From 636c515a89453758187695dbef9d587328beed77 Mon Sep 17 00:00:00 2001
From: kevross33
Date: Thu, 19 Nov 2015 14:45:49 +0000
Subject: [PATCH 1/2] Add in extra cnc checks
Add in some less reliable checks and scoring system hopefully for later extraction of potential CnC server hostnames. For now just build and test common features.
---
 modules/signatures/network_cnc_http.py | 93 ++++++++++++++++++++------
 1 file changed, 72 insertions(+), 21 deletions(-)
diff --git a/modules/signatures/network_cnc_http.py b/modules/signatures/network_cnc_http.py
index 7155257..f8f151f 100644
--- a/modules/signatures/network_cnc_http.py
+++ b/modules/signatures/network_cnc_http.py
@@ -22,12 +22,21 @@ def run(self):
 "http://.*\.adobe\.com/.*",
 ]
- # HTTP request Features. Done like this due to for loop appending data each time instead of once so we wait to end of checks to add summary of anomalies
+ # HTTP feature checks
 post_noreferer = 0
- post_nouseragent = 0
- get_nouseragent = 0
+ nouseragent = 0
 version1 = 0
- long_uri = 0
+ low_params = 0
+ high_params = 0
+ useragent = 0
+
+ # scoring
+ cnc_score = 0
+ cnc_count = 0
+
+ low_fidelity_params = ["&os=","&win=","&winver=","&winversion=","&win_ver=","win_version=","&windows=","&user=","&username=","&uid=","&gpu=","&ram=","&nat=","&computer=","&compname=","&productid="]
+ highrisk_params = ["bot=","botnet=","botid=","bot_id=","&antivirus=","&antiv=","&av="]
+ useragents = ["NSIS","WinHttpRequest","WinInet","InetURL"]
 if "network" in self.results and "http" in self.results["network"]:
 for req in self.results["network"]["http"]:
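Review bot: Every entry in `low_fidelity_params` except `"win_version="` carries a leading `&`, so a parameter that comes first in a query string (directly after `?`) can never match, and the one unprefixed entry reads as a typo rather than a deliberate exception. Matching the bare names (`"os="`, `"winver="`, …) and checking that the preceding character is `?`, `&` or the start of the body would also make the list consistent with `highrisk_params`, whose first four entries already have no prefix. Note that PATCH 2/2 removes every consumer of `low_fidelity_params`, `highrisk_params` and `useragents` (its 30 deletions are fully accounted for by the three hunks shown) but leaves the three lists defined, so they become dead data until the checks are reinstated. run() begins before this hunk.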
@@ -37,35 +46,77 @@ def run(self):
 is_whitelisted = True
 # Check HTTP features
- if not is_whitelisted and req["method"] == "POST" and "Referer:" not in req["data"]:
- post_noreferer += 1
-
- if not is_whitelisted and req["method"] == "POST" and "User-Agent:" not in req["data"]:
- post_nouseragent += 1
-
- if not is_whitelisted and req["method"] == "GET" and "User-Agent:" not in req["data"]:
- get_nouseragent += 1
-
- if not is_whitelisted and req["version"] == "1.0":
- version1 += 1
+ if not is_whitelisted:
+ if req["method"] == "POST" and "Referer:" not in req["data"]:
+ post_noreferer += 1
+ cnc_score += 1
+ if len(req["body"]) < 50 and len(req["body"]) > 0:
+ cnc_score += 1
+ if len(req["path"]) < 15 and len(req["path"]) > 1:
+ cnc_score += 2
+ if "/gate.php" in req["path"]:
+ cnc_score += 3
+ if req["path"].endswith(".php") or req["path"].endswith("="):
+ cnc_score += 1
+
+ if req["method"] == "POST" and "User-Agent:" not in req["data"]:
+ nouseragent += 1
+ cnc_score += 2
+
+ if req["method"] == "GET" and "User-Agent:" not in req["data"]:
+ nouseragent += 1
+ cnc_score += 2
+
+ if req["version"] == "1.0":
+ version1 += 1
+
+ for low_fidelity_params in low_fidelity_params:
+ low_params += req["path"].count(low_fidelity_params)
+ for low_fidelity_params in low_fidelity_params:
+ low_params += req["body"].count(low_fidelity_params)
+ for highrisk_params in highrisk_params:
+ high_params += req["path"].count(highrisk_params)
+ for highrisk_params in highrisk_params:
+ high_params += req["body"].count(highrisk_params)
+
+ for useragents in useragents:
+ if useragents in req["user-agent"]:
+ useragent += 1
+ cnc_count += 1
+
+ if cnc_score > 2:
+ cnc_count += 1
 if post_noreferer > 0:
 self.data.append({"post_no_referer" : "HTTP traffic contains a POST request with no referer header" })
 self.severity = 3
 self.weight += 1
- if post_nouseragent > 0:
- self.data.append({"post_no_useragent" : "HTTP traffic contains a POST request with no user-agent header" })
+ if nouseragent > 0:
+ self.data.append({"no_useragent" : "HTTP traffic contains a request with no user-agent header" })
 self.severity = 3
 self.weight += 1
- if get_nouseragent > 0:
- self.data.append({"post_no_useragent" : "HTTP traffic contains a GET request with no user-agent header" })
+ if version1 > 0:
+ self.data.append({"http_version_old" : "HTTP traffic uses version 1.0" })
+ self.weight += 1
+
+ if high_params > 0:
+ self.data.append({"malicious_params" : "Detected commonly used malicious parameter names in the HTTP request URI or body" })
 self.severity = 3
 self.weight += 1
- if version1 > 0:
- self.data.append({"http_version_old" : "HTTP traffic uses version 1.0" })
+ if low_params > 0:
+ self.data.append({"suspicious_params" : "Detected suspicious parameters names in the HTTP request URI or body" })
+ self.weight += 1
+
+ if useragent > 0:
+ self.data.append({"useragent" : "A suspicious user agent was seen in HTTP traffic" })
+ self.weight += 1
+
+ if cnc_count > 0:
+ self.data.append({"cnc_connections" : "%s requests displayed multiple signs of being CnC related" % (cnc_count)})
+ self.severity = 3
 self.weight += 1
 if self.weight:
From 2b451f3bfc8035642f270c8cb8a0d51b627259d3 Mon Sep 17 00:00:00 2001
From: kevross33
Date: Thu, 26 Nov 2015 09:48:03 +0000
Subject: [PATCH 2/2] Remove checks which are currently FPing sometimes
Removed parameter and UA checks. Will add back in later after cause and other better checks added.
---
 modules/signatures/network_cnc_http.py | 30 --------------------------
 1 file changed, 30 deletions(-)
diff --git a/modules/signatures/network_cnc_http.py b/modules/signatures/network_cnc_http.py
index f8f151f..395b1ce 100644
--- a/modules/signatures/network_cnc_http.py
+++ b/modules/signatures/network_cnc_http.py
@@ -26,9 +26,6 @@ def run(self):
 post_noreferer = 0
 nouseragent = 0
 version1 = 0
- low_params = 0
- high_params = 0
- useragent = 0
 # scoring
 cnc_score = 0
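Review bot: `cnc_score` is initialised once before the request loop (in the +22,21 hunk) and never reset, so the `if cnc_score > 2:` check at the end of the loop body compares a total accumulated over all earlier requests; once any request pushes that total past 2, every later non-whitelisted request also increments `cnc_count`, and the `"%s requests displayed multiple signs of being CnC related"` message over-counts. Reset it per request, e.g. `cnc_score = 0` as the first statement under `if not is_whitelisted:`. Separately, `for low_fidelity_params in low_fidelity_params:` (and likewise the `highrisk_params` and `useragents` loops) rebinds the list name to its last element, so the second `.count` loop and every subsequent request iterate the characters of a string; for `useragents` this reduces the check to single-character containment such as `"I" in req["user-agent"]`, which matches almost any User-Agent and is the likely cause of the false positives that PATCH 2/2 removes. Use distinct loop names (`for param in low_fidelity_params:`, `for ua in useragents:`) when the checks are reinstated. run() starts before and continues after this hunk.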
@@ -70,20 +67,6 @@ def run(self):
 if req["version"] == "1.0":
 version1 += 1
- for low_fidelity_params in low_fidelity_params:
- low_params += req["path"].count(low_fidelity_params)
- for low_fidelity_params in low_fidelity_params:
- low_params += req["body"].count(low_fidelity_params)
- for highrisk_params in highrisk_params:
- high_params += req["path"].count(highrisk_params)
- for highrisk_params in highrisk_params:
- high_params += req["body"].count(highrisk_params)
-
- for useragents in useragents:
- if useragents in req["user-agent"]:
- useragent += 1
- cnc_count += 1
-
 if cnc_score > 2:
 cnc_count += 1
@@ -101,19 +84,6 @@ def run(self):
 self.data.append({"http_version_old" : "HTTP traffic uses version 1.0" })
 self.weight += 1
- if high_params > 0:
- self.data.append({"malicious_params" : "Detected commonly used malicious parameter names in the HTTP request URI or body" })
- self.severity = 3
- self.weight += 1
-
- if low_params > 0:
- self.data.append({"suspicious_params" : "Detected suspicious parameters names in the HTTP request URI or body" })
- self.weight += 1
-
- if useragent > 0:
- self.data.append({"useragent" : "A suspicious user agent was seen in HTTP traffic" })
- self.weight += 1
-
 if cnc_count > 0:
 self.data.append({"cnc_connections" : "%s requests displayed multiple signs of being CnC related" % (cnc_count)})
 self.severity = 3