Copyright 2006 Richard Bejtlich and David Bianco 1 Network Security Monitoring with Sguil Richard Bejtlich [email protected]

Copyright 2006 Richard Bejtlich and David Bianco1

Network Security Monitoringwith Sguil

Richard Bejtlich

[email protected]

www.taosecurity.com / taosecurity.blogspot.com

David Bianco

[email protected]

www.vorant.com / infosecpotpourri.blogspot.com

ShmooCon 2006


Overview

• The Problem• Network Security Monitoring• Sguil• Case Study


The Problem

• You want to know if your network is compromised• You could... inspect every host for signs of compromise

– Where to begin? What to check? Do you trust results?– Unless your enterprise is very small, and you are competent to

perform host-centric forensics, this is not a viable option

• You could... perform a vulnerability assessment– VA indirectly measures compromise by showing potential for

intrusion, not actual intrusions– VA is vulnerability-centric, not threat-centric; not recommended

• You could... inspect network traffic for signs of compromise– Where to monitor? What about encryption or high bandwidth?– This option represents best return on invested resources, if the

right data is collected, analyzed, and escalated


The Problem

• Most people install an IDS or IPS in monitoring mode and wait for alerts

• Thanks to the IDS alert, an analyst is aware of a Web site problem -- but what about activity before or after the alert?

Event Example IDS Action

Event 1 Ping Web site IP address Ignore

Event 2 Visit Web site Ignore

Event 3 Exploit Web site flaw Alert

Event 4 FTP to retrieve tools Ignore

Event 5 Install back door Ignore

Event 6 Communicate with back door Ignore

Event 7 Connect via SSH to another site Ignore

Event 8 Transfer local exploit via SCP Ignore

Event ... And so on... ?


The Problem

• The previous slide presented a best-case scenario -- at least the attack was detected by the IDS! But what do you get with that alert?– Cryptic message about an attack– Maybe a packet that specifically triggered an alert– A reference to visit the vendor's Web site for more generic info

• Factors compounding the problem– Attack over HTTPS using SSL– Attack using insertion and evasion methods– Attack using a zero-day exploit undetected by any IDS

• Scarier scenarios– Use stolen credentials and connect via SSH– Compromise a customer or employee and ride their VPN– Go rogue and steal from your own company


The Problem

• Many security developers and vendors believe one or more of the following– Attacks can be understood prior to execution– Methods to detect or prevent attacks can be encapsulated in

programming logic– Customers will purchase, properly configure, and effectively

deploy products offering sufficient defensive logic– The customer's environment will behave as anticipated by the

developers and vendors

• Accordingly, developers and vendors field alert-centric products which act on those beliefs

• All of these beliefs must hold true in order to counter sophisticated threats, but few do


The Problem

• Investigations with alert-centric systems quickly end, often without resolving the incident

• Analysts stuck with only alert data to inspect cannot make validation and escalation decisions– MSSPs call customers to ask if they have been compromised– Security personnel ignore alerts because they have no other

data

ALERT ALERT

Queries database for alerts

Analyst sees original alert

Database returns single alert

Investigation ends


Network Security Monitoring

• Network security monitoring is the collection, analysis and escalation of indications and warning to detect and respond to intrusions

• NSM gives analysts the data they need to make decisions

• NSM treats all data as indicators, not "false positives" or "false negatives"



• NSM relies upon four forms of traffic-centric data– Statistical data (Capinfos, Tcpdstat)

• Descriptive, high-level view of aggregated events

– Session data (Argus, SANCP, NetFlow)• Summaries of conversations between systems

• Content-neutral, compact; encryption no problem

– Full content data (Tcpdump, Tethereal, Snort as packet logger)• All packet details, including application layer

• Expensive to save, but always most granular analysis

– Alert data (Snort, Bro, other IDSs)• Traditional IDS alerts or judgments (“RPC call!”)

• Context-sensitive, either by signature or anomaly

• Sguil (www.sguil.net) is an interface to much of this in a single open source suite



Alert data

Session data

Full content data Statistical data



• Revisit intrusion scenario when NSM data is available

• Analysts have much more data to review

* if unencrypted (more common than you might think)

Event Example IDS Action Helpful NSM Collection

Event 1 Ping Web site IP address Ignore Session

Event 2 Visit Web site Ignore Session, Full Content

Event 3 Exploit Web site flaw Alert Alert, Session

Event 4 FTP to retrieve tools Ignore Session, Full Content

Event 5 Install back door Ignore Session, Full Content

Event 6 Communicate with back door Ignore Session, Full Content *

Event 7 Connect via SSH to another site Ignore Session

Event 8 Transfer local exploit via SCP Ignore Session

Event ... And so on... ?



• Investigations with NSM present many more options

ALERT ALERT

Queries database for alerts

Analyst sees original alert

Database returns single alert

Queries database for

sessions

SESSIONS

Analyst sees FTP to retrieve tools

Reconstructs FTP control and data channels

FULL CONTENT

Queries database for

sessions

FTP data channel allows analysis of intruder back door

SESSIONS

Analyst sees connections to other IPs

and so on...



• NSM does not try to anticipate attacks• NSM uses a "dumb is smart" approach

– NSM does not rely on fancy systems to pass judgements on network traffic, to the exclusion of all other collection mechanisms

– NSM does leverage smart systems (IDS, network anomaly detection, etc.) for initial clues

• NSM session and full content collection is completely content neutral– Session and full content data are collected whether or not any

other system thinks they are interesting

• NSM is not SIM/SEM: a SIM/SEM collects and correlates log sources which may or may not have any value


Sguil

• Sguil is an open source interface to NSM data• Lead developer: Bamm Visscher• Ancestry: Snort Personal REal-time GUI (SPREG), circa

2001• Sguil released as open source at sguil.sf.net in 2003• Version 0.6.0p1 released 1 Dec 2005• Coded mainly in Tcl/Tk• Integrates:

– Alert data from Snort– Session data from SANCP– Full content data from a second instance of Snort


Sguil

Sensor watches traffic

Sguil client is dynamic Tcl/Tk GUI on Windows or UNIX

Network traffic on monitored link

MySQL database stores alert and session data

Log_packets.sh collects full content data, provided on demand via sensor_agent.tcl

SANCP (www.metre.net/sancp.html) collects session data, sent to database via sensor_agent.tcl

Snort sends alert data output to Barnyard (www.sf.net/projects/barnyard)

Barnyard sends output to sensor_agent.tcl

Sensor_agent.tcl coordinates data flow with sguild

On Sguil server, sguild answers requests from Sguil client


Sguil

Launch sguil.tk, and enter Sguild host, port,

username, and password

Select a sensor, then Start Sguil


Sguil





Sguil

FTP Data Channel shows source code FTP control channel shows commands


How to Pwn a Million PCs Without Breaking a Sweat

A Sguil Case Study


Sguil/NSM Case Study

• Study based on an exploit encountered “in the wild”• The exploit used the WMF vulnerability• Delivered via a popunder ad while victim was visiting an

otherwise legit website• This case study recreates my incident research process

to show off the power of sguil• High-level writeup available on my blog:

– http://infosecpotpourri.blogspot.com/2006/01/how-to-pwn-million-computers-without.html

– Aimed towards users/managers

• Saved the good stuff for ShmooCon!


Important Notes

• The victim’s identity has been obfuscated to protect the innocent

• The ad servers’ identities have been obfuscated to protect the guilty and the not-so-guilty

• Some URLs have been obfuscated to protect the silly• Legitimate website names appearing in this presentation

have nothing to do with this exploit and are only there to provide context for understanding the web session


“It was a dark and stormy night…”


Was that a real exploit I just saw?


Was that a real exploit I just saw?


What other events were generated?


Quick session check (source)


Quick session check (victim)


“I will hunt you down…”

• Also cross-checked other sources, such as:– Antivirus logs – Manual AV update and scan– Checked system for c:\n.exe as specified in WMF file

• Exploit attempt seems to have been unsuccessful• Crisis averted, but let’s have some fun!• All the sessions are HTTP, so we can leverage that to

help us reconstruct the sequence of events• Begin with the transcript of the exploit session• Match up “Referrer” tags with requests and work

backwards– Like climbing a ladder


Victim’s Session List


Rung #1: Exploit Delivered


Rung #2: Spf99 Serves the Ad




Rung #3: Cash4popupads Handoff to Spf99




Rung #4: Cash4popupads creates a popunder




Rung #5: A Legit Site (HTMHelper)


HTMHelper Page Source

<!– Cash4popupads.com Advertising Code Begin --><SCRIPT LANGUAGE="JavaScript1.1" SRC="http://popunder.Cash4popupads.com/popup.php?id=XXXX"></SCRIPT> <!– Cash4popupads.com Advertising Code End -->




Rung #6: Another Legit Site (MySpace)


MySpace Page Source

<div style="position:absolute; left:0px;

top:0px; width:88px; height:31px;">

<a href="http://www.htmhelper.com/onlineicon/" target="_self"><img src="http://www.htmhelper.com/onlineicon/clickhere.gif" alt="Myspace Online Icon" /></a></div>


“Insert Tab A into Slot B…”

• Victim browses a MySpace profile page– The page owner or one of the commenters is online, and has the

“online status” icon showing by their name.– The status icon is provided by and linked back to the HTMHelper

site

• The HTMHelper page is ad-supported and contains a JavaScript snippet to display popunder ads from Cash4popupads. This may be annoying, but not intrinsically malicious

• Cash4popupads establishes the popunder window but not the ad content– It’s acting more as a conduit for the ads, which are provided by

Spf99


“Score along line C and fold to meet side D…”

• Spf99 served the actual infected file– 101.wmf

• Internal codes indicate this was provided by “affiliate 101” – Could be an individual– Could be another ad network– Who knows?

• This is the top of the ladder (for now)• How would you continue the investigation?


Sguil

• Simplest way to try Sguil: use Win client, demo server– Install ActiveState TCL (www.activestate.com/Products/Download/Download.plex?id=ActiveTcl)

– Visit www.sguil.net, download, extract sguil-client-0.6.0p1.zip– Create a c:\tmp directory– Edit sguil.tk set VERSION "SGUIL-0.6.0"

– Edit sguil.conf to match Windows environment# win32 exampleset ETHEREAL_PATH "c:/progra~1/ethereal/ethereal.exe"# Where to save the temporary raw data files on the client system# You need to remember to delete these yourself.# set ETHEREAL_STORE_DIR /tmp# win32 exampleset ETHEREAL_STORE_DIR "c:/tmp"# Favorite browser for looking at sig info on snort.org# set BROWSER_PATH /usr/bin/mozilla# win32 example (IE)set BROWSER_PATH c:/progra~1/intern~1/iexplore.exe

– Launch Sguil client, connect to demo.sguil.net on port 7734 with any username and password


Sguil

• Simplest way to try Sguil with a local setup: use Sguil server VM or client and server VM– Described here: sguil.sourceforge.net/index.php?page=vm– Use Sguil client as described on previous slide to connect to VM– Use complete Sguil VM

• Other options– InstantNSM (instantnsm.sf.net)– FreeBSD installation script

(taosecurity.blogspot.com/2006/01/sguil-installation-script-v0.html)

• Help available on irc.freenode.net #snort-gui channel• Free Tao of Network Security Monitoring chapters on

NSM & Sguil in .pdf at www.taosecurity.com/books.html


Questions?

• Richard Bejtlich• [email protected]• www.taosecurity.com / taosecurity.blogspot.com

• David Bianco• [email protected]• www.vorant.com / infosecpotpourri.blogspot.com

• www.sguil.net• irc.freenode.net / #snort-gui

Documents

Copyright 2006 Richard Bejtlich and David Bianco 1 Network Security Monitoring with Sguil Richard Bejtlich [email protected]