[Snort-users] was--Matt Jonkman in the new Hakin9--now detecting infections

Matthew Jonkman jonkman at ...15020...
Thu Feb 3 10:07:41 EST 2011

Bothunter is a spectacular tool! I highly recommend it. They use a subset of the ET rules, so what we're all contributing to emerging threats is helping improve Bothunter. Although in a relatively small way, most of its actions are based on much higher thought than static sigs. 

Metaflows.com is also a tool implementing bothunter for open and professional use with great results. I'm sure there will be more commercial uses of it very soon.


On Feb 3, 2011, at 9:42 AM, John York wrote:

> I agree wholeheartedly.  My biggest concern is getting to the infected machines ASAP, so that's what I *really* want alerts on.  The IPS, firewall, AV, web filter, no admin rights for users, etc all do what they can to prevent compromises.  If Joe Clueless clicks on enough bad things, one of them will get him eventually and the trick is to get the computer isolated immediately.
> BotHunter is a Snort-based system for detecting infections.  I've wanted to test it but have never had time.  Has anyone had good results with it?  ( I know I'm OT, but it is Snort-based--maybe only one drink ;-)
> Thanks
> John
> -----Original Message-----
> From: Martin Holste [mailto:mcholste at ...11827...] 
> Sent: Wednesday, February 02, 2011 5:23 PM
> To: Matthew Jonkman
> Cc: snort-users at lists.sourceforge.net; emerging-sigs at ...14333...
> Subject: Re: [Snort-users] [Emerging-Sigs] Matt Jonkman in the new Hakin9
>> Yes, an infection is a failure. But we will always have failures. And you'll have hosts that come in from the outside already infected. You MUST focus on CnC channels, I don't see any alternative.
> This is the key point.  We responded to over a thousand incidents last
> year alone, and in each case, AV had been completely overtaken (only
> even generating an alert about 1/3 of the time) and more than half of
> the cases were on fully patched machines.  This is IDS's core
> competency.  Packets will never lie (though you may misinterpret what
> they say).  The same cannot be said of anything on a host that may
> have been compromised.
> The NSS testing is becoming increasingly irrelevant because exploits
> aren't actionable--infections are.  If I told you that you could have
> the choice between a magic blinking box that told you whenever a host
> was infected versus a box that told you whenever someone tried to
> infect a box, wouldn't you go with the first one?  Most orgs aren't
> interested in attempts--they're interested in break-ins.  The idea of
> detecting exploits via IDS comes from way back in the 90's when CnC
> channels (or malware) didn't really exist like they do now.  Your only
> chance then was to detect the break-in.  There's been a complete
> reversal in the last few years and now your only real chance is to
> detect the CnC channel because the exploit doesn't really exist like
> it did then.
> Exploit code is far more likely to be encrypted/encoded than check-in
> traffic (URLs at least).  It is almost impossible to write signatures
> to catch the exploits in the wild for anything more than the PoC
> examples or the kit-of-the-day.  So many SF and ET signatures look for
> things like CLSIDs for ActiveX objects, which will almost never hit
> on an actual exploit, because they will be heavily obfuscated with
> Javascript.  It's very unfortunate, because most Snort instances will
> be dropping packets because of the wasted cycles on those signatures,
> so they're missing the check-ins as well.  You can get far better
> results by running a handful of signatures to look for basic file
> types like executables, PDF, Flash, and Java, then matching those hits
> (which will be very numerous) with disreputable autonomous systems
> (ASes).  I bet anyone on this list a case of beer that the next JAR
> file coming out of Latvia to their corporate network is a malware
> loader (no cheating please!).
> The other critical component to that is regarding Jason's point about
> off-network infections.  CnC check-ins are your only hope at that
> point--try to spot the already-infected devices so that they can be
> cleaned.  Since the host has already failed to defend itself, the
> network IDS is your last chance.
> Both the Mandiant M-Trends and Verizon Data Breach Report each year
> have been illustrating how futile it is to expect to be able to defend
> all of your endpoints.  They do, however, show how damage isn't
> usually done for days or weeks after the initial infection, so if you
> can find the infected machines within a few business days, you've got
> a good chance of emerging unscathed (other than the re-images, of
> course).

Matthew Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
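The correlation Martin describes above (a handful of cheap file-type signatures, then matching the very numerous hits against a list of disreputable ASes) as an added example in Python. This is not code from the thread, from BotHunter or from the ET ruleset; the rule text, SIDs, alert lines, prefix-to-ASN table and reputation list are all constructed for illustration, with external addresses drawn from the RFC 5737 documentation ranges.

```python
"""Correlate file-type IDS hits with disreputable source ASNs (added example)."""
import ipaddress
import re
from typing import Optional

# Hypothetical local rule of the kind the message describes: match the ZIP/JAR
# local-file-header magic at the start of an HTTP response body. It also fires
# on any ZIP download; that breadth is the point, the cheap rule is a collector
# and the AS reputation step below does the discrimination.
JAR_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"LOCAL FILETYPE JAR file download"; flow:from_server,established; '
    'file_data; content:"PK|03 04|"; depth:4; classtype:bad-unknown; '
    'sid:9000001; rev:1;)'
)

# Constructed Snort "fast" alert lines. SIDs, messages and addresses are
# hypothetical; 10.0.0.0/8 is the internal network, everything else external.
SAMPLE_ALERTS = """\
02/03-10:01:12.000001  [**] [1:9000001:1] LOCAL FILETYPE JAR file download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.17:80 -> 10.1.2.3:49152
02/03-10:01:15.000002  [**] [1:9000002:1] LOCAL FILETYPE PDF file download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.44:80 -> 10.1.2.4:49153
02/03-10:01:20.000003  [**] [1:9000003:1] LOCAL FILETYPE PE executable download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.9:443 -> 10.1.2.5:49154
02/03-10:01:25.000004  [**] [1:9000004:1] LOCAL FILETYPE Flash SWF download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.200:8080 -> 10.1.2.6:49155
02/03-10:01:30.000005  [**] [1:9000099:1] LOCAL ACTIVEX CLSID seen [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.17:80 -> 10.1.2.3:49156
"""

# Constructed prefix -> ASN table standing in for a BGP/whois lookup.
# Private-use ASNs (64500-64503) so nothing here names a real network.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500, "EXAMPLE-HOSTER-A"),
    (ipaddress.ip_network("203.0.113.128/25"), 64501, "EXAMPLE-BULLETPROOF"),
    (ipaddress.ip_network("192.0.2.0/24"), 64502, "EXAMPLE-CDN"),
    (ipaddress.ip_network("198.51.100.0/24"), 64503, "EXAMPLE-HOSTER-B"),
]

# Constructed reputation list: ASNs the analyst has decided to treat as hostile.
DISREPUTABLE_ASNS = {64500, 64501}

# Only alerts from the file-type collector rules take part in the correlation;
# the "FILETYPE" token in the msg is the local naming convention assumed here.
FILETYPE_MARKER = "FILETYPE"

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line: str) -> Optional[dict]:
    """Parse one Snort fast-format alert line; None if it is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    return alert


def lookup_asn(ip: str):
    """Longest-prefix match of ip against ASN_TABLE; (None, None) if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, name in ASN_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, name)
    return (best[1], best[2]) if best else (None, None)


def correlate(alert_text: str):
    """Return file-type downloads whose *server* (alert source) sits in a
    disreputable AS. The rule fires on the server-to-client direction, so the
    source address of the alert is the external host serving the file."""
    hits = []
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if not alert or FILETYPE_MARKER not in alert["msg"]:
            continue
        asn, name = lookup_asn(alert["src"])
        if asn in DISREPUTABLE_ASNS:
            hits.append({
                "victim": alert["dst"],
                "server": alert["src"],
                "asn": asn,
                "as_name": name,
                "msg": alert["msg"],
            })
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_ALERTS):
        print(f"{hit['victim']} pulled '{hit['msg']}' from {hit['server']} "
              f"(AS{hit['asn']} {hit['as_name']})")
```

On the constructed input only the JAR from 203.0.113.17 and the SWF from 203.0.113.200 survive: the PDF and PE hits come from ASes not on the list, and the CLSID alert is not a file-type collector hit at all. The file-type alerts themselves should stay at low priority and never page anyone; the correlated output is what goes to the analyst, and the client address in it is the host to isolate.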
