
[Snort-users] Zero day attack protection
Anshuman Anil Deshmukh
Oct 28, 2013, 1:10:37 AM

Hi,
Can I get some past references or examples where snort was able to protect from zero day (0 day) attacks, may be with open signatures or using subscriber/registered set of signatures?
Thanks and Regards,

Anshuman
sockstat
Oct 28, 2013, 3:42:05 AM
One of the powerful features of snort is the possibility to write your own rules. Snort is able to protect from zero day attacks when there's a rule for it. You can either try yourself to write a rule for such an attack or take a subscription for snort rules that the snort team makes. Look on professor Google for notorious attacks and for corresponding snort rules.

Saint Crusty
Oct 28, 2013, 5:25:58 AM
Snort signatures have repeatedly stopped a zero-day because they were
well researched. Meaning the signature was able to block a variation or
a progression of an already covered attack. I believe this is what is
called virtual patching.

This does not mean snort has zero-day protection out-of-the-box. That
would require some futuristic piece of software to achieve ;-) Since
you'd have to compensate for every possible attack vector. Protecting
against buffer overflow, injection attacks, xss and others is probably the
only thing that can be done for now. To some extent.

On 28/10/13 06:10, Anshuman Anil Deshmukh wrote:
> Hi,
>
> Can I get some past references or examples where snort was able to
> protect from zero day (0 day) attacks, may be with open signatures or
> using subscriber/registered set of signatures?

--
Saint Crusty ( a handle like any other, not a name )

Joel Esler
Oct 28, 2013, 9:18:28 AM
Correct. The VRT, when creating detection for various things throughout the weeks, quite often runs across a vulnerability we already cover with an existing rule. We call this prior coverage, and if the attack vector does not require us to write a new rule for the vulnerability or threat, we'll simply update the reference on an older rule.

Saint Crusty
Oct 29, 2013, 12:46:27 PM
Hi Anshuman,

Try and google on

site:vrt-blog.snort.org "zero-day" already covered

you'll see entries like "You've been protected for more than a week" etc.

I remember one Microsoft targeted attack which was blocked by a
protection for more than a year already, or so. No specifics stick to my
mind, ever.

Greetings

Joel Esler
Oct 29, 2013, 2:55:43 PM
A perfect recent example:

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Community Manager
Vulnerability Research Team, Sourcefire

Kevin Ross
Oct 29, 2013, 4:23:51 PM
True zero day protection is very hard. There are some products that claim to be able to do it (i.e. Fireeye http://www.fireeye.com/blog/corporate/2013/09/needle-in-a-haystack-detecting-zero-day-attacks.html although they did identify zero days in the wild early in the year in Java/Flash etc). I cannot comment on the effectiveness of these types of solutions though as I haven't used them.

Well researched signatures looking for common features is a good way to do it. i.e. if an exploit kit has certain characteristics that can be focused on regardless of the exploit/malware delivery or anomalies then that can be used to identify cases even where unknown attacks are used. In real terms signature based approaches are always to varying extents reactionary to observed malicious behaviours and the same problem affects most if not all security solutions from AV to IDS; the problem is you don't know what the bad guy will do next. I think the future though will be combinations of signature, big data/data mining and machine learning solutions. Personally I do find signatures available for Snort are excellent in getting that unknown as a lot of other vendors often are very specific to vulnerabilities so the actual catching badness potential of Snort sigs is very good.

Another example could be generic catch alls. i.e. outside of Snort and so on I have other tools; one of them I use is passiveDNS (https://github.com/gamelinux/passivedns) which I highly recommend to complement your monitoring. Where it comes into use is:

- being able to maintain a record of DNS logs which is searchable through a web interface. This is highly useful because it means if you have an alert you can specifically in your environment see what domains were resolved in your network to look for (full packet capture using openfpc or something is better though). This also means if you have intelligence on an attack you can search for domains involved to see if you might have been hit and the time frame that the traffic occurred first. Also because it shows first seen for a domain if it is malware it can help you determine the earliest point you should start looking for that particular CnC. http://www.alienvault.com/open-threat-exchange/blog/identifying-suspicious-domains-using-dns-records

- It can use blacklists to alert on (reactionary)

- You can use regex. This is where it gets interesting. For instance using regex you can look roughly for common patterns in domain generation algorithms http://www.net-security.org/article.php?id=1844&p=1. I have regexes for zeus and generic ones looking at basic patterns (when you start passiveDNS make sure you use -X 46CDNPRSx to make sure you get NXDOMAINS). Then I feed that into a SIEM where I further pick out the pattern and make sure the response is NXDOMAIN. This helped me find unknown Zeus infected PCs in my network I had no idea were there as they were not calling out and also other malware. As DGAs are more and more prevalent in malware CnC using this method could help you detect zero day malware. You can also use Snort to look for suspicious patterns in NXDOMAINS (look for NXDOMAIN and then apply regex for patterns).

https://www.damballa.com/downloads/a_pubs/Damballa_Throw-Away_Traffic_to_Bots.pdf
https://www.damballa.com/downloads/r_pubs/Damballa_tdss_tdl4_case_study_public.pdf
https://www.damballa.com/downloads/r_pubs/Damballa_mv20_case_study.pdf
http://www.anubisnetworks.com/from-the-botnet-battlegrounds-the-tale-of-unknown-dga17/
https://www.cert.pl/news/4711/langswitch_lang/en
https://www.damballa.com/downloads/r_pubs/RN_DGAs-and-Cyber-Criminals-A-Case-Study.pdf
http://labs.umbrella.com/2013/10/24/mysterious-dga-lets-investigate-sgraph/

Hope that helps,
Kevin
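As an added example (not code from Kevin's post or from the passivedns project): a small Python script applying the NXDOMAIN-plus-pattern idea above to constructed passivedns-style log lines, and grouping hits per client the way a SIEM search would. The `||` field layout, the entropy and consonant-run heuristic and its thresholds are all assumptions of this example, not something the thread specifies.

```python
import math
import re
from collections import Counter

# Constructed sample lines, loosely modelled on passivedns' "||"-separated log.
# Assumed layout: timestamp||client||resolver||class||query||type||answer||ttl||count
SAMPLE_LOG = """\
1382997600.101||10.0.0.23||10.0.0.2||IN||www.example.com.||A||93.184.216.34||3600||1
1382997601.202||10.0.0.23||10.0.0.2||IN||mail.example.com.||A||93.184.216.35||3600||1
1382997602.303||10.0.0.51||10.0.0.2||IN||kqzvxplmdwtrsgnb.com.||A||NXDOMAIN||0||1
1382997603.404||10.0.0.51||10.0.0.2||IN||hj8a2kd9q1zxp3mv.net.||A||NXDOMAIN||0||1
1382997604.505||10.0.0.51||10.0.0.2||IN||xwqzlpvtrkdnbm.info.||A||NXDOMAIN||0||1
1382997605.606||10.0.0.77||10.0.0.2||IN||wpad.oldcompany.com.||A||NXDOMAIN||0||1
"""
# Basic DGA pattern: one long label of only letters/digits. Thresholds below are assumptions.
DGA_LABEL_RE = re.compile(r"^[a-z0-9]{10,}$")

def shannon_entropy(s):
    """Bits per character; random-looking labels score near log2(number of distinct chars)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def consonant_run(label):
    """Longest run of non-vowels: pronounceable names break runs early, DGA output does not."""
    return max((len(m) for m in re.findall(r"[^aeiou]+", label)), default=0)

def second_level_label(qname):
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_dga_like(qname, entropy_min=3.2, run_min=5):
    label = second_level_label(qname.lower())
    if not DGA_LABEL_RE.match(label):
        return False
    return shannon_entropy(label) >= entropy_min and consonant_run(label) >= run_min

def parse_line(line):
    fields = line.strip().split("||")
    if len(fields) != 9:
        return None  # malformed or truncated line: skip it rather than crash
    return {"ts": float(fields[0]), "client": fields[1], "query": fields[4], "answer": fields[6]}

def find_suspect_clients(log_text, min_hits=2):
    """Map client -> DGA-like NXDOMAIN queries; min_hits filters one-off typo'd names."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["answer"] != "NXDOMAIN" or not is_dga_like(rec["query"]):
            continue
        hits.setdefault(rec["client"], []).append(rec["query"])
    return {client: qs for client, qs in hits.items() if len(qs) >= min_hits}
```

Note that the mistyped but legitimate-looking `wpad.oldcompany.com` passes the NXDOMAIN filter yet fails the pattern check, which is why the two conditions are combined rather than alerting on NXDOMAIN alone.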