Network

The Zeek Network Security Monitor

Run zeek against a pcap, create zeek log files in the current directory. Some of the following logs files may be created, depending on the pcap content and zeek configuration:

• conn.log

• dns.log

• files.log

• http.log

• irc.log

• packet_filter.log

• ssl.log

• weird.log

zeek -r /pcaps/Hancitor-Ficker-Cobalt-Strike.pcap

Carve all zeek-supported file types from a file:

sudo zeek -r /pcaps/Hancitor-Ficker-Cobalt-Strike.pcap /usr/local/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek

Display x.509 issuer subjects:

zeek -C -r /pcaps/normal/https/alexa-top-500.pcap
cat x509.log | zeek-cut certificate.subject

View Zeek logs without wrapping lines:

zeek -r /pcaps/tbot.pcap

less -S http.log 

ModSecurity Rules

Rules will need to be added to a .conf file that will be processed with ModSecurity starting up. On the SEC511 VM, this path is /etc/modsecurity. A new file for custom rules should generally be created rather than overwriting a Core Rule Set (CRS) provided file.

Basic Rule Structure:

SecRule VARIABLE "OPERATOR" "ACTION"

We will replace VARIABLE, OPERATOR, and ACTION with appropriate options provided by ModSecurity.

The default action we will use simply causes log information to be generated and a user defined message to be supplied. For example:

"log,auditlog,msg:'alert message'"

Detect an HTTP user agent containing the string 'sqlmap':

SecRule REQUEST_HEADERS:User-Agent "@contains sqlmap" "log,auditlog,msg:'alert message'"

Detect an HTTP user agent NOT containing the string 'sqlmap':

SecRule REQUEST_HEADERS:User-Agent "!@contains sqlmap" "log,auditlog,msg:'alert message'"

Match any HTTP user agents that begin with the string 'Mozilla/5':

SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5" "log,auditlog,msg:'alert message'"

Match an argument named 'ip' being set to an IPv4 address or any string of simply numbers and periods:

SecRule ARGS:ip "^[\d.]+$" "log,auditlog,msg:'alert message'"

Detect the Host header not being equal to the string www.sec511.org:

SecRule REQUEST_HEADERS:Host "!@streq www.sec511.org" "log,auditlog,msg:'alert message'"

Match the Host header being set to any IP address within 10.5.11.0-255:

SecRule REQUEST_HEADERS:Host "@ipMatch 10.5.11.0/24" "log,auditlog,msg:'alert message'"

Detect the OPTIONS method being used:

SecRule REQUEST_HEADERS:Method "@streq OPTIONS" "log,auditlog,msg:'alert message'"

Detect HTTP responses that lack a Content-Type header:

SecRule &RESPONSE_HEADERS:Content-Type "@eq 0" "log,auditlog,msg:'alert message'"

Detect HTTP requests without a User-Agent:

SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "log,auditlog,msg:'alert message'"

Detect HTTP requests with more than one parameter named password:

SecRule &ARGS:password "@gt 1" "id:'999999',log,auditlog,msg:'alert message'"

Detect HTTP requests without a Host header:

SecRule &REQUEST_HEADERS:Host "@eq 0" "log,auditlog,msg:'alert message'"

Detect HTTP requests without a Host header. Add the HTTP User Agent to the information provided in the error.log:

SecRule &REQUEST_HEADERS:Host "@eq 0" "log,auditlog,msg:'alert message',logdata:%{REQUEST_HEADERS.User-Agent}"

error.log - example:

[Sun Dec 13 20:06:18 2015] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\bor\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\\'\"]) ?[=<>]+" at ARGS:name. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "427"] [id "959071"] [rev "2.2.0"] [msg "SQL Injection Attack"] [data "or 1="] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/scanners/pilots.php"] [unique_id "Vm3S7X8AAQEAAB@2CLQAAAAD"]

ngrep

ngrep brings basic power of grep to network traffic. We need ngrep because PCAPs are a binary structure. Although piping the output of strings to grep can work, grep will still not be PCAP aware in the way ngrep is. Rather than simply showing, for example, a line within the PCAP that includes a string match, ngrep understands which packet contains this string and will indicate high level packet details such as source and destination IP addresses, port numbers, and TCP flags.

Source: ngrep man page

man ngrep

Quietly search /pcaps/angler-java.pcap for user agents via the string 'User-Agent':

ngrep -qI /pcaps/angler-java.pcap "User-Agent"

Search /pcaps/angler-java.pcap for 'User-Agent' in TCP segments destined for port 80:

ngrep -qI /pcaps/angler-java.pcap "User-Agent" "tcp and dst port 80"

Note: In the above command line "tcp and dst port 80" is an example of using BPF (Berkely Packet Filter) expressions. Review the man page for pcap-filter for additional information.

Search /pcaps/styx.pcap for 'User-Agent' in TCP segments destined for traffic other than port 80:

ngrep -q -I /pcaps/styx.pcap "User-Agent" "tcp and not dst port 80"

Search /pcaps/angler-java.pcap for 'User-Agent' in TCP segments destined for port 80. Have the output honor any linefeeds encountered and wrap text.

ngrep -q -W byline -I /pcaps/angler-java.pcap "User-Agent" "tcp and dst port 80"

Note: To make the output of some traffic, most notably HTTP, easier to read, the -W switch can be set to byline.

Search /pcaps/angler-java.pcap for traffic with the ACK FIN and PUSH flags set:

ngrep -q -I /pcaps/angler-java.pcap "" "tcp[tcpflags]==(tcp-ack|tcp-fin|tcp-push)"

Note: When using BPF expressions, a search string, even if blank "" as above, is expected. Otherwise ngrep will treat the BPF expression itself as the regex search pattern.

Sniff on the eth0 interface and look for the string 'HoneyToken' without the quotes being passed in clear text:

sudo ngrep -q -d eth0 "HoneyToken"

Note: When using ngrep to bind to an interface, superuser privileges will generally be required.

Sniff on the eth0 interface and look for the string 'HoneyToken' without the quotes being passed in clear text. When found, kill the connection by sending a spoofed TCP RST:

sudo ngrep -q -d eth0 "HoneyToken" -K1

tcpdump

tcpdump man page:

man tcpdump

Read a pcap file:

tcpdump -r /pcaps/zeus-gameover-loader.pcap

Read a pcap, don't resolve names (layers 3 or 4):

tcpdump -nr /pcaps/zeus-gameover-loader.pcap

Read a pcap, show TCP SYN packets, don't resolve names:

tcpdump -r /pcaps/zeus-gameover-loader.pcap -n "tcp[tcpflags]==tcp-syn"

Read a pcap, show TCP SYN packets not sent to port 80, don't resolve names:

tcpdump -r /pcaps/zeus-gameover-loader.pcap -n "tcp[tcpflags]==tcp-syn and not tcp dst port 80"

Read a pcap without name resolution, /pcaps/angler-java.pcap, and show traffic with the ACK FIN and PUSH flags set.

tcpdump -r /pcaps/angler-java.pcap -n "tcp[tcpflags]==(tcp-ack|tcp-fin|tcp-push)"

TShark

tshark man page:

man tshark

Read a pcap file:

tshark -r /pcaps/zeus-gameover-loader.pcap

Read a pcap, don't resolve names (layers 3 or 4):

tshark -nr /pcaps/zeus-gameover-loader.pcap

Read a pcap, use the display filter "http.request.method==GET":

tshark -r /pcaps/zeus-gameover-loader.pcap -Y "http.request.method==GET"

Read a pcap, show TCP SYN packets not sent to port 80, don't resolve names:

tshark -r /pcaps/zeus-gameover-loader.pcap -n -Y "not tcp.port==80 and tcp.flags == 0x0002"

Print TCP conversations in a pcap:

tshark -n -r /pcaps/virut-worm.pcap -q -z conv,tcp

Print HTTP User-Agents in a pcap:

tshark -nr /pcaps/normal/http/normal-user-agent.pcap -Y "http.user_agent" -Tfields -e http.user_agent

Print X.509 certificates in a pcap:

tshark -r /pcaps/normal/https/alexa-top-500.pcap -T fields -Y "ssl.handshake.certificate" -e