OSSIM hands-on 7: Detecting network attacks with Snort IDS

In this practical exercise we are going to analyze a botnet traffic with different tools, using Snort IDS to alert OSSIM. For distributed deployments, please follow these steps at your OSSIM sensor (in our case 10.0.0.31).

1.-  Setting up a dummy interface in promiscuous

# lsmod | grep dummy (checking that dummy module is loaded)
# ifconfig dummy0 up (waking up dummy0)
# ifconfig dummy0 promisc (setting the interface to promiscuous mode)

2.- Analyzing a traffic sample with tcpdump and tshark

a) Download the traffic sample: zeus-sample-3.pcap (more samples can be found in https://www.openpacket.org)
b) tcpdump -r /root/zeus-sample-3.pcap (reading the pcap file)
c) tcpdump -s 0 -AA -r /root/zeus-sample-3.pcap (showing the packet payloads)
d) tshark -R "tcp.port==80" -r /root/zeus-sample-3.pcap (filtering port 80 traffic)
e) Filtering HTTP POST and GET methods:
# tshark -R 'http.request.method == "GET" || http.request.method == "POST"' -r /root/zeus-sample-3.pcap

 4  0.110877 192.168.3.65 -> 188.72.243.72 HTTP 229 GET /kartos/kartos.bin HTTP/1.1   
 239 30.255596 192.168.3.65 -> 188.72.243.72 HTTP 527 POST /kartos/youyou.php HTTP/1.1   
 240 30.255632 192.168.3.65 -> 188.72.243.72 HTTP 611 POST /kartos/youyou.php HTTP/1.1   
 247 30.749280 192.168.3.65 -> 188.72.243.72 HTTP 226 GET /kartos/krt.exe HTTP/1.1   
 386 33.850475 192.168.3.65 -> 188.72.243.72 HTTP 425 POST /kartos/youyou.php HTTP/1.1   
 394 35.078393 192.168.3.65 -> 188.72.243.72 HTTP 221 GET /ser.exe HTTP/1.1   
 1099 51.216823 192.168.3.65 -> 188.72.243.72 HTTP 425 POST /kartos/youyou.php HTTP/1.1  

3.- Enabling Snort plugin

a) Configure Snort to listen in dummy0 interface (using ossim-setup)
b) Enable snortunified plugin (using ossim-setup)
c) Check previous configurations in /etc/ossim/ossim_setup.conf
[sensor]
detectors=snortunified
interfaces=dummy0
d) Check that Snort process is running on dummy0 interface:
sensor1:~# ps aux | grep -i snort

 root   9247 0.0 9.9 506352 392020 ?    Ssl 20:59  0:00 /usr/sbin/snort_dummy0 -m 027 -D -d -l /var/log/snort -u root -g snort -c /etc/snort/snort.dummy0.conf -S HOME_NET=[192.168.0.0/16,172.16.0.0/12,10.0.0.0/8] -i dummy0  

4.- Configuring Snort IDS

a) Enable fast syslog output (editing /etc/snort/snort.dummy0.conf)
output alert_fast: /var/log/snort/snort.alert 
b) Check that the following rules are loaded
include $RULE_PATH/emerging-trojan.rules (or emerging_pro-trojan.rules)
include $RULE_PATH/emerging-info.rules (or emerging_pro-info.rules)
include $RULE_PATH/file-identify.rules
include $RULE_PATH/shellcode.rules
c) Restart snort process
# /etc/init.d/snort_dummy0 restart
d) Check that ossim-agent process is reading snort unified output
#sensor1:~# lsof +d /var/log/snort
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF      NODE NAME
snort_dum  9247 root    4w   REG  202,1     3185 184565605 /var/log/snort/snort.alert
snort_dum  9247 root    8w   REG  202,1    48284 184565614 /var/log/snort/snort_dummy0.1348372798
ossim-age 18247 root   38r   REG  202,1    48284 184565614 /var/log/snort/snort_dummy0.1348372798

5.- Injecting the network traffic

a) Use tcpreplay to inject the network traffic (-t for top speed)
# tcpreplay -i dummy0 -t zeus-sample-3.pcap 
b) See alerts in /var/log/snort/snort.alert

 09/22-21:03:36.305795 [**] [1:2013976:10] ET TROJAN Zeus POST Request to CnC - URL agnostic [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1033 -> 188.72.243.72:80  
 09/22-21:03:36.305834 [**] [1:2013976:10] ET TROJAN Zeus POST Request to CnC - URL agnostic [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1034 -> 188.72.243.72:80  
 09/22-21:03:36.306197 [**] [1:2014819:1] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1033  
 09/22-21:03:36.306197 [**] [1:15306:12] FILE-IDENTIFY Portable Executable binary file magic detection [**] [Classification: Misc activity] [Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1033  
 09/22-21:03:36.314984 [**] [1:2013976:10] ET TROJAN Zeus POST Request to CnC - URL agnostic [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1034 -> 188.72.243.72:80  
 09/22-21:03:36.316004 [**] [1:16435:6] FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file magic detection [**] [Classification: Misc activity] [Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035  
 09/22-21:03:36.317775 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035  
 09/22-21:03:36.317808 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035  
 09/22-21:03:36.341320 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035  
 09/22-21:03:36.341381 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035  
 09/22-21:03:36.341565 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035  
 09/22-21:03:36.341625 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035  
 09/22-21:03:36.341958 [**] [1:2013976:10] ET TROJAN Zeus POST Request to CnC - URL agnostic [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1036 -> 188.72.243.72:80  

6.- Using the SIEM interface to analyze the attack

a) Go to Analysis -> Security Events and search for IP address 192.168.3.65 (use IDM search filters)
b) Click on Unique Events to see the different types of alerts collected

c) Check payload of alerts with the signature snort: "ET TROJAN Zeus POST Request to CnC - URL agnostic"
POST /kartos/youyou.php
Host: ishi-bati.com

7.- Searching for the domain name in CLEAN MX database

a) Go to http://support.clean-mx.de/clean-mx/viruses.php
b) Search domain: ishi-bati.com

8.- Outcome analysis

In the results table we have a link to virustotal (click here for direct access), where we can download a malware sample for reverse engineering. As well we can see that 25 antivirus out of 41 detected it as malware, most of them naming it as a Zeus bot. Actually, in the latest scan, the number of antivirus detecting it goes up to 39. 

References

http://alienvault.com
http://communities.alienvault.com
http://virustotal.com
http://support.clean-mx.de