[Snort-users] was--Matt Jonkman in the new Hakin9--now detecting infections

Marshall Bartoszek gmb95125 at ...131...
Thu Feb 3 12:57:31 EST 2011

Hi Matt, John

MATT:  Thanks for the mention!

JOHN:  Take a look at www.metaflows.com.  We have taken BotHunter and integrated 
it into our network monitoring solution kit.  You can download a free, personal 
use copy of it from our website.

Let me know if I can be of more assistance to you.  I included my metaflows email 




From: Matthew Jonkman <jonkman at ...15020...>
To: John York <YorkJ at ...7109...>
Cc: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
Sent: Thu, February 3, 2011 7:07:41 AM
Subject: Re: [Snort-users] was--Matt Jonkman in the new Hakin9--now detecting 

Bothunter is a spectacular tool! I highly recommend it. They use a subset of the 
ET rules, so what we're all contributing to emerging threats is helping improve 
Bothunter. Although in a relatively small way, most of its actions are based on 
much higher thought than static sigs. 

Metaflows.com is also a tool implementing bothunter for open and professional 
use with great results. I'm sure there will be more commercial uses of it very 


On Feb 3, 2011, at 9:42 AM, John York wrote:

> I agree wholeheartedly.  My biggest concern is getting to the infected machines 
> ASAP, so that's what I *really* want alerts on.  The IPS, firewall, AV, web 
> filter, no admin rights for users, etc all do what they can to prevent 
> compromises.  If Joe Clueless clicks on enough bad things, one of them will get 
> him eventually and the trick is to get the computer isolated immediately.
> BotHunter is a Snort-based system for detecting infections.  I've wanted to 
> test it but have never had time.  Has anyone had good results with it?  (I know 
> I'm OT, but it is Snort based--maybe only one drink ;-)
> Thanks
> John
> -----Original Message-----
> From: Martin Holste [mailto:mcholste at ...11827...] 
> Sent: Wednesday, February 02, 2011 5:23 PM
> To: Matthew Jonkman
> Cc: snort-users at lists.sourceforge.net; emerging-sigs at ...14333...
> Subject: Re: [Snort-users] [Emerging-Sigs] Matt Jonkman in the new Hakin9
>> Yes, an infection is a failure. But we will always have failures. And you'll 
>> have hosts that come in from the outside already infected. You MUST focus on CnC 
>> channels, I don't see any alternative.
> This is the key point.  We responded to over a thousand incidents last
> year alone, and in each case, AV had been completely overtaken (only
> even generating an alert about 1/3 of the time) and more than half of
> the cases were on fully patched machines.  This is IDS's core
> competency.  Packets will never lie (though you may misinterpret what
> they say).  The same cannot be said of anything on a host that may
> have been compromised.
> The NSS testing is becoming increasingly irrelevant because exploits
> aren't actionable--infections are.  If I told you that you could have
> the choice between a magic blinking box that told you whenever a host
> was infected versus a box that told you whenever someone tried to
> infect a box, wouldn't you go with the first one?  Most orgs aren't
> interested in attempts--they're interested in break-ins.  The idea of
> detecting exploits via IDS comes from way back in the 90's when CnC
> channels (or malware) didn't really exist like they do now.  Your only
> chance then was to detect the break-in.  There's been a complete
> reversal in the last few years and now your only real chance is to
> detect the CnC channel because the exploit doesn't really exist like
> it did then.
> Exploit code is far more likely to be encrypted/encoded than check-in
> traffic (URL's at least).  It is almost impossible to write signatures
> to catch the exploits in the wild for anything more than the PoC
> examples or the kit-of-the-day.  So many SF and ET signatures look for
> things like CLSID's for ActiveX objects, which will almost never hit
> on an actual exploit, because they will be heavily obfuscated with
> Javascript.  It's very unfortunate, because most Snort instances will
> be dropping packets because of the wasted cycles on those signatures,
> so they're missing the check-ins as well.  You can get far better
> results by running a handful of signatures to look for basic file
> types like executables, PDF, Flash, and Java, then matching those hits
> (which will be very numerous) with disreputable autonomous systems
> (AS's).  I bet anyone on this list a case of beer that the next JAR
> file coming out of Latvia to their corporate network is a malware
> loader (no cheating please!).
> The other critical component to that is regarding Jason's point about
> off-network infections.  CnC check-ins are your only hope at that
> point--try to spot the already-infected devices so that they can be
> cleaned.  Since the host has already failed to defend itself, the
> network IDS is your last chance.
> Both the Mandiant M-Trends and Verizon Data Breach Report each year
> have been illustrating how futile it is to expect to be able to defend
> all of your endpoints.  They do, however, show how damage isn't
> usually done for days or weeks after the initial infection, so if you
> can find the infected machines within a few business days, you've got
> a good chance of emerging unscathed (other than the re-images, of
> course).

Matthew Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
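An added example (not code from any of the posters) of the correlation Martin describes above: a handful of file-type signature hits from a Snort fast-alert log, joined against an AS reputation list so that only downloads served from AS numbers the analyst distrusts are surfaced. The alert lines, the prefix-to-AS table and the disreputable AS set are all constructed placeholders (RFC 5737 addresses, private-use ASNs); a real deployment would feed them from the sensor and a BGP or whois source.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed Snort fast-alert style lines (placeholder sids, RFC 5737 addresses).
SAMPLE_ALERTS = """\
02/03-09:41:02.113 [**] [1:1000001:1] FILE-TYPE JAR archive download [**] [Priority: 3] {TCP} 198.51.100.23:80 -> 10.0.0.15:51022
02/03-09:41:07.540 [**] [1:1000002:1] FILE-TYPE PE executable download [**] [Priority: 3] {TCP} 203.0.113.77:80 -> 10.0.0.15:51030
02/03-09:42:11.001 [**] [1:1000003:1] FILE-TYPE PDF download [**] [Priority: 3] {TCP} 192.0.2.10:443 -> 10.0.0.22:49811
02/03-09:43:55.320 [**] [1:1000001:1] FILE-TYPE JAR archive download [**] [Priority: 3] {TCP} 192.0.2.44:8080 -> 10.0.0.31:50001
"""

# Constructed prefix -> AS table standing in for a BGP/whois feed (private-use ASNs).
# Prefixes here do not overlap, so a simple first-match scan is sufficient.
PREFIX_TO_AS = {
    "198.51.100.0/24": 64500,
    "203.0.113.0/24": 64501,
    "192.0.2.0/24": 64502,
}
# Constructed set of AS numbers the analyst has chosen to treat as disreputable.
DISREPUTABLE_AS = {64500, 64501}

# Pull the rule message and the server (src) / client (dst) addresses out of a fast alert.
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\] .*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

Hit = namedtuple("Hit", "src_ip asn msg dst_ip")

def lookup_as(ip):
    # Return the AS number whose prefix covers ip, or None when nothing matches.
    addr = ipaddress.ip_address(ip)
    for prefix, asn in PREFIX_TO_AS.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return None

def correlate(alert_text):
    # Keep only file-type hits whose serving host sits in a disreputable AS.
    hits = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a fast-format alert line; ignore it
        asn = lookup_as(m.group("src"))
        if asn in DISREPUTABLE_AS:
            hits.append(Hit(m.group("src"), asn, m.group("msg"), m.group("dst")))
    return hits
```

Run against the constructed log, `correlate(SAMPLE_ALERTS)` returns the JAR and PE downloads from AS64500/AS64501 and drops the two served from AS64502, which is the triage list Martin suggests reviewing instead of every file-type hit.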
