[Snort-users] [Emerging-Sigs] Matt Jonkman in the new Hakin9

Martin Holste mcholste at ...11827...
Wed Feb 2 17:23:12 EST 2011

> Yes, an infection is a failure. But we will always have failures. And you'll have hosts that come in from the outside already infected. You MUST focus on CnC channels, I don't see any alternative.

This is the key point.  We responded to over a thousand incidents last
year alone, and in each case, AV had been completely overtaken (only
even generating an alert about 1/3 of the time) and more than half of
the cases were on fully patched machines.  This is IDS's core
competency.  Packets will never lie (though you may misinterpret what
they say).  The same cannot be said of anything on a host that may
have been compromised.

The NSS testing is becoming increasingly irrelevant because exploits
aren't actionable--infections are.  If I told you that you could have
the choice between a magic blinking box that told you whenever a host
was infected versus a box that told you whenever someone tried to
infect a box, wouldn't you go with the first one?  Most orgs aren't
interested in attempts--they're interested in break-ins.  The idea of
detecting exploits via IDS comes from way back in the 90's when CnC
channels (or malware) didn't really exist like they do now.  Your only
chance then was to detect the break-in.  There's been a complete
reversal in the last few years and now your only real chance is to
detect the CnC channel because the exploit doesn't really exist like
it did then.

Exploit code is far more likely to be encrypted/encoded than check-in
traffic (URL's at least).  It is almost impossible to write signatures
to catch the exploits in the wild for anything more than the PoC
examples or the kit-of-the-day.  So many SF and ET signatures look for
things like CLSID's for ActiveX objects, which will almost never hit
on an actual exploit, because they will be heavily obfuscated with
Javascript.  It's very unfortunate, because most Snort instances will
be dropping packets because of the wasted cycles on those signatures,
so they're missing the check-ins as well.  You can get far better
results by running a handful of signatures to look for basic file
types like executables, PDF, Flash, and Java, then matching those hits
(which will be very numerous) with disreputable autonomous systems
(AS's).  I bet anyone on this list a case of beer that the next JAR
file coming out of Latvia to their corporate network is a malware
loader (no cheating please!).

The other critical component to that is regarding Jason's point about
off-network infections.  CnC check-ins are your only hope at that
point--try to spot the already-infected devices so that they can be
cleaned.  Since the host has already failed to defend itself, the
network IDS is your last chance.

Both the Mandiant M-Trends and Verizon Data Breach Report each year
have been illustrating how futile it is to expect to be able to defend
all of your endpoints.  They do, however, show how damage isn't
usually done for days or weeks after the initial infection, so if you
can find the infected machines within a few business days, you've got
a good chance of emerging unscathed (other than the re-images, of

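The correlation described in the message above (a handful of file-type signatures whose hits are matched against disreputable autonomous systems), as an added example that is not part of the original post. The alert format, the prefix-to-ASN table and the watchlist are constructed for illustration, using documentation address ranges and documentation ASNs.

```python
import csv
import io
import ipaddress

# Constructed prefix-to-ASN table (documentation ranges and ASNs).
# Assumption: in practice this is loaded from whatever routing data you trust.
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "198.51.100.128/25": 64499,  # more specific route with a different origin
    "203.0.113.0/24": 64498,
}

# Hypothetical watchlist of ASNs the analyst considers disreputable.
WATCHLIST_ASNS = {64497, 64498}

# Constructed file-type alerts: time, file type, server IP, internal client IP.
SAMPLE_ALERTS = """\
2011-02-02T10:01:00,PDF,192.0.2.10,10.0.0.5
2011-02-02T10:02:00,JAR,203.0.113.7,10.0.0.8
2011-02-02T10:03:00,EXE,198.51.100.20,10.0.0.8
2011-02-02T10:04:00,SWF,198.51.100.200,10.0.0.9
2011-02-02T10:05:00,EXE,8.8.8.8,10.0.0.9
"""

# Most specific prefixes first, so the first match is the longest match.
_NETS = sorted(
    ((ipaddress.ip_network(p), asn) for p, asn in PREFIX_TO_ASN.items()),
    key=lambda item: item[0].prefixlen,
    reverse=True,
)

def asn_for(ip):
    """Longest-prefix match; None when the address is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, asn in _NETS:
        if addr in net:
            return asn
    return None

def suspicious_downloads(alert_text):
    """Return file-type hits served from a watchlisted AS, grouped by client."""
    by_client = {}
    for ts, ftype, server, client in csv.reader(io.StringIO(alert_text)):
        asn = asn_for(server)
        if asn in WATCHLIST_ASNS:
            by_client.setdefault(client, []).append((ts, ftype, server, asn))
    return by_client
```

Grouping by internal client turns the very numerous file-type hits into a short list of hosts to look at first.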