[Snort-users] Zero day attack protection
saintcrusty at ...11827...
Wed Feb 4 09:01:43 EST 2015
It's been a while but in the meantime I think I've found what makes stuff
like FireEye and others tick
Check out http://klee.github.io/ and/or
Also the pdf on AEG is insightful
This might be a serious downturn or upturn for open-source adoption if AEG
proves effective. Given the growing adoption of LLVM, I assume it will make
open-source the way to go in both the short and long term.
2013-10-29 21:23 GMT+01:00 Kevin Ross <kevross33 at ...14012...>:
> True zero day protection is very hard. There are some products that claim
> to be able to do it (i.e. FireEye,
> although they did identify zero days in the wild early in the year in
> Java/Flash etc.). I cannot comment on the effectiveness of these types of
> solutions though as I haven't used them.
> Well researched signatures looking for common features is a good way to do
> it, i.e. if an exploit kit has certain characteristics that can be focused
> on regardless of the exploit/malware delivery or anomalies, then that can be
> used to identify cases even where unknown attacks are used. In real terms
> signature based approaches are always to varying extents reactionary to
> observed malicious behaviours, and the same problem affects most if not all
> security solutions from AV to IDS; the problem is you don't know what the
> bad guy will do next. I think the future though will be combinations of
> signature, big data/data mining and machine learning solutions. Personally
> I do find the signatures available for Snort are excellent in getting that
> unknown, as a lot of other vendors are often very specific to
> vulnerabilities, so the actual catching-badness potential of Snort sigs is
> very good.
> Another example could be generic catch-alls, i.e. outside of Snort and so
> on I have other tools; one of them I use is passiveDNS (
> https://github.com/gamelinux/passivedns) which I highly recommend to
> complement your monitoring. Where it comes into use is:
> - being able to maintain a record of DNS logs which is searchable through
> a web interface. This is highly useful because it means if you have an
> alert you can see specifically in your environment what domains were
> resolved in your network (full packet capture using openfpc or
> something is better though). This also means if you have intelligence on an
> attack you can search for the domains involved to see if you might have been
> hit and the time frame in which the traffic first occurred. Also, because it
> shows first seen for a domain, if it is malware it can help you determine
> the earliest point you should start looking for that particular CnC.
> - It can use blacklists to alert on (reactionary)
> - You can use regex. This is where it gets interesting. For instance, using
> regex you can look roughly for common patterns in domain generation
> algorithms http://www.net-security.org/article.php?id=1844&p=1. I have
> regexes for Zeus and generic ones looking at basic patterns (when you start
> passiveDNS make sure you use -X 46CDNPRSx to make sure you get NXDOMAINs).
> Then I feed that into a SIEM where I further pick out the pattern and make
> sure the response is NXDOMAIN. This helped me find unknown Zeus-infected
> PCs in my network I had no idea were there, as they were not calling out, and
> also other malware. As DGAs are more and more prevalent in malware CnC,
> using this method could help you detect zero day malware. You can also use
> Snort to look for suspicious patterns in NXDOMAINs (look for NXDOMAIN and
> then apply regex for patterns).
> Hope that helps,
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
- - -
Security Avert *
* If you think I deserve a rant, write me off-list
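The NXDOMAIN/DGA hunting that Kevin describes above (passiveDNS log, filter for NXDOMAIN responses, apply generic DGA-pattern heuristics, then aggregate per client the way a SIEM rule would) as an added worked example. This is not code from the thread or from the passivedns project. The log lines are constructed, the field layout `timestamp||client||server||class||query||type||answer||ttl||count` with `NXDOMAIN` in the type field is assumed from the passivedns output format, and the heuristics and thresholds (label length, vowel ratio, consonant run, entropy, two hits per client) are illustrative choices, not the poster's Zeus regexes.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample passivedns log lines (not real traffic). Assumed layout:
# timestamp||client||server||class||query||type||answer||ttl||count
# NXDOMAIN answers are assumed to carry "NXDOMAIN" in the type field.
SAMPLE_LOG = """\
1383073416.123456||10.0.0.15||10.0.0.2||IN||www.example.com.||A||93.184.216.34||3600||1
1383073417.223456||10.0.0.15||10.0.0.2||IN||xkqzjwbtpvlmrnzc.com.||NXDOMAIN||xkqzjwbtpvlmrnzc.com.||600||1
1383073418.323456||10.0.0.15||10.0.0.2||IN||wpad.corp.example.com.||NXDOMAIN||wpad.corp.example.com.||600||1
1383073419.423456||10.0.0.22||10.0.0.2||IN||typo-in-my-hostname.local.||NXDOMAIN||typo-in-my-hostname.local.||600||1
1383073420.523456||10.0.0.15||10.0.0.2||IN||vqpzlwtrmjcnhkxb.net.||NXDOMAIN||vqpzlwtrmjcnhkxb.net.||600||1
1383073421.623456||10.0.0.22||10.0.0.2||IN||mail.example.com.||MX||mail.example.com.||3600||1
"""

VOWELS = set("aeiou")


def parse_passivedns(text):
    """Yield one dict per well-formed passivedns line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split("||")
        if len(parts) != 9:
            continue  # do not let one bad line kill the whole feed
        ts, client, _server, _qclass, query, qtype, answer, _ttl, _count = parts
        yield {
            "ts": float(ts),
            "client": client,
            "query": query.rstrip(".").lower(),
            "type": qtype,
            "answer": answer,
        }


def registered_label(fqdn):
    """Label left of the TLD: 'example' for 'www.example.com' (no public-suffix list here)."""
    labels = fqdn.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits per character of the label; random-looking labels score high."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s):
    best = run = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_like_dga(label):
    """Generic DGA heuristics on a single label (illustrative thresholds, an assumption).

    Prefilter: 10-32 alphanumerics with no hyphen, the shape most DGAs produce.
    Then flag labels that are vowel-starved, have a long consonant run, or are
    high-entropy. Tune against your own baseline before alerting on this.
    """
    if not re.fullmatch(r"[a-z0-9]{10,32}", label):
        return False
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return (
        vowel_ratio < 0.2
        or longest_consonant_run(label) >= 6
        or shannon_entropy(label) >= 3.5
    )


def find_dga_suspects(text, min_hits=2):
    """Clients with >= min_hits NXDOMAIN responses for DGA-looking names.

    A single odd NXDOMAIN is noise (typos, stale records); a host that keeps
    asking for random names and getting NXDOMAIN back is the DGA signal.
    Returns {client: {"first_seen": ts, "names": [...]}} for SIEM consumption.
    """
    hits = defaultdict(lambda: {"first_seen": None, "names": []})
    for rec in parse_passivedns(text):
        if rec["type"] != "NXDOMAIN":
            continue
        if not looks_like_dga(registered_label(rec["query"])):
            continue
        entry = hits[rec["client"]]
        entry["names"].append(rec["query"])
        if entry["first_seen"] is None or rec["ts"] < entry["first_seen"]:
            entry["first_seen"] = rec["ts"]
    return {c: e for c, e in hits.items() if len(e["names"]) >= min_hits}


if __name__ == "__main__":
    for client, info in find_dga_suspects(SAMPLE_LOG).items():
        print(client, info["first_seen"], info["names"])
```

Run against a real passivedns log, 10.0.0.15 would be reported with the earliest timestamp of its DGA-looking NXDOMAINs, which is the "first seen" pivot Kevin mentions for deciding how far back to look for the CnC. The benign NXDOMAIN for wpad.corp.example.com is dropped by the heuristics, and 10.0.0.22's single typo never reaches the per-client threshold.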