Jaime Blasco Blog


Ossim: Using Cisco SDEE Protocol to collect security events.
Thu, 29 Oct 2009

We added support for collecting events via the Security Device Event Exchange (SDEE) protocol, which lets us capture events from:

  • Cisco Network Intrusion Prevention Systems (IPS)
  • Cisco Network Intrusion Detection Systems (IDS)
  • Cisco Switch IDS
  • Cisco IOS routers with Inline Intrusion Prevention System (IPS) functions
  • Cisco IDS modules for routers
  • Cisco PIX Firewalls
  • Cisco Catalyst 6500 Series firewall services modules (FWSMs)
  • Cisco Management Center for Cisco security agents
  • CiscoWorks Monitoring Center for Security servers

This protocol replaces the Remote Data Exchange Protocol (RDEP).

    Ossim can collect via SDEE and supports inventory correlation (OS correlation).

    Configuration:

    - Updating plugin sids with the latest IPS signature update package:

    If you have your own update package from your vendor, you can populate the Ossim database with the new signatures.

    To update plugin sid information, go to /usr/share/ossim/scripts/:

    mac-jaime:scripts$ python createCiscoIPSSidmap.py IOS-S416-CLI.pkg.xml
    DELETE FROM plugin WHERE id = "1597";
    
    DELETE FROM plugin_sid where plugin_id = "1597";
    
    INSERT INTO plugin (id, type, name, description) VALUES (1597, 1, 'Cisco-IPS', 'Cisco Intrusion Prevention System');
    
    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5986, NULL, NULL, 'Cisco-IPS: Microsoft GDI+ GIF Parsing Vulnerability', 3, 4);
    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5984, NULL, NULL, 'Cisco-IPS: IE COM Object Code Execution', 3, 4);
    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5985, NULL, NULL, 'Cisco-IPS: Quicktime RTSP Content-Type  Excessive Length', 3, 4);
    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 19159, NULL, NULL, 'Cisco-IPS: Green Dam Youth Escort Software Update Check', 1, 4);
    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 19401, NULL, NULL, 'Cisco-IPS: Microsoft Publisher File Parsing Vulnerability', 3, 4);
    ...
    ...
    

    This script generates the SQL needed to update the Ossim database. To insert the information:

    mac-jaime:scripts$ python createCiscoIPSSidmap.py IOS-S416-CLI.pkg.xml > sdee.sql
    mac-jaime:scripts$ ossim-db < sdee.sql
    

    If you want to update cross-correlation information:

    mac-jaime:scripts$ python ciscoIPSOsMap.py IOS-S416-CLI.pkg.xml
    
    replace into plugin_reference values (1597, 1109, 3001, 3);
    replace into plugin_reference values (1597, 1109, 3001, 3);
    replace into plugin_reference values (1597, 1109, 3001, 3);
    replace into plugin_reference values (1597, 1109, 3001, 3);
    replace into plugin_reference values (1597, 2156, 3001, 1);
    replace into plugin_reference values (1597, 2157, 3001, 3);
    replace into plugin_reference values (1597, 2157, 3001, 3);
    replace into plugin_reference values (1597, 2157, 3001, 3);
    ...
    ...
    
    mac-jaime:scripts$ python ciscoIPSOsMap.py IOS-S416-CLI.pkg.xml > sdee-os.sql
    mac-jaime:scripts$ ossim-db < sdee-os.sql
    

    Remember to restart ossim-server in order to update Ossim server cache.

    - Configuring the Ossim Agent to collect from an SDEE-capable device:

    Add an sdee reference to /etc/ossim/agent/config.cfg

    Edit /etc/ossim/agent/plugins/cisco-ips.cfg:

    [DEFAULT]
    plugin_id=1597
    
    [config]
    type=detector
    enable=yes
    
    source=sdee
    source_ip=
    user=
    password=
    sleep=5
    
    process=
    start=no
    stop=no
    

    Insert your source_ip, user and password data.

    Restart the ossim agent and it should begin receiving data from the SDEE device.
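    To show how an SDEE alert ends up as an Ossim event with plugin_id 1597 and the IPS signature id as plugin_sid, here is an added example (not the Ossim agent's own code). The namespace URIs, the sample alert and the key="value" event line format are assumptions; check them against your sensor and agent.

```python
# Added example (not OSSIM's agent code): map a Cisco SDEE/CIDEE evIdsAlert onto OSSIM event fields.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

PLUGIN_ID = 1597  # from cisco-ips.cfg above
# Namespace URIs assumed from Cisco's SDEE/CIDEE documents; verify against your sensor's output.
NS = {"sd": "http://example.com/2003/08/sdee",
      "cid": "http://www.cisco.com/cids/2004/04/cidee"}

# Constructed sample alert (not captured from a real sensor).
SAMPLE_ALERT = """<sd:evIdsAlert xmlns:sd="http://example.com/2003/08/sdee"
    xmlns:cid="http://www.cisco.com/cids/2004/04/cidee"
    eventId="1256814552000000001" severity="high" vendor="Cisco">
  <sd:originator><sd:hostId>ips-lab-01</sd:hostId></sd:originator>
  <sd:time offset="0" timeZone="UTC">1256814552123456789</sd:time>
  <sd:signature id="5984" version="S416" description="IE COM Object Code Execution">
    <cid:subsigId>0</cid:subsigId>
  </sd:signature>
  <sd:participants>
    <sd:attacker><sd:addr>203.0.113.25</sd:addr><sd:port>80</sd:port></sd:attacker>
    <sd:target><sd:addr>192.0.2.40</sd:addr><sd:port>51234</sd:port></sd:target>
  </sd:participants>
</sd:evIdsAlert>"""


def sdee_alert_to_fields(xml_text):
    """Return the OSSIM agent event fields for one evIdsAlert."""
    alert = ET.fromstring(xml_text)
    sig = alert.find("sd:signature", NS)
    atk = alert.find("sd:participants/sd:attacker", NS)
    tgt = alert.find("sd:participants/sd:target", NS)
    # SDEE carries nanoseconds since the epoch; OSSIM wants second precision.
    secs = int(alert.findtext("sd:time", namespaces=NS)) // 10**9
    return {
        "type": "detector",
        "date": datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sensor": alert.findtext("sd:originator/sd:hostId", namespaces=NS),
        "plugin_id": PLUGIN_ID,
        "plugin_sid": int(sig.get("id")),  # the sid column loaded from the .pkg.xml
        "src_ip": atk.findtext("sd:addr", namespaces=NS),
        "src_port": atk.findtext("sd:port", default="0", namespaces=NS),
        "dst_ip": tgt.findtext("sd:addr", namespaces=NS),
        "dst_port": tgt.findtext("sd:port", default="0", namespaces=NS),
        "log": "%s %s/%s" % (sig.get("description"), sig.get("id"),
                             sig.findtext("cid:subsigId", default="0", namespaces=NS)),
    }

def to_agent_line(fields):
    """Serialise as the key="value" line the agent sends to ossim-server (assumed format)."""
    return "event " + " ".join('%s="%s"' % (k, v) for k, v in fields.items()) + "\n"
```

    If a signature id is missing from plugin_sid, ossim-server cannot classify the event, which is why the createCiscoIPSSidmap.py step comes first.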

    - Common problems:

    When you begin a session with an SDEE device, it provides you with a Subscription ID. If the device closes the connection or you lose connectivity, you sometimes have to close that session before you can continue collecting from the device.

    The Ossim Agent does this automatically, but if for some reason it can't, you should close the session manually.

    You will find the latest Subscription ID provided in /etc/ossim/agent/sdee_sid.data

    Configure your device credentials in /usr/share/ossim/scripts/closeSDEEsession.py and execute:

    mac-jaime:scripts$ python /usr/share/ossim/scripts/closeSDEEsession.py SubscriptionID
    

    This should close the last session. If you still have problems, you can execute:

    mac-jaime:scripts$ grep subs /var/log/ossim/agent.log
    

    to obtain a list of the last Subscription IDs used.

    posted at: 11:49 | path: /Ossim | permanent link to this entry | 0 comments |



    Ossim: 0-day in Microsoft IIS 5/6 FTP
    Tue, 01 Sep 2009

    A 0-day exploit for Microsoft IIS 5/6 FTP was recently published on Milw0rm, and HD Moore is porting the bug to Metasploit.


    Alienvault's feed customers are protected with the directive released today:

  • 45046: AV Possible 0day IIS FTP Exploit against DST_IP

    http://isc.sans.org/diary.html?storyid=7039

    UPDATE:

    We previously had coverage with two directives present on the Alienvault Professional Feed:

  • 45024: AV Possible FTP Exploit attempt against DST_IP
  • 45025: AV Possible FTP Exploit attempt against DST_IP (FTP preprocessor)

    posted at: 16:37 | path: /Ossim | permanent link to this entry | 0 comments |



    Infocon raised to yellow for Excel ActiveX vulnerability
    Tue, 14 Jul 2009

    Microsoft has released an advisory related to the Office Web Components ActiveX control. The ISC has raised the Infocon to yellow due to active exploitation of the vulnerability from several .cn domains.


    Alienvault's feed customers are protected and covered with these directives:

  • 45050: AV Possible Malicious Server exploiting Excel ActiveX Client against DST_IP (CVE-2009-1136)
  • 45051: AV Possible Excel ActiveX Client side attack detected against SRC_IP (CVE-2009-1136)
  • 45052: AV Possible Excel ActiveX Client Side Attack against DST_IP from a compromised host (CVE-2009-1136)

    http://isc.sans.org/diary.html?storyid=6778

    http://www.microsoft.com/technet/security/advisory/973472.mspx

    Contact our Sales Team for more information about Alienvault Professional Feed. sales@alienvault.com

    posted at: 08:24 | path: /Ossim | permanent link to this entry | 0 comments |



    Ossim: 0-day in Microsoft DirectShow
    Tue, 07 Jul 2009

    A 0-day exploit for the Microsoft Video ActiveX Control is being used by malicious sites. Many people are covering this vulnerability, and it seems it will be widely exploited.


    Alienvault's feed customers are protected and covered with these directives:

  • 45046: AV Possible MSVidCtl Client side attack detected against SRC_IP (KB-972890)
  • 45047: AV Possible Malicious Server exploiting MSVidCt against DST_IP (KB-972890)
  • 45048: AV Possible MSVidCt Client Side Attack against DST_IP from a compromised host (KB-972890)
  • 45049: AV Possible MSVidCtl Client side attack detected against SRC_IP (KB-972890) 2

    http://isc.sans.org/diary.html?storyid=6733

    http://www.microsoft.com/technet/security/advisory/972890.mspx

    Contact our Sales Team for more information about Alienvault Professional Feed. sales@alienvault.com

    posted at: 12:46 | path: /Ossim | permanent link to this entry | 0 comments |



    Ntop: Testing l7-filter protocol detection patterns
    Sun, 12 Apr 2009

    I've written a little script to quickly test the l7-filter protocol patterns used by ntop to detect protocol usage.

    You have to install scapy. I've included some patterns from Ntop; put your own in the l7-patterns directory.

    You can read a pcap or capture from an interface.

    Examples:

    root@ubuntu:~/panalyzer# python l7Match.py -f http1.pcap
    http
    74.125.43.83 -> 192.168.1.131
    
    root@ubuntu:~/proyectos/panalyzer# python l7Match.py -i eth0
    ssl
    88.221.225.51 -> 192.168.1.128
    ssl
    192.168.1.128 -> 88.221.225.51
    ssl
    88.221.225.51 -> 192.168.1.128
    ssl
    192.168.1.128 -> 88.221.225.51
    

    posted at: 19:00 | path: /Ossim | permanent link to this entry | 0 comments |



    April 1st, Conficker day
    Tue, 31 Mar 2009

    Tomorrow Conficker will activate a P2P system to coordinate with other infected machines over TCP and UDP; we've published a directive to detect the P2P behaviour.

    Download Directive

    posted at: 14:55 | path: /Ossim | permanent link to this entry | 2 comments |



    Ossim: Shellcode Detection and Analysis
    Tue, 10 Mar 2009

    I'm glad to announce a new feature we have added to the forensic console. We use libemu for shellcode detection and analysis, to help with forensic analysis and reduce false positives. An example:



    posted at: 14:35 | path: /Ossim | permanent link to this entry | 0 comments |



    Ossim: New Directives
    Wed, 04 Mar 2009

    I've just updated the public CVS with some new directives as part of the effort we are making to improve the upcoming installer:


    Attacks:
  • Possible Successful Attack: Reverse Shell Access to the System
  • Possible POP3 Bruteforce against SRC_IP
  • Possible FTP Bruteforce against SRC_IP
  • Command execution against webserver on DST_IP
  • File /etc/passwd access on DST_IP
  • Possible SQL injection attempt against DST_IP
  • Possible attack against DST_IP (Symantec Remote Management RTVScan Exploit)
  • Possible sa account bruteforce against SRC_IP (SQL Server)
  • Possible VNC bruteforce against SRC_IP
  • Possible attack against DST_IP (Microsoft Server Service related attack)
  • Too many Cisco Firewall dropped events with destination DST_IP

    Worms:
  • Possible Worm Infection against DST_IP
  • Possible Worm Infection against DST_IP via DCOM RPC vulnerability
  • Possible Worm Infection against DST_IP via Kill-Bill ASN1 vulnerability
  • Possible Worm Infection against DST_IP via Lsasrv.dll RPC vulnerability
  • Possible Worm Infection against DST_IP via WINS vulnerability
  • Possible attack against DST_IP (Microsoft Server Service related attack)
  • Possible worm scanning behavior on port DST_PORT

    Misc:
  • Username gathering at SMTP server DST_IP

    posted at: 17:08 | path: /Ossim | permanent link to this entry | 0 comments |



    Ossim: Cross Correlation Rules Updated
    Tue, 03 Feb 2009

    I've just updated the ossim Cross Correlation rules related to nessus-snort, check the cvs!!
    So, the basic rule for Cross Correlation is:
    if snort has discovered an attack against an IP, and we know that IP has that vulnerability, the reliability will change to 10.
    The relationships between Nessus IDs and snort vulnerabilities are stored in the table plugin_reference.
    If you want to do some kind of personalization, you have to insert data in this table. Check Personalize Cross Correlation.
    When a personalized Cross Correlation matches, the event adds the reliability of the new plugin to the old one.
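    The two rules above, as an added example (not ossim-server's own code): a plugin_reference lookup against what is known about the target host. The snort and Nessus plugin ids, the plugin_reference rows, the per-host findings and the cap of 10 on the reliability scale are all constructed or assumed here; take the real ids from your plugin table.

```python
# Added example (not OSSIM's server code): the nessus-snort cross-correlation rule described above.
REF_NESSUS = 3001    # placeholder for the Nessus plugin id; use the real one from your plugin table
SNORT = 1001         # placeholder for the snort plugin id
MAX_RELIABILITY = 10 # assumed top of OSSIM's reliability scale

# Constructed plugin_reference rows: (plugin_id, plugin_sid) -> [(reference_id, reference_sid)]
PLUGIN_REFERENCE = {
    (SNORT, 2003): [(REF_NESSUS, 11921)],  # a snort signature linked to a Nessus ID
    (SNORT, 2004): [(9000, 7)],            # personalized: linked to sid 7 of plugin 9000
}
# Constructed plugin_sid reliabilities for the reference plugins used in personalized rules
PLUGIN_SID_RELIABILITY = {(9000, 7): 3}
# What we know per host: Nessus findings and events seen from other plugins, as (plugin_id, sid)
HOST_KNOWLEDGE = {
    "192.0.2.40": {(REF_NESSUS, 11921)},   # Nessus found the vulnerability on this host
    "192.0.2.42": {(9000, 7)},             # the personalized plugin fired against this host
}


def cross_correlate(plugin_id, plugin_sid, dst_ip, reliability):
    """Return (new_reliability, matched_references) for an event against dst_ip."""
    matched = []
    for ref_id, ref_sid in PLUGIN_REFERENCE.get((plugin_id, plugin_sid), []):
        if (ref_id, ref_sid) not in HOST_KNOWLEDGE.get(dst_ip, set()):
            continue  # target not known to have this vulnerability: leave the event alone
        matched.append((ref_id, ref_sid))
        if ref_id == REF_NESSUS:
            # Target is known to be vulnerable to what snort saw: reliability becomes 10.
            reliability = MAX_RELIABILITY
        else:
            # Personalized rule: add the matched plugin's reliability to the old one (capped).
            reliability = min(MAX_RELIABILITY,
                              reliability + PLUGIN_SID_RELIABILITY.get((ref_id, ref_sid), 0))
    return reliability, matched
```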

    posted at: 14:59 | path: /Ossim | permanent link to this entry | 0 comments |




    Made with PyBlosxom