Time
10 hours 19 minutes
Difficulty
Intermediate
CEU/CPE
12

Video Transcription

00:05
are reviewing alerts.
00:07
That's the fun part, right?
00:08
And anybody looked at an ideas alert log. All right,
00:12
Sometimes you could be mind blowing mind melting. That's a better word.
00:16
So what do you often see in alerts? Aaron? So, um, we'll use we're gonna end up using snorting his example. So a rule in an idea's a couple things. One, it tells you
00:27
what you're looking for.
00:29
And then what to do with it,
00:31
Okay. Rules saying common things on the rules
00:34
source and destination address. Importance.
00:37
Okay, I want from any i p address to this i p address in port, or I want only this range of I p address coming into this I p range or whatever. Maybe
00:48
only on T c. P. And I only want it on
00:51
53. So I want to know. I want to be alerted on any TCP connections being attempted in Port 53 on this system
00:59
and whatever package contents. So that's that stuff. The other part is what to do with the alert or what to do when the rule is tripped.
01:07
So, in an I. D. S, the common things air alert their log there in a couple different
01:12
versions or variations of those seams on the I P s side, you could block,
01:17
you can drop. There's different kind of functions for each of those. If I drop a packet, I'm not telling. I'm not giving a response by block. It gets a message back. Sorry. Service unavailable tells the attack or something, depending on how it's configured.
01:32
Um,
01:33
so your actions So those of that. You know, we're talking about the actions to be taken the packet. And then what does the alert say or do? There's a lot of messages. There's priorities for them. There is is, you know, on snort rule to have references. You put right in there. Okay, reference this girl. And here is the c E for this vulnerability
01:51
that this a rule is meant to trip.
01:55
Ah, and then, you know, again on the message side, whatever information you want to put in there, So here is a simple rule and how it alerts. So the first part tells it how it works.
02:06
So the first part says alert.
02:07
Okay, now in snore. And I think many of its a simple text file the rules are really simple there. Long text files open up some time. First part says, What's it gonna do? It's gonna alert. Okay, got it.
02:22
This I know if you see a crunch or the Octo Thorpe
02:27
pound sign
02:29
in front of a rule means it's commented out in a lot of theirs. Most have different versions of that, but and snort, it's a comment.
02:35
So this alert second part says, What kind of protocol am I looking at? So TCP udp that icmp What is it? You know, what am I looking at?
02:45
And then you'll see
02:46
the source i p address
02:50
source. Port
02:51
Hero says, going this way.
02:53
So it's from
02:54
any i p address in any port coming in to the home. That snort allows you to configure ranges of I PS and different things and kind of use Ah, variable global variable to describe so home that could be anything. Or you could put an I p address or cider notation 192168.1 dot
03:13
those last 24. So anything coming into that,
03:15
that's something at that range
03:17
and then on any port.
03:20
So
03:21
let's talk about with us. Just walked through talking about in a sentence for me.
03:25
Okay, so if a packet comes in from any I p address on report insider networks, any port,
03:31
I'm gonna alert on it. Okay? What else must there are the requirements. It must meet
03:37
flags. Okay. Familiar with TCP packets? They have flags. There's a lot of different ones. Um, so flags is the mechanism. Say these are the ones. If it's if it meets these criteria, Sugar, this case s for sin. Sin flag.
03:53
So any packet coming in any at all from any API address? Any port coming inside on any port where the sin flag.
04:00
I just want a log, a message or an alert. And the message will say sin packet.
04:05
This you will get a lot of false positives.
04:08
Not a lot of things will actually do this if you have home that configured.
04:15
So this in tax, in general,
04:17
where it's coming, what to do, Where it comes from, where it's going to. What do I look for? And then what do I tell you about it? What is the message
04:27
in the case of an I. P. S or its Norton I PS mode, you might see drop
04:30
at the beginning. Drop TCP any any toe home met any of these flags, and then they're not gonna go through. In this case, they'll go through. All this stuff will go through, which is probably good, but your log file will get a little ridiculous.
04:45
All right, So how do we use an idea, sir? Knight PS to detect different attack faces. Faces of the attack. So someone's doing reconnaissance. You could look for and map scans.
04:55
And you can use that either heuristic scanning or anomaly scanning or specific strings in a scan they might see from before paying sweeps. We're seeing lots of ICMP traffic across the whole bunch of different ports or airports.
05:09
Hosts I p addresses
05:12
exploitation. So if we're trying to see sequel injection, you know, if a
05:15
I. D. S and P S is reading packets and it's seeing the typical you know, tactic for one equals one or some sort of sequel command going through,
05:27
um, you know, if it's a
05:30
let's see, depending a word, is there? I mean, there's a lot of other different things, like a Web application
05:34
firewall on some other filtering, that'll find that as well
05:39
Buffer overflow is looking for no ups leads. You look for directory, traverse a ll attacks the common thing you'll see in some rules Are doc got slashed, doctor slashdot dot slash
05:48
et cetera. If a rule that if a pack of matches that good chance there's an attempted directory reversal attack
05:56
So then transmits where the callbacks backdoors Is there something going out
06:00
on a port that is not normally going out?
06:02
We, you know, do we know that this malware or this a PT or actor whoever their servers Listen on poor 12345 And it's TCP and whatever the case may be. So if I see outgoing traffic on 12345
06:16
Perhaps that's something I need to be interested in. You'd be alerted on
06:20
pivoting inside the network if somebody gets in. You know, once they're through that, if you have an I p s in place, their firewall in place in there through now they're already inside. So depending on where the locations are, you can see them maybe pivoting throughout the network.
06:31
You have them in different segments of the network, you might say. Okay, well, why is this person in 192 space. Accessing this, you know, in management system or administrative system over here in 10 space, they're not supposed to not supposed to be able to, but they shouldn't be trying to do it Anyway. What's going on? Why are we seeing that traffic
06:49
And then data exfiltration of you looking at
06:53
large packets or large quantities of packets? You know, that's kind of that behavior, behavioral anomaly, traffic, normally outbound. We only see two Gabe to gig a day now from you know, 9 p.m. to 3 a.m. In the morning. We're seeing five gig
07:09
traffic,
07:10
you know. Where is it coming from? Where is it going to?
07:13
Maybe we shouldn't be transferring any files out to these rain. To my P addresses. You condone either log alert or block those using an I. D. S or an I. P. S.
07:28
You have any questions?
07:29
Automation of correlating those alert for his actress Emmanuel process. So Attackers gone through those phases, maybe they've done a couple different things,
07:41
so there'd be a correlation, you know, from that source of yours,
07:46
it could be automated. You could script that you could use tools to sort through and filter and follow it through.
07:55
So, for example, if you have a single like the address that is attacked the system or that you saw on alert on, we can filter that through,
08:05
I think snort someone is they have a kind of an interface front, and I can't remember the name of it off the top of my head
08:11
Barn something face Barnyard Barn based is their base of the interface.
08:20
Thank you.
08:22
So you know there's there's ways to goto Take that and look at it. You can do text file log analysis. You're actually good with scripting and command line. It's actually a pretty effective wayto parse through some stuff.
08:35
But when we get into on the log side cause these air logs just like anything other Ellison, you may be able to look into an I. D. S R. I. P s logs and find a bunch of stuff. But the real fun comes trying to correlate that with everything else you see, and that's that's the part that is not entirely automated, like a UTI UTI M or a scene will help with that
08:56
because you may have alerts triggered or assist log server
08:58
alerts from the all these different things or logs from this going in one location that you could part, sir.
09:03
Um,
09:05
but a lot of it's a I found one thing. Let me follow a trail. What else can I find? What other systems? So on and so forth?

Up Next