help on Custom signature base on the return traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

help on Custom signature base on the return traffic

L1 Bithead

Dear Bros

 

     Anyone has the experience of create custom signature base on the return traffic? attached please find the PCAP file

 

     This is JBoss attack while custom want us to alert base on the server return traffic content pattern which means attack most likely successful

 

     Attacker:10.63.212.201 server:10.10.228.94

5 REPLIES 5

L5 Sessionator

Hi Kowu,

 

Welcome to our community.

 

When looking at this pcap - it seems to be a capture of communication to the localhost: Host: 127.0.0.1:9090; therefore I assume this was POC code. Firewall cannot help much in intercepting traffic from an endpoint to itself 🙂

 

I am not familiar with this attack, can you share more details on the attack technique itself? What is the attack doing, what are bits related to the attack... is the CVE associated with this technique or some other detail, is it described somewhere? Or, at least, what is the string you believe implies that server was attacked? I see pcap looks complete but I am not sure what is "good" and what is "bad" part of the response. It is better to find "bad" code to create signature for it, to avoid possible false positives.

 

Please share a bit more detail so we can help you better.

 

Best regards

Luciano

Thanks luck!

 

it is related with Jboss CVE vul(Red Hat JBoss Commons Collections Library Remote Code Execution Vulnerability) ID 38507,

 

Customer want a custom signature to combine this CVE with the related reply session from the vicitm which means the attack is most likely successful

 

let's if the attack session hit the CVE, while the response traffic in the session from vicitm contain "http 1.1 200 ok" means the attack session is established or successful

 

this signature is to create a signature that can match the reply/response traffic and combine them,

 

Attacker:10.63.212.201 vicitm:10.10.228.94 (reponse traffic should be from 10.10.228.94 to 10.63.212.201)

 

 

 

 

please filter the ip address in the pcap file

 

Attacker:10.63.212.201  http server:10.10.228.94

any advise?

Hi,


I never tried it, but I guess you could create a new vulnerability that looks at the HTTP response code 200 (http-rsp-code equals 200) and JBoss HTTP header (Pattern match http-rsp-headers on X-Powered-by ...). You could then create a combination signature that includes threat ID 38507 with the new signature you made.

 

Benjamin

  • 3934 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!