Snort mailing list archives

Re: was--Matt Jonkman in the new Hakin9--now detecting infections


From: Marshall Bartoszek <gmb95125 () yahoo com>
Date: Thu, 3 Feb 2011 09:57:31 -0800 (PST)

Hi Matt, John

MATT:  Thanks for the mention !

JOHN:  Take a look at www.metaflows.com.  We have taken BotHunter and integrated 
it into our network monitoring solution kit.  You can download a free, personal 
use copy of it from our website.

Let me know if I can be of more assistance to you.  I included my metaflows email 
address.

Cheers,

MB

________________________________
From: Matthew Jonkman <jonkman () emergingthreatspro com>
To: John York <YorkJ () brcc edu>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Sent: Thu, February 3, 2011 7:07:41 AM
Subject: Re: [Snort-users] was--Matt Jonkman in the new Hakin9--now detecting 
infections

Bothunter is a spectacular tool! I highly recommend it. They use a subset of the 
ET rules, so what we're all contributing to emerging threats is helping improve 
Bothunter. Although in a relatively small way, most of its actions are based on 
much higher thought than static sigs.


Metaflows.com is also a tool implementing bothunter for open and professional 
use with great results. I'm sure there will be more commercial uses of it very 
soon.

Matt


On Feb 3, 2011, at 9:42 AM, John York wrote:

I agree wholeheartedly.  My biggest concern is getting to the infected machines 
ASAP, so that's what I *really* want alerts on.  The IPS, firewall, AV, web 
filter, no admin rights for users, etc all do what they can to prevent 
compromises.  If Joe Clueless clicks on enough bad things, one of them will get 
him eventually and the trick is to get the computer isolated immediately.

BotHunter is a Snort-based system for detecting infections.  I've wanted to 
test it but have never had time.  Has anyone had good results with it?  ( I know 
I'm OT, but it is Snort based--maybe only one drink ;-)

Thanks
John


-----Original Message-----
From: Martin Holste [mailto:mcholste () gmail com] 
Sent: Wednesday, February 02, 2011 5:23 PM
To: Matthew Jonkman
Cc: snort-users () lists sourceforge net; emerging-sigs () emergingthreats net
Subject: Re: [Snort-users] [Emerging-Sigs] Matt Jonkman in the new Hakin9

Yes, an infection is a failure. But we will always have failures. And you'll 
have hosts that come in from the outside already infected. You MUST focus on CnC 
channels, I don't see any alternative.


This is the key point.  We responded to over a thousand incidents last
year alone, and in each case, AV had been completely overtaken (only
even generating an alert about 1/3 of the time) and more than half of
the cases were on fully patched machines.  This is IDS's core
competency.  Packets will never lie (though you may misinterpret what
they say).  The same cannot be said of anything on a host that may
have been compromised.

The NSS testing is becoming increasingly irrelevant because exploits
aren't actionable--infections are.  If I told you that you could have
the choice between a magic blinking box that told you whenever a host
was infected versus a box that told you whenever someone tried to
infect a box, wouldn't you go with the first one?  Most orgs aren't
interested in attempts--they're interested in break-ins.  The idea of
detecting exploits via IDS comes from way back in the 90's when CnC
channels (or malware) didn't really exist like they do now.  Your only
chance then was to detect the break-in.  There's been a complete
reversal in the last few years and now your only real chance is to
detect the CnC channel because the exploit doesn't really exist like
it did then.

Exploit code is far more likely to be encrypted/encoded than check-in
traffic (URLs at least).  It is almost impossible to write signatures
to catch the exploits in the wild for anything more than the PoC
examples or the kit-of-the-day.  So many SF and ET signatures look for
things like CLSIDs for ActiveX objects, which will almost never hit
on an actual exploit, because they will be heavily obfuscated with
Javascript.  It's very unfortunate, because most Snort instances will
be dropping packets because of the wasted cycles on those signatures,
so they're missing the check-ins as well.  You can get far better
results by running a handful of signatures to look for basic file
types like executables, PDF, Flash, and Java, then matching those hits
(which will be very numerous) with disreputable autonomous systems
(AS's).  I bet anyone on this list a case of beer that the next JAR
file coming out of Latvia to their corporate network is a malware
loader (no cheating please!).

The other critical component to that is regarding Jason's point about
off-network infections.  CnC check-ins are your only hope at that
point--try to spot the already-infected devices so that they can be
cleaned.  Since the host has already failed to defend itself, the
network IDS is your last chance.

Both the Mandiant M-Trends and Verizon Data Breach Report each year
have been illustrating how futile it is to expect to be able to defend
all of your endpoints.  They do, however, show how damage isn't
usually done for days or weeks after the initial infection, so if you
can find the infected machines within a few business days, you've got
a good chance of emerging unscathed (other than the re-images, of
course).



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

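Martin's suggestion above (a handful of file-type signatures, with the hits then matched against disreputable autonomous systems) worked through as an added example; this is not code from anyone in the thread. It parses constructed Snort fast-format alert lines, maps the serving IP to an ASN through a constructed prefix table, and lists the internal hosts that pulled a JAR, PDF or executable from an ASN on an analyst's watch list; the signature IDs, addresses and ASNs are all made up.

```python
# Added example; the alert lines, prefix->ASN table and disreputable-ASN set are constructed.
import ipaddress
import re

# Constructed Snort fast-alert lines from file-type style signatures.
ALERTS = """\
02/02-17:01:12.123456  [**] [1:2000001:1] POLICY Java Archive Download [**] [Priority: 3] {TCP} 203.0.113.7:80 -> 10.0.0.21:51234
02/02-17:01:15.000001  [**] [1:2000002:1] POLICY PDF File Download [**] [Priority: 3] {TCP} 198.51.100.9:80 -> 10.0.0.22:51240
02/02-17:02:40.555555  [**] [1:2000003:1] POLICY Windows Executable Download [**] [Priority: 3] {TCP} 203.0.113.200:8080 -> 10.0.0.21:51301
02/02-17:03:01.000000  [**] [1:2000001:1] POLICY Java Archive Download [**] [Priority: 3] {TCP} 192.0.2.44:80 -> 10.0.0.30:51400
"""

# Constructed prefix -> ASN table; a deployment would query a BGP/ASN database.
PREFIX_TO_ASN = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
    ipaddress.ip_network("192.0.2.0/24"): 64502,
}
# Analyst-maintained set of ASNs whose file downloads get triaged (constructed).
DISREPUTABLE_ASNS = {64500}
# Snort fast format: "[**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port"
FAST_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)
def parse_fast_alert(line):
    """Pull sid, message, source IP and destination IP out of one fast-format line."""
    m = FAST_RE.search(line)
    if m is None:
        return None
    return {"sid": int(m["sid"]), "msg": m["msg"], "src": m["src"], "dst": m["dst"]}

def asn_for(ip):
    """First matching prefix wins; the constructed table has no overlapping prefixes."""
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in PREFIX_TO_ASN.items() if addr in net), None)

def correlate(alert_text, bad_asns=DISREPUTABLE_ASNS):
    """Return (internal host, signature msg, external IP, ASN) for hits served from a bad ASN."""
    flagged = []
    for line in alert_text.splitlines():
        a = parse_fast_alert(line)
        asn = asn_for(a["src"]) if a else None
        if asn in bad_asns:
            flagged.append((a["dst"], a["msg"], a["src"], asn))
    return flagged

if __name__ == "__main__":
    for host, msg, src, asn in correlate(ALERTS):
        print(f"TRIAGE {host}: '{msg}' from {src} (AS{asn})")
```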