tralse positive
play

TRALSE POSITIVE Simple Methods for Confirming IDS/IPS Alerts - PowerPoint PPT Presentation

Nov 26, 2023 •272 likes •517 views

TRALSE POSITIVE Simple Methods for Confirming IDS/IPS Alerts Introduc3on Geoffrey Serrao Currently Employed at Sourcefire, Inc. Tier I Technical Support Engineer Typical work day for a Tier 1 Hardware

  1. TRALSE ¡POSITIVE ¡ Simple Methods for Confirming IDS/IPS Alerts

  2. Introduc3on ¡ § Geoffrey Serrao § Currently Employed at Sourcefire, Inc. ▸ Tier I Technical Support Engineer § Typical work day for a Tier 1 ▸ Hardware questions ▸ Configuration questions ▸ False positive analysis 2

  3. IDS/IPS ¡Alerts ¡ • Big Three • Snort • Suricata • Bro IDS • IDS/IPS systems generate alerts based on: ▸ Signatures ▸ Network Anomalies § We will be dealing mostly with signature based events today 3

  4. A ¡Trend ¡ § More data is being analyzed § More events are being generated § What do we do with all of these events? 10 Mbps 100 Mbps 500 Mbps 1 Gbps 10 Gbps 40 Gbps 4

  5. Current ¡Incident ¡Handling ¡Process ¡ § Preparation § Detection and Notification § Investigation And Qualification § Communication § Containment and Recovery § Lessons Learned 5

  6. Exis3ng ¡Techniques ¡ Best Automated Informed Analysis Manual Analysis Guessing Hope/Pray Worst 6

  7. The ¡Current ¡Method ¡ § Step 1: Verify Rule Context ▸ Rule Header ▸ Content Matches § Step 2: Verify Endpoints ▸ Who ’ s talking § Step 3: Verify Conversation ▸ What ’ s being said – gets technical § Step 4: Verify Operational Context ▸ How does this type of attack affect my network deployment? – also gets technical 7

  8. A ¡Happy ¡Example ¡ 8

  9. Drawbacks ¡of ¡the ¡Current ¡Method ¡ § Limited by the amount of information available to the analyst at the time § Time intensive § Tedious § Reactive approach 9

  10. Real ¡World ¡Example ¡ 10

  11. How ¡to ¡Improve ¡ § Let ’ s take a more proactive approach § Increase the amount of information available to the analyst § Increase the quality of the dissected payload § Use automation tools § The best methods are the most informed methods § We need a bigger source of information 11

  12. What ¡I ’ d ¡Like ¡to ¡See ¡ IP ’ s rDNS Verdict … 54.243.156.140 sourcefire.com Clean 64.214.53.2 sf-nat.sourcefire.com Clean 205.178.189.131 flocon.org Clean 167.216.129.13 immunet.com Clean 23.23.170.170 snort.org Clean 69.43.161.180 antivirus-online21.com +Investigate 192.88.209.252 cert.org Clean 10.20.57.16 <none> RFC 1918 … http://dns-bh.sagadc.org/domains.txt 12

  13. Informa3on ¡Sources ¡ IP Reputation Field URL Intelligence Reputation PCAPalyze IP Emerging Geolocation Threats Database 13

  14. Informa3on ¡Sources, ¡Cont. ¡ § Common ▸ http://www.malwaredomains.com ▸ www.mxtoolbox.com ▸ https://www.dnsstuff.com/ ▸ http://www.siteadvisor.com/ ▸ https://www.phishtank.com/ § Not so common ▸ Pastebin.com ▸ Twitter.com 14

  15. Favorite ¡Informa3on ¡Source ¡ § http://support.clean-mx.de/clean-mx/viruses § They ’ ve been really tolerating my automated testing § Easily encoded POST http requests for ▸ IP ▸ Domain 15

  16. Python! ¡ https://xkcd.com/353/ 16

  17. The ¡Code ¡1 ¡of ¡3 ¡ from scapy.all import * from scapy.utils import * … print "Reading PCAP(s):" for x in range(num_pcaps): try: pkts.extend(rdpcap(caps[x])) except Exception, e: print e print "Collecting IPs.." for pkt in pkts: if pkt.haslayer(IP): if not pkt[IP].src in ip_list: ip_list.append(pkt[IP].src) if not pkt[IP].dst in ip_list: ip_list.append(pkt[IP].dst) print len(ip_list), " unique IPs collected from pcap(s) ” … 17

  18. The ¡Code ¡2 ¡of ¡3 ¡ for i in ip_list: if check_country: try: location = str(GEOIP.lookup(i)).split('country')[1].strip('[] \n ’ ) except Exception, e: print "country lookup failure.", e if check_hostname: try: hostname = socket.getfqdn(i) except Exception, e: hostname = "Couldn't find hostname", e 18

  19. The ¡Code ¡3 ¡of ¡3 ¡ response = urlopen('http://support.clean-mx.de/clean-mx/viruses.php') forms = ParseResponse(response, backwards_compat=False) form = forms[0] try: br = mechanize.Browser() … form['ip'] = i response = urlopen(form.click()).read() if not response.find('<br><br><div align="center"><b>For this query is nothing recorded in our database.</b><br>') > -1: reputation = "- Investigate" else: reputation = "+ Clean" 19

  20. Finished ¡Output ¡ 20

  21. Caveats ¡and ¡PiRalls ¡ § Customers with secure networks and tight data retention policies may not be able to take full advantage § Working with encryption § Tuning for accuracy 21

  22. Future ¡Development ¡ • PCAPalyze • PHP web application (HTTPS) interface • Flask + Python back end • SCAPY used for extrapolating PCAP data • Uses more sources of data • Available for the public to use • Works with more protocols 22

  23. In ¡Summa3on ¡ 23

  24. Ques3ons ¡ 24

Recommend

Becky Coffin Kingfisher plc Net Positive 2 Net Positive 3 Net Positive 4 Creating the

Becky Coffin Kingfisher plc Net Positive 2 Net Positive 3 Net Positive 4 Creating the

Achieving Net Positive through responsible sourcing Becky Coffin Kingfisher plc Net Positive 2 Net Positive 3 Net Positive 4 Creating the leader Net Positive 5 Net Positive 6 WHAT HAVE WE LEARNED ABOUT RESPONSIBLE SOURCING?

450 views • 19 slides
Positive Discipline The Solution Studio What is Positive Discipline? Positive discipline is a

Positive Discipline The Solution Studio What is Positive Discipline? Positive discipline is a

Positive Discipline The Solution Studio What is Positive Discipline? Positive discipline is a key to helping children develop self-discipline, responsibility, cooperation, and problem-solving skills. It is a discipline model used by schools,

381 views • 6 slides
Module 5 Positive Influence Module Five: Positive Influence Objectives Understand the need

Module 5 Positive Influence Module Five: Positive Influence Objectives Understand the need

In the last module we discussed why Character and Ethics are important, we now turn to how to make those results happen. Your positive influence on others daily. 0 Module 5 Positive Influence Module Five: Positive Influence Objectives

250 views • 13 slides
Remove negative environments Promote positive growth Reward good / positive and

Remove negative environments Promote positive growth Reward good / positive and

New positive promotion campaign Remove negative environments Promote positive growth Reward good / positive and punish unacceptable behaviours Empower all clubs to take action with the support of the RFL

457 views • 22 slides
CSE not every positive integer is prime 311 some positive integer is not prime prime

CSE not every positive integer is prime 311 some positive integer is not prime prime

Negations of quantifiers CSE not every positive integer is prime 311 some positive integer is not prime prime numbers do not exist Foundations of every positive integer is not prime Computing I Fall 2014 Negations of

351 views • 6 slides
Disparities in HIV positive men of color HIV positive men of color: Constitute a

Disparities in HIV positive men of color HIV positive men of color: Constitute a

Amenability of HIV-positive African American Men to Shared Medical Appointments for Primary Care Colin Gershon, N.P., M.P.H.; Matthew Siegel, B.S.; Matthew Masankay, B.S.; Michael Arnold, Ph.D., Malcolm John, M.D., M.P.H. Division of Infectious

544 views • 8 slides
Social Innovation Hub in Skopje What is Positive Deviance and when and how to use it Positive

Social Innovation Hub in Skopje What is Positive Deviance and when and how to use it Positive

Social Innovation Hub in Skopje What is Positive Deviance and when and how to use it Positive Deviance is one of a number of asset-based approaches to change. It is based on the observation that in every community, there are a few people, the

836 views • 21 slides
Positive Ageing &amp; Resilience Training Guy Robertson Director Positive Ageing Associates

Positive Ageing &amp; Resilience Training Guy Robertson Director Positive Ageing Associates

Positive Ageing &amp; Resilience Training Guy Robertson Director Positive Ageing Associates Positive Ageing &amp; Resilience Training Delivery Miriam Akhtar Guy Robertson Major Life Events Retirement Relationship breakdown

648 views • 63 slides
Living a Positive Life in Challenging Times Sonya Corbin Dwyer, Ph.D. Positive Psychology

Living a Positive Life in Challenging Times Sonya Corbin Dwyer, Ph.D. Positive Psychology

Living a Positive Life in Challenging Times Sonya Corbin Dwyer, Ph.D. Positive Psychology Promotes the best in human behaviour Promotes the understanding of healthy human functioning Positive emotions seem to help restore or preserve

366 views • 24 slides
Mental health can be a positive thing! Positive mental health truly is a &quot;state of

Mental health can be a positive thing! Positive mental health truly is a &quot;state of

Mental health can be a positive thing! Positive mental health truly is a &quot;state of mind&quot; and a feeling of well-being. It is linked to greater productivity, improved cognitive functioning, and has even been shown to improve the immune

443 views • 28 slides
LHH LHH Po Positive Car Care Pr Program LHH Positive Care Program 1989 1996 The Early Years O4

LHH LHH Po Positive Car Care Pr Program LHH Positive Care Program 1989 1996 The Early Years O4

LHH LHH Po Positive Car Care Pr Program LHH Positive Care Program 1989 1996 The Early Years O4 unit LHH Positive Care Program 1996 2010 Expansion of treatment options Increase in survival and discharge Second unit opens (F3)

226 views • 21 slides
Outline What is positive psychology? Major research areas Criticisms of the discipline

Outline What is positive psychology? Major research areas Criticisms of the discipline

Outline What is positive psychology? Major research areas Criticisms of the discipline Future directions Questions Defining Positive Psychology Positive psychology is the scientific study of optimal human functioning

854 views • 47 slides
The Power Of Positive Thoughts By : Andrew Bennett What Y ou Think About Thinking Do you think

The Power Of Positive Thoughts By : Andrew Bennett What Y ou Think About Thinking Do you think

The Power Of Positive Thoughts By : Andrew Bennett What Y ou Think About Thinking Do you think Good Thinking Brings good things in your life? What is positive thinking? What is negative thinking? Positive Thinking Positive thinking is a

229 views • 18 slides
Positive feedback regulation Rodolphe Sepulchre -- University of Cambridge LCCC workshop on

Positive feedback regulation Rodolphe Sepulchre -- University of Cambridge LCCC workshop on

LCCC is a positive environment (i.e. the metric of positive systems) Positive feedback regulation Rodolphe Sepulchre -- University of Cambridge LCCC workshop on Learning and Adaptation for Sensorimotor Control - Lund - October 2018 ! 2

367 views • 8 slides
Pyramid 101 Positive Behavior Support Pyramid Model Components Introduction to Positive Behavior

Pyramid 101 Positive Behavior Support Pyramid Model Components Introduction to Positive Behavior

Pyramid 101 Positive Behavior Support Pyramid Model Components Introduction to Positive Behavior Support in Early Childhood Settings Effective Workforce better-trained caregivers are the foundation Patti Mahrt-Roberts Nurturing and

588 views • 27 slides
Electronic Components Battery A portable power source that has a positive and negative.

Electronic Components Battery A portable power source that has a positive and negative.

Electronic Components Battery A portable power source that has a positive and negative. Electronics works on Direct Current (DC) where electrons flow from negative to positive. These are the symbols that will be used for Positive and

240 views • 12 slides
Middle Manager Maestro CHCM Symposium 2013 Positive Deviants Positive Deviants: Are

Middle Manager Maestro CHCM Symposium 2013 Positive Deviants Positive Deviants: Are

Middle Manager Maestro CHCM Symposium 2013 Positive Deviants Positive Deviants: Are individuals who have the same resources, challenges, and influences as their peers, yet have approached a problem differently using out of the box and

309 views • 19 slides
Whos doing digital content well? Positive News positive.news Pitchfork pitchfork.com

Whos doing digital content well? Positive News positive.news Pitchfork pitchfork.com

Whos doing digital content well? Positive News positive.news Pitchfork pitchfork.com Stories For Good storiesforgood.org Love for Iceland loveforiceland.com Patagonia bearsears.patagonia.com Know your lemons worldwidebreastcancer.org

426 views • 24 slides
Positive Train Control June 28, 2018 PTC Overview Positive train control uses GPS, radio

Positive Train Control June 28, 2018 PTC Overview Positive train control uses GPS, radio

Positive Train Control June 28, 2018 PTC Overview Positive train control uses GPS, radio communications, and onboard and wayside computer equipment to enforce speed limits and authority limits should the operating engineer fail to take

647 views • 17 slides
A tropical approach to a generalized Hodge conjecture for positive currents Farhad Babaee

A tropical approach to a generalized Hodge conjecture for positive currents Farhad Babaee

A tropical approach to a generalized Hodge conjecture for positive currents Farhad Babaee SNSF/Universit e de Fribourg February 20, 2017 - Toblach Are all positive currents with Hodge classes approximable by positive sums of integration

791 views • 33 slides
New science, clear guidance better for my health With HIV testing If I am HIV positive, I

New science, clear guidance better for my health With HIV testing If I am HIV positive, I

New science, clear guidance better for my health With HIV testing If I am HIV positive, I can demand My doctor should If I am HIV and counselling I can start my simpler, safer, check my viral positive and being provided treatment

401 views • 3 slides
CONSUMER AFFAIRS CLINIC &amp; SELF HELP CENTER PEER SUPPORT POSITIVE THINKING Jennifer Jones,

CONSUMER AFFAIRS CLINIC &amp; SELF HELP CENTER PEER SUPPORT POSITIVE THINKING Jennifer Jones,

CONSUMER AFFAIRS CLINIC &amp; SELF HELP CENTER PEER SUPPORT POSITIVE THINKING Jennifer Jones, MA, ASW Positive Psychology Based on Shaun Achors Positive Psychology that comes out of Harvard University. Shawn Achor is the winner of over a

455 views • 21 slides
Building Positive Ensembles: Canadian Positive Psychology Association Shannon M. Polly, MAPP

Building Positive Ensembles: Canadian Positive Psychology Association Shannon M. Polly, MAPP

June16, 2016 Building Positive Ensembles: Canadian Positive Psychology Association Shannon M. Polly, MAPP Ritual and Play Jan Stanley, MAPP Agenda Some RES RESEAR EARCH CH on play Lets PLA PLAY Y together How to DE DESIGN IGN

861 views • 40 slides
WELCOME! THANK YOU FOR BRAVING THE SNOW! Making a positive difference in the lives of our

WELCOME! THANK YOU FOR BRAVING THE SNOW! Making a positive difference in the lives of our

WELCOME! THANK YOU FOR BRAVING THE SNOW! Making a positive difference in the lives of our clients Rockford Housing Authority Environment and Transition Model Making a positive difference in the lives of our clients Making a positive

822 views • 47 slides

More recommend