Pivoting on SQL Injection notices from bro


Pete

May 29, 2015, 5:03:08 PM5/29/15
to securit...@googlegroups.com
Gents,

Any suggested methods for pivoting on a BRO_NOTICE about SQL injections? The notice itself isn't very helpful, as it only has a single IP address and the timestamp to go on. I'd ultimately like to see the PCAP, or at least the HTTP request if that's the method used. Valid IPs and ports in the notice, or better yet a connection uid, would make this a cinch...

Examples below.
--
Pete

1432821813.190978 - - - - - - - - - HTTP::SQL_Injection_Attacker An SQL injection attacker was discovered! - 192.168.xxx.yyy - -hostname1-eth3-2 Notice::ACTION_LOG 3600.000000 F - - - - -

1432821923.292778 - - - - - - - - - HTTP::SQL_Injection_Victim An SQL injection victim was discovered! - 54.2xx.yyy.zzz - - -hostname1-eth3-6 Notice::ACTION_LOG 3600.000000 F - - - - -

Heine Lysemose

May 29, 2015, 5:27:24 PM5/29/15
to securit...@googlegroups.com

Hi

I would search in ELSA around that timeframe for something like IP-address groupby:program

Regards,
Lysemose

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Pete

May 29, 2015, 5:27:58 PM5/29/15
to securit...@googlegroups.com

I just noticed this commit in testing:

https://github.com/Security-Onion-Solutions/securityonion-elsa-extras/commit/b9dd358b2a42c7268557a9706fb4117f1627d81a

Will that affect all bro_notice class events? It may be just what I'm looking for... I'll try to run it through some tests.

Thanks!

Doug Burks

May 29, 2015, 7:28:13 PM5/29/15
to securit...@googlegroups.com
If you could help us test these new ELSA packages, that'd be great!
There are lots of changes out there and they need lots of testing
before release.

https://groups.google.com/d/topic/security-onion-testing/OHhNEapIUgE/discussion

Thanks!



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Seth Hall

May 29, 2015, 9:58:49 PM5/29/15
to securit...@googlegroups.com
You can also search the “tags” field in the HTTP log. Every request that is flagged as a potential SQL injection request is marked with HTTP::URI_SQLI.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

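Worked example of the pivot Seth describes (added here for the thread; not code from Seth, Bro, or Security Onion): parse a Bro http.log in its native tab-separated format, honouring the #separator and #fields headers instead of hard-coding column positions, and return the records whose tags field contains HTTP::URI_SQLI, optionally narrowed to the IP from the notice and a time window around the notice timestamp. The uid on each hit is the connection identifier the original poster was missing, so it can be handed to Sguil or ELSA getPcap to pull the actual request. The http.log content, IPs, uids and request URIs below are constructed sample data, and the field list is shortened relative to a real http.log.

```python
"""Pivot from a Bro HTTP::SQL_Injection_* notice to the tagged HTTP requests."""
import io
from typing import Dict, Iterator, List, Optional

SQLI_TAG = "HTTP::URI_SQLI"

# Constructed sample http.log (shortened field list, placeholder IPs/uids).
# Bro writes the first header literally as '#separator \x09'.
SAMPLE_HTTP_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\ttags
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tset[enum]
1432821810.101\tCXWfTa1\t192.168.0.10\t51234\t203.0.113.5\t80\tGET\texample.test\t/index.html\t(empty)
1432821813.190\tCYa9B02\t192.168.0.10\t51235\t203.0.113.5\t80\tGET\texample.test\t/item.php?id=1%27%20or%201=1\tHTTP::URI_SQLI
1432821814.250\tCZq3K03\t192.168.0.10\t51236\t203.0.113.5\t80\tGET\texample.test\t/item.php?id=2\t(empty)
1432821900.000\tCAb7Y04\t192.168.0.22\t40000\t203.0.113.5\t80\tPOST\texample.test\t/login.php\tHTTP::URI_SQLI,SOME::OTHER
"""


def parse_bro_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record from Bro's ASCII log format.

    Column names come from the #fields header, so the parser still works
    when a sensor adds or reorders columns in http.log.
    """
    sep = "\t"
    fields: List[str] = []
    for raw in io.StringIO(text):
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#separator"):
            # Decode the escaped separator ('\x09' -> a real tab).
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#fields"):
            fields = line.split(sep)[1:]
            continue
        if line.startswith("#"):
            continue  # #types, #path, #close and other headers
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch in line: {line!r}")
        yield dict(zip(fields, values))


def sqli_hits(text: str, ip: Optional[str] = None,
              notice_ts: Optional[float] = None,
              window: float = 60.0) -> List[Dict[str, str]]:
    """Return http.log records tagged HTTP::URI_SQLI.

    ip:        keep only requests where this address is the client or server
               (the notice only gives one side, so match either).
    notice_ts: keep only requests within +/- window seconds of the notice.
    """
    hits: List[Dict[str, str]] = []
    for rec in parse_bro_log(text):
        raw_tags = rec.get("tags", "-")
        tags = [] if raw_tags in ("-", "(empty)") else raw_tags.split(",")
        if SQLI_TAG not in tags:
            continue
        if ip and ip not in (rec["id.orig_h"], rec["id.resp_h"]):
            continue
        if notice_ts is not None and abs(float(rec["ts"]) - notice_ts) > window:
            continue
        hits.append(rec)
    return hits


def pivot_line(rec: Dict[str, str]) -> str:
    """One-line summary with the uid first, ready to paste into getPcap."""
    return (f"{rec['uid']} {rec['ts']} {rec['id.orig_h']}:{rec['id.orig_p']} -> "
            f"{rec['id.resp_h']}:{rec['id.resp_p']} {rec['method']} "
            f"{rec['host']}{rec['uri']}")


if __name__ == "__main__":
    # Notice timestamp and src taken from the Attacker notice in this thread,
    # with the IP replaced by the constructed sample address.
    for rec in sqli_hits(SAMPLE_HTTP_LOG, ip="192.168.0.10",
                         notice_ts=1432821813.190978):
        print(pivot_line(rec))
```

Run it against a real file with `sqli_hits(open("/nsm/bro/logs/current/http.log").read(), ip=..., notice_ts=...)`; for rotated gz logs wrap the path in `gzip.open(..., "rt")`. The window defaults to 60 seconds because the notice fires on the request that crossed the threshold, so the tagged requests sit close to the notice timestamp; widen it if the notice was suppressed (the 3600 s suppress_for in the posted notices) and you want every tagged request in that hour.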

Doug Burks

May 30, 2015, 6:43:55 AM5/30/15
to securit...@googlegroups.com
Thanks, Seth!

securityonion-web-page - 20141015-0ubuntu0securityonion25 now includes
a new HTTP Query called "Potential SQL Injection" that will search for
HTTP::URI_SQLI. The package is being copied to ppa:securityonion/test:
https://groups.google.com/d/topic/security-onion-testing/OHhNEapIUgE/discussion

mmfirm...@gmail.com

Jun 2, 2015, 9:01:08 AM6/2/15
to securit...@googlegroups.com
Here's my SO, incident response check list:

SO Processes

*Workstations Investigations*:
1. Sguil
2. ELSA on IP (may need to increase limit (i.e. limit:5000))
3. Programs (to see various BRO associations with programs i.e. HTTP)
4. srcip & dstip (follow any additional hosts)
4.5 Group by destination port
5. check /nsm/bro/current/capture_loss.log
6. check /nsm/sensor_data/<interface>/dailylogs/date (netsniff-ng)
7. bro -r snort*.log ls -al check logs (i.e. dns.log on sensors)

argus
racluster -n -r 2015-02-09.log - host 10.11.11.11
ra -n -r logfile - tcp and dst port 21 -s stime saddr sport daddr dport sbytes dbytes
-n don't resolve port numbers to names
-s which fields to display
-m saddr daddr groups by source and destination


tshark
sudo tshark -t ad -n -r dailylog-snort-file -R 'tcp.port==80 and http'
-t set format of packet timestamp
-n disable network object name resolution
-r read packet input file
-R apply filter



ELSA getPcap and query for "event" info instead of "sancp" info

Servers:



General:
sudo service nsm status
sudo nsm_sensor_ps-start --only-argus
sudo sostat


ELSA:
You can add the keywords after the search terms
+program="ossec_archive" limit:10000 keyword thekeyword

zcat for extracting info from bro logs
zcat <log file> |bro-cut -d|grep <ip or other info>

tcpflow -r snort.log.filename port 20 (or other port)
tcpflow reconstructs sessions


/etc/nsm/interface-name/sensor.conf for agent startup options.
/etc/nsm/securityonion/sguild.email

Pete

Jun 2, 2015, 4:33:22 PM6/2/15
to securit...@googlegroups.com
Thanks, Seth. That's the clue I needed!