineer § Typical work day for a Tier 1 ▸ Hardware questions ▸ Configuration questions ▸ False positive analysis 2

  3. IDS/IPS ¡Alerts ¡ • Big Three • Snort • Suricata • Bro IDS • IDS/IPS systems generate alerts based on: ▸ Signatures ▸ Network Anomalies § We will be dealing mostly with signature based events today 3

  4. A ¡Trend ¡ § More data is being analyzed § More events are being generated § What do we do with all of these events? 10 Mbps 100 Mbps 500 Mbps 1 Gbps 10 Gbps 40 Gbps 4

  5. Current ¡Incident ¡Handling ¡Process ¡ § Preparation § Detection and Notification § Investigation And Qualification § Communication § Containment and Recovery § Lessons Learned 5

  6. Exis3ng ¡Techniques ¡ Best Automated Informed Analysis Manual Analysis Guessing Hope/Pray Worst 6

  7. The ¡Current ¡Method ¡ § Step 1: Verify Rule Context ▸ Rule Header ▸ Content Matches § Step 2: Verify Endpoints ▸ Who ’ s talking § Step 3: Verify Conversation ▸ What ’ s being said – gets technical § Step 4: Verify Operational Context ▸ How does this type of attack affect my network deployment? – also gets technical 7

  8. A ¡Happy ¡Example ¡ 8

  9. Drawbacks ¡of ¡the ¡Current ¡Method ¡ § Limited by the amount of information available to the analyst at the time § Time intensive § Tedious § Reactive approach 9

  10. Real ¡World ¡Example ¡ 10

  11. How ¡to ¡Improve ¡ § Let ’ s take a more proactive approach § Increase the amount of information available to the analyst § Increase the quality of the dissected payload § Use automation tools § The best methods are the most informed methods § We need a bigger source of information 11

  12. What ¡I ’ d ¡Like ¡to ¡See ¡ IP ’ s rDNS Verdict … 54.243.156.140 sourcefire.com Clean 64.214.53.2 sf-nat.sourcefire.com Clean 205.178.189.131 flocon.org Clean 167.216.129.13 immunet.com Clean 23.23.170.170 snort.org Clean 69.43.161.180 antivirus-online21.com +Investigate 192.88.209.252 cert.org Clean 10.20.57.16 <none> RFC 1918 … http://dns-bh.sagadc.org/domains.txt 12

  13. Informa3on ¡Sources ¡ IP Reputation Field URL Intelligence Reputation PCAPalyze IP Emerging Geolocation Threats Database 13

  14. Informa3on ¡Sources, ¡Cont. ¡ § Common ▸ http://www.malwaredomains.com ▸ www.mxtoolbox.com ▸ https://www.dnsstuff.com/ ▸ http://www.siteadvisor.com/ ▸ https://www.phishtank.com/ § Not so common ▸ Pastebin.com ▸ Twitter.com 14

  15. Favorite ¡Informa3on ¡Source ¡ § http://support.clean-mx.de/clean-mx/viruses § They ’ ve been really tolerating my automated testing § Easily encoded POST http requests for ▸ IP ▸ Domain 15

  16. Python! ¡ https://xkcd.com/353/ 16

  17. The ¡Code ¡1 ¡of ¡3 ¡ from scapy.all import * from scapy.utils import * … print "Reading PCAP(s):" for x in range(num_pcaps): try: pkts.extend(rdpcap(caps[x])) except Exception, e: print e print "Collecting IPs.." for pkt in pkts: if pkt.haslayer(IP): if not pkt[IP].src in ip_list: ip_list.append(pkt[IP].src) if not pkt[IP].dst in ip_list: ip_list.append(pkt[IP].dst) print len(ip_list), " unique IPs collected from pcap(s) ” … 17

  18. The ¡Code ¡2 ¡of ¡3 ¡ for i in ip_list: if check_country: try: location = str(GEOIP.lookup(i)).split('country')[1].strip('[] \n ’ ) except Exception, e: print "country lookup failure.", e if check_hostname: try: hostname = socket.getfqdn(i) except Exception, e: hostname = "Couldn't find hostname", e 18

  19. The ¡Code ¡3 ¡of ¡3 ¡ response = urlopen('http://support.clean-mx.de/clean-mx/viruses.php') forms = ParseResponse(response, backwards_compat=False) form = forms[0] try: br = mechanize.Browser() … form['ip'] = i response = urlopen(form.click()).read() if not response.find('<br><br><div align="center"><b>For this query is nothing recorded in our database.</b><br>') > -1: reputation = "- Investigate" else: reputation = "+ Clean" 19

  20. Finished ¡Output ¡ 20

  21. Caveats ¡and ¡PiRalls ¡ § Customers with secure networks and tight data retention policies may not be able to take full advantage § Working with encryption § Tuning for accuracy 21

  22. Future ¡Development ¡ • PCAPalyze • PHP web application (HTTPS) interface • Flask + Python back end • SCAPY used for extrapolating PCAP data • Uses more sources of data • Available for the public to use • Works with more protocols 22

  23. In ¡Summa3on ¡ 23

  24. Ques3ons ¡ 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Becky Coffin Kingfisher plc Net Positive 2 Net Positive 3 Net Positive 4 Creating the

Becky Coffin Kingfisher plc Net Positive 2 Net Positive 3 Net Positive 4 Creating the

Achieving Net Positive through responsible sourcing Becky Coffin Kingfisher plc Net Positive 2 Net Positive 3 Net Positive 4 Creating the leader Net Positive 5 Net Positive 6 WHAT HAVE WE LEARNED ABOUT RESPONSIBLE SOURCING?

450 views • 19 slides
Positive Discipline The Solution Studio What is Positive Discipline? Positive discipline is a

Positive Discipline The Solution Studio What is Positive Discipline? Positive discipline is a

Positive Discipline The Solution Studio What is Positive Discipline? Positive discipline is a key to helping children develop self-discipline, responsibility, cooperation, and problem-solving skills. It is a discipline model used by schools,

381 views • 6 slides
Module 5 Positive Influence Module Five: Positive Influence Objectives Understand the need

Module 5 Positive Influence Module Five: Positive Influence Objectives Understand the need

In the last module we discussed why Character and Ethics are important, we now turn to how to make those results happen. Your positive influence on others daily. 0 Module 5 Positive Influence Module Five: Positive Influence Objectives

250 views • 13 slides
Remove negative environments Promote positive growth Reward good / positive and

Remove negative environments Promote positive growth Reward good / positive and

New positive promotion campaign Remove negative environments Promote positive growth Reward good / positive and punish unacceptable behaviours Empower all clubs to take action with the support of the RFL

457 views • 22 slides
CSE not every positive integer is prime 311 some positive integer is not prime prime

CSE not every positive integer is prime 311 some positive integer is not prime prime

Negations of quantifiers CSE not every positive integer is prime 311 some positive integer is not prime prime numbers do not exist Foundations of every positive integer is not prime Computing I Fall 2014 Negations of

351 views • 6 slides
Disparities in HIV positive men of color HIV positive men of color: Constitute a

Disparities in HIV positive men of color HIV positive men of color: Constitute a

Amenability of HIV-positive African American Men to Shared Medical Appointments for Primary Care Colin Gershon, N.P., M.P.H.; Matthew Siegel, B.S.; Matthew Masankay, B.S.; Michael Arnold, Ph.D., Malcolm John, M.D., M.P.H. Division of Infectious

544 views • 8 slides
Social Innovation Hub in Skopje What is Positive Deviance and when and how to use it Positive

Social Innovation Hub in Skopje What is Positive Deviance and when and how to use it Positive

Social Innovation Hub in Skopje What is Positive Deviance and when and how to use it Positive Deviance is one of a number of asset-based approaches to change. It is based on the observation that in every community, there are a few people, the

836 views • 21 slides
Positive Ageing &amp; Resilience Training Guy Robertson Director Positive Ageing Associates

Positive Ageing &amp; Resilience Training Guy Robertson Director Positive Ageing Associates

Positive Ageing &amp; Resilience Training Guy Robertson Director Positive Ageing Associates Positive Ageing &amp; Resilience Training Delivery Miriam Akhtar Guy Robertson Major Life Events Retirement Relationship breakdown

648 views • 63 slides
Living a Positive Life in Challenging Times Sonya Corbin Dwyer, Ph.D. Positive Psychology

Living a Positive Life in Challenging Times Sonya Corbin Dwyer, Ph.D. Positive Psychology

Living a Positive Life in Challenging Times Sonya Corbin Dwyer, Ph.D. Positive Psychology Promotes the best in human behaviour Promotes the understanding of healthy human functioning Positive emotions seem to help restore or preserve

366 views • 24 slides
Mental health can be a positive thing! Positive mental health truly is a &quot;state of

Mental health can be a positive thing! Positive mental health truly is a &quot;state of

Mental health can be a positive thing! Positive mental health truly is a &quot;state of mind&quot; and a feeling of well-being. It is linked to greater productivity, improved cognitive functioning, and has even been shown to improve the immune

443 views • 28 slides
LHH LHH Po Positive Car Care Pr Program LHH Positive Care Program 1989 1996 The Early Years O4

LHH LHH Po Positive Car Care Pr Program LHH Positive Care Program 1989 1996 The Early Years O4

LHH LHH Po Positive Car Care Pr Program LHH Positive Care Program 1989 1996 The Early Years O4 unit LHH Positive Care Program 1996 2010 Expansion of treatment options Increase in survival and discharge Second unit opens (F3)

226 views • 21 slides
Outline What is positive psychology? Major research areas Criticisms of the discipline

Outline What is positive psychology? Major research areas Criticisms of the discipline

Outline What is positive psychology? Major research areas Criticisms of the discipline Future directions Questions Defining Positive Psychology Positive psychology is the scientific study of optimal human functioning

854 views • 47 slides
The Power Of Positive Thoughts By : Andrew Bennett What Y ou Think About Thinking Do you think

The Power Of Positive Thoughts By : Andrew Bennett What Y ou Think About Thinking Do you think

The Power Of Positive Thoughts By : Andrew Bennett What Y ou Think About Thinking Do you think Good Thinking Brings good things in your life? What is positive thinking? What is negative thinking? Positive Thinking Positive thinking is a

229 views • 18 slides
Positive feedback regulation Rodolphe Sepulchre -- University of Cambridge LCCC workshop on

Positive feedback regulation Rodolphe Sepulchre -- University of Cambridge LCCC workshop on

LCCC is a positive environment (i.e. the metric of positive systems) Positive feedback regulation Rodolphe Sepulchre -- University of Cambridge LCCC workshop on Learning and Adaptation for Sensorimotor Control - Lund - October 2018 ! 2

367 views • 8 slides
Pyramid 101 Positive Behavior Support Pyramid Model Components Introduction to Positive Behavior

Pyramid 101 Positive Behavior Support Pyramid Model Components Introduction to Positive Behavior

Pyramid 101 Positive Behavior Support Pyramid Model Components Introduction to Positive Behavior Support in Early Childhood Settings Effective Workforce better-trained caregivers are the foundation Patti Mahrt-Roberts Nurturing and

588 views • 27 slides
Electronic Components Battery A portable power source that has a positive and negative.

Electronic Components Battery A portable power source that has a positive and negative.

Electronic Components Battery A portable power source that has a positive and negative. Electronics works on Direct Current (DC) where electrons flow from negative to positive. These are the symbols that will be used for Positive and

240 views • 12 slides
M eeting Critical Security Objectives with Security-Enhanced Linux Peter A. Loscocco

M eeting Critical Security Objectives with Security-Enhanced Linux Peter A. Loscocco

M eeting Critical Security Objectives with Security-Enhanced Linux Peter A. Loscocco Information Assurance Research G roup National Security Agency Co-author: Stephen D. Smalley, NAI Labs 1 roup Inform ation A ssurance R esearch G

476 views • 43 slides
Welcome to NJMHAPP 1.0 NJ Mental Health Application for Payment Processing Provider Information

Welcome to NJMHAPP 1.0 NJ Mental Health Application for Payment Processing Provider Information

Welcome to NJMHAPP 1.0 NJ Mental Health Application for Payment Processing Provider Information Session November 16, 2016 Release Date January 2017 Brian Regan Assistant Divisional Director (OIS) Nitin Garg OIS Manager Mahesh Phadke

572 views • 41 slides
UPLOAD VIDEOS TO MICROSOFT STREAM VIA ACCESSUH To upload a video on Microsoft Stream, go to

UPLOAD VIDEOS TO MICROSOFT STREAM VIA ACCESSUH To upload a video on Microsoft Stream, go to

UPLOAD VIDEOS TO MICROSOFT STREAM VIA ACCESSUH To upload a video on Microsoft Stream, go to AccessUH, login with your Cougarnet credentials and then click Office 365. Search for Stream to find the Microsoft Stream app.

138 views • 3 slides
APPLY TEXAS 101 Dual2Degree Department IN YOUR WEB BROWSER TYPE : WWW.APPLYTEXAS.ORG CLICK

APPLY TEXAS 101 Dual2Degree Department IN YOUR WEB BROWSER TYPE : WWW.APPLYTEXAS.ORG CLICK

APPLY TEXAS 101 Dual2Degree Department IN YOUR WEB BROWSER TYPE : WWW.APPLYTEXAS.ORG CLICK CREATE YOUR ACCOUNT NOW MY PROFILE Check Box Suffix means if your name (for males) ends with Jr., III, etc. Under place of birth, select a

788 views • 40 slides
Before the FEDERAL COMMUNICATIONS COMMISSION Washington, DC 20554 In the Matter of ) ) WC

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, DC 20554 In the Matter of ) ) WC

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, DC 20554 In the Matter of ) ) WC Docket 17-108 Restoring Internet Freedom ) To: The Commission MOTION FOR ACCEPTANCE OF LATE-FILED SUBMISSION The Wireless Internet Service

831 views • 23 slides
Crypto Mining CHRISTOS HADJISTYLLIS EPL682 - ADVANCED SECURITY TOPICS, SPRING 2018/2019

Crypto Mining CHRISTOS HADJISTYLLIS EPL682 - ADVANCED SECURITY TOPICS, SPRING 2018/2019

Crypto Mining CHRISTOS HADJISTYLLIS EPL682 - ADVANCED SECURITY TOPICS, SPRING 2018/2019 UNIVERSITY OF CYPRUS Introduction Cryptocurrency: virtual currency usually not controlled by any government or physical entity Examples: Bitcoin,

623 views • 36 slides
Context-Sensitive Analysis of Obfuscated x86 Executables Arun Lakhotia(1), Davidson Boccardo(2),

Context-Sensitive Analysis of Obfuscated x86 Executables Arun Lakhotia(1), Davidson Boccardo(2),

Context-Sensitive Analysis of Obfuscated x86 Executables Arun Lakhotia(1), Davidson Boccardo(2), Anshuman Singh(1), and Aleardo Manacero Jr.(2) (1)University of Louisiana at Lafayette, USA (2)Paulista State University (UNESP), Brazil PEPM 2010

309 views • 29 slides
Runnable JAR archives % java -cp eharold.jar MainClassName Inner Classes Inner Classes

Runnable JAR archives % java -cp eharold.jar MainClassName Inner Classes Inner Classes

Runnable JAR archives % java -cp eharold.jar MainClassName Inner Classes Inner Classes Inner classes may also contain methods. They may not contain static members. Inner classes in a class scope can be public, private, protected,

1.2k views • 99 slides

More recommend