[Oisf-users] Suricata logs perfectly... and now ?!
mc8647
mc8647 at mclink.it
Mon Feb 27 22:17:49 UTC 2012
OK, now Suricata runs and collects massive amounts of logs... Thank you
to everybody for your help.
I started to implement Suricata because in January I found several
strange connections in the proxy logs. I started to trace them down and
we found Zeus installed on several PCs. More PCs were being infected daily,
with the AV unable to stop them.
So I collected all the samples I could, sent them to the AV company etc. etc.,
blocked the C&C/DROP IPs at the firewall, cleaned the PCs...
When I could trace the infections in the proxy logs I found the same log
lines: an advertising circuit, a couple of PDF downloads, .jar files
(org.class, net.class, com.class...) and finally the payload... Seconds
after the payload, an https connection to a Hungarian IP (also hosting
adult sites) started. The IP address is not listed in any "bot", "cc" or
malware-related list. The domains used were not blacklisted either....
Installing Suricata, I was expecting to find a lot more infected PCs. I
enabled only the "malware"/"botnet" related rules and I found several
PCs with:
ET MALWARE dialno Dialer User-Agent (dialno)
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET MALWARE AskSearch Toolbar Spyware User-Agent (AskTBar)
ET MALWARE Fun Web Products Agent Traffic
ET MALWARE Simbar Spyware User-Agent Detected
ET MALWARE Casalemedia Spyware
I also found several DROP/C&C log lines (but I don't have them with me);
several of them were FPs, and in fact after updating the ET rules some of the IPs
were not listed anymore...
Now I'd like to ask about my results:
- is this a classic outcome of a Suricata network log? I was expecting
way more infected PCs! Or are the "free" rules not enough to catch in-the-wild
malware?
- are these toolbar/spyware really, really malware?
About the logs data:
- how do you handle all this massive log data ?
- how do you analyze it ?
OK, I have tons of other questions but the message is already too long,
so I can summarize with the message title:
Suricata now works... and now what to do with all this data?
Thanks
Francesco
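As an added example for the "how do you analyze it?" question above (this is not code from the original post or from the Suricata project), the script below parses alerts in Suricata's one-line fast.log format and reduces them to the two views that make a first triage pass tractable: which internal hosts fired each signature, and which hosts fired the most distinct signatures. It also collects the destination IPs behind "ET DROP" hits so they can be re-checked after a rule update, which is the false-positive situation described in the post. The sample log lines are constructed for this example; the signature messages are the ones listed in the post, but the SIDs, the "ET DROP" message text, the timestamps and all IP addresses are placeholders, not real rule IDs or real hosts.

```python
import re
from collections import Counter, defaultdict

# Suricata fast.log alert line, e.g.
#   02/27/2012-09:01:12.000001  [**] [1:2000001:3] MSG [**] [Classification: X] [Priority: 1] {TCP} SRC:PORT -> DST:PORT
# The "Classification" field is optional and may read "(null)".
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s+(?P<pri>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$'
)

# Constructed sample input: SIDs 200000x, the "ET DROP Example ..." message and all
# addresses are placeholders for this example, not real ET rule IDs or real hosts.
SAMPLE_FAST_LOG = """\
02/27/2012-09:01:12.000001  [**] [1:2000001:3] ET MALWARE Simbar Spyware User-Agent Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.7:49152 -> 198.51.100.10:80
02/27/2012-09:01:40.000002  [**] [1:2000002:5] ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.7:49153 -> 198.51.100.11:80
02/27/2012-09:02:05.000003  [**] [1:2000002:5] ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.7:49154 -> 198.51.100.11:80
02/27/2012-09:05:33.000004  [**] [1:2000003:2] ET MALWARE AskSearch Toolbar Spyware User-Agent (AskTBar) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.12:51000 -> 198.51.100.20:80
02/27/2012-09:06:01.000005  [**] [1:2000004:1] ET DROP Example C&C IP List Hit (constructed) [**] [Classification: (null)] [Priority: 2] {TCP} 10.0.0.12:51001 -> 203.0.113.5:443
02/27/2012-09:07:18.000006  [**] [1:2000002:5] ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.20:50000 -> 198.51.100.11:80
this line is not an alert and must be skipped
"""


def parse_fast_log(text):
    """Parse fast.log text into a list of alert dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a['sid'] = int(a['sid'])
        a['pri'] = int(a['pri'])
        alerts.append(a)
    return alerts


def hosts_by_signature(alerts):
    """Map each signature message to the sorted list of source hosts that triggered it.

    One signature across many hosts usually means a toolbar or a noisy rule;
    one signature on one host is the more interesting case."""
    hosts = defaultdict(set)
    for a in alerts:
        hosts[a['msg']].add(a['src'])
    return {msg: sorted(h) for msg, h in hosts.items()}


def rank_hosts(alerts):
    """Rank source hosts by number of distinct signatures, then by alert volume.

    Returns a list of (host, distinct_sids, alert_count); a host that trips
    several different rules is a better cleanup candidate than one that
    repeats a single user-agent rule hundreds of times."""
    sigs = defaultdict(set)
    counts = Counter()
    for a in alerts:
        sigs[a['src']].add(a['sid'])
        counts[a['src']] += 1
    rows = [(h, len(sigs[h]), counts[h]) for h in counts]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


def destinations_for(alerts, msg_prefix):
    """Sorted list of destination IPs behind alerts whose message starts with msg_prefix.

    Used here to pull the IPs behind 'ET DROP' hits so they can be checked
    again after a rule update, which is when list-based FPs disappear."""
    return sorted({a['dst'] for a in alerts if a['msg'].startswith(msg_prefix)})


if __name__ == '__main__':
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    print(f'{len(alerts)} alerts parsed')
    for msg, hosts in hosts_by_signature(alerts).items():
        print(f'{len(hosts):3d} host(s)  {msg}')
    for host, nsigs, total in rank_hosts(alerts):
        print(f'{host:12s} {nsigs} distinct sigs, {total} alerts')
    print('ET DROP destinations to re-check:', destinations_for(alerts, 'ET DROP'))
```

Pointing `parse_fast_log` at a real fast.log (read the file and pass its contents) gives the same two views over production data; the host ranking is the list to walk with the proxy logs, and the per-signature host counts show at a glance which rules are firing fleet-wide and are therefore likely toolbar or user-agent noise rather than an active infection.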