11-09-2016 12:58 AM
Dear Bros
Does anyone have experience creating a custom signature based on the return traffic? Attached please find the PCAP file.
This is a JBoss attack, and the customer wants us to alert based on the server's return traffic content pattern, which means the attack was most likely successful.
Attacker: 10.63.212.201, server: 10.10.228.94
11-09-2016 03:19 AM - edited 11-09-2016 03:21 AM
Hi Kowu,
Welcome to our community.
When looking at this pcap, it seems to be a capture of communication to the localhost: Host: 127.0.0.1:9090; therefore I assume this was POC code. A firewall cannot help much in intercepting traffic from an endpoint to itself 🙂
I am not familiar with this attack; can you share more details on the attack technique itself? What is the attack doing, which bits are related to the attack, is there a CVE associated with this technique or some other detail, is it described somewhere? Or, at least, what is the string you believe implies that the server was attacked? I see the pcap looks complete, but I am not sure what is the "good" and what is the "bad" part of the response. It is better to find the "bad" code to create a signature for it, to avoid possible false positives.
Please share a bit more detail so we can help you better.
Best regards
Luciano
11-09-2016 05:13 AM - edited 11-09-2016 05:14 AM
Thanks, Luciano!
It is related to the JBoss CVE vulnerability (Red Hat JBoss Commons Collections Library Remote Code Execution Vulnerability), ID 38507.
The customer wants a custom signature that combines this CVE with the related reply session from the victim, which means the attack is most likely successful.
Let's say the attack session hits the CVE, while the response traffic in the session from the victim contains "http 1.1 200 ok"; that means the attack session is established or successful.
This signature is to create a signature that can match the reply/response traffic and combine them.
Attacker: 10.63.212.201, victim: 10.10.228.94 (response traffic should be from 10.10.228.94 to 10.63.212.201)
11-16-2016 08:06 AM
Hi,
I never tried it, but I guess you could create a new vulnerability that looks at the HTTP response code 200 (http-rsp-code equals 200) and JBoss HTTP header (Pattern match http-rsp-headers on X-Powered-by ...). You could then create a combination signature that includes threat ID 38507 with the new signature you made.
Benjamin
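An added illustration of the response-side check Benjamin describes, written for this thread in Python and not taken from the pcap or from any vendor's signature engine: parse the victim's HTTP reply, flag status 200 together with a JBoss marker in X-Powered-By, and raise the combined alert only when the same session already hit the request-side signature (threat ID 38507 is just the label the caller passes in). The reply bytes and header values are constructed, and the `jboss` pattern is an assumption to tune against real server headers.

```python
import re

# Marker expected in X-Powered-By; this pattern is an assumption, real header
# values differ between JBoss versions, so tune it against your own traffic.
JBOSS_POWERED_BY = re.compile(r"jboss", re.IGNORECASE)
REQUEST_SIDE_THREAT_ID = 38507  # the request-side signature referenced in the thread


def parse_http_response(raw: bytes):
    """Return (status_code, headers) from the head of a raw HTTP/1.x response.

    Only the status line and headers are parsed; the body is ignored.
    Returns (None, {}) when the data does not start like an HTTP response.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"^HTTP/1\.[01]\s+(\d{3})", lines[0])
    if not m:
        return None, {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return int(m.group(1)), headers


def response_looks_successful(raw: bytes) -> bool:
    """Response-side condition from the thread: 200 OK from a JBoss-powered server."""
    status, headers = parse_http_response(raw)
    return status == 200 and bool(JBOSS_POWERED_BY.search(headers.get("x-powered-by", "")))


def combined_alert(request_threat_ids, raw_response: bytes):
    """Emulate a combination signature: alert only when the request side of the
    session already matched the RCE signature AND the reply satisfies the
    response-side condition. Returns a description string or None."""
    if REQUEST_SIDE_THREAT_ID not in request_threat_ids:
        return None
    if not response_looks_successful(raw_response):
        return None
    return f"combination hit: request matched {REQUEST_SIDE_THREAT_ID}, server replied 200 with JBoss header"


# Constructed sample replies (not taken from the attached pcap).
SUCCESS_REPLY = (b"HTTP/1.1 200 OK\r\n"
                 b"X-Powered-By: Servlet 2.5; JBoss-5.0 (constructed)\r\n"
                 b"Content-Length: 2\r\n\r\nok")
ERROR_REPLY = b"HTTP/1.1 500 Internal Server Error\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(combined_alert({REQUEST_SIDE_THREAT_ID}, SUCCESS_REPLY))  # combination hit
    print(combined_alert({REQUEST_SIDE_THREAT_ID}, ERROR_REPLY))    # None
```

A plain 200 without the JBoss header, or a 200 in a session whose request never matched 38507, produces no alert, which is what keeps the combination narrower than either condition alone.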