topic Re: help on Custom signature base on the return traffic in Custom Signatures

help on Custom signature base on the return traffic

kowu — Wed, 09 Nov 2016 08:58:52 GMT

Dear Bros

Anyone has the experience of create custom signature base on the return traffic? attached please find the PCAP file

This is JBoss attack while custom want us to alert base on the server return traffic content pattern which means attack most likely successful

Attacker:10.63.212.201 server:10.10.228.94

Re: help on Custom signature base on the return traffic

Lucky — Wed, 09 Nov 2016 11:21:22 GMT

Hi Kowu,

Welcome to our community.

When looking at this pcap - it seems to be a capture of communication to the localhost: Host: 127.0.0.1:9090; therefore I assume this was POC code. Firewall cannot help much in intercepting traffic from an endpoint to itself 🙂

I am not familiar with this attack, can you share more details on the attack technique itself? What is the attack doing, what are bits related to the attack... is the CVE associated with this technique or some other detail, is it described somewhere? Or, at least, what is the string you believe implies that server was attacked? I see pcap looks complete but I am not sure what is "good" and what is "bad" part of the response. It is better to find "bad" code to create signature for it, to avoid possible false positives.

Please share a bit more detail so we can help you better.

Best regards

Luciano

Re: help on Custom signature base on the return traffic

kowu — Wed, 09 Nov 2016 13:14:23 GMT

Thanks luck!

it is related with Jboss CVE vul(Red Hat JBoss Commons Collections Library Remote Code Execution Vulnerability) ID 38507,

Customer want a custom signature to combine this CVE with the related reply session from the vicitm which means the attack is most likely successful

let's if the attack session hit the CVE, while the response traffic in the session from vicitm contain "http 1.1 200 ok" means the attack session is established or successful

this signature is to create a signature that can match the reply/response traffic and combine them,

Attacker:10.63.212.201 vicitm:10.10.228.94 (reponse traffic should be from 10.10.228.94 to 10.63.212.201)

Re: help on Custom signature base on the return traffic

kowu — Wed, 09 Nov 2016 13:16:01 GMT

please filter the ip address in the pcap file

Attacker:10.63.212.201 http server:10.10.228.94

Re: help on Custom signature base on the return traffic

kowu — Wed, 09 Nov 2016 18:51:19 GMT

any advise?

Re: help on Custom signature base on the return traffic

BenjAudy.MTL — Wed, 16 Nov 2016 16:06:23 GMT

Hi,

I never tried it, but I guess you could create a new vulnerability that looks at the HTTP response code 200 (http-rsp-code equals 200) and JBoss HTTP header (Pattern match http-rsp-headers on X-Powered-by ...). You could then create a combination signature that includes threat ID 38507 with the new signature you made.

Benjamin