[Oisf-users] HTTP Botnet Detection Preprocessor or Analyser Idea

Kevin Ross kevross33 at googlemail.com
Mon Aug 22 21:09:30 UTC 2011

A sudden idea; why not have some sort of analysers to go over any flows,
http logs etc. collected by suricata investigating common indicative
behaviours to eventually determine when to alarm on possibly infected
hosts. These examples are based on HTTP and all of these could be used to
assign an infection value to a host; once it passes a threshold a detailed
alert can be generated. I know there are many more indicators and some may
not be, but I am meaning to get the idea across. I am not saying this should
be done realtime or even by the main processes in suricata; just analysers
to go over collected logs to determine indicative behaviour (this could also
be done even if you had short term kept logs for things like flows, HTTP
logs, DNS logs, FTP logs (FTP to detect data uploads), etc.). A combination
of characteristics, perhaps not across just HTTP logs or whatever but many,
could determine infection possibilities (i.e. host looks up either known bad
domains or more unique domains and those that indicate fast flux, then it
uses repetitive HTTP checkins and occasionally may download updated binaries
and so on).

- Host makes REPETITIVE GET or POST requests to more disparate hosts than
other hosts possibly followed by an OK message from server, even without any
data in the body followed by no further communication

- Host sends POST or GET requests repeatedly with a high percentage of
repetition and frequency of values such as &os=, &mac=, &pid= and so on.
Possibly this sort of message followed by repetitive checkin messages

- Host receives executables with minimal effort (i.e. checkin, redirect, EXE

- Host uses new user-agents following possible malware download (EXE and so

- Host communicates with high frequency of HTTP servers without FQDN (such
as 92.23.X.X/stat.html instead of www.iamok.com or something and others,
possibly displaying repetition).

- Communication flows are very small, short and show particular
characteristics (i.e. small bursts of similar length communications and
possibly repetitive time intervals between bursts).

- Host communicates using suspicious HTTP headers (like the ETPRO sigs)

- Host POSTs short amounts of data which (when things like gzip are removed) have
high entropy, indicating encrypted communications with CnC
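One way to prototype the scoring the post sketches, as an added example (not Suricata code and not from the original message): a Python pass over constructed HTTP-log style records that scores each source host on four of the indicators listed above and alerts once a threshold is reached. The record layout, the point values, the threshold, the entropy cut-off and the ID_KEYS set are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample records (src_ip, dest_host, method, uri, body) shaped like Suricata http-log fields; not real traffic.
SAMPLE = [
    ("10.0.0.5", "92.23.1.2", "POST", "/stat.php?os=win7&mac=00aa&pid=4", bytes(range(0, 256, 4))),
    ("10.0.0.5", "92.23.1.9", "POST", "/stat.php?os=win7&mac=00aa&pid=4", bytes(range(1, 256, 4))),
    ("10.0.0.5", "92.23.4.7", "POST", "/stat.php?os=win7&mac=00aa&pid=4", bytes(range(2, 256, 4))),
    ("10.0.0.7", "www.iamok.com", "GET", "/news?page=2", b""),
    ("10.0.0.7", "cdn.iamok.com", "POST", "/search", b"q=weather+today"),
]
ID_KEYS = {"os", "mac", "pid", "id", "uid", "hwid"}  # assumed check-in parameter names
BARE_IP = re.compile(r"\d{1,3}(\.\d{1,3}){3}(:\d+)?$")  # Host header is an IPv4 literal, not an FQDN

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum for byte data)."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def score_hosts(records, alert_threshold=5):
    """Return {src_ip: (score, reasons)} for sources whose score reaches the threshold."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec[0]].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        hits = []  # (points, reason) per matched indicator
        # Same URI path repeated against several distinct servers (check-in behaviour)
        paths = Counter(uri.split("?")[0] for _, _, _, uri, _ in recs)
        path, n = paths.most_common(1)[0]
        servers = {h for _, h, _, u, _ in recs if u.split("?")[0] == path}
        if n >= 3 and len(servers) >= 3:
            hits.append((2, f"{path} requested {n} times across {len(servers)} servers"))
        # HTTP servers addressed by bare IP instead of an FQDN
        ip_hits = sum(bool(BARE_IP.match(h)) for _, h, _, _, _ in recs)
        if ip_hits / len(recs) > 0.5:
            hits.append((2, f"{ip_hits}/{len(recs)} requests to bare-IP hosts"))
        # Repeated identifier-style query keys such as os=, mac=, pid=
        keys = Counter(k for _, _, _, uri, _ in recs for k in re.findall(r"[?&](\w+)=", uri))
        if sum(keys[k] for k in ID_KEYS) >= 3:
            hits.append((1, "repeated identifier-style query keys"))
        # Short POST bodies with high entropy (possible encrypted C2 traffic)
        if any(m == "POST" and 0 < len(b) < 256 and entropy(b) > 5.5 for _, _, m, _, b in recs):
            hits.append((2, "short high-entropy POST body"))
        score = sum(p for p, _ in hits)
        if score >= alert_threshold:
            alerts[src] = (score, [why for _, why in hits])
    return alerts
```

On the constructed sample, 10.0.0.5 trips all four indicators (score 7) and is reported with its reasons, while 10.0.0.7 scores 0; in practice the weights and threshold would be tuned against a baseline of the site's normal traffic before alerting on them.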