[Snort-users] Zero day attack protection

Crusty Saint saintcrusty at ...11827...
Wed Feb 4 09:01:43 EST 2015


It's been a while but in the meantime I think I've found what makes stuff
like FireEye and others tick.

Check out http://klee.github.io/ and/or
http://srg.doc.ic.ac.uk/projects/katch/

Also the pdf on AEG is insightful
http://security.ece.cmu.edu/aeg/aeg-current.pdf

This might be a serious downturn or upturn for open-source adoption if AEG
proves effective. Given the growing adoption for LLVM I assume it will make
open-source the way to go in both short and long term.



2013-10-29 21:23 GMT+01:00 Kevin Ross <kevross33 at ...14012...>:

> True zero day protection is very hard. There are some products that claim
> to be able to do it (i.e. FireEye
> http://www.fireeye.com/blog/corporate/2013/09/needle-in-a-haystack-detecting-zero-day-attacks.html
> although they did identify zero days in the wild early in the year in
> Java/Flash etc). I cannot comment on the effectiveness of these types of
> solutions though as I haven't used them.
>
> Well researched signatures looking for common features is a good way to do
> it. i.e. if an exploit kit has certain characteristics that can be focused
> on regardless of the exploit/malware delivered or anomalies then that can be
> used to identify cases even where unknown attacks are used. In real terms
> signature based approaches are always to varying extents reactionary to
> observed malicious behaviours and the same problem affects most if not all
> security solutions from AV to IDS; the problem is you don't know what the
> bad guy will do next. I think the future though will be combinations of
> signature, big data/data mining and machine learning solutions. Personally
> I do find signatures available for Snort are excellent in getting that
> unknown as a lot of other vendors often are very specific to
> vulnerabilities so the actual catching badness potential of Snort sigs is
> very good.
>
> Another example could be generic catch alls. i.e. outside of Snort and so
> on I have other tools; one of them I use is passiveDNS (
> https://github.com/gamelinux/passivedns) which I highly recommend to
> complement your monitoring. Where it comes into use is:
>
> - being able to maintain a record of DNS logs which is searchable through
> a web interface. This is highly useful because it means if you have an
> alert you can specifically in your environment see what domains were
> resolved in your network to look for (full packet capture using openfpc or
> something is better though). This also means if you have intelligence on an
> attack you can search for domains involved to see if you might have been
> hit and the time frame that the traffic occurred first. Also because it
> shows first seen for a domain if it is malware it can help you determine
> the earliest point you should start looking for that particular CnC.
> http://www.alienvault.com/open-threat-exchange/blog/identifying-suspicious-domains-using-dns-records
>
> - It can use blacklists to alert on (reactionary)
>
> - You can use regex. This is where it gets interesting. For instance using
> regex you can look roughly for common patterns in domain generation
> algorithms http://www.net-security.org/article.php?id=1844&p=1. I have
> regexes for zeus and generic ones looking at basic patterns (when you start
> passiveDNS make sure you use -X 46CDNPRSx to make sure you get NXDOMAINS).
> Then I feed that into a SIEM where I further pick out the pattern and make
> sure the response is NXDOMAIN. This helped me find unknown Zeus infected
> PCs in my network I had no idea were there as they were not calling out and
> also other malware. As DGAs are more and more prevalent in malware CnC
> using this method could help you detect zero day malware. You can also use
> Snort to look for suspicious patterns in NXDOMAINS (look for NXDOMAIN and
> then apply regex for patterns).
>
>
> https://www.damballa.com/downloads/a_pubs/Damballa_Throw-Away_Traffic_to_Bots.pdf
>
> https://www.damballa.com/downloads/r_pubs/Damballa_tdss_tdl4_case_study_public.pdf
> https://www.damballa.com/downloads/r_pubs/Damballa_mv20_case_study.pdf
>
> http://www.anubisnetworks.com/from-the-botnet-battlegrounds-the-tale-of-unknown-dga17/
> https://www.cert.pl/news/4711/langswitch_lang/en
>
> https://www.damballa.com/downloads/r_pubs/RN_DGAs-and-Cyber-Criminals-A-Case-Study.pdf
> http://labs.umbrella.com/2013/10/24/mysterious-dga-lets-investigate-sgraph/
>
> Hope that helps,
> Kevin
>
>



-- 

- - -
Security Avert *

* If you think I deserve a rant, write me off-list
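
The NXDOMAIN-plus-pattern triage described in the quoted message, as an added example that is not part of the original thread and not code from passivedns: it filters log records for NXDOMAIN answers, applies a generic "random-looking label" check, and reports clients that produced several such names. The `||`-separated field layout, the literal `NXDOMAIN` answer value, the sample lines, the pattern and the thresholds are all assumptions constructed for illustration, not the poster's regexes.

```python
import re
from collections import defaultdict

# Constructed sample records. Assumed layout (verify against your own log):
# timestamp||client||server||class||query||type||answer||ttl||count
SAMPLE_LOG = """\
1382995201.100000||10.0.0.15||10.0.0.1||IN||www.example.com.||A||93.184.216.34||3600||1
1382995202.200000||10.0.0.23||10.0.0.1||IN||qxkzvbtrwplmshdg.example.||A||NXDOMAIN||0||1
1382995203.300000||10.0.0.23||10.0.0.1||IN||hjw4kq9zt2xcvbnm.example.||A||NXDOMAIN||0||1
1382995204.400000||10.0.0.23||10.0.0.1||IN||zpt7rkwq3mvxlsdf.example.||A||NXDOMAIN||0||1
1382995205.500000||10.0.0.15||10.0.0.1||IN||intranet-typo.example.||A||NXDOMAIN||0||1
1382995206.600000||10.0.0.42||10.0.0.1||IN||mail.example.org.||A||192.0.2.25||300||4
"""

# Illustrative generic pattern (an assumption): a leftmost label made of
# 12 to 32 lowercase letters or digits with no hyphens or other separators.
RANDOM_LABEL = re.compile(r"^[a-z0-9]{12,32}$")
VOWELS = set("aeiou")


def looks_generated(query):
    """True if the leftmost label matches the pattern and is vowel-poor."""
    label = query.rstrip(".").split(".")[0].lower()
    if not RANDOM_LABEL.match(label):
        return False
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return True  # digits only
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio < 0.2  # dictionary-like names sit well above this


def suspicious_clients(log_text, min_names=3):
    """Map client IP -> sorted generated-looking names that returned NXDOMAIN."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split("||")
        if line.startswith("#") or len(fields) != 9:
            continue  # skip comments and malformed records
        client, query, answer = fields[1], fields[4], fields[6]
        if answer == "NXDOMAIN" and looks_generated(query):
            hits[client].add(query)
    # One mistyped hostname is noise; several distinct misses from one host is a lead.
    return {c: sorted(q) for c, q in hits.items() if len(q) >= min_names}


if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_LOG).items():
        print(client, len(names), names)
```

Requiring several distinct names per client keeps a single typo (the `intranet-typo` record) from raising an alert while still surfacing a host cycling through candidate domains.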