Help on custom signature based on the return traffic

L1 Bithead

Help on custom signature based on the return traffic

Dear Bros

Does anyone have experience creating a custom signature based on the return traffic? Please find the PCAP file attached.

This is a JBoss attack; the customer wants us to alert based on the server's return traffic content pattern, which would mean the attack was most likely successful.

Attacker: 10.63.212.201, server: 10.10.228.94

L5 Sessionator

Re: Help on custom signature based on the return traffic

Hi Kowu,

Welcome to our community.

When looking at this pcap, it seems to be a capture of communication to localhost (Host: 127.0.0.1:9090); therefore I assume this was POC code. A firewall cannot help much in intercepting traffic from an endpoint to itself :)

I am not familiar with this attack; can you share more details on the attack technique itself? What is the attack doing, what are the bits related to the attack, is there a CVE associated with this technique or some other detail, is it described somewhere? Or, at least, what is the string you believe implies that the server was attacked? I see the pcap looks complete, but I am not sure what is the "good" and what is the "bad" part of the response. It is better to find the "bad" code to create a signature for it, to avoid possible false positives.

Please share a bit more detail so we can help you better.

Best regards

Luciano

L1 Bithead

Re: Help on custom signature based on the return traffic

Thanks luck!

It is related to the JBoss CVE vulnerability (Red Hat JBoss Commons Collections Library Remote Code Execution Vulnerability), ID 38507.

The customer wants a custom signature that combines this CVE with the related reply session from the victim, which would mean the attack is most likely successful.

Let's say the attack session hits the CVE, while the response traffic in the session from the victim contains "HTTP/1.1 200 OK"; that means the attack session is established or successful.

The goal is to create a signature that can match the reply/response traffic and combine them.

Attacker: 10.63.212.201, victim: 10.10.228.94 (response traffic should be from 10.10.228.94 to 10.63.212.201)

L1 Bithead

Re: Help on custom signature based on the return traffic

Please filter on the IP addresses in the pcap file.

Attacker: 10.63.212.201, HTTP server: 10.10.228.94

L1 Bithead

Re: Help on custom signature based on the return traffic

Any advice?

L4 Transporter

Re: Help on custom signature based on the return traffic

Hi,

I have never tried it, but I guess you could create a new vulnerability signature that looks at HTTP response code 200 (http-rsp-code equals 200) and the JBoss HTTP header (pattern match on http-rsp-headers for X-Powered-By ...). You could then create a combination signature that includes threat ID 38507 together with the new signature you made.

Benjamin
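The logic Benjamin describes, modelled in Python as an added example (this is not code from the thread, from Palo Alto Networks, or from the attached pcap, and it is not a PAN-OS signature definition): a request-side hit and a response-side hit are only raised as an alert when they occur in the same flow, in opposite directions. The request-side predicate `request_side_hit()` is an assumption that stands in for threat ID 38507, which the thread does not describe; since the CVE is a Java deserialization issue, the stand-in looks for the Java serialization stream header (0xACED0005) in a POST body. The response-side predicate is exactly the pair of conditions from the reply above: status 200 and an X-Powered-By header naming JBoss. The traffic samples, the port 9090 and the request path are constructed so the example runs offline.

```python
"""Two-sided ("combination") check modelled on the reply above.
Added example; request_side_hit() is an ASSUMED stand-in for threat 38507."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ATTACKER = "10.63.212.201"   # from the thread
VICTIM = "10.10.228.94"      # from the thread

# Java ObjectOutputStream header (STREAM_MAGIC 0xACED, STREAM_VERSION 5).
# Assumption: used only as a stand-in for the real threat 38507 match.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


@dataclass(frozen=True)
class Segment:
    """Payload of one TCP segment in one direction, as it would come out of a pcap."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def flow_key(seg: Segment) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """Direction-independent key so request and reply land on the same flow."""
    return tuple(sorted([(seg.src, seg.sport), (seg.dst, seg.dport)]))


def request_side_hit(payload: bytes) -> bool:
    """Stand-in for threat ID 38507 (assumption; see module docstring)."""
    return payload.startswith(b"POST ") and JAVA_SERIAL_MAGIC in payload


def parse_http_response(payload: bytes) -> Optional[Tuple[int, Dict[str, str]]]:
    """Return (status_code, lower-cased header map), or None if not an HTTP reply."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    m = re.match(rb"HTTP/1\.[01] (\d{3})\b", lines[0])
    if m is None:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii", "replace")] = \
                value.strip().decode("ascii", "replace")
    return int(m.group(1)), headers


def response_side_hit(payload: bytes) -> bool:
    """Benjamin's two conditions: http-rsp-code equals 200 AND X-Powered-By names JBoss."""
    parsed = parse_http_response(payload)
    if parsed is None:
        return False
    code, headers = parsed
    return code == 200 and "jboss" in headers.get("x-powered-by", "").lower()


def combination_alerts(segments: List[Segment]) -> List[Tuple[str, str]]:
    """Alert (client, server) only when a request-side hit is answered, in the
    same flow and in the reverse direction, by a response-side hit."""
    pending: Dict[object, Tuple[str, str]] = {}
    alerts: List[Tuple[str, str]] = []
    for seg in segments:
        key = flow_key(seg)
        if request_side_hit(seg.payload):
            pending[key] = (seg.src, seg.dst)          # remember who attacked whom
        elif key in pending:
            client, server = pending[key]
            if (seg.src, seg.dst) == (server, client) and response_side_hit(seg.payload):
                alerts.append((client, server))
                del pending[key]                       # one alert per request hit
    return alerts


# --- constructed sample traffic (not taken from the attached pcap) ------------
ATTACK_REQUEST = (
    b"POST /app HTTP/1.1\r\nHost: " + VICTIM.encode() + b":9090\r\n"
    b"Content-Type: application/octet-stream\r\nContent-Length: 8\r\n\r\n"
    + JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x11"
)
OK_JBOSS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nX-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1\r\n"
    b"Content-Length: 0\r\n\r\n"
)
ERROR_RESPONSE = b"HTTP/1.1 500 Internal Server Error\r\nContent-Length: 0\r\n\r\n"
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: " + VICTIM.encode() + b":9090\r\n\r\n"

SUCCESSFUL_ATTACK = [
    Segment(ATTACKER, 40001, VICTIM, 9090, ATTACK_REQUEST),
    Segment(VICTIM, 9090, ATTACKER, 40001, OK_JBOSS_RESPONSE),
]
FAILED_ATTACK = [
    Segment(ATTACKER, 40002, VICTIM, 9090, ATTACK_REQUEST),
    Segment(VICTIM, 9090, ATTACKER, 40002, ERROR_RESPONSE),
]
BENIGN_BROWSING = [  # 200 + JBoss header on its own must not fire
    Segment("10.63.212.7", 40003, VICTIM, 9090, BENIGN_REQUEST),
    Segment(VICTIM, 9090, "10.63.212.7", 40003, OK_JBOSS_RESPONSE),
]

if __name__ == "__main__":
    for name, session in [("successful", SUCCESSFUL_ATTACK), ("failed", FAILED_ATTACK),
                          ("benign", BENIGN_BROWSING)]:
        print(name, combination_alerts(session))
```

The benign session is the reason the response-side conditions cannot stand alone: every ordinary JBoss page returns 200 with that header, so the new signature only carries meaning when the firewall ties it to a 38507 hit on the same session, which is what the combination signature does. When building this in PAN-OS, replace the stand-in predicate with the real threat ID and confirm the request and reply are being matched within one session rather than as two independent hits.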
