December 21, 2007

Enjoy your IDS (Part 2)

It's Christmas time and we feel happiness for giving presents to the people we love. It has been some time since we started working in this blog and we want to thank our readers, that are so patient with us and our (should I say my) lack of regularity in the posts, with a small, but I hope that, useful present.

In this post I would like to continue the story that I started in my previous one. But for those who feel that the command line provides information in a very rough fashion, let me introduce you to a graphical tool that can also help us with the analysis of a snort alert log. I have called this tool alertdsp (which stands for Alert Display. Go figure why I work in IT instead of being a marketing creative :-) ).

The tool does two main things: 1. Group the alerts in areas (buttons) that are proportional to the number of alerts of that type and 2. Let you browse through the data by selecting different criteria (that is displayed on the buttons or using tooltips).

If you want to run this program you must have a Python environment (I use version 2.5) and wxPython for the platform that you are using. It has been tested under Linux (Fedora 7) and Windows XP, but it should run in any environment with those two components (including Mac OSX, which I would love to try, but don't have the right excuse --nor the money-- to convince my wife that we should buy a minimac :-) ).

So without further ado, let's go through the case that I explained in my previous post. This is based on real data from an incident that we handled (sorry, but due to confidentiality reasons, the data cannot be provided).

The first thing you do is load the data into the application, either as an argument from the command line ($ ./ alert.log) or using the menu File->Open. Having done that, you are presented with a window like this:

Every rectangle or button displays, by default, the alert message and the number of messages of that type. You can use a different field for doing the groups by using the choice control that is found on the near top left.

With a very fast glimpse to the data, you can notice that, although the file contains 10,959 alerts, most of them belong to one of the seven different types that are shown in the big buttons. Also it is quite clear that chances are high that this is a Windows environment (due to all the NetBIOS messages) and that NetBIOS isn't very tightly securized.

Clicking on the button that correspond to the "NETBIOS SMB Session Setup AndX request unicode username overflow attempt" because is the one that sounds like a real attempt of attack you will focus on those alerts only and be provided with a pop up menu that allows you to chose the next grouping field, like this one:

Let me select the source IP (srcip) and this is the result:

Although this is far from enough evidence to frame the owner of that system, I would consider this as a good starting point to investigate. This might be a false positive, for which having additional details on why the alert was triggered would also be very helpful, or an infected system (among others), but what else can you expect from a 1 minute analysis? :-) Seriously though, this is not the ultimate tool, but it can help you to get a fast overview of the IDS data and select a small number of cases for which further investigation would be worth.

I would like to thank the people from Sixty-Five for being so kind to provide a wonderful explanation of the treemaps that they use in their fantastic tool SpaceMonger that I have used for this program. I would also want to thank the people that has help me to review the program and find some bugs (Rosa, German, Jose, Jose Carlos, & Victor).

So here it is. My little Christmas present. Enjoy your IDS and Merry Christmas!