Anybody have some tips on monitoring the behaviour/ infection on netwitness?
If you're concerned with just Blackhole, that might be a bit more difficult. If you really just care about most exploit kits there are a couple of easy wins that I've found for finding exploit kits in general.
I'll spare you the details on how/why these mostly work, but if you're interested let me know and I'd be happy to fill in the blanks.
This is what I use at client sites to help detect this kind of activity.
name="vr possible drive by" rule="filetype = 'java jar','java class',pdf && filetype = 'windows executable'" order=34 alert=alert type=application
name="vr suspicious jar file" rule="filetype = 'java jar','java class' && extension = 'php'" order=35 alert=alert type=application
name="vr jvm exe download" rule="filetype = 'windows_executable','windows executable' && client contains 'java' && alias.host != 'sdlc-esd.sun.com'" order=13 alert=alert type=application
This will wind up catching other things as well, but it's a really good place to start looking for exploit-kit related activity (as long as it targets java/pdf).
sconz: I would like to know more detail regarding your queries. For example, what does the order parameter do?
Do you have any other useful queries you utilize in day to day analytic work?
I have a similar technique I use to detect Blackhole, although it's more generic: client = java && filetype contains 'exe'
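The rules in the two posts above (sconz's three application rules and the generic client = java rule) are compact, but it is easy to misread how they behave when a session carries several values for one meta key. The following is an added example, not NetWitness code and not from either poster: it re-expresses the four rules as Python predicates over session metadata and runs them on constructed sessions. It assumes a meta key can hold several values per session (so `filetype = 'java jar' && filetype = 'windows executable'` means both values are present), that `=` is an exact match and `contains` a substring match, and that the `client` meta for a JVM request is normalized to `java`; the session records and host names are made up.

```python
"""Added example: the four NetWitness-style application rules from the thread, re-expressed as
Python predicates and run over constructed session metadata. Not NetWitness code; the multi-
valued-meta model, the exact-vs-substring semantics and the sample sessions are assumptions."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# A session is modelled as a mapping from meta key to the set of values registered for it.
Session = Dict[str, Set[str]]


def has(session: Session, key: str, *values: str) -> bool:
    """'key = a,b' semantics: true if any listed value is registered under key."""
    return bool(session.get(key, set()) & set(values))


def contains(session: Session, key: str, needle: str) -> bool:
    """'key contains x' semantics: substring match against any registered value."""
    return any(needle in v for v in session.get(key, set()))


@dataclass
class AppRule:
    name: str
    definition: str                       # the rule text as it appears in the thread
    predicate: Callable[[Session], bool]  # the same condition as a Python predicate


RULES: List[AppRule] = [
    AppRule(
        "vr possible drive by",
        "filetype = 'java jar','java class',pdf && filetype = 'windows executable'",
        lambda s: has(s, "filetype", "java jar", "java class", "pdf")
        and has(s, "filetype", "windows executable"),
    ),
    AppRule(
        "vr suspicious jar file",
        "filetype = 'java jar','java class' && extension = 'php'",
        lambda s: has(s, "filetype", "java jar", "java class") and has(s, "extension", "php"),
    ),
    AppRule(
        "vr jvm exe download",
        "filetype = 'windows_executable','windows executable' && client contains 'java' "
        "&& alias.host != 'sdlc-esd.sun.com'",
        lambda s: has(s, "filetype", "windows_executable", "windows executable")
        and contains(s, "client", "java")
        and not has(s, "alias.host", "sdlc-esd.sun.com"),
    ),
    AppRule(
        "generic java exe",
        "client = java && filetype contains 'exe'",
        lambda s: has(s, "client", "java") and contains(s, "filetype", "exe"),
    ),
]


def evaluate(session: Session) -> List[str]:
    """Return the names of every rule that fires on this session, in rule order."""
    return [r.name for r in RULES if r.predicate(session)]


# Constructed sample sessions (not real captures); .invalid hosts are placeholders.
SESSIONS: Dict[str, Session] = {
    # browser session: a jar served from a .php URL and an exe in the same session
    "drive-by": {
        "filetype": {"java jar", "windows executable"},
        "extension": {"php", "exe"},
        "client": {"mozilla/5.0"},
        "alias.host": {"cdn.example.invalid"},
    },
    # the JVM itself pulls an exe from a host other than the Sun update host
    "jvm-fetch": {
        "filetype": {"windows executable"},
        "extension": {"exe"},
        "client": {"java"},
        "alias.host": {"dl.example.invalid"},
    },
    # Java auto-update: excluded by the alias.host clause of the third rule only
    "java-update": {
        "filetype": {"windows executable"},
        "extension": {"exe"},
        "client": {"java"},
        "alias.host": {"sdlc-esd.sun.com"},
    },
    # ordinary PDF download, nothing executable in the session
    "pdf-only": {
        "filetype": {"pdf"},
        "extension": {"pdf"},
        "client": {"mozilla/5.0"},
        "alias.host": {"docs.example.invalid"},
    },
}

if __name__ == "__main__":
    for label, sess in SESSIONS.items():
        print(f"{label:12s} -> {evaluate(sess) or 'no alert'}")
```

Running it shows the practical difference between the two JVM rules: on the constructed java-update session the generic rule fires while sconz's "vr jvm exe download" stays quiet because of its alias.host exclusion, so the generic form will need an allow-list of update hosts before it is usable for alerting. Under this model the pdf-only session matches nothing, since the first rule needs an executable in the same session as the pdf.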
The order is just present if you export rules from a Decoder. If you were to export all your rules from a Decoder and then open them up in a text editor you'd see the "order" is the order in which the rules are processed.
I have a lot of queries and rules that I use, unfortunately most are written towards custom parsers that I've written as well. I'll dig through them and see which ones will work with the default Live content.
Thank you for that clarification. I look forward to checking out what you have regarding queries.
Do you know if anyone has created a parser to detect buffer overflows by checking for a large number of consecutive 0x40, 0x41's, 0x42's (@AB) in the payload?
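No parser is offered in the thread, so here is an added example of the check being asked about, written in Python rather than as a NetWitness parser: it scans a payload for the longest run of a single 0x40/0x41/0x42 byte and flags the payload when that run reaches a threshold. The threshold of 64 bytes and the sample payloads are assumptions made for the example; in practice the threshold has to be tuned against the traffic mix, because filler and test data also produce long runs of these bytes.

```python
"""Added example: run-length check for consecutive 0x40/0x41/0x42 bytes in a payload.
Not a NetWitness parser; the threshold and the sample payloads are constructed for the example."""

from typing import Dict, Optional, Tuple

SUSPECT_BYTES = {0x40, 0x41, 0x42}  # '@', 'A', 'B'
DEFAULT_THRESHOLD = 64              # assumed: runs this long are rare in ordinary content


def longest_suspect_run(payload: bytes) -> Tuple[Optional[int], int, int]:
    """Return (byte_value, run_length, offset) for the longest run of one suspect byte.

    Returns (None, 0, -1) when no suspect byte occurs at all.
    """
    best: Tuple[Optional[int], int, int] = (None, 0, -1)
    i, n = 0, len(payload)
    while i < n:
        b = payload[i]
        j = i + 1
        while j < n and payload[j] == b:   # extend the run of identical bytes
            j += 1
        run = j - i
        if b in SUSPECT_BYTES and run > best[1]:
            best = (b, run, i)
        i = j
    return best


def flag_payload(payload: bytes, threshold: int = DEFAULT_THRESHOLD) -> bool:
    """True when some run of a suspect byte is at least `threshold` bytes long."""
    return longest_suspect_run(payload)[1] >= threshold


# Constructed sample payloads (not captured traffic).
HTTP_PREFIX = b"GET /x HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLES: Dict[str, bytes] = {
    "long-A-run": HTTP_PREFIX + b"A" * 200 + b"\x00",   # 200 consecutive 0x41
    "short-A-run": b"AAAAAAAAAAAAAAAA",                   # 16 bytes, below threshold
    "other-byte-run": b"\x90" * 300,                      # 0x90 is outside the suspect set
    "mixed-text": b"ABABABABABABABABABABAB",              # alternating, no run longer than 1
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        value, length, offset = longest_suspect_run(data)
        shown = f"0x{value:02x}" if value is not None else "none"
        print(f"{label:15s} byte={shown} run={length:3d} offset={offset:3d} "
              f"flag={flag_payload(data)}")
```

The scan is a single pass and reports the offset of the run, which is what an analyst needs to pivot into the session. Alternating patterns such as "ABAB..." are deliberately not counted, since the question is about consecutive identical bytes; a variant that treats any mix of the three bytes as one run is a one-line change to the inner comparison.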
I am a complete noob to NetWitness. We just got it online and I haven't gone to their training yet. I've been reading the little material I have from them.
Can you tell me where you enter the information you posted?
As well as this one:
client = java && filetype contains 'exe'
I see some places to enter filters and rules but am unsure at this point where I would enter those.
I know this post is old so I hope someone can answer it.
I'd also take any other good rules, filters, etc. that anyone might have.
Thanks to everyone in advance.
You can toss them in Investigator under Edit -> rules -> app rules (then pick file import or network capture). And on a Decoder by clicking the network adapter icon, then clicking the Application Rules tab.
You can copy/paste the name into the "Rule Name" box, then the contents of rule=" " should be copy/pasted into the "Definition" box.
Uncheck "stop rule processing" and click the "Alert" box at the bottom. From there the alert= is what you want to select from the drop down menu (this is where the rule information (name) will be populated). For most of them I'd simply select "Alert".
I usually enter these types of queries in the custom drill down.
One thing I noticed is that in investigator to find .jar or .class files I use "filetype begins java_" as opposed to "filetype = java jar" or "filetype = java class" as sconz mentioned. I don't doubt his searches are working so I'm curious if there are subtle changes to meta like space vs. underscore between Netwitness versions or maybe that's an artifact of the rule export from the decoder? If meta descriptions change that would be unfortunate as then we'd possibly have to rewrite rules, bookmarks, and alerts on version upgrades.
Thanks everyone for the advice.
I will have to get some time to explore what everyone is advising.
With this just going live I've been swamped, so hopefully I can get a chance to explore these options in the next day or so.
Thanks again... any other advice is gladly welcome.