What would you do with a pointer and a size?
Why do we need a new detection framework?
• Attacks have switched from server attacks to client attacks
• Common attack vectors are easily obfuscated
  • JavaScript
  • Compression
• File formats are made by insane people
  • Looking at you Flash and OLE guy…
• Back-channel systems are increasingly difficult to detect
• Inline systems must emulate the processing of 1000s of desktops
• Detection of many backchannels is most successful with statistical evaluation of network traffic
• Broadly speaking, IDS systems deal with packet-by-packet inspection with some level of reassembly
• Broadly speaking, AV systems typically target indicators of known bad files or system states
  “…the argument put forward that there's something wrong with anti-virus products that don't detect metasploit output is fallacious on 2 counts: 1) the output isn't necessarily malware (usually only greyware), and 2) anti-virus products are not the proper defense against known exploits (patching is).”
  -- Kurt Wismer
• A system is needed that can handle varied detection needs
• A system is needed that is extensible, open and scalable
• A system is needed that facilitates incident response, not just triggers it

   So……
Near-Realtime Detection Framework or:
“Anything is Possible”
• The heart of the NRT system
• APIs to handle:
  • Deep Inspection Nugget registration
  • Data Handler registration
  • Detection requests
  • Alerting
  • Full analysis logging
  • Output to API compliant systems
• Database driven
• Implements a database to provide a centralized set of file information and
• Handles incoming queries for Data Handlers that have failed local cache hits
• Handles detection requests from both Data Handlers and DINs
• Handles incoming results from Deep Inspection Nuggets
• Handles database updates based on DIN data
• Writes out verbose logging based on DIN data
• Provides alerting to Data Handlers
• Capture data and metadata
• Contact dispatcher for handling
  • Has this file been evaluated before?
  • Where should I send it?
• Pass that data set to a Deep Inspection Nugget
• Accept feedback from the Dispatcher for detection request
  • Asynchronous alerting
  • Local cache of detection outcome
• Data (in this case a file) is captured
• Metadata is captured (in this case URL and filename)
• A local cache of MD5 sums and URLs of files previously collected
• A library to handle managing the initial file evaluation, cache checks and communication with the Dispatcher
• Must handle data transfer from Data Handlers
• Must communicate with Dispatcher
  • Register detection capability
  • Request for additional processing of subcomponents
  • Provide alerting feedback to Dispatcher
• Registers with the Dispatcher
• Processes data provided by the Data Handlers, as instructed by the Dispatcher
• Provide entry to the system for any arbitrary data type
• Determine and manage detection based on a registered DIN
• Provide alerting to any framework capable system
• Provide verbose, detailed logging on the findings of the Nugget Farm
• Make intelligent use of all data discovered during the evaluation process
An implementation of the NRT goals on a Snort platform
Target: Malicious pdf files
Let’s pretend that the PDF nugget already has the data…
Why are we passing back files?
• MD5 is stored for files and subcomponents, both bad and good
• Primarily this is used to avoid reprocessing files we’ve already looked at
• But after an update to any DIN, all known-good entries are “tainted”
• After an update to detection, previously analyzed files may be found to be bad
• We don’t rescan all files
• But if we see a match for md5 to a previous file, we will alert retroactively
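The cache, taint and retroactive-alert behaviour described above, as an added Python example (not the NRT Dispatcher's own code): verdicts are keyed by MD5 as the slides do, a DIN version change taints only that DIN's known-good entries, a tainted hit is sent for rescan rather than answered from cache, and a bad verdict is pushed to every Data Handler that ever observed the hash. Class and method names, the decision strings and the sample bytes are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Verdict:
    """Outcome a Deep Inspection Nugget (DIN) reported for one MD5."""
    din: str
    din_version: int
    malicious: bool
    info: str = ""
    tainted: bool = False  # set when the DIN that produced it was updated


@dataclass
class Alert:
    handler: str
    md5: str
    metadata: dict
    info: str
    retroactive: bool


class Dispatcher:
    """Hypothetical dispatcher core: MD5 cache + observers + alert fan-out."""

    def __init__(self) -> None:
        self.din_versions: Dict[str, int] = {}
        self.cache: Dict[str, Verdict] = {}
        # md5 -> every (handler, metadata) that submitted it, oldest first
        self.observations: Dict[str, List[Tuple[str, dict]]] = {}
        self.alerts: List[Alert] = []

    def register_din(self, name: str, version: int) -> int:
        """Register or update a DIN. A version change taints the known-good
        verdicts it produced (known-bad stays bad). Returns the taint count."""
        previous = self.din_versions.get(name)
        self.din_versions[name] = version
        tainted = 0
        if previous is not None and previous != version:
            for v in self.cache.values():
                if v.din == name and not v.malicious and not v.tainted:
                    v.tainted = True
                    tainted += 1
        return tainted

    def submit(self, handler: str, data: bytes, metadata: dict) -> Tuple[str, str]:
        """Data Handler query: evaluated before? where should it go?
        Returns (decision, md5), decision in {"scan", "clean", "alert"}."""
        # MD5 is what the slides key on; a collision-resistant hash would be
        # the better cache key, but the page's design is kept here.
        md5 = hashlib.md5(data).hexdigest()
        self.observations.setdefault(md5, []).append((handler, metadata))
        verdict = self.cache.get(md5)
        if verdict is None or verdict.tainted:
            return "scan", md5          # not seen, or seen by a stale DIN
        if verdict.malicious:
            self.alerts.append(Alert(handler, md5, metadata, verdict.info, False))
            return "alert", md5
        return "clean", md5

    def report(self, md5: str, verdict: Verdict) -> int:
        """DIN result. A bad verdict goes to every observer of this MD5; all
        but the most recent one receive it retroactively. Returns alert count."""
        self.cache[md5] = verdict
        if not verdict.malicious:
            return 0
        observers = self.observations.get(md5, [])
        last = len(observers) - 1
        for i, (handler, meta) in enumerate(observers):
            self.alerts.append(Alert(handler, md5, meta, verdict.info, i < last))
        return len(observers)
```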
• When a subcomponent alerts, it is stored for logging in its fully normalized state.
• If a file is bad, when the DIN completes detection it passes the file to the Dispatcher
• Response teams have the entire file as well as each portion that alerted in an easily analyzed format
• Verbose data back to Data Handler should also be as verbose as possible
• In this case we place data into the payload and provide a custom message to Snort so we can use established methods of handling Snort alerts
04/16-16:38:48.1271450328 [**] [300:3221225473:1] URL:/users/pusscat/jbig2.pdf Hostname:metasploit.com Alert Info:Probable exploit of CVE-2009-0658 (JBIG2) detected in object 8, declared as /Length 33/Filter [/FlateDecode/ASCIIHexDecode/JBIG2Decode ] [**] {TCP} 64.214.53.2:0 -> 216.75.1.230:0
    04/16-16:38:48.12714503280:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x0
    64.214.53.2:0 -> 216.75.1.230:0 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1280
    ***AP*** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20
    55 52 4C 3A 2F 75 73 65 72 73 2F 70 75 73 73 63 URL:/users/pussc
    61 74 2F 6A 62 69 67 32 2E 70 64 66 20 48 6F 73 at/jbig2.pdf Hos
    74 6E 61 6D 65 3A 6D 65 74 61 73 70 6C 6F 69 74 tname:metasploit
    2E 63 6F 6D 20 41 6C 65 72 74 20 49 6E 66 6F 3A .com Alert Info:
    50 72 6F 62 61 62 6C 65 20 65 78 70 6C 6F 69 74 Probable exploit
    20 6F 66 20 43 56 45 2D 32 30 30 39 2D 30 36 35    of CVE-2009-065
    38 20 28 4A 42 49 47 32 29 20 64 65 74 65 63 74 8 (JBIG2) detect
    65 64 20 69 6E 20 6F 62 6A 65 63 74 20 38 2C 20 ed in object 8,
    64 65 63 6C 61 72 65 64 20 61 73 20 2F 4C 65 6E declared as /Len
    67 74 68 20 33 33 2F 46 69 6C 74 65 72 20 5B 2F gth 33/Filter [/
    46 6C 61 74 65 44 65 63 6F 64 65 2F 41 53 43 49 FlateDecode/ASCI
    49 48 65 78 44 65 63 6F 64 65 2F 4A 42 49 47 32 IHexDecode/JBIG2
    44 65 63 6F 64 65 20 5D 20                        Decode ]
Seriously, what would you do with a pointer and a size?
• Create file format templates which parse our elements and provide you a data structure
• Provide a full, common, scripting language interface to create rules (Ruby? Python? Both?)
• Only do the heavy work (templating) once per file format.
JBIG, ASCII Hex Decoding & Inflation
04/21-11:17:58.1271873878 [**] [300:3221225473:1] URL:/wrl/first.pdf Hostname:wrl Alert Info:Probable exploit of CVE-2009-0658 (JBIG2) detected in object 8, declared as /Length 29/Filter [/FlateDecode/ASCIIHexDecode/JBIG2Decode ] [**] {TCP} 192.168.0.1:0 -> 204.15.227.178:0
04/21-11:17:58.12718738780:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x0
192.168.0.1:0 -> 204.15.227.178:0 TCP TTL:240 TOS:0x10 ID:0 IpLen:20
   DgmLen:1280
***AP*** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20
55 52 4C 3A 2F 77 72 6C 2F 66 69 72 73 74 2E 70 URL:/wrl/first.p
64 66 20 48 6F 73 74 6E 61 6D 65 3A 77 72 6C 20 df Hostname:wrl
41 6C 65 72 74 20 49 6E 66 6F 3A 50 72 6F 62 61 Alert Info:Proba
62 6C 65 20 65 78 70 6C 6F 69 74 20 6F 66 20 43 ble exploit of C
56 45 2D 32 30 30 39 2D 30 36 35 38 20 28 4A 42 VE-2009-0658 (JB
49 47 32 29 20 64 65 74 65 63 74 65 64 20 69 6E IG2) detected in
20 6F 62 6A 65 63 74 20 38 2C 20 64 65 63 6C 61   object 8, decla
72 65 64 20 61 73 20 2F 4C 65 6E 67 74 68 20 32 red as /Length 2
39 2F 46 69 6C 74 65 72 20 5B 2F 46 6C 61 74 65 9/Filter [/Flate
44 65 63 6F 64 65 2F 41 53 43 49 49 48 65 78 44 Decode/ASCIIHexD
65 63 6F 64 65 2F 4A 42 49 47 32 44 65 63 6F 64 ecode/JBIG2Decod
65 20 5D 20                                      e ]
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
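The alert above names the chain /Filter [/FlateDecode/ASCIIHexDecode/JBIG2Decode], and PDF applies listed filters in that order when decoding. The Python below is an added example, not the PDF nugget's code: it parses the filter array out of a stream dictionary, undoes the two generic filters, and stops at JBIG2Decode, which is an image codec that a format-specific parser would take over. The flat-dictionary object layout, the regexes and the sample bytes are constructed assumptions.

```python
import binascii
import re
import zlib
from typing import List, Tuple

# Filters a generic PDF nugget can undo itself; anything else (JBIG2Decode,
# DCTDecode, ...) is left for a format-specific parser.
GENERIC_FILTERS = ("FlateDecode", "ASCIIHexDecode")


def parse_filters(stream_dict: bytes) -> List[str]:
    """Return the /Filter chain in application order (first listed is applied
    first when decoding). Accepts `/Filter /Name` and `/Filter [/A/B]`."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", stream_dict)
    if not m:
        return []
    return [n.decode("ascii") for n in re.findall(rb"/(\w+)", m.group(1))]


def ascii_hex_decode(data: bytes) -> bytes:
    """ASCIIHexDecode: whitespace ignored, '>' ends the data, and a trailing
    odd digit is padded with 0 (PDF 32000-1, 7.4.2)."""
    end = data.find(b">")
    if end != -1:
        data = data[:end]
    digits = re.sub(rb"\s+", b"", data)
    if len(digits) % 2:
        digits += b"0"
    return binascii.unhexlify(digits)


def decode_stream(obj: bytes) -> Tuple[bytes, List[str], List[str]]:
    """Extract the stream of one flat-dictionary PDF object, apply the generic
    filters in order, and return (bytes, applied filters, remaining filters)."""
    m = re.search(rb"<<(.*?)>>\s*stream\r?\n", obj, re.S)
    if not m:
        raise ValueError("no stream dictionary found")
    stream_dict, start = m.group(1), m.end()
    # A direct /Length is honoured; an indirect one (`12 0 R`) or none at all
    # falls back to scanning for the endstream keyword.
    length = re.search(rb"/Length\s+(\d+)(?![\d\s]*R)", stream_dict)
    if length:
        data = obj[start:start + int(length.group(1))]
    else:
        data = obj[start:obj.find(b"endstream", start)].rstrip(b"\r\n")
    filters = parse_filters(stream_dict)
    applied: List[str] = []
    for name in filters:
        if name not in GENERIC_FILTERS:
            break  # hand the rest to the format-specific nugget
        data = zlib.decompress(data) if name == "FlateDecode" else ascii_hex_decode(data)
        applied.append(name)
    return data, applied, filters[len(applied):]


def build_sample(raw: bytes) -> bytes:
    """Constructed test object. The encoder applies filters in reverse of the
    declared chain: raw -> ASCIIHex -> Flate, declared like the page's alert."""
    encoded = zlib.compress(binascii.hexlify(raw).upper() + b">")
    header = (b"<</Length %d/Filter [/FlateDecode/ASCIIHexDecode/JBIG2Decode ]>>"
              b"stream\n" % len(encoded))
    return header + encoded + b"\nendstream"
```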
What is that JavaScript up to?
[**] [300:2147483653:1] URL:/wrl/first.pdf Hostname:wrl Alert Info:The JavaScript variables in object 6, declared as /Length 5994/Filter [/FlateDecode/ASCIIHexDecode ] , show a high degree of entropy [**]

You tell me, does this string of variable names look weird to you?

   EvctenMNtrWDQVBKGrwGxrxKfMiZoYziRxAFEfjMdXRzjGNqVZYEAqogviSvzHp
   GpCkihcVtXRWcHphvhAnPOXnrxmTXJEUIkcYzelWZUCuIyKArtJvcEQXzUjHEzu
   SjGEJugOyFQnaSplNWwQsqOoV


[**] [300:2147483649:1] URL:/wrl/first.pdf Hostname:wrl Alert Info:Found in the Javascript block, while searching object 6: unescape [**]

Wait, did someone say unescape…
• Sig up some common GetEIP techniques…
• Heuristically hunt down shellcode decoder stubs
• Decode and parse shellcode
• Give back some REAL data.
What is that unescape up to….
[**] [300:3221225482:1] URL:/wrl/first.pdf Hostname:wrl Alert Info:Reverse TCP connectback shellcode detected. Connecting to 10.4.4.10 on port 4444 [**]

Looking at the following:
[hex dump of the encoded shellcode block from the slide, elided here]
Gave us the shellcode type as well as the IP and port combination the connect back goes to.
Wouldn’t it be great if something knew to start listening?
• Take that IP address and Port, and auto-tcpdump when you get an alert
• Watch everything the attacker does over that back channel on the fly
• Poor-man’s netwitness. (Can I say that?)
• How about a custom post-mortem debugger on every enterprise desktop?
• Have it alert to your central dispatcher and dump whatever loaded file is the crash culprit.
• Get both failed exploit attempts and possibly a few free 0-day to sell on the side!
• Make use of BinCrowd!
  • Yank down a whole community’s set of symbols for that questionable sample you just got a hold of – malware reuses code too!
• Not all of your machines have hardware DEP?
  • Run one machine with DEP, use that custom post mortem, still get near real time knowledge of attacks
• DLP is serious business
  • Store more than one checksum type for sensitive data. Custom nuggets can make it easy.
Circus Tickets!
• We have hosted on http://labs.snort.org a package that contains:
  • Snort Preprocessor for snagging .exe, .dll and .pdf files from live traffic
  • A commented library that will allow you to thread calls to a detection function
  • A “Dumb Nugget” to simply write these files to disk
  • A “Clam Nugget” to pass these files to ClamAV
  • Local cache system to reduce detection overhead
  • Alerting system that fires Snort alerts with arbitrary data
• Disclaimer
  • For serious, this code was put together to pitch the idea to management. It is…well, it is what it is.
  • This project is a research project in the VRT; no timeline for release either as open source or a Sourcefire product has been determined.
  • We’ll update it as we integrate the full dispatcher->data handler->deep inspection nugget code.
• System Architects:
  • Matthew Olney
  • Lurene Grenier
  • Patrick Mullen
  • Nigel Houghton
• Programmers:
  • Ryan Pentney (OMG CODE OUTPUT)
  • Alain Zidouemba (ClamAV integration)
• Database:
  • Alex Kambis
• File Format Research
  • Monica Sojeong Hong
  • Alex Kirk
• Infrastructure Support
  • Kevin “McLovin” Miklavcic
  • Christopher McBee
• Head Didn’t Fire Us During POC phase
  • Matthew Watchinski, Sr. Director, Vulnerability Research
Blog:
http://vrt-sourcefire.blogspot.com/
Place we store bad ideas:
http://labs.snort.org/
Twitter:
@vrt_sourcefire (VRT Twitter Account)
@kpyke (Matthew Olney)
@pusscat (Lurene Grenier)
@xram_lrak (Matthew Watchinski)
Sourcefire Vulnerability Research Team Labs

Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Último (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Sourcefire Vulnerability Research Team Labs

  • 1. What would you do with a pointer and a size?
  • 2. Why do we need a new detection framework?
  • 3. Attacks have switched from server attacks to client attacks
    - Common attack vectors are easily obfuscated
      - JavaScript
      - Compression
    - File formats are made by insane people
      - Looking at you Flash and OLE guy…
    - Back-channel systems are increasingly difficult to detect
  • 4. Inline systems must emulate the processing of 1000s of desktops
    - Detection of many backchannels is most successful with statistical evaluation of network traffic
  • 5. Broadly speaking, IDS systems deal with packet-by-packet inspection with some level of reassembly
    - Broadly speaking, AV systems typically target indicators of known bad files or system states
    - “…the argument put forward that there's something wrong with anti-virus products that don't detect metasploit output is fallacious on 2 counts: 1) the output isn't necessarily malware (usually only greyware), and 2) anti-virus products are not the proper defense against known exploits (patching is).” -- Kurt Wismer
  • 6. A system is needed that can handle varied detection needs
    - A system is needed that is extensible, open and scalable
    - A system is needed that facilitates incident response, not just triggers it
    - So……
  • 7. Near-Realtime Detection Framework or: “Anything is Possible”
  • 8. The heart of the NRT system
    - APIs to handle:
      - Deep Inspection Nugget registration
      - Data Handler registration
      - Detection requests
      - Alerting
      - Full analysis logging
      - Output to API compliant systems
    - Database driven
  • 9.
    - Implements a database to provide a centralized set of file information and
    - Handles incoming queries for Data Handlers that have failed local cache hits
    - Handles detection requests from both Data Handlers and DINs
    - Handles incoming results from Deep Inspection Nuggets
    - Handles database updates based on DIN data
    - Writes out verbose logging based on DIN data
    - Provides alerting to Data Handlers
  • 10. Capture data and metadata
    - Contact dispatcher for handling
      - Has this file been evaluated before?
      - Where should I send it?
    - Pass that data set to a Deep Inspection Nugget
    - Accept feedback from the Dispatcher for detection request
    - Asynchronous alerting
    - Local cache of detection outcome
  • 11.
    - Data (in this case a file) is captured
    - Metadata is captured (in this case URL and filename)
    - A local cache of MD5 sums and URLs of files previously collected
    - A library to handle managing the initial file evaluation, cache checks and communication with the Dispatcher
  • 12. Must handle data transfer from Data Handlers
    - Must communicate with Dispatcher
      - Register detection capability
      - Request for additional processing of subcomponents
      - Provide alerting feedback to Dispatcher
  • 13.
    - Registers with the Dispatcher
    - Processes data provided by the Data Handlers, as instructed by the Dispatcher
    - Handles incoming queries for Data Handlers that have failed local cache hits
    - Handles detection requests from both Data Handlers and DINs
    - Handles incoming results from Deep Inspection Nuggets
    - Handles database updates based on DIN data
    - Writes out verbose logging based on DIN data
    - Provides alerting to Data Handlers
  • 14. Provide entry to the system for any arbitrary data type
    - Determine and manage detection based on a registered DIN
    - Provide alerting to any framework capable system
    - Provide verbose, detailed logging on the findings of the Nugget Farm
    - Make intelligent use of all data discovered during the evaluation process
  • 15. An implementation of the NRT goals on a Snort platform
    - Target: Malicious pdf files
  • 16–27. (image-only slides; no text was extracted)
  • 28. Let’s pretend that the PDF nugget already has the data…
  • 29–47. (image-only slides; no text was extracted)
  • 48. Why are we passing back files?
  • 49. MD5 is stored for files and subcomponents, both bad and good
    - Primarily this is used to avoid reprocessing files we’ve already looked at
    - But after an update to any DIN, all known-good entries are “tainted”
  • 50. After an update to detection, previously analyzed files may be found to be bad
    - We don’t rescan all files
    - But if we see a match for md5 to a previous file, we will alert retroactively
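The cache and retroactive-alert behaviour of slides 10, 11, 49 and 50, worked through as an added example. This is not VRT code: the `Dispatcher`, `DataHandler` and `Verdict` classes, the `pdf_din` stand-in nugget and the two sample PDFs are all constructed here. The one design point the slides leave implicit, and which the example makes explicit, is that a DIN update must also invalidate the Data Handlers' local known-good entries, or a cached "clean" answer would mask the rescan.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample documents (not from the slides): a benign PDF and one whose
# object 8 declares the JBIG2Decode filter chain quoted in the NRT alert.
GOOD_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%%EOF"
JBIG2_PDF = (b"%PDF-1.4\n8 0 obj<</Length 33/Filter[/FlateDecode/ASCIIHexDecode/JBIG2Decode]>>"
             b"stream\n...\nendstream\nendobj\n%%EOF")


def md5_hex(data: bytes) -> str:
    # MD5 is the cache key the slides describe: an identity for "seen before", not a security control
    return hashlib.md5(data).hexdigest()


def pdf_din(data: bytes, version: int):
    """Stand-in Deep Inspection Nugget (hypothetical). Version 1 only knows about
    /JavaScript; version 2 adds a JBIG2 check and plays the part of 'an update to any DIN'."""
    if b"/JavaScript" in data:
        return True, "JavaScript object present"
    if version >= 2 and b"/JBIG2Decode" in data:
        return True, "JBIG2Decode filter declared"
    return False, ""


@dataclass
class Verdict:
    bad: bool
    din_version: int   # detection version that produced the verdict
    info: str = ""


class Dispatcher:
    """Central verdict store keyed by MD5 (the database of slides 9, 49 and 50)."""

    def __init__(self, din):
        self.din = din
        self.din_version = 1
        self.verdicts = {}      # md5 -> Verdict
        self.alerts = []        # (md5, url, info) in the order they were raised
        self.handlers = []
        self.scans = 0          # how often a DIN actually ran

    def register(self, handler):
        self.handlers.append(handler)

    def evaluate(self, data: bytes, url: str) -> Verdict:
        h = md5_hex(data)
        v = self.verdicts.get(h)
        if v is not None:
            if v.bad:                        # known bad: alert retroactively, never rescan
                self.alerts.append((h, url, v.info))
                return v
            if v.din_version == self.din_version:
                return v                     # known good under current detection
            # known good under an older DIN: tainted, fall through and rescan
        self.scans += 1
        bad, info = self.din(data, self.din_version)
        v = Verdict(bad, self.din_version, info)
        self.verdicts[h] = v
        if bad:
            self.alerts.append((h, url, info))
        return v

    def update_din(self):
        """A DIN update taints every known-good entry; handler caches must follow suit."""
        self.din_version += 1
        for hd in self.handlers:
            hd.flush_good()


class DataHandler:
    """Capture side (slides 10 and 11): a local MD5/URL cache in front of the Dispatcher."""

    def __init__(self, dispatcher: Dispatcher):
        self.dispatcher = dispatcher
        self.local_cache = {}   # md5 -> (url, bad)
        self.round_trips = 0
        dispatcher.register(self)

    def capture(self, data: bytes, url: str) -> bool:
        h = md5_hex(data)
        hit = self.local_cache.get(h)
        if hit is not None:
            return hit[1]
        self.round_trips += 1
        v = self.dispatcher.evaluate(data, url)
        self.local_cache[h] = (url, v.bad)
        return v.bad

    def flush_good(self):
        self.local_cache = {h: e for h, e in self.local_cache.items() if e[1]}


def run_scenario() -> dict:
    """Walk one file through a detection update and return the observable outcomes."""
    d = Dispatcher(pdf_din)
    sensor_a = DataHandler(d)
    first = sensor_a.capture(JBIG2_PDF, "/users/x/jbig2.pdf")     # v1 DIN: looks clean
    repeat = sensor_a.capture(JBIG2_PDF, "/users/x/jbig2.pdf")    # served from local cache
    d.update_din()                                                 # detection improves
    after = sensor_a.capture(JBIG2_PDF, "/users/x/jbig2.pdf")     # tainted entry rescanned
    sensor_b = DataHandler(d)
    elsewhere = sensor_b.capture(JBIG2_PDF, "/mirror/jbig2.pdf")  # MD5 match: retroactive alert, no rescan
    benign = sensor_b.capture(GOOD_PDF, "/docs/clean.pdf")
    return {"first": first, "repeat": repeat, "after": after, "elsewhere": elsewhere,
            "benign": benign, "scans": d.scans, "alerts": len(d.alerts),
            "round_trips_a": sensor_a.round_trips}
```

Running `run_scenario()` shows the file judged clean once, the second sighting served locally, the third rescanned after the update and alerted, and a second sensor's sighting alerted straight from the MD5 match with no further DIN run.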
  • 51. When a subcomponent alerts, it is stored for logging in its fully normalized state.
    - If a file is bad, when the DIN completes detection it passes the file to the Dispatcher
    - Response teams have the entire file as well as each portion that alerted in an easily analyzed format
  • 52. Verbose data back to Data Handler should also be as verbose as possible
    - In this case we place data into the payload and provide a custom message to Snort so we can use established methods of handling Snort alerts
    04/16-16:38:48.1271450328 [**] [300:3221225473:1] URL:/users/pusscat/jbig2.pdf Hostname:metasploit.com Alert Info:Probable exploit of CVE-2009-0658 (JBIG2) detected in object 8, declared as /Length 33/Filter [/FlateDecode/ASCIIHexDecode/JBIG2Decode ] [**] {TCP} 64.214.53.2:0 -> 216.75.1.230:0
    04/16-16:38:48.1271450328 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x0
    64.214.53.2:0 -> 216.75.1.230:0 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1280
    ***AP*** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20
    55 52 4C 3A 2F 75 73 65 72 73 2F 70 75 73 73 63  URL:/users/pussc
    61 74 2F 6A 62 69 67 32 2E 70 64 66 20 48 6F 73  at/jbig2.pdf Hos
    74 6E 61 6D 65 3A 6D 65 74 61 73 70 6C 6F 69 74  tname:metasploit
    2E 63 6F 6D 20 41 6C 65 72 74 20 49 6E 66 6F 3A  .com Alert Info:
    50 72 6F 62 61 62 6C 65 20 65 78 70 6C 6F 69 74  Probable exploit
    20 6F 66 20 43 56 45 2D 32 30 30 39 2D 30 36 35   of CVE-2009-065
    38 20 28 4A 42 49 47 32 29 20 64 65 74 65 63 74  8 (JBIG2) detect
    65 64 20 69 6E 20 6F 62 6A 65 63 74 20 38 2C 20  ed in object 8,
    64 65 63 6C 61 72 65 64 20 61 73 20 2F 4C 65 6E  declared as /Len
    67 74 68 20 33 33 2F 46 69 6C 74 65 72 20 5B 2F  gth 33/Filter [/
    46 6C 61 74 65 44 65 63 6F 64 65 2F 41 53 43 49  FlateDecode/ASCI
    49 48 65 78 44 65 63 6F 64 65 2F 4A 42 49 47 32  IHexDecode/JBIG2
    44 65 63 6F 64 65 20 5D 20                       Decode ]
  • 53. Seriously, what would you do with a pointer and a size?
  • 54. Create file format templates which parse our elements and provide you a data structure
    - Provide a full, common, scripting language interface to create rules (Ruby? Python? Both?)
    - Only do the heavy work (templating) once per file format.
  • 55. JBIG, ASCII Hex Decoding & Inflation
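A small file-format template of the kind slide 54 describes, with the decoding chain of slide 55 applied to it, as an added example rather than the VRT's own PDF nugget. It is a deliberately thin PDF object parser (regular expressions over `N G obj ... endobj`, direct `/Length` values only, no cross-reference table or object streams), written here for illustration; the sample document is constructed, and its innermost bytes are a placeholder rather than real JBIG2 data. The rule at the end only reports the declared filter chain, which is what the alert text on the slides prints; the actual CVE-2009-0658 check the DIN performs on the decoded JBIG2 segments is not shown on the page and is not reproduced.

```python
import binascii
import re
import zlib
from dataclasses import dataclass, field
from typing import List, Optional

OBJ_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?>>)\s*(?:stream\r?\n(.*?)\r?\nendstream\s*)?endobj", re.S)
FILTER_RE = re.compile(rb"/Filter\s*(?:\[([^\]]*)\]|/(\w+))")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")   # direct lengths only, not 'N 0 R'
NAME_RE = re.compile(rb"/(\w+)")


@dataclass
class PdfObject:
    num: int
    gen: int
    length: Optional[int]
    filters: List[str]
    raw_stream: Optional[bytes]
    decoded: Optional[bytes] = None                      # stream after every filter we could apply
    undecoded: List[str] = field(default_factory=list)   # filters left unapplied, in order

    def declared_as(self) -> str:
        """Render the '/Length N/Filter [...]' text the NRT alerts print."""
        s = "/Length %s" % ("?" if self.length is None else self.length)
        if self.filters:
            s += "/Filter [" + "".join("/" + f for f in self.filters) + " ]"
        return s


def ascii_hex_decode(data: bytes) -> bytes:
    body = data.split(b">", 1)[0]           # '>' is the end-of-data marker
    digits = re.sub(rb"\s+", b"", body)
    if len(digits) % 2:                     # a lone final digit is read as if followed by 0
        digits += b"0"
    return binascii.unhexlify(digits)


# Decoders we can run inline; anything else (JBIG2Decode here) stops the chain
DECODERS = {"FlateDecode": zlib.decompress, "ASCIIHexDecode": ascii_hex_decode}


def parse_pdf(data: bytes) -> List[PdfObject]:
    """Template step: turn raw bytes into a list of objects with their filter chains applied."""
    objs = []
    for m in OBJ_RE.finditer(data):
        d, stream = m.group(3), m.group(4)
        fm, lm = FILTER_RE.search(d), LENGTH_RE.search(d)
        filters = []
        if fm:
            names = fm.group(1) if fm.group(1) is not None else b"/" + fm.group(2)
            filters = [n.decode() for n in NAME_RE.findall(names)]
        obj = PdfObject(int(m.group(1)), int(m.group(2)),
                        int(lm.group(1)) if lm else None, filters, stream)
        if stream is not None:
            cur = stream
            for i, f in enumerate(filters):      # filters apply in the declared order
                dec = DECODERS.get(f)
                if dec is None:
                    obj.undecoded = filters[i:]
                    break
                try:
                    cur = dec(cur)
                except (zlib.error, binascii.Error):
                    obj.undecoded = filters[i:]  # corrupt data: keep what we had so far
                    break
            obj.decoded = cur
        objs.append(obj)
    return objs


def rule_jbig2_declared(objs: List[PdfObject]):
    """Example rule over the template: objects whose filter chain declares JBIG2Decode."""
    return [(o.num, "JBIG2Decode stream in object %d, declared as %s" % (o.num, o.declared_as()))
            for o in objs if "JBIG2Decode" in o.filters]


def build_sample_pdf() -> bytes:
    """Constructed document: object 6 is a Flate-only stream, object 8 mimics the alert's
    Flate -> ASCIIHex -> JBIG2 chain (the innermost bytes are a placeholder, not real JBIG2)."""
    js = zlib.compress(b"var a = 1;")
    jb = zlib.compress(binascii.hexlify(b"JBIG2 placeholder bytes").upper() + b">")
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<</Type/Catalog/Pages 2 0 R>>\nendobj\n",
        b"6 0 obj\n<</Length ", str(len(js)).encode(), b"/Filter /FlateDecode>>\n",
        b"stream\n", js, b"\nendstream\nendobj\n",
        b"8 0 obj\n<</Length ", str(len(jb)).encode(),
        b"/Filter [/FlateDecode/ASCIIHexDecode/JBIG2Decode ]>>\n",
        b"stream\n", jb, b"\nendstream\nendobj\n",
        b"%%EOF\n",
    ])
```

`parse_pdf(build_sample_pdf())` yields three objects; object 8 comes back inflated and hex-decoded with `undecoded == ["JBIG2Decode"]`, so a rule written against the template sees the JBIG2 bytes without having to know how they were wrapped.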
  • 56. 04/21-11:17:58.1271873878 [**] [300:3221225473:1] URL:/wrl/first.pdf Hostname:wrl Alert Info:Probable exploit of CVE-2009-0658 (JBIG2) detected in object 8, declared as /Length 29/Filter [/FlateDecode/ASCIIHexDecode/JBIG2Decode ] [**] {TCP} 192.168.0.1:0 -> 204.15.227.178:0
    04/21-11:17:58.1271873878 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x0
    192.168.0.1:0 -> 204.15.227.178:0 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1280
    ***AP*** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20
    55 52 4C 3A 2F 77 72 6C 2F 66 69 72 73 74 2E 70  URL:/wrl/first.p
    64 66 20 48 6F 73 74 6E 61 6D 65 3A 77 72 6C 20  df Hostname:wrl
    41 6C 65 72 74 20 49 6E 66 6F 3A 50 72 6F 62 61  Alert Info:Proba
    62 6C 65 20 65 78 70 6C 6F 69 74 20 6F 66 20 43  ble exploit of C
    56 45 2D 32 30 30 39 2D 30 36 35 38 20 28 4A 42  VE-2009-0658 (JB
    49 47 32 29 20 64 65 74 65 63 74 65 64 20 69 6E  IG2) detected in
    20 6F 62 6A 65 63 74 20 38 2C 20 64 65 63 6C 61   object 8, decla
    72 65 64 20 61 73 20 2F 4C 65 6E 67 74 68 20 32  red as /Length 2
    39 2F 46 69 6C 74 65 72 20 5B 2F 46 6C 61 74 65  9/Filter [/Flate
    44 65 63 6F 64 65 2F 41 53 43 49 49 48 65 78 44  Decode/ASCIIHexD
    65 63 6F 64 65 2F 4A 42 49 47 32 44 65 63 6F 64  ecode/JBIG2Decod
    65 20 5D 20                                      e ]
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
  • 57. What is that JavaScript up to?
  • 58. [**] [300:2147483653:1] URL:/wrl/first.pdf Hostname:wrl Alert Info:The JavaScript variables in object 6, declared as /Length 5994/Filter [/FlateDecode/ASCIIHexDecode ] , show a high degree of entropy [**]
    You tell me, does this string of variable names look weird to you?
    EvctenMNtrWDQVBKGrwGxrxKfMiZoYziRxAFEfjMdXRzjGNqVZYEAqogviSvzHp
    GpCkihcVtXRWcHphvhAnPOXnrxmTXJEUIkcYzelWZUCuIyKArtJvcEQXzUjHEzu
    SjGEJugOyFQnaSplNWwQsqOoV
    [**] [300:2147483649:1] URL:/wrl/first.pdf Hostname:wrl Alert Info:Found in the Javascript block, while searching object 6: unescape [**]
    Wait, did someone say unescape…
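The two JavaScript checks behind the alerts on slide 58 (variable-name entropy and a search for `unescape`), written as an added example. This is not the VRT nugget's code and the slides do not say how it measures entropy; the example uses Shannon entropy over the characters of all `var`-declared names, with a constructed threshold of 4.4 bits per character and a minimum of 16 characters so that a script with two short names is not judged on noise. The two sample scripts are constructed, and the decoded `unescape` argument in the second is just "AA".

```python
import math
import re
from collections import Counter

VAR_RE = re.compile(r"\bvar\s+([A-Za-z_$][\w$]*)")
SUSPICIOUS_RE = re.compile(r"\b(unescape|eval|String\.fromCharCode)\s*\(")


def shannon_entropy(s: str) -> float:
    """Bits per character over the character distribution of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def analyze_js(js: str, threshold: float = 4.4, min_chars: int = 16) -> dict:
    """Score a decoded JavaScript block the way slide 58's alerts describe."""
    names = VAR_RE.findall(js)
    joined = "".join(names)
    entropy = shannon_entropy(joined)
    findings = []
    # Too few characters and the estimate is noise, so only judge real name sets
    high = len(joined) >= min_chars and entropy > threshold
    if high:
        findings.append("The JavaScript variables show a high degree of entropy (%.2f bits/char)" % entropy)
    calls = sorted(set(SUSPICIOUS_RE.findall(js)))
    for c in calls:
        findings.append("Found in the JavaScript block: %s" % c)
    return {"names": names, "entropy": round(entropy, 3), "high_entropy": high,
            "suspicious_calls": calls, "findings": findings}


# Constructed samples (not from the slides): a plain form script and an obfuscated one.
# Hand-written English names cluster on a few letters; generated names spread evenly.
PLAIN_JS = """
var count = 0;
var total = 10;
var name = "report";
var index = 0;
function show() { app.alert(name + total); }
"""

OBFUSCATED_JS = """
var qZxWvuTsRpOnMlKjIhGf = "%41%41";
var EdCbAyXwVuTsRqPoNmLk = unescape(qZxWvuTsRpOnMlKjIhGf);
var JiHgFeDcBaZyXwVuTsRq = EdCbAyXwVuTsRqPoNmLk + EdCbAyXwVuTsRqPoNmLk;
"""
```

On these inputs the plain script scores roughly 3.4 bits per character with no findings, while the obfuscated one scores above 5 and additionally reports the `unescape` call, which is the hand-off point to the shellcode checks the next slides describe.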
  • 59. Sig up some common GetEIP techniques…
    - Heuristically hunt down shellcode decoder stubs
    - Decode and parse shellcode
    - Give back some REAL data.
  • 60. What is that unescape up to….
  • 61. [**] [300:3221225482:1] URL:/wrl/first.pdf Hostname:wrl Alert Info:Reverse TCP connectback shellcode detected. Connecting to 10.4.4.10 on port 4444 [**]
    Looking at the following:
    10 d4 77 74 71 20 f6 d3 e0 70 66 0c 7a 40 73 72
    78 2f be 37 04 91 a8 46 93 41 1c 24 b0 b4 b1 3d
    43 b5 96 15 7d 4e 9b 7e 48 42 8d 12 f7 eb 4f 0d
    7b 4a 25 08 d5 1d 0b ff c6 c0 e3 03 f5 b3 b2 34
    71 18 fd ba 75 77 25 3c b8 7b 30 d4 43 78 1c 2a
    . . .
    bf 98 35 a5 af 98 1d 1f e0 17 95 0a 3a 5f 1f f0
    87 c2 71 f1 e5 a0 77 f5 fe 94 fc 13 85 d8 23 a2
    87 51 d0 81 8e 37 a0 70 2f bc 79 0a a1 c0 00 19
    87 38 c0 57 b9 37 a0 9f ef a2 71 a3 b8 a0 77 2c
    27 97 8a 20 64 fe 1f b5 87 c8 65 f5 ef 9e 1f f5
    87 90 d1 a6 0a 37 a0 66 bc a2 75 a3 bc 9f 1d f7
    36 00 2a 0a 3a c9 b6 dc 29 4d 83 80 03 0b 75 f5
    Gave us the shellcode type as well as the IP and port combination the connect back goes to.
    Wouldn’t it be great if something knew to start listening?
  • 62. Take that IP address and Port, and auto-tcpdump when you get an alert
    - Watch everything the attacker does over that back channel on the fly
    - Poor-man’s netwitness. (Can I say that?)
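The consumer side of the alert format from slides 52 and 61, and the "auto-tcpdump" step of slide 62, as an added example; none of this is VRT code. It recovers the payload the Data Handler packed into the Snort alert from the hex/ASCII dump (the rows below are copied from the slide 52 alert), parses the `URL:` / `Hostname:` / `Alert Info:` fields and the `gid:sid:rev` triple, and, when the alert text names a connect-back address and port, turns that into a BPF expression a capture tool can be started with. The `host ... and tcp port ...` filter shape and the field regexes are this example's assumptions about the format, taken from the alert text on the slides.

```python
import re

SID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")
FIELDS_RE = re.compile(r"URL:(\S+)\s+Hostname:(\S+)\s+Alert Info:(.*?)(?:\s*\[\*\*\]|$)", re.S)
CONNECT_RE = re.compile(r"Connecting to (\d{1,3}(?:\.\d{1,3}){3}) on port (\d{1,5})")
HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_hex_dump(dump: str) -> bytes:
    """Recover payload bytes from Snort's 16-bytes-per-row hex/ASCII dump.
    At most 16 tokens per row are taken, so ASCII-column words such as 'ed' are not
    mistaken for hex on full rows; a short final row ends at its first non-hex token,
    which is right unless the ASCII column there happens to start with a hex-looking word."""
    out = bytearray()
    for line in dump.splitlines():
        taken = 0
        for tok in line.split():
            if taken == 16 or not HEX_TOKEN.match(tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def parse_alert(text: str) -> dict:
    """Pull gid:sid:rev and the URL / Hostname / Alert Info fields the NRT Data Handler packs."""
    f = FIELDS_RE.search(text)
    if not f:
        return {}
    alert = {"url": f.group(1), "hostname": f.group(2), "alert_info": f.group(3).strip()}
    s = SID_RE.search(text)
    if s:
        alert["gid"], alert["sid"], alert["rev"] = (int(x) for x in s.groups())
    m = CONNECT_RE.search(alert["alert_info"])
    if m:
        alert["connectback"] = (m.group(1), int(m.group(2)))
    return alert


def capture_filter(alert: dict):
    """BPF expression for the back channel named in the alert, or None if it names none."""
    cb = alert.get("connectback")
    return None if cb is None else "host %s and tcp port %d" % cb


# Rows copied from the JBIG2 alert on slide 52; the two header lines show they are skipped
JBIG2_DUMP = """\
64.214.53.2:0 -> 216.75.1.230:0 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1280
***AP*** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20
55 52 4C 3A 2F 75 73 65 72 73 2F 70 75 73 73 63  URL:/users/pussc
61 74 2F 6A 62 69 67 32 2E 70 64 66 20 48 6F 73  at/jbig2.pdf Hos
74 6E 61 6D 65 3A 6D 65 74 61 73 70 6C 6F 69 74  tname:metasploit
2E 63 6F 6D 20 41 6C 65 72 74 20 49 6E 66 6F 3A  .com Alert Info:
50 72 6F 62 61 62 6C 65 20 65 78 70 6C 6F 69 74  Probable exploit
20 6F 66 20 43 56 45 2D 32 30 30 39 2D 30 36 35   of CVE-2009-065
38 20 28 4A 42 49 47 32 29 20 64 65 74 65 63 74  8 (JBIG2) detect
65 64 20 69 6E 20 6F 62 6A 65 63 74 20 38 2C 20  ed in object 8,
64 65 63 6C 61 72 65 64 20 61 73 20 2F 4C 65 6E  declared as /Len
67 74 68 20 33 33 2F 46 69 6C 74 65 72 20 5B 2F  gth 33/Filter [/
46 6C 61 74 65 44 65 63 6F 64 65 2F 41 53 43 49  FlateDecode/ASCI
49 48 65 78 44 65 63 6F 64 65 2F 4A 42 49 47 32  IHexDecode/JBIG2
44 65 63 6F 64 65 20 5D 20                       Decode ]
"""

# Alert line from slide 61
CONNECTBACK_ALERT = ("[**] [300:3221225482:1] URL:/wrl/first.pdf Hostname:wrl Alert Info:"
                     "Reverse TCP connectback shellcode detected. Connecting to 10.4.4.10 on port 4444 [**]")


def analyse_jbig2_dump() -> dict:
    """Decode the slide 52 payload and parse the fields out of it."""
    return parse_alert(parse_hex_dump(JBIG2_DUMP).decode("ascii"))
```

`analyse_jbig2_dump()` gives back the URL, hostname and the full "Probable exploit ... declared as ..." message, with no capture filter because that alert names no address; `capture_filter(parse_alert(CONNECTBACK_ALERT))` yields `host 10.4.4.10 and tcp port 4444`, which is the string the alert-driven capture on slide 62 would hand to tcpdump.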
  • 63. How about a custom post-mortem debugger on every enterprise desktop?
    - Have it alert to your central dispatcher and dump whatever loaded file is the crash culprit.
    - Get both failed exploit attempts and possibly a few free 0-day to sell on the side!
  • 64. Make use of BinCrowd!
    - Yank down a whole community’s set of symbols for that questionable sample you just got a hold of – malware reuses code too!
    - Not all of your machines have hardware DEP?
    - Run one machine with DEP, use that custom post mortem, still get near real time knowledge of attacks
    - DLP is serious business
    - Store more than one checksum type for sensitive data. Custom nuggets can make it easy.
  • 66. We have hosted on http://labs.snort.org a package that contains:
    - Snort Preprocessor for snagging .exe, .dll and .pdf files from live traffic
    - A commented library that will allow you to thread calls to a detection function
    - A “Dumb Nugget” to simply write these files to disk
    - A “Clam Nugget” to pass these files to ClamAV
    - Local cache system to reduce detection overhead
    - Alerting system that fires Snort alerts with arbitrary data
    - Disclaimer
      - For serious, this code was put together to pitch the idea to management; it is… well, it is what it is
      - This project is a research project in the VRT; no timeline for release either as open source or a Sourcefire product has been determined
      - We’ll update it as we integrate the full dispatcher->data handler->deep inspection nugget code
  • 67. System Architects:
    - Matthew Olney
    - Lurene Grenier
    - Patrick Mullen
    - Nigel Houghton
    Programmers:
    - Ryan Pentney (OMG CODE OUTPUT)
    - Alain Zidouemba (ClamAV integration)
    Database:
    - Alex Kambis
    File Format Research:
    - Monica Sojeong Hong
    - Alex Kirk
    Infrastructure Support:
    - Kevin “McLovin” Miklavcic
    - Christopher McBee
    Head Didn’t Fire Us During POC phase:
    - Matthew Watchinski, Sr. Director, Vulnerability Research
  • 68. Blog: http://vrt-sourcefire.blogspot.com/
    Place we store bad ideas: http://labs.snort.org/
    Twitter: @vrt_sourcefire (VRT Twitter Account), @kpyke (Matthew Olney), @pusscat (Lurene Grenier), @xram_lrak (Matthew Watchinski)