SlideShare a Scribd company logo

A New Framework for Detection

Sourcefire VRT
Sourcefire VRT

Project Razorback(tm) is an undertaking by the Sourcefire VRT. This is the initial presentation of the new framework for detection.

Technology
1 of 69
A New Detection Framework What would you do with a pointer and a size?
Define the problem Why do we need a new detection framework?
The Challenge is Different Attacks have switched from server attacks to client attacks Common attack vectors are easily obfuscated JavaScript Compression File formats are made by insane people Looking at you Flash and OLE guy… Back-channel systems are increasingly difficult to detect
Network Systems… Inline systems must emulate the processing of 1000s of desktops Detection of many backchannels is most successful with statistical evaluation of network traffic
Coverage Gap Broadly speaking, IDS systems deal with packet-by-packet inspection with some level of reassembly Broadly speaking, AV systems typically target indicators of known bad files or system states “…the argument put forward that there's something wrong with anti-virus products that don't detect metasploit output is fallacious on 2 counts: 1) the output isn't necessarily malware (usually only greyware), and 2) anti-virus products are not the proper defense against known exploits (patching is).” -- Kurt Wismer
Fill the Gap A system is needed that can handle varied detection needs A system is needed that extensible, open and scalable A system is needed that facilitates incident response, not just triggers it So……
NRT Framework Near-Realtime Detection Framework or: “Anything is Possible”
The Dispatcher The heart of the NRT system APIs to handle: Deep Inspection Nugget registration Data Handler registration Detection requests Alerting Full analysis logging Output to API compliant systems Database driven
The Dispatcher ,[object Object]
Handles incoming queries for Data Handlers that have failed local cache hits
Handles detection requests from both Data Handlers and DINs
Handles incoming results from Deep Inspection Nuggets
Handles database updates based on DIN data
Writes out verbose logging based on DIN data
Provides alerting to Data Handlers,[object Object]
The Data Handler ,[object Object]
Metadata is captured (in this case URL and filename)
A local cache of MD5 sums and URLs of files previously collected
A library to handle managing the initial file evaluation, cache checks and communication with the Dispatcher,[object Object]
The Deep Inspection Nugget ,[object Object]
Processes data provided by the Data Handlers, as instructed by the Dispatcher
Handles incoming queries for Data Handlers that have failed local cache hits
Handles detection requests from both Data Handlers and DINs
Handles incoming results from Deep Inspection Nuggets
Handles database updates based on DIN data
Writes out verbose logging based on DIN data
Provides alerting to Data Handlers,[object Object]
The Design An implementation of the NRT goals on a Snort platform Target: Malicious pdf files
More info about the nuggets Let’s pretend that the PDF nugget already has the data…
The Dispatcher Why are we passing back files?
We Like Data MD5 is stored for files and subcomponents both bad and good Primarily this is used to avoid reprocessing files we’ve already looked at But after a update to any DIN, all known-good entries are “tainted”
Why Taint known good? After an update to detection, previously analyzed files may be found to be bad We don’t rescan all files But if we see a match for md5 to a previous file, we will alert retroactively
We Like to Provide Data When a subcomponent alerts, it is stored for logging in its fully normalized state. If a file is bad, when the DIN completes detection it passes the file to the Dispatcher Response teams have the entire file as well as each portion that alerted in an easily analyzed format
We Really Like to Provide Data Verbose data back to Data Handler should also be as verbose as possible In this case we place data into the payload and provide a custom message to Snort so we can use established methods of handling Snort alerts 04/16-16:38:48.1271450328 [**] [300:3221225473:1]URL:/users/pusscat/jbig2.pdf Hostname:metasploit.com AlertInfo:Probable exploit of CVE-2009-0658 (JBIG2) detected in object 8,declared as /Length 33/Filter [/FlateDecode/ASCIIHexDecode/JBIG2Decode]  [**] {TCP} 64.214.53.2:0 -> 216.75.1.230:004/16-16:38:48.12714503280:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x064.214.53.2:0 -> 216.75.1.230:0 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1280***AP*** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 2055 52 4C 3A 2F 75 73 65 72 73 2F 70 75 73 73 63  URL:/users/pussc61 74 2F 6A 62 69 67 32 2E 70 64 66 20 48 6F 73  at/jbig2.pdfHos74 6E 61 6D 65 3A 6D 65 74 61 73 70 6C 6F 69 74  tname:metasploit2E 63 6F 6D 20 41 6C 65 72 74 20 49 6E 66 6F 3A  .com Alert Info:50 72 6F 62 61 62 6C 65 20 65 78 70 6C 6F 69 74  Probable exploit20 6F 66 20 43 56 45 2D 32 30 30 39 2D 30 36 35   of CVE-2009-06538 20 28 4A 42 49 47 32 29 20 64 65 74 65 63 74  8 (JBIG2) detect65 64 20 69 6E 20 6F 62 6A 65 63 74 20 38 2C 20  ed in object 8,64 65 63 6C 61 72 65 64 20 61 73 20 2F 4C 65 6E  declared as /Len67 74 68 20 33 33 2F 46 69 6C 74 65 72 20 5B 2F  gth 33/Filter [/46 6C 61 74 65 44 65 63 6F 64 65 2F 41 53 43 49  FlateDecode/ASCI49 48 65 78 44 65 63 6F 64 65 2F 4A 42 49 47 32  IHexDecode/JBIG244 65 63 6F 64 65 20 5D 20                       Decode ]
Nugget Brain Storm… Seriously, what would you do with a pointer and a size?
The basic idea Create file format templates which parse our elements and provide you a datastructure Provide a full, common, scripting language interface to create rules (Ruby? Python? Both?) Only do the heavy work (templating) once per file format.
Demo One JBIG, ASCII Hex Decoding & Inflation
What just happened? 04/21-11:17:58.1271873878 [**] [300:3221225473:1] URL:/wrl/first.pdf Hostname:wrl Alert Info:Probable exploit of CVE-2009-0658 (JBIG2) detected in object 8, declared as /Length 29/Filter [/FlateDecode/ASCIIHexDecode/JBIG2Decode ] [**] {TCP} 192.168.0.1:0 -> 204.15.227.178:0 04/21-11:17:58.12718738780:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x0 192.168.0.1:0 -> 204.15.227.178:0 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1280 ***AP*** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20 55 52 4C 3A 2F 77 72 6C 2F 66 69 72 73 74 2E 70 URL:/wrl/first.p 64 66 20 48 6F 73 74 6E 61 6D 65 3A 77 72 6C 20 dfHostname:wrl 41 6C 65 72 74 20 49 6E 66 6F 3A 50 72 6F 62 61 Alert Info:Proba 62 6C 65 20 65 78 70 6C 6F 69 74 20 6F 66 20 43 ble exploit of C 56 45 2D 32 30 30 39 2D 30 36 35 38 20 28 4A 42 VE-2009-0658 (JB 49 47 32 29 20 64 65 74 65 63 74 65 64 20 69 6E IG2) detected in 20 6F 62 6A 65 63 74 20 38 2C 20 64 65 63 6C 61 object 8, decla 72 65 64 20 61 73 20 2F 4C 65 6E 67 74 68 20 32 red as /Length 2 39 2F 46 69 6C 74 65 72 20 5B 2F 46 6C 61 74 65 9/Filter [/Flate 44 65 63 6F 64 65 2F 41 53 43 49 49 48 65 78 44 Decode/ASCIIHexD 65 63 6F 64 65 2F 4A 42 49 47 32 44 65 63 6F 64 ecode/JBIG2Decod 65 20 5D 20 e ] =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Recommended

Sourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team LabsSourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team Labslosalamos
 
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Cybersecurity Education and Research Centre
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
 
Webinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamavWebinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamavthc2cat
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modemCyber Security Alliance
 
Wireshar training
Wireshar trainingWireshar training
Wireshar trainingLuke Luo
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
 
Wdt Test
Wdt TestWdt Test
Wdt TestLouis liu
 

Recommended

Sourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team LabsSourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team Labslosalamos
 
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Cybersecurity Education and Research Centre
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
 
Webinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamavWebinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamavthc2cat
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modemCyber Security Alliance
 
Wireshar training
Wireshar trainingWireshar training
Wireshar trainingLuke Luo
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
 
Wdt Test
Wdt TestWdt Test
Wdt TestLouis liu
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Проблемы использования TCP в мобильных приложениях. Владимир Кириллов
Проблемы использования TCP в мобильных приложениях. Владимир КирилловПроблемы использования TCP в мобильных приложениях. Владимир Кириллов
Проблемы использования TCP в мобильных приложениях. Владимир КирилловAnthony Marchenko
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysisChong-Kuan Chen
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Introduction to Snort Rule Writing
Introduction to Snort Rule WritingIntroduction to Snort Rule Writing
Introduction to Snort Rule WritingCisco DevNet
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pubCassio Ramos
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...Felipe Prado
 
Inside Winnyp
Inside WinnypInside Winnyp
Inside WinnypFFRI, Inc.
 
Malware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersMalware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersTazdrumm3r
 
Quic illustrated
Quic illustratedQuic illustrated
Quic illustratedAlexander Krizhanovsky
 
Владимир Кириллов-TCP-Performance for-Mobile-Applications
Владимир Кириллов-TCP-Performance for-Mobile-ApplicationsВладимир Кириллов-TCP-Performance for-Mobile-Applications
Владимир Кириллов-TCP-Performance for-Mobile-ApplicationsUA Mobile
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиPositive Hack Days
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)Martin Schütte
 
2 netcat enum-pub
2 netcat enum-pub2 netcat enum-pub
2 netcat enum-pubCassio Ramos
 
Cs423 raw sockets_bw
Cs423 raw sockets_bwCs423 raw sockets_bw
Cs423 raw sockets_bwjktjpc
 
Mem forensic
Mem forensicMem forensic
Mem forensicChong-Kuan Chen
 
Tomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNSTomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNSDefconRussia
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume CompromiseZach Grace
 
BWC Supercomputing 2008 Presentation
BWC Supercomputing 2008 PresentationBWC Supercomputing 2008 Presentation
BWC Supercomputing 2008 Presentationlilyco
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisGTKlondike
 

More Related Content

What's hot

Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Проблемы использования TCP в мобильных приложениях. Владимир Кириллов
Проблемы использования TCP в мобильных приложениях. Владимир КирилловПроблемы использования TCP в мобильных приложениях. Владимир Кириллов
Проблемы использования TCP в мобильных приложениях. Владимир КирилловAnthony Marchenko
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysisChong-Kuan Chen
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Introduction to Snort Rule Writing
Introduction to Snort Rule WritingIntroduction to Snort Rule Writing
Introduction to Snort Rule WritingCisco DevNet
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pubCassio Ramos
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...Felipe Prado
 
Malware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersMalware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersTazdrumm3r
 
Владимир Кириллов-TCP-Performance for-Mobile-Applications
Владимир Кириллов-TCP-Performance for-Mobile-ApplicationsВладимир Кириллов-TCP-Performance for-Mobile-Applications
Владимир Кириллов-TCP-Performance for-Mobile-ApplicationsUA Mobile
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиPositive Hack Days
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)Martin Schütte
 
Cs423 raw sockets_bw
Cs423 raw sockets_bwCs423 raw sockets_bw
Cs423 raw sockets_bwjktjpc
 
Tomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNSTomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNSDefconRussia
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume CompromiseZach Grace
 

What's hot (20)

Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Проблемы использования TCP в мобильных приложениях. Владимир Кириллов
Проблемы использования TCP в мобильных приложениях. Владимир КирилловПроблемы использования TCP в мобильных приложениях. Владимир Кириллов
Проблемы использования TCP в мобильных приложениях. Владимир Кириллов
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysis
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
 
Introduction to Snort Rule Writing
Introduction to Snort Rule WritingIntroduction to Snort Rule Writing
Introduction to Snort Rule Writing
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
 
Inside Winnyp
Inside WinnypInside Winnyp
Inside Winnyp
 
Malware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersMalware analysis - What to learn from your invaders
Malware analysis - What to learn from your invaders
 
Quic illustrated
Quic illustratedQuic illustrated
Quic illustrated
 
Владимир Кириллов-TCP-Performance for-Mobile-Applications
Владимир Кириллов-TCP-Performance for-Mobile-ApplicationsВладимир Кириллов-TCP-Performance for-Mobile-Applications
Владимир Кириллов-TCP-Performance for-Mobile-Applications
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атаки
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)
 
2 netcat enum-pub
2 netcat enum-pub2 netcat enum-pub
2 netcat enum-pub
 
Cs423 raw sockets_bw
Cs423 raw sockets_bwCs423 raw sockets_bw
Cs423 raw sockets_bw
 
Mem forensic
Mem forensicMem forensic
Mem forensic
 
Tomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNSTomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNS
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume Compromise
 

Similar to A New Framework for Detection

BWC Supercomputing 2008 Presentation
BWC Supercomputing 2008 PresentationBWC Supercomputing 2008 Presentation
BWC Supercomputing 2008 Presentationlilyco
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisGTKlondike
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversSatpal Parmar
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Jagadisha Maiya
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The EnterpriseJason Ross
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureqqlan
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsAPNIC
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsCisco Canada
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and ExploitationMattia Salvi
 
Black ops of tcp2005 japan
Black ops of tcp2005 japanBlack ops of tcp2005 japan
Black ops of tcp2005 japanDan Kaminsky
 
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...DefconRussia
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentStefano Maccaglia
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Tzung-Bi Shih
 
Back-2-Basics: Exception & Event Instrumentation in .NET
Back-2-Basics: Exception & Event Instrumentation in .NETBack-2-Basics: Exception & Event Instrumentation in .NET
Back-2-Basics: Exception & Event Instrumentation in .NETDavid McCarter
 
Back-2-Basics: Exception & Event Instrumentation in .NET
Back-2-Basics: Exception & Event Instrumentation in .NETBack-2-Basics: Exception & Event Instrumentation in .NET
Back-2-Basics: Exception & Event Instrumentation in .NETDavid McCarter
 
D03601023026
D03601023026D03601023026
D03601023026theijes
 
Debugging linux issues with eBPF
Debugging linux issues with eBPFDebugging linux issues with eBPF
Debugging linux issues with eBPFIvan Babrou
 
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion DetectionCloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion DetectionWei-Yu Chen
 

Similar to A New Framework for Detection (20)

BWC Supercomputing 2008 Presentation
BWC Supercomputing 2008 PresentationBWC Supercomputing 2008 Presentation
BWC Supercomputing 2008 Presentation
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 
Dpdk applications
Dpdk applicationsDpdk applications
Dpdk applications
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architecture
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my Honeypots
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage Threats
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation
 
Black ops of tcp2005 japan
Black ops of tcp2005 japanBlack ops of tcp2005 japan
Black ops of tcp2005 japan
 
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous Environment
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
 
Back-2-Basics: Exception & Event Instrumentation in .NET
Back-2-Basics: Exception & Event Instrumentation in .NETBack-2-Basics: Exception & Event Instrumentation in .NET
Back-2-Basics: Exception & Event Instrumentation in .NET
 
Back-2-Basics: Exception & Event Instrumentation in .NET
Back-2-Basics: Exception & Event Instrumentation in .NETBack-2-Basics: Exception & Event Instrumentation in .NET
Back-2-Basics: Exception & Event Instrumentation in .NET
 
D03601023026
D03601023026D03601023026
D03601023026
 
Debugging linux issues with eBPF
Debugging linux issues with eBPFDebugging linux issues with eBPF
Debugging linux issues with eBPF
 
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion DetectionCloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection
 

Recently uploaded

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 

Recently uploaded (20)

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 

A New Framework for Detection

  • 1. A New Detection Framework What would you do with a pointer and a size?
  • 2. Define the problem Why do we need a new detection framework?
  • 3. The Challenge is Different Attacks have switched from server attacks to client attacks Common attack vectors are easily obfuscated JavaScript Compression File formats are made by insane people Looking at you Flash and OLE guy… Back-channel systems are increasingly difficult to detect
  • 4. Network Systems… Inline systems must emulate the processing of 1000s of desktops Detection of many backchannels is most successful with statistical evaluation of network traffic
  • 5. Coverage Gap Broadly speaking, IDS systems deal with packet-by-packet inspection with some level of reassembly Broadly speaking, AV systems typically target indicators of known bad files or system states “…the argument put forward that there's something wrong with anti-virus products that don't detect metasploit output is fallacious on 2 counts: 1) the output isn't necessarily malware (usually only greyware), and 2) anti-virus products are not the proper defense against known exploits (patching is).” -- Kurt Wismer
  • 6. Fill the Gap A system is needed that can handle varied detection needs A system is needed that extensible, open and scalable A system is needed that facilitates incident response, not just triggers it So……
  • 7. NRT Framework Near-Realtime Detection Framework or: “Anything is Possible”
  • 8. The Dispatcher The heart of the NRT system APIs to handle: Deep Inspection Nugget registration Data Handler registration Detection requests Alerting Full analysis logging Output to API compliant systems Database driven
  • 9.
  • 10. Handles incoming queries for Data Handlers that have failed local cache hits
  • 11. Handles detection requests from both Data Handlers and DINs
  • 12. Handles incoming results from Deep Inspection Nuggets
  • 13. Handles database updates based on DIN data
  • 14. Writes out verbose logging based on DIN data
  • 15.
  • 16.
  • 17. Metadata is captured (in this case URL and filename)
  • 18. A local cache of MD5 sums and URLs of files previously collected
  • 19.
  • 20.
  • 21. Processes data provided by the Data Handlers, as instructed by the Dispatcher
  • 22. Handles incoming queries for Data Handlers that have failed local cache hits
  • 23. Handles detection requests from both Data Handlers and DINs
  • 24. Handles incoming results from Deep Inspection Nuggets
  • 25. Handles database updates based on DIN data
  • 26. Writes out verbose logging based on DIN data
  • 27.
  • 28. The Design An implementation of the NRT goals on a Snort platform Target: Malicious pdf files
  • 29.
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
  • 38.
  • 39.
  • 40.
  • 41. More info about the nuggets Let’s pretend that the PDF nugget already has the data…
  • 42.
  • 43.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
  • 49.
  • 50.
  • 51.
  • 52.
  • 53.
  • 54.
  • 55.
  • 56.
  • 57.
  • 58.
  • 59.
  • 60.
  • 61. The Dispatcher Why are we passing back files?
  • 62. We Like Data MD5 is stored for files and subcomponents both bad and good Primarily this is used to avoid reprocessing files we’ve already looked at But after a update to any DIN, all known-good entries are “tainted”
  • 63. Why Taint known good? After an update to detection, previously analyzed files may be found to be bad We don’t rescan all files But if we see a match for md5 to a previous file, we will alert retroactively
  • 64. We Like to Provide Data When a subcomponent alerts, it is stored for logging in its fully normalized state. If a file is bad, when the DIN completes detection it passes the file to the Dispatcher Response teams have the entire file as well as each portion that alerted in an easily analyzed format
  • 65. We Really Like to Provide Data Verbose data back to Data Handler should also be as verbose as possible In this case we place data into the payload and provide a custom message to Snort so we can use established methods of handling Snort alerts 04/16-16:38:48.1271450328 [**] [300:3221225473:1]URL:/users/pusscat/jbig2.pdf Hostname:metasploit.com AlertInfo:Probable exploit of CVE-2009-0658 (JBIG2) detected in object 8,declared as /Length 33/Filter [/FlateDecode/ASCIIHexDecode/JBIG2Decode]  [**] {TCP} 64.214.53.2:0 -> 216.75.1.230:004/16-16:38:48.12714503280:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x064.214.53.2:0 -> 216.75.1.230:0 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1280***AP*** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 2055 52 4C 3A 2F 75 73 65 72 73 2F 70 75 73 73 63  URL:/users/pussc61 74 2F 6A 62 69 67 32 2E 70 64 66 20 48 6F 73  at/jbig2.pdfHos74 6E 61 6D 65 3A 6D 65 74 61 73 70 6C 6F 69 74  tname:metasploit2E 63 6F 6D 20 41 6C 65 72 74 20 49 6E 66 6F 3A  .com Alert Info:50 72 6F 62 61 62 6C 65 20 65 78 70 6C 6F 69 74  Probable exploit20 6F 66 20 43 56 45 2D 32 30 30 39 2D 30 36 35   of CVE-2009-06538 20 28 4A 42 49 47 32 29 20 64 65 74 65 63 74  8 (JBIG2) detect65 64 20 69 6E 20 6F 62 6A 65 63 74 20 38 2C 20  ed in object 8,64 65 63 6C 61 72 65 64 20 61 73 20 2F 4C 65 6E  declared as /Len67 74 68 20 33 33 2F 46 69 6C 74 65 72 20 5B 2F  gth 33/Filter [/46 6C 61 74 65 44 65 63 6F 64 65 2F 41 53 43 49  FlateDecode/ASCI49 48 65 78 44 65 63 6F 64 65 2F 4A 42 49 47 32  IHexDecode/JBIG244 65 63 6F 64 65 20 5D 20                       Decode ]
  • 66. Nugget Brain Storm… Seriously, what would you do with a pointer and a size?
  • 67. The basic idea Create file format templates which parse our elements and provide you a datastructure Provide a full, common, scripting language interface to create rules (Ruby? Python? Both?) Only do the heavy work (templating) once per file format.
  • 68. Demo One JBIG, ASCII Hex Decoding & Inflation
  • 69. What just happened? 04/21-11:17:58.1271873878 [**] [300:3221225473:1] URL:/wrl/first.pdf Hostname:wrl Alert Info:Probable exploit of CVE-2009-0658 (JBIG2) detected in object 8, declared as /Length 29/Filter [/FlateDecode/ASCIIHexDecode/JBIG2Decode ] [**] {TCP} 192.168.0.1:0 -> 204.15.227.178:0 04/21-11:17:58.12718738780:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x0 192.168.0.1:0 -> 204.15.227.178:0 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1280 ***AP*** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20 55 52 4C 3A 2F 77 72 6C 2F 66 69 72 73 74 2E 70 URL:/wrl/first.p 64 66 20 48 6F 73 74 6E 61 6D 65 3A 77 72 6C 20 dfHostname:wrl 41 6C 65 72 74 20 49 6E 66 6F 3A 50 72 6F 62 61 Alert Info:Proba 62 6C 65 20 65 78 70 6C 6F 69 74 20 6F 66 20 43 ble exploit of C 56 45 2D 32 30 30 39 2D 30 36 35 38 20 28 4A 42 VE-2009-0658 (JB 49 47 32 29 20 64 65 74 65 63 74 65 64 20 69 6E IG2) detected in 20 6F 62 6A 65 63 74 20 38 2C 20 64 65 63 6C 61 object 8, decla 72 65 64 20 61 73 20 2F 4C 65 6E 67 74 68 20 32 red as /Length 2 39 2F 46 69 6C 74 65 72 20 5B 2F 46 6C 61 74 65 9/Filter [/Flate 44 65 63 6F 64 65 2F 41 53 43 49 49 48 65 78 44 Decode/ASCIIHexD 65 63 6F 64 65 2F 4A 42 49 47 32 44 65 63 6F 64 ecode/JBIG2Decod 65 20 5D 20 e ] =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
  • 70. Demo Two What is that JavaScript up to?
  • 71. What just happened? [**] [300:2147483653:1] URL:/wrl/first.pdf Hostname:wrl Alert Info:The JavaScript variables in object 6, declared as /Length 5994/Filter [/FlateDecode/ASCIIHexDecode ] , show a high degree of entropy [**] You tell me, does this string of variable names look weird to you? EvctenMNtrWDQVBKGrwGxrxKfMiZoYziRxAFEfjMdXRzjGNqVZYEAqogviSvzHpGpCkihcVtXRWcHphvhAnPOXnrxmTXJEUIkcYzelWZUCuIyKArtJvcEQXzUjHEzuSjGEJugOyFQnaSplNWwQsqOoV [**] [300:2147483649:1] URL:/wrl/first.pdf Hostname:wrl Alert Info:Found in the Javascript block, while searching object 6: unescape [**] Wait, did someone say unescape…
  • 72. Get a little crazy? Sig up some common GetEIPtechiniques… Heuristically hunt down shellcode decoder stubs Decode and parse shellcode Give back some REAL data.
  • 73. Demo Three What is that unescape up to….
  • 74. Wait, did that really just happen? [**] [300:3221225482:1] URL:/wrl/first.pdf Hostname:wrl Alert Info:Reverse TCP connectbackshellcode detected. Connecting to 10.4.4.10 on port 4444 [**] Looking at the following: 10 d4 77 74 71 20 f6 d3 e0 70 66 0c 7a 40 73 72 78 2f be 37 04 91 a8 46 93 41 1c 24 b0 b4 b1 3d 43 b5 96 15 7d 4e 9b 7e 48 42 8d 12 f7 eb 4f 0d 7b 4a 25 08 d5 1d 0b ff c6 c0 e3 03 f5 b3 b2 34 71 18 fdba 75 77 25 3c b8 7b 30 d4 43 78 1c 2a . . . bf 98 35 a5 af 98 1d 1f e0 17 95 0a 3a 5f 1f f0 87 c2 71 f1 e5 a0 77 f5 fe 94 fc 13 85 d8 23 a2 87 51 d0 81 8e 37 a0 70 2f bc 79 0a a1 c0 00 19 87 38 c0 57 b9 37 a0 9f ef a2 71 a3 b8 a0 77 2c 27 97 8a 20 64 fe 1f b5 87 c8 65 f5 ef 9e 1f f5 87 90 d1 a6 0a 37 a0 66 bc a2 75 a3 bc 9f 1d f7 36 00 2a 0a 3a c9 b6 dc 29 4d 83 80 03 0b 75 f5 Gave us the shellcode type as well as the IP and port combination the connect back goes to. Wouldn’t it be great if something knew to start listening?
  • 75. Go nuts. Take that IP address and Port, and auto-tcpdump when you get an alert Watch everything the attacker does over that back channel on the fly Poor-man’s netwitness. (Can I say that?)
  • 76. Seriously. Lick every window in Dubai. How about a custom post-mortem debugger on every enterprise desktop? Have it alert to your central dispatcher and dump whatever loaded file is the crash culprit. Get both failed exploit attempts and possibly a few free 0-day to sell on the side!
  • 77. Start now. Dubai has a lot of windows. Make use of BinCrowd! Yank down the a whole community’s set of symbols for that questionable sample you just got a hold of – malware reuses code too! Not all of your machines have hardware DEP? Run one machine with DEP, use that custom post mortem, still get near real time knowledge of attacks DLP is serious business Store more than one checksum type for sensitive data. Custom nuggets can make it easy.
  • 78. We Brought Presents Circus Tickets!
  • 79. What can you do with a u_char * and an u_int_32? We have hosted on http://labs.snort.org a package that contains: Snort Preprocessor for snagging .exe, .dll and .pdf files from live traffic A commented library that will allow you to thread calls to a detection function A “Dumb Nugget” to simply write these files to disk A “Clam Nugget” to pass these files to ClamAV Local cache system to reduce detection overhead Alerting system that fires Snort alerts with arbitrary data Disclaimer For serious, this code was put together to pitch the idea to management it is…well it is what it is This project is a research project in the VRT no timeline for release either as open source or a Sourcefire product has been determined We’ll update it as we integrate the full dispatcher->data handler->deep inspection nugget code
  • 80. Project Team System Architects: Matthew Olney Lurene Grenier Patrick Mullen Nigel Houghton Programmers: Ryan Pentney (OMG CODE OUTPUT) Alain Zidouemba (ClamAV integration) Database: Alex Kambis File Format Research Monica Sojeong Hong Alex Kirk Infrastructure Support Kevin “McLovin” Miklavcic Christopher McBee Head Didn’t Fire Us During POC phase Matthew Watchinski, Sr. Director, Vulnerability Research
  • 81. VRT Blog: http://vrt-sourcefire.blogspot.com/ Place we store bad ideas: http://labs.snort.org/ Twitter: @vrt_sourcefire (VRT Twitter Account) @kpyke (Matthew Olney) @pusscat (Lurene Grenier) @xram_lrak (Matthew Watchinski)
  • 82. Fin