
taxonomy for malware callback

Hi,
suppose a network device detects infected clients by identifying malware
callback patterns in the client's network communication (typically HTTP GETs
or POSTs initiated by the client). Which XDAS taxonomy should apply to such
events, and who is the initiator and who the target?

Norbert

Re: taxonomy for malware callback


I'm not sure what you are getting at here.
You can have a look at the taxonomies defined at
http://www.novell.com/developer/plugin-sdk/sentinel_taxonomy.html.
If you are using a default collector this is done for you; if you are
developing your own collector you can decide yourself which taxonomy you
give to it.
I guess something like XDAS_AE_INFECTED would be in order. It all
depends on what you are planning on doing with the information, e.g.
putting it in a report, sending a mail, ....

Hope this helps,
Anco


--
jcvader1
------------------------------------------------------------------------
jcvader1's Profile: https://forums.netiq.com/member.php?userid=502
View this thread: https://forums.netiq.com/showthread.php?t=50042


Re: taxonomy for malware callback

Hi Anco,

>>> On 19.02.2014 at 12:04, jcvader1 <jcvader1@no-mx.forums.netiq.com> wrote:

> I'm not sure what you are getting at here.
> You can have a look at the taxonomies defined at
> http://www.novell.com/developer/plugin-sdk/sentinel_taxonomy.html.
> If you are using a default collector this is done for you; if you are
> developing your own collector you can decide yourself which taxonomy you
> give to it.
> I guess something like XDAS_AE_INFECTED would be in order. It all
> depends on what you are planning on doing with the information, e.g.
> putting it in a report, sending a mail, ....


I'm working on a FireEye collector. Here's a sample:

fenotify-68960.alert:
CEF:0|FireEye|MPS|7.0.2.156588|IM|infection-match|1|rt=Jan 29 2014 11:00:02
Z src=10.1.0.1 cn3Label=cncPort cn3=8080 cn2Label=sid cn2=83700175
shost=client1.example.com proto=tcp dvchost=FIREEYE1 dst=10.2.0.1
cs5Label=cncHost cs5=10.2.0.1 spt=54552 dvc=10.3.0.1 smac=00:00:00:00:f5:c2
cn1Label=vlan cn1=0 dpt=8080 externalId=68960 cs4Label=link
cs4=https://FIREEYE1.example.com/event_stream/events_for_bot?ev_id=68960
cs6Label=channel cs6=GET
http://sp-storage.spccint.com/AutoUpdate/1.209.0.355/AutoUpdate.zip
HTTP/1.1::~~User-Agent: SearchProtect;1.7.0.72;Microsoft Windows 7
Enterprise Edition Service Pack 1 (build 7601)
64-bit;spe5aeb121-b62d-45be-834d-e27372620129::~~Accept: *\/*::~~Host:
sp-storage.spccint.com::~~::~~ dmac=00:00:00:00:01:01 cs1Label=sname
cs1=Malicious.URL

What happened is: the workstation client1.example.com (10.1.0.1) downloaded
http://sp-storage.spccint.com/AutoUpdate/1.209.0.355/AutoUpdate.zip via the
corporate proxy 10.2.0.1. This was observed by the FireEye appliance
FIREEYE1 (10.3.0.1) and determined to be an indication that the workstation
is indeed infected.

So we have:
- client1 retrieved some file from sp-storage.spccint.com via a proxy.
- client1 is reported to be infected.

I'd also go for XDAS_AE_INFECTED ("Record if an AV or IDS determines that a
system has been affected by a virus or similar infection.") as the taxonomy.
That should make client1 the target, although it initiated the connection and
did the GET request. Or is it vice versa?

And what is supposed to be the correct outcome taxonomy? Success, because
client1 had been successfully infected?

Norbert



Re: taxonomy for malware callback


Hi Norbert,

As I said before, it all depends on what you intend to do with the
information.
If you are unsure about that at this moment I would go with the event
information.
The client is shost, so in this event it is seen as the source, the proxy
as the destination and the FireEye as the observer.
If you want a report seen from the client as destination you can always
substitute source with destination in the layout of the report.

The same goes for the outcome taxonomy. You are designing the collector,
so you decide what the outcome should be.
I would probably go for XDAS_OUT_SUCCESS because none of the others fit
and there is no real error (as you put it, it is successfully infected);
maybe you could go for XDAS_OUT_UNKNOWN if you want.
Keep in mind that the XDAS taxonomy is made for classification of the
events. You can identify an infection with XDAS_AE_INFECTED, so no need
to identify it again with the outcome.

Hope this helps,
Anco


--
jcvader1

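As an added worked example (my own code, not from this thread and not the Sentinel Collector SDK's API), here is a small JavaScript routine that parses the CEF alert Norbert posted and maps it to an XDAS-style event the way Anco reads it: shost/src as source (initiator), dst as destination (target), dvc/dvchost as observer, XDAS_AE_INFECTED as the taxonomy and XDAS_OUT_SUCCESS as the outcome. It goes a little beyond the thread by also resolving the CEF csN/cnN label pairs to the names the device gives them (cncHost, cncPort, sname) and by splitting the HTTP request that FireEye packs into cs6. The output field names (initiator, target, observer, request) and the clientAsTarget option are assumptions of this example.

```javascript
// Added example, not code from this thread or from the Sentinel Collector SDK: parse the
// FireEye CEF alert above and map it the way Anco reads it (shost = source/initiator,
// dst = destination/target, dvc = observer). Output field names are this example's own.

// Constructed sample: the alert from the thread, re-joined onto one line.
const SAMPLE_CEF =
  'CEF:0|FireEye|MPS|7.0.2.156588|IM|infection-match|1|rt=Jan 29 2014 11:00:02 Z src=10.1.0.1 ' +
  'cn3Label=cncPort cn3=8080 cn2Label=sid cn2=83700175 shost=client1.example.com proto=tcp ' +
  'dvchost=FIREEYE1 dst=10.2.0.1 cs5Label=cncHost cs5=10.2.0.1 spt=54552 dvc=10.3.0.1 ' +
  'smac=00:00:00:00:f5:c2 cn1Label=vlan cn1=0 dpt=8080 externalId=68960 cs4Label=link ' +
  'cs4=https://FIREEYE1.example.com/event_stream/events_for_bot?ev_id=68960 cs6Label=channel ' +
  'cs6=GET http://sp-storage.spccint.com/AutoUpdate/1.209.0.355/AutoUpdate.zip HTTP/1.1::~~' +
  'User-Agent: SearchProtect;1.7.0.72;Microsoft Windows 7 Enterprise Edition Service Pack 1 ' +
  '(build 7601) 64-bit;spe5aeb121-b62d-45be-834d-e27372620129::~~Accept: *\\/*::~~Host: ' +
  'sp-storage.spccint.com::~~::~~ dmac=00:00:00:00:01:01 cs1Label=sname cs1=Malicious.URL';

const HEADER_NAMES = ['version', 'vendor', 'product', 'deviceVersion', 'signatureId', 'name', 'severity'];

// CEF escapes "=" and "\" in values with a backslash; FireEye also writes "\/" (see Accept: *\/*).
function unescapeValue(v) {
  return v.trim().replace(/\\(.)/g, (_, c) => (c === 'n' ? '\n' : c === 'r' ? '\r' : c));
}

// Keys are word tokens followed by "=" at the start or after whitespace, so a value may
// contain spaces, colons and even "x=y" inside a URL ("?ev_id=68960" above).
function parseExtension(ext) {
  const keyRe = /(^|\s)([A-Za-z0-9_]+)=/g;
  const fields = {};
  let m, key = null, start = 0;
  while ((m = keyRe.exec(ext)) !== null) {
    if (key !== null) fields[key] = unescapeValue(ext.slice(start, m.index));
    key = m[2];
    start = m.index + m[0].length;
  }
  if (key !== null) fields[key] = unescapeValue(ext.slice(start));
  return fields;
}

// The header is the seven "|"-separated fields after "CEF:"; a literal pipe there is "\|".
function parseCef(line) {
  if (!line.startsWith('CEF:')) throw new Error('not a CEF record');
  const header = [];
  let field = '', i = 4;
  for (; i < line.length && header.length < 7; i++) {
    const ch = line[i];
    if (ch === '\\' && i + 1 < line.length) { field += line[++i]; continue; }
    if (ch === '|') { header.push(field); field = ''; continue; }
    field += ch;
  }
  if (header.length < 7) throw new Error('truncated CEF header');
  const rec = {};
  HEADER_NAMES.forEach((n, k) => { rec[n] = header[k]; });
  rec.extension = parseExtension(line.slice(i));
  return rec;
}

// "cs5Label=cncHost cs5=10.2.0.1" means the device calls cs5 "cncHost": re-key those pairs.
function resolveLabels(fields) {
  const out = { ...fields };
  for (const [k, label] of Object.entries(fields)) {
    const mm = /^(c[sn]\d+)Label$/.exec(k);
    if (mm && fields[mm[1]] !== undefined) {
      out[label] = fields[mm[1]];
      delete out[k]; delete out[mm[1]];
    }
  }
  return out;
}

// FireEye packs the observed HTTP request into cs6 with "::~~" as the line separator.
function parseChannel(channel) {
  const [requestLine, ...headerLines] = (channel || '').split('::~~');
  const [method, url] = requestLine.split(/\s+/);
  const headers = {};
  for (const h of headerLines) {
    const idx = h.indexOf(':');
    if (idx > 0) headers[h.slice(0, idx).trim()] = h.slice(idx + 1).trim();
  }
  return { method, url, headers };
}

// clientAsTarget swaps the roles for a report that wants the infected host as the
// destination, as Anco suggests; the taxonomy stays XDAS_AE_INFECTED either way.
function toXdasEvent(line, { clientAsTarget = false } = {}) {
  const cef = parseCef(line);
  const f = resolveLabels(cef.extension);
  const client = { host: f.shost, ip: f.src, port: Number(f.spt), mac: f.smac };
  const proxy = { host: f.dhost, ip: f.dst, port: Number(f.dpt), mac: f.dmac };
  return {
    taxonomy: 'XDAS_AE_INFECTED',   // an IDS determined the host is infected
    outcome: 'XDAS_OUT_SUCCESS',    // no error occurred; the infection is already the event class
    eventName: cef.name,            // "infection-match"
    severity: Number(cef.severity),
    eventTime: f.rt,
    initiator: clientAsTarget ? proxy : client,
    target: clientAsTarget ? client : proxy,
    observer: { host: f.dvchost, ip: f.dvc, product: `${cef.vendor} ${cef.product} ${cef.deviceVersion}` },
    cncHost: f.cncHost, cncPort: Number(f.cncPort),
    signature: f.sname,             // "Malicious.URL"
    request: parseChannel(f.channel),
    externalId: f.externalId,
  };
}

console.log(JSON.stringify(toXdasEvent(SAMPLE_CEF), null, 2));
```

Run it with node to see the normalized event; passing `{ clientAsTarget: true }` gives the "client as destination" view Anco mentions for reports without touching the taxonomy or outcome.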