[Oisf-devel] PREPROCESSOR IDEA: Reliable Fast Flux Detection

Victor Julien victor at inliniac.net
Tue Mar 20 09:05:23 UTC 2012


On 03/19/2012 07:14 PM, Martin Holste wrote:
> How about a dev utility that converts Wireshark modules into
> preprocessors suitable for Suricata?

I think this would be a very significant effort due to the differences
between the code bases, the libraries used, etc.

I actually looked into converting wireshark into an IDS/IPS before
starting to work on Suricata (then codenamed VIPS or Victor's IPS ;-))
but decided it wasn't feasible. I think there has been another project
trying the same, but I haven't heard about it in a long time.

Cheers,
Victor

> On Mon, Mar 19, 2012 at 10:14 AM, Victor Julien <victor at inliniac.net> wrote:
>> On 02/29/2012 10:21 AM, Kevin Ross wrote:
>>> As fast flux is more and more used
>>> http://www.damballa.com/press/2012_02_28PR.php and if you look at
>>> samples in the sandnet such as e2d5d6ce50cf0a6b816e0f2aa7c35970
>>> (W32/Shiz) you will see SID 2008470 (ET DNS Excessive NXDOMAIN responses
>>> - Possible DNS Backscatter or Fast Flux DNS Lookups) detects it. However
>>> this detection method, while it works, does have FPs.
>>>
>>> If however a preprocessor detecting the NXDOMAIN responses where most
>>> (or all of them) are unique then that would reliably detect fast flux
>>> (perhaps by checking if the last domain in the NXDOMAIN response is the
>>> same as this one; if it is then you don't have fast flux, if it is then
>>> move on with the increment till you declare fast flux). So rather than a
>>> host doing lots of requests for the same domain or a few triggering the
>>> sig, if you see behaviour like e2d5d6ce50cf0a6b816e0f2aa7c35970 where it
>>> is moving through the generated domains then you reliably have fast flux
>>> detection.
>>>
>>> I believe with more malware moving to fast flux (which vendors seem to
>>> call stealthy, but seeing how much fast flux triggers sid 2008470 it
>>> lights up like a Christmas tree, I doubt it); but I think reliable
>>> detection of fast flux will be important in detecting malware behaviours
>>> in the network.
>>
>> I guess the first thing we'd need is a good DNS parser. Anyone
>> interested in building one?
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
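The per-client NXDOMAIN heuristic Kevin Ross sketches in the quoted message (count NXDOMAIN responses per host, skip the increment when the failed name is the same as the previous one, alert once most of the failures in the window are for distinct names), written out as an added, stand-alone example. It is not Suricata code and not code from anyone on this thread; the window length, the distinct-name threshold, the uniqueness ratio and the DNS events are all constructed assumptions, and a real preprocessor would get the events from a DNS parser rather than from a list:

```python
from collections import defaultdict, deque

# Assumed tuning values, not taken from any ruleset or from the thread.
WINDOW_SECONDS = 60.0     # sliding window per client
UNIQUE_THRESHOLD = 5      # distinct NXDOMAIN names in the window before alerting
MIN_UNIQUE_RATIO = 0.8    # "most or all" of the NXDOMAINs must be for distinct names


class NxdomainTracker:
    """Per-client sliding window over NXDOMAIN responses."""

    def __init__(self, window=WINDOW_SECONDS, threshold=UNIQUE_THRESHOLD,
                 min_ratio=MIN_UNIQUE_RATIO):
        self.window = window
        self.threshold = threshold
        self.min_ratio = min_ratio
        self.events = defaultdict(deque)  # client -> deque of (ts, name)
        self.last_name = {}               # client -> previous NXDOMAIN name
        self.alerted = set()              # clients already alerted in this window

    def observe(self, ts, client, name):
        """Feed one NXDOMAIN response; return an alert dict or None."""
        name = name.lower().rstrip(".")
        window = self.events[client]
        window.append((ts, name))
        while window and ts - window[0][0] > self.window:
            window.popleft()

        # Kevin's check: a repeat of the previous failed name does not advance
        # the count (a host hammering one missing name is backscatter-like).
        repeat = self.last_name.get(client) == name
        self.last_name[client] = name
        if repeat:
            return None

        total = len(window)
        unique = len({n for _, n in window})
        hit = unique >= self.threshold and unique / total >= self.min_ratio
        if not hit:
            self.alerted.discard(client)  # re-arm once the window drains
            return None
        if client in self.alerted:
            return None                   # one alert per client per episode
        self.alerted.add(client)
        return {"client": client, "unique": unique, "total": total, "ts": ts}


def scan(events, **kwargs):
    """Replay (ts, client, name) NXDOMAIN events in time order; collect alerts."""
    tracker = NxdomainTracker(**kwargs)
    alerts = []
    for ts, client, name in sorted(events):
        alert = tracker.observe(ts, client, name)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not captured traffic): (timestamp, client, queried name).
SAMPLE_NXDOMAIN_EVENTS = [
    # 10.0.0.5 walks through generated-looking names, each failing once
    (1.0, "10.0.0.5", "kx7q2m.example.net"),
    (2.0, "10.0.0.5", "p93zrt.example.net"),
    (3.0, "10.0.0.5", "vb5lwq.example.net"),
    (4.0, "10.0.0.5", "hs8d1c.example.net"),
    (5.0, "10.0.0.5", "nq4y7f.example.net"),
    (6.0, "10.0.0.5", "tz2j6e.example.net"),
    # 10.0.0.9 repeats one missing name: many NXDOMAINs, but nothing flux-like
    *[(float(t), "10.0.0.9", "missing-host.example.org") for t in range(1, 9)],
    # 10.0.0.7 makes a couple of typos, well under the threshold
    (2.5, "10.0.0.7", "gogle.example"),
    (3.5, "10.0.0.7", "faceboook.example"),
    (7.0, "10.0.0.7", "gogle.example"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_NXDOMAIN_EVENTS):
        print("ALERT", alert)
```

Run over the constructed events, only 10.0.0.5 trips the tracker (five distinct failed names in five responses), while 10.0.0.9 generates more NXDOMAINs in total yet never counts past one because every response repeats the previous name. That is the difference from a plain "excessive NXDOMAIN" count: the signature Kevin refers to fires on volume alone, whereas this keys on the number of distinct failing names per client, which is what he argues separates the domain-walking behaviour from backscatter.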
