[logs] SIM solution - Objectives ? (Firewall logging)
Paul Melson
pmelson at gmail.com
Wed May 30 07:59:15 PDT 2007
> B.) how do you find this host? In an edu setting we are open and many
> connections come and go from all parts of the world, and we have to allow
> them both ways on 80. So say from a firewall log built message how can I
> tell this is passwords and not normal web traffic?
NIDS sensor. Destination blacklist. Frequency/volume analysis of traffic
(a human browsing the web has erratic patterns where software has nice
symmetric traffic patterns). I'm sure I'm forgetting other ways of
identifying interesting traffic. Bottom line, though, if you're relying
solely on firewall logs to find compromised hosts, you're definitely missing
stuff.
> there was one reply that gave me some thought as to what malware sigs I am
> looking for in addition to .exe .com .pif .bat using a piped egrep in logs.
> I have seen malware downloaded as gif and then installed as an exe so this
> is not by any means foolproof.
That was me. ;) Most of the stuff I'm seeing comes in the form of some
browser exploit and/or script, and these URLs can look like anything. The
WMF and ANI exploits, for example, can be delivered in any file name as long
as it has an image extension (.bmp, .jpg, .png, etc.) so that the right DLL
is called. But what most of these exploits do is a simple drop & run of
bigger executables downloaded via HTTP or FTP. Finding the dropped
executable files works pretty well using the regex I posted earlier, and
then you isolate traffic by client address and work your way back to the
exploit(s).
PaulM
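The two techniques Paul describes above, grepping firewall/proxy logs for dropped executables and then isolating the client's traffic to spot metronomic software call-backs and work back to the exploit, as an added example that is not part of the original post. The log line format, the sample lines, the IP addresses and the URLs are all constructed for this example; the regularity threshold is an assumption, not a value from the thread.

```python
"""Added example: dropped-executable grep plus inter-arrival regularity
analysis over constructed proxy/firewall-style log lines."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample log (not real firewall output). Assumed format:
# "<ISO timestamp> <client> -> <dest>:<port> <url>"
# 10.1.2.3 browses like a person; 10.1.2.9 pulls an image, then an .exe,
# then checks in with a second host every five minutes exactly.
SAMPLE_LOG = """\
2007-05-30T08:00:00 10.1.2.3 -> 203.0.113.10:80 http://203.0.113.10/news/index.html
2007-05-30T08:00:07 10.1.2.3 -> 203.0.113.10:80 http://203.0.113.10/news/banner.gif
2007-05-30T08:03:41 10.1.2.3 -> 198.51.100.7:80 http://198.51.100.7/mail/inbox
2007-05-30T08:11:02 10.1.2.3 -> 203.0.113.10:80 http://203.0.113.10/sports
2007-05-30T08:00:00 10.1.2.9 -> 192.0.2.55:80 http://192.0.2.55/img/cute.jpg
2007-05-30T08:00:01 10.1.2.9 -> 192.0.2.55:80 http://192.0.2.55/load/svc.exe
2007-05-30T08:05:01 10.1.2.9 -> 192.0.2.80:80 http://192.0.2.80/gate.php?id=1
2007-05-30T08:10:01 10.1.2.9 -> 192.0.2.80:80 http://192.0.2.80/gate.php?id=1
2007-05-30T08:15:01 10.1.2.9 -> 192.0.2.80:80 http://192.0.2.80/gate.php?id=1
2007-05-30T08:20:01 10.1.2.9 -> 192.0.2.80:80 http://192.0.2.80/gate.php?id=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) -> (?P<dest>[^:\s]+):(?P<port>\d+) (?P<url>\S+)$"
)
# The extensions named in the thread; applied to the URL path only, so a
# ".com" hostname does not match.
EXE_RE = re.compile(r"\.(exe|com|pif|bat)$", re.IGNORECASE)


def parse_log(text):
    """Parse lines in the constructed format; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["port"] = int(rec["port"])
        records.append(rec)
    return records


def find_executable_fetches(records):
    """The 'piped egrep' step: requests whose URL path ends in an executable extension."""
    return [r for r in records if EXE_RE.search(urlsplit(r["url"]).path)]


def interval_regularity(records):
    """Per (client, dest): coefficient of variation of request inter-arrival
    times. Near 0 means metronomic (software); a human browsing produces
    large values. Needs at least three requests to the same destination."""
    times = defaultdict(list)
    for r in records:
        times[(r["client"], r["dest"])].append(r["ts"])
    scores = {}
    for key, ts in times.items():
        if len(ts) < 3:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        scores[key] = statistics.stdev(gaps) / mean
    return scores


def suspicious_clients(records, cv_threshold=0.2):
    """Combine both signals per client. cv_threshold is an assumed cut-off."""
    reasons = defaultdict(list)
    for r in find_executable_fetches(records):
        reasons[r["client"]].append("executable fetch: " + r["url"])
    for (client, dest), cv in interval_regularity(records).items():
        if cv <= cv_threshold:
            reasons[client].append("regular call-backs to %s (cv=%.2f)" % (dest, cv))
    return dict(reasons)


def requests_before(records, client, when, window_seconds=120):
    """'Work your way back': what the client fetched just before the drop,
    which is where the exploit page or image usually sits."""
    return [
        r["url"] for r in records
        if r["client"] == client
        and 0 < (when - r["ts"]).total_seconds() <= window_seconds
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, why in suspicious_clients(recs).items():
        print(client)
        for w in why:
            print("   ", w)
    for r in find_executable_fetches(recs):
        print("before", r["url"], "->", requests_before(recs, r["client"], r["ts"]))
```

On the sample data only 10.1.2.9 is flagged, on both counts, and working back two minutes from the .exe fetch surfaces the .jpg request that preceded it, which is the kind of image-extension delivery Paul describes. On real logs the regularity score should be computed over a longer window and the threshold tuned against known-good clients, since update checkers and RSS readers also produce low scores.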
More information about the LogAnalysis mailing list