[Snort-users] was--Matt Jonkman in the new Hakin9--now detecting infections
gmb95125 at ...131...
Thu Feb 3 12:57:31 EST 2011
Hi Matt, John
MATT: Thanks for the mention!
JOHN: Take a look at www.metaflows.com. We have taken BotHunter and integrated
it into our network monitoring solution kit. You can download a free, personal
use copy of it from our website.
Let me know if I can be of more assistance to you. I included my metaflows email
From: Matthew Jonkman <jonkman at ...15020...>
To: John York <YorkJ at ...7109...>
Cc: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
Sent: Thu, February 3, 2011 7:07:41 AM
Subject: Re: [Snort-users] was--Matt Jonkman in the new Hakin9--now detecting
Bothunter is a spectacular tool! I highly recommend it. They use a subset of the
ET rules, so what we're all contributing to emerging threats is helping improve
Bothunter. Although in a relatively small way, most of its actions are based on
much higher thought than static sigs.
Metaflows.com is also a tool implementing bothunter for open and professional
use with great results. I'm sure there will be more commercial uses of it very
On Feb 3, 2011, at 9:42 AM, John York wrote:
> I agree wholeheartedly. My biggest concern is getting to the infected machines
>ASAP, so that's what I *really* want alerts on. The IPS, firewall, AV, web
>filter, no admin rights for users, etc all do what they can to prevent
>compromises. If Joe Clueless clicks on enough bad things, one of them will get
>him eventually and the trick is to get the computer isolated immediately.
> BotHunter is a Snort-based system for detecting infections. I've wanted to
>test it but have never had time. Has anyone had good results with it? (I know
>I'm OT, but it is Snort based--maybe only one drink ;-)
> -----Original Message-----
> From: Martin Holste [mailto:mcholste at ...11827...]
> Sent: Wednesday, February 02, 2011 5:23 PM
> To: Matthew Jonkman
> Cc: snort-users at lists.sourceforge.net; emerging-sigs at ...14333...
> Subject: Re: [Snort-users] [Emerging-Sigs] Matt Jonkman in the new Hakin9
>> Yes, an infection is a failure. But we will always have failures. And you'll
>>have hosts that come in from the outside already infected. You MUST focus on CnC
>>channels, I don't see any alternative.
> This is the key point. We responded to over a thousand incidents last
> year alone, and in each case, AV had been completely overtaken (only
> even generating an alert about 1/3 of the time) and more than half of
> the cases were on fully patched machines. This is IDS's core
> competency. Packets will never lie (though you may misinterpret what
> they say). The same cannot be said of anything on a host that may
> have been compromised.
> The NSS testing is becoming increasingly irrelevant because exploits
> aren't actionable--infections are. If I told you that you could have
> the choice between a magic blinking box that told you whenever a host
> was infected versus a box that told you whenever someone tried to
> infect a box, wouldn't you go with the first one? Most orgs aren't
> interested in attempts--they're interested in break-ins. The idea of
> detecting exploits via IDS comes from way back in the 90's when CnC
> channels (or malware) didn't really exist like they do now. Your only
> chance then was to detect the break-in. There's been a complete
> reversal in the last few years and now your only real chance is to
> detect the CnC channel because the exploit doesn't really exist like
> it did then.
> Exploit code is far more likely to be encrypted/encoded than check-in
> traffic (URL's at least). It is almost impossible to write signatures
> to catch the exploits in the wild for anything more than the PoC
> examples or the kit-of-the-day. So many SF and ET signatures look for
> things like CLSID's for ActiveX objects, which will almost never hit
> on an actual exploit, because they will be heavily obfuscated with
> be dropping packets because of the wasted cycles on those signatures,
> so they're missing the check-ins as well. You can get far better
> results by running a handful of signatures to look for basic file
> types like executables, PDF, Flash, and Java, then matching those hits
> (which will be very numerous) with disreputable autonomous systems
> (AS's). I bet anyone on this list a case of beer that the next JAR
> file coming out of Latvia to their corporate network is a malware
> loader (no cheating please!).
> The other critical component to that is regarding Jason's point about
> off-network infections. CnC check-ins are your only hope at that
> point--try to spot the already-infected devices so that they can be
> cleaned. Since the host has already failed to defend itself, the
> network IDS is your last chance.
> Both the Mandiant M-Trends and Verizon Data Breach Report each year
> have been illustrating how futile it is to expect to be able to defend
> all of your endpoints. They do, however, show how damage isn't
> usually done for days or weeks after the initial infection, so if you
> can find the infected machines within a few business days, you've got
> a good chance of emerging unscathed (other than the re-images, of
Emerging Threats Pro
Open Information Security Foundation (OISF)
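The correlation Martin describes (a handful of broad file-type signatures, then matching the flood of hits against disreputable autonomous systems) is easy to sketch. The script below is an added example, not code from Snort, BotHunter or MetaFlows, and it makes several labelled assumptions: the local SIDs (1000001 to 1000004) stand for hypothetical "file type seen" rules, the prefix-to-ASN table replaces a real IP-to-ASN lookup, and the watch list (AS64502, a private-use ASN) and the sample alert lines are constructed, so nothing here expresses a judgement about any real network. It parses Snort fast-format alert lines, attributes the endpoint outside HOME_NET to an AS, and keeps only file-type hits from watched ASes, with a summary showing how much the filter thins the raw hits.

```python
"""Correlate broad file-type alerts with an AS watch list.

Added example of the approach described in the thread: let a handful of
"file type seen" signatures fire freely, then keep only hits whose external
endpoint sits in an autonomous system the defender has chosen to watch.
Not code from Snort, BotHunter or MetaFlows; every SID, prefix, ASN and
alert line below is a constructed placeholder.
"""
import ipaddress
import re
from dataclasses import dataclass

# Snort "fast" alert layout:
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [...] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Hypothetical local SIDs for the few broad file-type signatures.
FILE_TYPE_SIDS = {1000001: "EXE", 1000002: "PDF", 1000003: "SWF", 1000004: "JAR"}

# Constructed HOME_NET in the Snort sense; any other address counts as external.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed prefix -> ASN table standing in for a real IP-to-ASN lookup.
PREFIX_TO_ASN = {
    ipaddress.ip_network("198.51.100.0/24"): 64501,
    ipaddress.ip_network("203.0.113.0/24"): 64502,
    ipaddress.ip_network("192.0.2.0/24"): 64503,
}

# Constructed watch list; a real one comes from the defender's own reputation data.
WATCHED_ASNS = {64502}


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    src: str
    dst: str


def parse_alert(line):
    """Return an Alert for a fast-format line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(int(m["sid"]), m["msg"], m["src"], m["dst"])


def external_endpoint(alert):
    """The side of the flow outside HOME_NET is the one to attribute to an AS."""
    for ip in (alert.src, alert.dst):
        if not any(ipaddress.ip_address(ip) in net for net in HOME_NET):
            return ip
    return alert.src  # both internal: fall back to the source


def asn_for(ip):
    """Longest-prefix match against the constructed table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in PREFIX_TO_ASN.items():
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None


def correlate(lines):
    """Return (file_type, external_ip, asn, alert) for file-type alerts in a watched AS."""
    hits = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert.sid not in FILE_TYPE_SIDS:
            continue  # unparseable, or not one of the file-type signatures
        ip = external_endpoint(alert)
        asn = asn_for(ip)
        if asn in WATCHED_ASNS:
            hits.append((FILE_TYPE_SIDS[alert.sid], ip, asn, alert))
    return hits


def summarize(lines):
    """Counts showing how much the AS filter thins the raw file-type alerts."""
    parsed = [a for a in map(parse_alert, lines) if a is not None]
    file_type = sum(1 for a in parsed if a.sid in FILE_TYPE_SIDS)
    return {"parsed": len(parsed), "file_type": file_type, "flagged": len(correlate(lines))}


# Constructed sample alerts, not real sensor output.
SAMPLE_ALERTS = [
    "02/03-09:42:11.123456  [**] [1:1000004:1] LOCAL JAR download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.25:80 -> 10.0.0.15:52344",
    "02/03-09:42:13.001122  [**] [1:1000002:1] LOCAL PDF download [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 198.51.100.7:443 -> 10.0.0.22:49201",
    "02/03-09:42:15.554433  [**] [1:1000001:1] LOCAL EXE download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.9:80 -> 10.0.0.8:51000",
    "02/03-09:42:20.000001  [**] [1:2000001:1] LOCAL outbound HTTP POST [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.15:52350 -> 203.0.113.25:80",
    "02/03-09:43:02.777777  [**] [1:1000004:1] LOCAL JAR download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.40:8080 -> 10.0.0.31:60021",
    "this line is not a Snort alert and is skipped",
]

if __name__ == "__main__":
    for file_type, ip, asn, alert in correlate(SAMPLE_ALERTS):
        print(f"{file_type} from {ip} (AS{asn}) to {alert.dst}: {alert.msg}")
    print(summarize(SAMPLE_ALERTS))
```

Run as-is it reports the two JAR downloads from the watched AS and the counts `parsed 5, file_type 4, flagged 2`; the EXE and PDF hits from unwatched ASes and the non-file-type alert fall away. In practice the prefix table would be replaced by a live IP-to-ASN lookup and the watch list by the defender's own reputation data, and the same join works just as well against the CnC check-in alerts the thread is mainly concerned with.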