Thread: taxonomy for malware callback

  1. #1
    Norbert Klasen NNTP User

    taxonomy for malware callback

    Hi,
    suppose a network device detects infected clients by identifying malware
    callback patterns in the client's network communication (typically HTTP GETs
    or POSTs initiated by the client). Which XDAS taxonomy should apply to such
    events, and who is the initiator and who the target?

    Norbert

  2. #2
    jcvader1 NNTP User

    Re: taxonomy for malware callback


    I'm not sure what you are getting at here.
    You can have a look on
    http://www.novell.com/developer/plug..._taxonomy.html at the
    taxonomies defined.
    If you are using a default collector this is done for you, if you are
    developing your own collector you can decide yourself which taxonomy you
    give to it.
    I guess something like XDAS_AE_INFECTED would be in order. It all
    depends on what you are planning on doing with the information, e.g.
    putting it in a report, sending a mail, ....

    Hope this helps,
    Anco


    --
    jcvader1
    ------------------------------------------------------------------------
    jcvader1's Profile: https://forums.netiq.com/member.php?userid=502
    View this thread: https://forums.netiq.com/showthread.php?t=50042


  3. #3
    Norbert Klasen NNTP User

    Re: taxonomy for malware callback

    Hi Anco,

    >>> On 19.02.2014 at 12:04, jcvader1<jcvader1@no-mx.forums.netiq.com> wrote:

    > I'm not sure what you are getting at here.
    > You can have a look on
    > http://www.novell.com/developer/plug..._taxonomy.html at the
    > taxonomies defined.
    > If you are using a default collector this is done for you, if you are
    > developing your own collector you can decide yourself which taxonomy you
    > give to it.
    > I guess something like XDAS_AE_INFECTED would be in order. It all
    > depends on what you are planning on doing with the information, e.g.
    > putting it in a report, sending a mail, ....


    I'm working on a FireEye collector. Here's a sample:

    fenotify-68960.alert:
    CEF:0|FireEye|MPS|7.0.2.156588|IM|infection-match|1|rt=Jan 29 2014 11:00:02
    Z src=10.1.0.1 cn3Label=cncPort cn3=8080 cn2Label=sid cn2=83700175
    shost=client1.example.com proto=tcp dvchost=FIREEYE1 dst=10.2.0.1
    cs5Label=cncHost cs5=10.2.0.1 spt=54552 dvc=10.3.0.1 smac=00:00:00:00:f5:c2
    cn1Label=vlan cn1=0 dpt=8080 externalId=68960 cs4Label=link
    cs4=https://FIREEYE1.example.com/event_stream/events_for_bot?ev_id=68960
    cs6Label=channel cs6=GET
    http://sp-storage.spccint.com/AutoUp...AutoUpdate.zip
    HTTP/1.1::~~User-Agent: SearchProtect;1.7.0.72;Microsoft Windows 7
    Enterprise Edition Service Pack 1 (build 7601)
    64-bit;spe5aeb121-b62d-45be-834d-e27372620129::~~Accept: *\/*::~~Host:
    sp-storage.spccint.com::~~::~~ dmac=00:00:00:00:01:01 cs1Label=sname
    cs1=Malicious.URL

    What happened is: the workstation client1.example.com (10.1.0.1) downloaded
    http://sp-storage.spccint.com/AutoUp...AutoUpdate.zip via the
    corporate proxy 10.2.0.1. This was observed by the FireEye appliance
    FIREEYE1 (10.3.0.1) and determined to be an indication that the workstation
    is indeed infected.

    So we have:
    - client1 retrieved some file from sp-storage.spccint.com via a proxy.
    - client1 is reported to be infected.

    I'd also go for XDAS_AE_INFECTED (Record if an AV or IDS determines that a
    system has been affected by a virus or similar infection.) as taxonomy. That
    should make client1 the target - although it initiated the connection and
    did the GET request. Or is it vice versa?

    And what is supposed to be the correct outcome taxonomy? Success, because
    client1 had been successfully infected?

    Norbert



  4. #4
    jcvader1 NNTP User

    Re: taxonomy for malware callback


    Hi Norbert,

    As I said before, it all depends what you intend to do with the
    information.
    If you are unsure about that at this moment I would go with the event
    information.
    The client is shost so in this event it is seen as the source, the proxy
    as the destination and the fireeye as the observer.
    If you want a report seen from the client as destination you can always
    substitute source with destination in the layout of the report.

    The same goes for the outcome taxonomy. You are designing the collector
    so you decide what the outcome should be.
    I would probably go for XDAS_OUT_SUCCESS because none of the others fit
    and there is no real error (as you put it, it is successfully infected);
    maybe you could go for XDAS_OUT_UNKNOWN if you want.
    Keep in mind that the XDAS taxonomy is made for classification of the
    events. You can identify an infection with XDAS_AE_INFECTED so no need
    to identify it again with the outcome.

    Hope this helps,
    Anco


    --
    jcvader1
    ------------------------------------------------------------------------
    jcvader1's Profile: https://forums.netiq.com/member.php?userid=502
    View this thread: https://forums.netiq.com/showthread.php?t=50042
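
The alert posted in #3 and the field roles suggested in #4 (shost is the source, the proxy the destination, the FireEye appliance the observer), worked through as an added example. This is not code from the thread, from NetIQ or from FireEye; it is written in JavaScript because that is the language Sentinel collectors are written in. It parses a CEF record (header fields with backslash escapes, then key=value extensions with cnN/csN label resolution), maps it to an XDAS-style event with the taxonomy and outcome constants named in the thread, and pulls the real callback domain out of the captured Host: header, since dst/cncHost only name the proxy. The event-name table holds only the one event type shown above, and the sample alert is constructed with example.test names rather than the real one:

```javascript
// Added example, not code from the thread or from NetIQ/FireEye: parse a
// FireEye CEF alert like the one posted above and map it onto the XDAS roles
// from the reply (shost = initiator, dst = target, dvchost = observer).
// Assumptions: the XDAS constant names and the event-name table come from the
// thread only; the sample alert below is constructed, not a real alert.

// Parse a CEF record: 7 pipe-separated header fields, then the extension.
// '|' and '\' inside header fields are escaped with a backslash.
function parseCef(line) {
  if (!line.startsWith('CEF:')) throw new Error('not a CEF record');
  const fields = [];
  let cur = '';
  let i = 4; // skip the "CEF:" prefix
  while (i < line.length && fields.length < 7) {
    const ch = line[i];
    if (ch === '\\' && i + 1 < line.length) { cur += line[i + 1]; i += 2; continue; }
    if (ch === '|') { fields.push(cur); cur = ''; i += 1; continue; }
    cur += ch; i += 1;
  }
  if (fields.length < 7) throw new Error('CEF header has fewer than 7 fields');
  const [version, vendor, product, deviceVersion, signatureId, name, severity] = fields;
  return { version, vendor, product, deviceVersion, signatureId, name,
           severity: Number(severity), ext: parseCefExtension(line.slice(i)) };
}

// Undo CEF value escaping: "\=" -> "=", "\\" -> "\", "\n"/"\r" -> newline/CR.
function unescapeCefValue(v) {
  return v.replace(/\\(.)/g, (_, c) => (c === 'n' ? '\n' : c === 'r' ? '\r' : c));
}

// Parse "key=value key2=value with spaces ...". A key is a word at the start
// of the string or after whitespace, directly followed by '='. An '=' that is
// not preceded by whitespace+word (e.g. "?ev_id=68960" inside the link URL)
// does not start a new key. CEF requires producers to escape '=' in values;
// an unescaped " word=" inside a value would still be split here.
function parseCefExtension(ext) {
  const keyRe = /(?:^|\s)(\w+)=/g;
  const keys = [];
  let m;
  while ((m = keyRe.exec(ext)) !== null) {
    keys.push({ name: m[1], start: m.index, valueStart: m.index + m[0].length });
  }
  const out = {};
  keys.forEach((k, idx) => {
    const end = idx + 1 < keys.length ? keys[idx + 1].start : ext.length;
    out[k.name] = unescapeCefValue(ext.slice(k.valueStart, end)).trim();
  });
  // Resolve custom fields: "cn3Label=cncPort cn3=8080" also yields cncPort=8080.
  for (const [key, label] of Object.entries(out)) {
    const lm = /^(c[ns]\d+)Label$/.exec(key);
    if (lm && out[lm[1]] !== undefined) out[label] = out[lm[1]];
  }
  return out;
}

// The Host: header of the captured request names the callback domain itself;
// dst/cncHost only name the next hop, which is the corporate proxy here.
function callbackHostFromChannel(channel) {
  const hm = /(?:^|::~~)Host:\s*(.*?)(?=::~~|$)/i.exec(channel || '');
  return hm ? hm[1].trim() : undefined;
}

// Assumed mapping from FireEye event names to XDAS taxonomy constants; only
// the event type shown in the thread is listed.
const XDAS_BY_FIREEYE_NAME = { 'infection-match': 'XDAS_AE_INFECTED' };

function toXdasEvent(cef) {
  const e = cef.ext;
  const taxonomy = XDAS_BY_FIREEYE_NAME[cef.name];
  if (!taxonomy) throw new Error(`no XDAS mapping for FireEye event "${cef.name}"`);
  return {
    taxonomy,
    // The infection is carried by the taxonomy; the outcome only says the
    // observed action completed, as the reply above suggests.
    outcome: 'XDAS_OUT_SUCCESS',
    time: e.rt,
    initiator: { host: e.shost, ip: e.src, port: e.spt, mac: e.smac },
    target: { host: e.cncHost, ip: e.dst, port: e.dpt, mac: e.dmac },
    observer: { host: e.dvchost, ip: e.dvc, vendor: cef.vendor, product: cef.product },
    callbackHost: callbackHostFromChannel(e.channel),
    signature: e.sname,
    eventId: e.externalId,
    severity: cef.severity,
    link: e.link,
  };
}

// Constructed sample in the shape of the posted alert (not a real alert).
const SAMPLE_ALERT = 'CEF:0|FireEye|MPS|7.0.2.156588|IM|infection-match|1|'
  + 'rt=Jan 29 2014 11:00:02 Z src=10.1.0.1 cn3Label=cncPort cn3=8080 '
  + 'cn2Label=sid cn2=83700175 shost=client1.example.com proto=tcp '
  + 'dvchost=FIREEYE1 dst=10.2.0.1 cs5Label=cncHost cs5=10.2.0.1 spt=54552 '
  + 'dvc=10.3.0.1 smac=00:00:00:00:f5:c2 cn1Label=vlan cn1=0 dpt=8080 '
  + 'externalId=68960 cs4Label=link '
  + 'cs4=https://FIREEYE1.example.com/event_stream/events_for_bot?ev_id=68960 '
  + 'cs6Label=channel cs6=GET http://cnc.example.test/files/update.zip HTTP/1.1'
  + '::~~User-Agent: Example-Agent/1.0::~~Accept: *\\/*::~~Host: cnc.example.test'
  + '::~~::~~ dmac=00:00:00:00:01:01 cs1Label=sname cs1=Malicious.URL';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(toXdasEvent(parseCef(SAMPLE_ALERT)), null, 2));
}
```

Run with `node` to print the mapped event. Keeping the raw CEF fields (`ext`) alongside the XDAS view is deliberate: if a report later wants the client shown as destination, the substitution suggested above is a presentation choice and the original field roles stay available.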

