Eric Partington

HTTP Error code 522

Blog post created by Eric Partington (Employee) on Sep 1, 2016

Interesting blog post from the ISC SANS Handlers blog about HTTP error code 522 (Connection timed out):

https://isc.sans.edu/diary/522%2BError%2BCode%2Bfor%2Bthe%2BWin/21377


Which got me thinking: could RSA NetWitness help detect this potential indicator?

If you have Packets, the http_lua parser registers the error codes in the error metakey.

If you have Logs, the error codes should be registered in result.code from your firewall or proxy logs.


This post from Christopher Ahearn shows how to implement a quick parser that moves and splits the value from error into result.code, giving analysts better pivoting if you happen to have both Packets and Logs in RSA NetWitness.


Here is what the error metakey looks like on my test system:

[Screenshot: http error codes]

Unfortunately it contains no error 522.


To locate it with a drill in Investigator:

error begins '522'

If the parser from Chris is implemented, or if you have logs that parse out that value for you:

result.code = 522


Once you test and validate what you find, you might want to create an application rule (looking at outbound traffic in particular, as that would be your malware calling home):

name=t3_potential_malware_callback_err_522

rule=service=80 && error begins '522' && direction='outbound'

or

rule=result.code=522 && direction='outbound'


There can be legitimate reasons for error 522 (especially with Cloudflare, it seems), but the ISC handlers post also shows real malware being detected this way. Fine tune the alerting and drills to get to the actionable stuff.
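To make the rule logic and the error-to-result.code split concrete, here is an added Python model of both application rules above, run over a few constructed proxy-style log lines. This is example code, not RSA NetWitness's or the post author's parser, and it does not run inside NetWitness. The meta key names (service, error, result.code, direction) follow the post; the key=value log format, the host names and IPs (documentation ranges), and the allowlist tuning knob are assumptions made for the example.

```python
import re

# Assumed log format (constructed for this example): space-separated key=value
# pairs, with quoted values allowed.  Meta key names follow the post.
KV_RE = re.compile(r'(\S+?)=(?:"([^"]*)"|(\S+))')

# Constructed sample records.  Lines 1, 4 and 5 should be flagged by the rules;
# line 2 (normal 200) and line 3 (inbound 522) should not.
SAMPLE_LOGS = [
    'ts=2016-09-01T10:00:01Z src=10.1.2.3 dst=203.0.113.10 service=80 direction=outbound '
    'host=update.example.net error="522 Connection timed out"',
    'ts=2016-09-01T10:00:02Z src=10.1.2.3 dst=203.0.113.20 service=80 direction=outbound '
    'host=www.example.org error="200 OK"',
    'ts=2016-09-01T10:00:03Z src=198.51.100.7 dst=10.1.2.9 service=80 direction=inbound '
    'host=intranet.example error="522 Connection timed out"',
    # A CDN-fronted site that legitimately returns 522 (candidate for tuning out).
    'ts=2016-09-01T10:00:04Z src=10.1.2.4 dst=203.0.113.30 service=80 direction=outbound '
    'host=cdn.example.com error="522 Connection timed out"',
    # A proxy log that already carries result.code instead of the raw error text.
    'ts=2016-09-01T10:00:05Z src=10.1.2.5 dst=203.0.113.40 service=80 direction=outbound '
    'host=unknown-host.example result.code=522',
]


def parse_meta(line):
    """Turn one log line into a flat meta dict (string values, like NetWitness meta)."""
    meta = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        meta[key] = quoted if quoted is not None else bare
    return meta


def derive_result_code(meta):
    """Mimic the 'move and split' parser: copy the numeric status at the front of
    the error meta (e.g. '522 Connection timed out') into result.code."""
    err = meta.get("error")
    if err and "result.code" not in meta:
        status = err.split(None, 1)[0]
        if status.isdigit():
            meta["result.code"] = status
    return meta


def packet_rule(meta):
    """service=80 && error begins '522' && direction='outbound'"""
    return (meta.get("service") == "80"
            and meta.get("error", "").startswith("522")
            and meta.get("direction") == "outbound")


def log_rule(meta):
    """result.code=522 && direction='outbound'"""
    return meta.get("result.code") == "522" and meta.get("direction") == "outbound"


def find_hits(lines, allowlist=frozenset()):
    """Apply both rules to every line.  The allowlist is an assumed tuning knob:
    hosts you have confirmed return 522 for legitimate reasons are dropped."""
    hits = []
    for line in lines:
        meta = derive_result_code(parse_meta(line))
        if (packet_rule(meta) or log_rule(meta)) and meta.get("host") not in allowlist:
            hits.append(meta)
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOGS, allowlist={"cdn.example.com"}):
        print("potential callback:", hit["src"], "->", hit["host"],
              "result.code", hit["result.code"])
```

Running the block prints the two remaining candidates (update.example.net and unknown-host.example); without the allowlist the CDN host is flagged as well, which is exactly the kind of noise the tuning step is meant to remove. Note that the second rule has no service restriction, so it will also match 522 responses seen on ports other than 80 if your log source populates result.code for them.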


As always, comment or DM if you find something interesting or if there are particular tuning parameters that you find effective.
