Signature & Session Analysis (20190529)
Signature analysis
• Distinctive marks of known bad traffic (pattern matching), used for example in:
– virus detection
– malicious website detection
– malware file detection
• Distinctive marks include:
– IP addresses
– Hostnames
– Offsets, for example in a memory-related exploit
– Debug information
– "Ego" strings (strings the author left in the code)
– Header information
Signature analysis
• An example: detecting an nmap Xmas scan of the network by the flags in the TCP header. An Xmas probe has FIN, PSH and URG set and no other flag bits, a combination no legitimate TCP segment uses, so the rule matches on flags:FPU (exactly those three flags):
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XMAS Scan Detected"; flow:stateless; flags:FPU; sid:1000002; rev:1;)
• The SID is in the 1,000,000+ range reserved for local rules, so it cannot collide with downloaded rule sets.
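The test that the rule above performs, written out as an added example (not code from the slides and not Snort's own code): constructed Ethernet/IPv4/TCP frames are parsed with the standard library and the flag byte is compared the way flags:FPU is evaluated, FIN, PSH and URG set and every other flag bit clear. It goes one step beyond the slide by adding a second signature for the nmap NULL scan (no flags set at all); the addresses, ports and the SIGNATURES table are assumptions made for the example.

```python
"""Signature check for an nmap Xmas scan (TCP flags FIN+PSH+URG, nothing else).

Added example, not from the original slides. It parses constructed
Ethernet/IPv4/TCP frames with the standard library only and applies the
same test as the Snort rule `flags:FPU` on the slide: FIN, PSH and URG set
and all other flag bits clear. The NULL scan signature is an added
generalisation (nmap -sN sends a TCP segment with no flags at all).
"""
import struct

# TCP flag bits in header byte 13 (RFC 793 / RFC 3168)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

# Snort-style signatures: msg -> (flag bits that must be set, bits examined).
# flags:FPU -> exactly FIN|PSH|URG among the eight flag bits
# flags:0   -> no flags at all (nmap NULL scan), shown as a generalisation
SIGNATURES = {
    "XMAS Scan Detected": (FIN | PSH | URG, 0xFF),
    "NULL Scan Detected": (0, 0xFF),
}


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Construct a minimal Ethernet/IPv4/TCP frame (sample input, not captured)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return eth + ip + tcp


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, flags) or None if not IPv4/TCP."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if (ip[0] >> 4) != 4 or len(ip) < ihl + 20 or ip[9] != 6:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]


def match_signatures(frame):
    """Return the msg of every signature whose flag test the frame satisfies."""
    parsed = parse_frame(frame)
    if parsed is None:
        return []
    flags = parsed[4]
    return [msg for msg, (want, mask) in SIGNATURES.items()
            if (flags & mask) == want]


def scan_frames(frames):
    """Run all frames through the signatures; return alerts (msg, src, dst, dport)."""
    alerts = []
    for frame in frames:
        for msg in match_signatures(frame):
            src, dst, _, dport, _ = parse_frame(frame)
            alerts.append((msg, src, dst, dport))
    return alerts


# Constructed sample traffic: one Xmas probe, one NULL probe, one normal SYN,
# and an ordinary data segment with PSH|ACK set, which must not alert.
SAMPLE_FRAMES = [
    build_frame("203.0.113.7", "10.0.0.5", 40000, 22, FIN | PSH | URG),
    build_frame("203.0.113.7", "10.0.0.5", 40001, 80, 0),
    build_frame("10.0.0.9", "10.0.0.5", 50000, 443, SYN),
    build_frame("10.0.0.9", "10.0.0.5", 50000, 443, PSH | ACK),
]

if __name__ == "__main__":
    for alert in scan_frames(SAMPLE_FRAMES):
        print("alert:", alert)
```

The mask is what makes this a signature rather than a heuristic: a segment with PSH set for data delivery is never matched, only the exact flag combination the scanner sends.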
Session analysis
• Utilises the session metadata to determine what is happening during a session:
– which IPs (devices) are causing the traffic
– the type of traffic
– what data is being transferred
• Analyses the behaviour of session(s) and looks for behaviour that is not normal.
Session analysis
• Example: once a network has been compromised, DNS may be used to exfiltrate data (the data is obfuscated inside queries that look like ordinary name lookups)
– The attacker's aim is to stay in the network as long as possible without detection, i.e. without triggering any alarms
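Session analysis of the DNS case above, as an added example (not code from the slides and not Zeek or Security Onion code). The input is a constructed, simplified list of DNS query records with fields like those Zeek writes to dns.log; records are grouped per client and parent domain, and a session is flagged on its behaviour rather than on any fixed string: many distinct, long, high-entropy subdomains sent to one domain, drip-fed slowly enough that no volume alarm fires. The thresholds, addresses and domain names are illustrative assumptions.

```python
"""Session analysis of DNS traffic: flag exfiltration/tunnelling by behaviour.

Added example, not from the original slides and not Zeek/Security Onion
code. Input is a constructed, simplified list of DNS query records
(timestamp, client IP, query name, query type) like the fields Zeek writes
to dns.log. Records are grouped per client and parent domain ("session"),
and a session is flagged on its behaviour, not on a fixed signature:
many distinct, long, high-entropy subdomains sent to one parent domain.
Thresholds are illustrative assumptions, not tuned values.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character of a string; 0 for 'www', close to 4 for hex noise."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def split_name(query):
    """Return (subdomain part, parent domain). Assumption: the parent domain is
    the last two labels; a real deployment would use a public-suffix list."""
    labels = query.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def summarise_sessions(records):
    """Group records by (client, parent domain) and compute behaviour metrics."""
    sessions = defaultdict(list)
    for ts, client, query, qtype in records:
        sub, parent = split_name(query)
        sessions[(client, parent)].append((ts, sub, qtype))
    summary = {}
    for key, items in sessions.items():
        subs = [sub for _, sub, _ in items]
        times = [ts for ts, _, _ in items]
        summary[key] = {
            "queries": len(items),
            "unique_subdomains": len(set(subs)),
            "mean_sub_len": sum(len(s) for s in subs) / len(subs),
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
            "txt_fraction": sum(1 for _, _, q in items if q == "TXT") / len(items),
            "duration_s": max(times) - min(times),
        }
    return summary


def flag_exfil(summary, min_unique=20, min_len=30, min_entropy=3.0):
    """Behavioural rule (illustrative thresholds): one client sending many
    distinct, long, high-entropy subdomains to a single parent domain.
    Returns the sorted list of (client, parent domain) sessions flagged."""
    return sorted(
        (client, parent) for (client, parent), m in summary.items()
        if m["unique_subdomains"] >= min_unique
        and m["mean_sub_len"] >= min_len
        and m["mean_entropy"] >= min_entropy
    )


# Constructed sample records (not captured traffic). Client 10.0.0.21 browses
# normally; client 10.0.0.33 drip-feeds 30 encoded TXT queries, one every
# 20 s, to a single domain. The encoded labels are sha256 hex prefixes used
# purely as stand-ins for exfiltrated chunks.
SAMPLE_DNS = [
    (1559100000.0, "10.0.0.21", "www.example.com", "A"),
    (1559100001.0, "10.0.0.21", "mail.example.com", "A"),
    (1559100002.0, "10.0.0.21", "www.example.com", "A"),
    (1559100003.0, "10.0.0.21", "cdn.example.net", "AAAA"),
] + [
    (1559100010.0 + 20 * i, "10.0.0.33",
     hashlib.sha256(b"chunk%d" % i).hexdigest()[:40] + ".c2.example.org", "TXT")
    for i in range(30)
]

if __name__ == "__main__":
    summary = summarise_sessions(SAMPLE_DNS)
    for key in flag_exfil(summary):
        print("suspicious DNS session:", key, summary[key])
```

Note that no single query here would match a signature: each one is a syntactically valid TXT lookup. Only the aggregate behaviour of the session (count of never-repeated subdomains, their length and entropy, and the duration over which they trickle out) gives it away, which is the point of combining signature alerts with session analysis.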
Which technique?
• Signature analysis – can be used to create the alert; then
• Session analysis – can help investigate the alert further.
FOSS Tools
• Open source network monitoring and log management tools:
– Elasticsearch
– Logstash
– Kibana
– Snort
– Suricata
– Zeek (formerly Bro)
– Sguil
– Squert
* FOSS: Free and Open Source Software
Log Management
• Logstash – used to gather data from multiple sources and transform it for storage
• Elasticsearch– Ingest, index, and analytics engine
• Kibana– Visualisation tool for Elasticsearch and other data sets
https://www.elastic.co/products/
Intrusion Detection tools
• Snort – signature-based intrusion detection system (IDS)
• Suricata – intrusion detection/prevention system (IDS/IPS); multi-threaded and uses the same rule syntax as Snort, so a rule such as the Xmas scan rule works with either
Network Monitoring
• Zeek (formerly Bro) – network traffic analysis tool that produces connection, protocol and file logs
• Sguil – collection of free software components for Network Security Monitoring (NSM) and event-driven analysis of IDS alerts
– Provides visibility into the event data being collected and the context needed to validate the detection
• Squert – web interface to query and view event data stored in a Sguil database
Security Onion
• Linux-based open source intrusion detection, security monitoring and log management toolkit
– Can be installed as a Virtual Machine (VM) or natively
• Best practice is to use two network interfaces:
1. Management interface, on the management network
2. Monitoring (sniffing) interface, on the monitored network; it carries no IP address, so the sensor sees the traffic without being reachable from it
https://securityonion.net
Security Onion
https://securityonion.readthedocs.io/en/latest/architecture.html
How to Install
• Straightforward: download the ISO, verify its signature and checksum, then follow the instructions
• https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md
Security Onion - commands
https://securityonion.readthedocs.io/en/latest/cheat-sheet.html
Command               Description
sudo soup             Update Security Onion (and Ubuntu)
sudo so-status        Check service status
sudo sostat           Generate Security Onion statistics
sudo so-start         Start all services
sudo so-stop          Stop all services
sudo so-restart       Restart all services
sudo so-user-add      Add user for Sguil/Squert/Kibana
sudo rule-update      Update rules after modifying a rules file
sudo so-allow         Open ports in the ufw firewall
sudo so-allow-view    View current firewall rules
Security Onion - files
https://securityonion.readthedocs.io/en/latest/cheat-sheet.html
Folder / File                    Description
/etc/nsm/                        Location of configuration files
/etc/nsm/securityonion.conf      Security Onion general settings
/opt/bro                         Location of Bro (Zeek) files
/nsm/bro/logs                    Location of Bro (Zeek) log files
/etc/elasticsearch               Location of Elasticsearch files
/etc/logstash                    Location of Logstash files
/etc/kibana                      Location of Kibana files
/var/log                         Location of log files
/opt/samples                     Example packet capture files
Security Onion - rules
https://securityonion.readthedocs.io/en/latest/cheat-sheet.html
Folder / File                          Description
/etc/nsm/rules/downloaded.rules        Downloaded IDS rules
/etc/nsm/rules/local.rules             Custom (local) IDS rules
/etc/nsm/rules/threshold.conf          Rule thresholds
/etc/nsm/pulledpork/disabledsid.conf   Rules disabled by SID
/etc/nsm/pulledpork/modifysid.conf     Rules modified by SID
/etc/nsm/pulledpork/pulledpork.conf    PulledPork configuration
/etc/elastalert/rules                  ElastAlert rules: query Elasticsearch and alert on user-defined anomalous behaviour
Import packet captures
https://securityonion.readthedocs.io/en/latest/pcaps.html
https://securityonion.readthedocs.io/en/latest/so-import-pcap.html
Command                                    Description
sudo tcpreplay -i ens34 -M10 fake_av.pcap  Replay the capture as new traffic with the current date and time onto interface ens34 (the sniffing interface), rate-limited to 10 Mbps (-M sets megabits per second)
sudo so-replay fake_av.pcap                Replay the capture as new traffic with the current date and time
sudo so-import-pcap fake_av.pcap           Import the traffic while keeping the timestamps of the original capture
Import packet captures
https://securityonion.readthedocs.io/en/latest/so-import-pcap.html
Command                                          Description
capinfos {pcap file}                             Display statistics about the packet capture file
tshark -F pcap -r {pcapng file} -w {pcap file}   Convert a pcapng (next-generation) capture to the older pcap format
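An added example covering both import slides (it is not code from the slides, nor Security Onion, tcpreplay or Wireshark code): a minimal reader and writer for the classic pcap container built with the standard library, reporting the capinfos-style figures (packet count, bytes, first and last timestamp, duration), rejecting a pcapng file so the tshark conversion step is not forgotten, and showing the two timestamp policies from the previous slide, rebasing the capture to the current time as a replay does versus keeping the original times as so-import-pcap does. The three dummy frames and their 2019 timestamps are constructed, not real traffic.

```python
"""Minimal pcap (libpcap) reader/writer: capinfos-style statistics and the
two timestamp policies (replay "as now" vs. keep the original times).

Added example, not part of the original slides or of Security Onion's own
tooling. It builds a constructed pcap in memory with the standard library
only. Frame contents are opaque dummy bytes; the point is the file format
and the timestamps, which decide whether replayed traffic shows up under
today's date or under the capture's original date in the sensor.
"""
import struct
import time

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond-resolution pcap
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-resolution pcap
PCAPNG_SHB = 0x0A0D0D0A        # pcapng section header block type
LINKTYPE_ETHERNET = 1


def write_pcap(packets, nanosecond=False):
    """packets: list of (timestamp_seconds: float, frame: bytes) -> pcap bytes."""
    magic = PCAP_MAGIC_NSEC if nanosecond else PCAP_MAGIC_USEC
    frac_unit = 1_000_000_000 if nanosecond else 1_000_000
    # global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
    out = [struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in packets:
        secs = int(ts)
        frac = int(round((ts - secs) * frac_unit))
        if frac >= frac_unit:           # rounding carried into a whole second
            secs, frac = secs + 1, frac - frac_unit
        out.append(struct.pack("<IIII", secs, frac, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Parse pcap bytes -> (linktype, [(timestamp_seconds, frame), ...]).
    Handles both byte orders and both magics; rejects pcapng, which must be
    converted first (tshark -F pcap)."""
    if len(data) < 24:
        raise ValueError("truncated pcap header")
    magic_le, = struct.unpack("<I", data[:4])
    magic_be, = struct.unpack(">I", data[:4])
    if magic_le == PCAPNG_SHB:
        raise ValueError("pcapng file, not pcap")
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = "<", magic_le
    elif magic_be in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a pcap file")
    frac_unit = 1_000_000_000 if magic == PCAP_MAGIC_NSEC else 1_000_000
    _, _, _, _, _, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets, off = [], 24
    while off + 16 <= len(data):
        secs, frac, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated packet record")
        packets.append((secs + frac / frac_unit, data[off:off + incl]))
        off += incl
    return linktype, packets


def capinfos(data):
    """Statistics of the kind capinfos prints: packets, bytes, first/last, duration."""
    _, packets = read_pcap(data)
    times = [t for t, _ in packets]
    return {
        "packets": len(packets),
        "bytes": sum(len(f) for _, f in packets),
        "first_ts": min(times) if times else None,
        "last_ts": max(times) if times else None,
        "duration": (max(times) - min(times)) if times else 0.0,
    }


def rebase_timestamps(packets, start=None):
    """Shift the capture so its first packet is at 'start' (default: now) while
    keeping the inter-packet gaps: what the sensor sees after tcpreplay or
    so-replay. so-import-pcap instead keeps the original timestamps as-is."""
    if not packets:
        return []
    start = time.time() if start is None else start
    t0 = packets[0][0]
    return [(start + (t - t0), frame) for t, frame in packets]


# Constructed capture: three dummy frames dated 2019-05-29 (not real traffic)
SAMPLE_PACKETS = [
    (1559100000.0, b"\x00" * 14 + b"A" * 50),
    (1559100000.25, b"\x00" * 14 + b"B" * 80),
    (1559100002.5, b"\x00" * 14 + b"C" * 20),
]
SAMPLE_PCAP = write_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    print("capinfos:", capinfos(SAMPLE_PCAP))
    print("replayed now:", [t for t, _ in rebase_timestamps(SAMPLE_PACKETS)])
```

The practical consequence for the lab: after a replay you search Kibana or Sguil for events around the current time, whereas after so-import-pcap you must search around the capture's original date, here 2019-05-29.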
Lab Exercise
Exercise
• Follow the lab handout: securityonion_lab.pdf
Exercise 1: Squert
• File: fake_av.pcap
• Question: What type of malicious traffic is suspected?
• Q1: What is the top source IP and destination IP? Source __________, Destination __________
• Q2: What is the other IP address communicating with the top source IP?
Exercise 2: Sguil
• File: fake_av.pcap
• Question: What was the rule that generated the original alert?