Category Archives: Use Cases

System Use Cases that help you detect attacks against your infrastructure. These System Use Cases are classified by Attacker Class (Opportunists, Targeting Opportunists, Professional or State Funded). This classification is inspired by Thierry Zoller's work “Attacker Classes and Pyramid (Version 2)”.

SUC017 : WEB Proxy CONNECT Request

  • Use Case Reference : SUC017
  • Use Case Title : Web Proxy CONNECT Request
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : No
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP
Possible correlation(s) :
  • Apache web open proxy scans

Source(s) :

We have detected an increase in Web Proxy CONNECT requests from Russia. The majority of the source IPs are from 95.24.0.0/13 (CORBINA-BROADBAND). As you can see in the yearly events graph, we have around 7 times more scan events than in previous months. The monthly TOP 10 source IPs graph also shows that all the IPs come from the same range, located in Russia.

(Graph: 1 month SIG 2001675 IDS Events)
(Graph: 1 year SIG 2001675 IDS Events)
(Graph: 1 Month TOP 10 source IPs for SIG 2001675)
(Graph: TOP 20 source countries for SIG 2001675)

SUC016 : RCE & SQL injection attempts on xmlrpc.php

  • Use Case Reference : SUC016
  • Use Case Title : RCE & SQL injection attempts on xmlrpc.php
  • Use Case Detection : IDS / Web logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : No, but User-Agent Mozilla/5.0
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP
Possible correlation(s) :
  • Joomla XML-RPC vulnerability
  • Multi-function Web scanner (RFI, LFI, XMLRPC, etc.)

Source(s) :

For the past week, we have detected an increase in RCE (Remote Code Execution) and SQL injection attempts against xmlrpc.php. These attempts are detected by ET rule 2002158, last modified on 2009-03-13.

Below is the payload used by these attempts.

test.method',''));echo 'XxXDIOCANEXxX';exit;/*

Although the source IPs are completely random, the User-Agent is always Mozilla/5.0 and the payload is always the same. These attempts seem to be generated by a tool with Google dorking capabilities. The source IPs are also involved in other exploit attempts, as members of RFI or LFI botnets.

(Graph: 24 hours SIG 2002158 events activities)
(Graph: 1 week SIG 2002158 events activities)
(Graph: 1 Month SIG 2002158 events activities)
(Graph: One year SIG 2002158 events activities)
(Graph: 1 Month TOP 10 source IPs for SIG 2002158)

SUC016 : User-Agent “Toata dragostea mea pentru diavola” scanner

  • Use Case Reference : SUC016
  • Use Case Title : User-Agent “Toata dragostea mea pentru diavola” Scanner
  • Use Case Detection : HTTP Logs / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Toata Scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP
Possible correlation(s) :
  • Toata scanner

Source(s) :

During your daily HTTP log check, you have surely seen this kind of pattern.

...
208.109.154.147 - - [25/May/2010:01:20:15 +0200] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:15 +0200] "GET /e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:16 +0200] "GET /db/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:17 +0200] "GET /e107/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:18 +0200] "GET /site/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:18 +0200] "GET /web/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
208.109.154.147 - - [25/May/2010:01:20:19 +0200] "GET /forum/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"
...

These patterns are related to Toata Scanner, a Web scanner specialized in Web application discovery. Originally this scanner targeted Roundcube Webmail installation files in order to exploit CVE-2008-5619. You can see from these log samples that Toata no longer targets only Roundcube, but is also used to detect e107 installations, for example. We published a security alert regarding e107 yesterday (24 May 2010); Toata is surely using a Google dorking feature to find its targets.
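As an added example (not code from the original post), a small Python detector for the HTTP-log side of this use case and of SUC017 above: it parses Apache combined-format lines like the extract above, groups them by source IP, and reports Toata User-Agent hits with the paths they probed, plus any CONNECT requests. The sample lines and their IP addresses are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the format of the log extract above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TOATA_UA = "Toata dragostea mea pentru diavola"  # SUC016 scanner User-Agent

def parse_line(line):
    """Parse one combined-format line; return a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["req"].split(" ")          # "GET /path HTTP/1.1"
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec

def scan_log(lines):
    """Per source IP: Toata hits and probed paths (SUC016), CONNECT probes (SUC017)."""
    report = defaultdict(lambda: {"toata": 0, "paths": set(), "not_found": 0, "connect": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                         # skip lines that do not parse
        entry = report[rec["ip"]]
        if rec["ua"] == TOATA_UA:
            entry["toata"] += 1
            entry["paths"].add(rec["path"])
            if rec["status"] == "404":
                entry["not_found"] += 1
        if rec["method"] == "CONNECT":       # open-proxy probe, as in SUC017
            entry["connect"] += 1
    return {ip: e for ip, e in report.items() if e["toata"] or e["connect"]}

# Constructed sample (documentation IPs) mirroring the extract above; not real traffic.
SAMPLE = [
    '192.0.2.10 - - [25/May/2010:01:20:15 +0200] "GET /e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"',
    '192.0.2.10 - - [25/May/2010:01:20:16 +0200] "GET /forum/e107_files/e107.css HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"',
    '192.0.2.10 - - [25/May/2010:01:20:17 +0200] "GET /roundcube/ HTTP/1.1" 404 27348 "-" "Toata dragostea mea pentru diavola"',
    '198.51.100.7 - - [25/May/2010:02:00:01 +0200] "CONNECT example.net:443 HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/May/2010:02:05:44 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, e in scan_log(SAMPLE).items():
        print(ip, "toata=%d paths=%d 404=%d connect=%d"
              % (e["toata"], len(e["paths"]), e["not_found"], e["connect"]))
```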

These scans are detected by Emerging Threats Snort rules, more precisely SID 2009159 “SCAN Toata Scanner User-Agent Detected”.

Below you can find the latest statistics for Toata scanner activity.

(Graph: 1 Month SIG 2009159 events activities)
(Graph: One year SIG 2009159 events activities)
(Graph: 1 Month TOP 10 source IPs for SIG 2009159)
(Graph: TOP 20 source countries for SIG 2009159)

SUC015 : Potential SSH Scan

  • Use Case Reference : SUC015
  • Use Case Title : Potential SSH Scan
  • Use Case Detection : Firewall logs / IDS / SSH logs
  • Attacker Class : Opportunists / Targeting Opportunists
  • Attack Sophistication : Unsophisticated / Low
  • Identified tool(s) : Most of the time libssh based
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 22/TCP
Possible correlation(s) :
  • SSH fingerprinting
  • SSH brute forcing

Source(s) :

We have compiled a list of more than 5 000 usernames that have been used in brute-force login attempts against our HoneyNet servers. This list is updated every day.

Emerging Threats SIG 2001219 creates an alert if we see 5 connections to destination port 22/TCP within an interval of 120 seconds. If we see, for example, 10 connections within 120 seconds, 2 alerts will be triggered. This SIG can be used to detect SSH brute force attacks.

Emerging Threats SIG 2006546 creates an alert if the content of a packet to destination port 22/TCP contains “SSH-” and “libssh”. In addition, the alert is only triggered if we detect 5 such connections within an interval of 30 seconds. If we see, for example, 10 connections within 30 seconds, only 1 alert will be triggered. This SIG can be used to detect SSH brute force attacks, but based on strict recognition of tools that use “libssh”.

Emerging Threats SIG 2006345 creates an alert if the content of a packet to destination port 22/TCP contains “SSH-” and “libssh”. In addition, the alert is triggered on 1 such connection within an interval of 30 seconds. If we see, for example, 10 connections within 30 seconds, only 1 alert will be triggered. This SIG can be used to detect SSH fingerprinting, but based on strict recognition of tools that use “libssh”. This SIG is not useful for SSH brute force attack recognition because of its limit-type threshold.
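The three threshold behaviours described above, reproduced in Python as an added example (this is not Emerging Threats' rule code): the `limit`, `threshold` and `both` types are modelled on Snort's threshold semantics, the content check uses only the “SSH-” and “libssh” strings named in the text, and the burst of connections is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    sid: int
    kind: str           # Snort threshold type: "limit", "threshold" or "both"
    count: int
    seconds: int
    content: tuple = () # substrings that must all appear in the payload
    state: dict = field(default_factory=dict)  # per source: (window_start, count)

    def feed(self, src, t, payload=""):
        """Feed one connection (source, time in s, client banner); True if it alerts."""
        if not all(c in payload for c in self.content):
            return False                        # content check fails: never counted
        start, n = self.state.get(src, (t, 0))
        if t - start >= self.seconds:           # window expired: start a new one
            start, n = t, 0
        n += 1
        fire = False
        if self.kind == "limit":                # first `count` events per window
            fire = n <= self.count
        elif self.kind == "threshold":          # every `count`-th event; counter resets
            if n >= self.count:
                fire, start, n = True, t, 0
        elif self.kind == "both":               # once per window, on the `count`-th event
            fire = n == self.count
        self.state[src] = (start, n)
        return fire

def run(rule, events):
    """Number of alerts a rule raises over [(src, t, payload), ...], from a clean state."""
    rule.state.clear()
    return sum(rule.feed(*e) for e in events)

# The three rules as the text describes them (thresholds and content strings only;
# the rest of the real Emerging Threats rule logic is not modelled here).
SIG_2001219 = Rule(2001219, "threshold", count=5, seconds=120)
SIG_2006546 = Rule(2006546, "both", count=5, seconds=30, content=("SSH-", "libssh"))
SIG_2006345 = Rule(2006345, "limit", count=1, seconds=30, content=("SSH-", "libssh"))

# Constructed sample: ten libssh client banners from one source, one second apart.
BURST = [("192.0.2.50", t, "SSH-2.0-libssh-0.2") for t in range(10)]

if __name__ == "__main__":
    for rule in (SIG_2001219, SIG_2006546, SIG_2006345):
        print(rule.sid, rule.kind, "alerts on burst:", run(rule, BURST))
```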

In parallel you could correlate these alerts with your firewall logs and / or SSH daemon logs to create a real correlated alert. But as long as the attacker is not logged into your system, these alerts should not have a high priority level, because most of the time these scans are done by bots. You could add the attacker IP address to a “Suspicious Attacker” list for further trend and correlation activities.

Another thing you can do is compare the usernames from the SSH brute-forcing dictionary with your existing SSH usernames. If one of your usernames is present in the dictionary, we recommend changing it.

(Graph: 24 hours SIG 2001219 events activities)
(Graph: 1 week SIG 2001219 events activities)
(Graph: 1 Month SIG 2001219 events activities)
(Graph: One year SIG 2001219 events activities)
(Graph: 1 Month TOP 10 source IPs for SIG 2001219)
(Graph: TOP 20 source countries for SIG 2001219)