Fiesta EK - Traffic Monitoring with Suricata


Description

Analyze the following packet and answer the questions.

  • Link to download .pcap: here. (Password: infected)

Credit: malware-traffic-analysis.net.


Question

For each pcap, answer the following questions:

1) What is the date and time of the activity?
2) What is the IP address of the Windows host that gets infected?
3) What is the domain name and IP address of the compromised web site?
4) What is the domain name and IP address that delivered the exploit kit (EK)?
5) What is the name of the EK?


Answer & Rationale

[1]. What is the date and time of the activity?
  • 2015-01-08 23:51:21
fiesta/1.png
[2]. What is the IP address of the Windows host that gets infected?
  • 192.168.138.158
fiesta/2.png
[3]. What is the domain name and IP address of the compromised web site?
  • Domain name: www.subaruoutback.org
  • IP Address: 108.168.211.93
fiesta/3.png
[4]. What is the domain name and IP address that delivered the exploit kit (EK)?
  • Domain name: atypefresh.in
  • IP address: 205.234.186.112
[5]. What is the EK name?
  • Fiesta EK.

Snort

  • On a Security Onion sensor.
  • In the first terminal, replay 1.pcap onto the sniffing interface with tcpreplay (-t sends at top speed, which is fine for a 4.8 MB capture but can drop packets on a busy sensor):
$ sudo tcpreplay -t -i eth0 1.pcap 
sending out eth0 
processing file: 1.pcap
Actual: 4804 packets (4899622 bytes) sent in 0.31 seconds.
Rated: 15805232.0 bps, 120.58 Mbps, 15496.77 pps
Statistics for network device: eth0
        Attempted packets:         4804
        Successful packets:        4804
        Failed packets:            0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0
  • In a second terminal, run Snort in console-alert mode on the same interface; the ET Fiesta rules fire as the replayed traffic arrives. Note that the alert timestamps (09/25-02:51) are the wall-clock time of the replay, not the capture time, and that this ruleset files the Fiesta signatures under ET CURRENT_EVENTS (SID 2018407 rev 9) where the newer ET Open set used with Suricata below files them under ET EXPLOIT_KIT (rev 10).
$ sudo snort -A console -c /etc/nsm/securityonion-eth0/snort.conf -i eth0 -k none -q 
09/25-02:51:27.566318  [**] [1:2019655:5] ET CURRENT_EVENTS Fiesta EK Landing Nov 05 2014 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 205.234.186.112:80 -> 192.168.138.158:51629
09/25-02:51:27.571936  [**] [1:2018407:9] ET CURRENT_EVENTS Fiesta URI Struct [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.138.158:51677 -> 205.234.186.112:80
09/25-02:51:27.574725  [**] [1:2018408:1] ET CURRENT_EVENTS Fiesta PDF Exploit Download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 205.234.186.112:80 -> 192.168.138.158:51677
09/25-02:51:27.644398  [**] [1:2018407:9] ET CURRENT_EVENTS Fiesta URI Struct [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.138.158:51713 -> 205.234.186.112:80
09/25-02:51:27.731970  [**] [1:2018407:9] ET CURRENT_EVENTS Fiesta URI Struct [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.138.158:51723 -> 205.234.186.112:80
09/25-02:51:27.754655  [**] [1:2018407:9] ET CURRENT_EVENTS Fiesta URI Struct [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.138.158:51725 -> 205.234.186.112:80
09/25-02:51:27.755333  [**] [1:2018407:9] ET CURRENT_EVENTS Fiesta URI Struct [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.138.158:51735 -> 205.234.186.112:80
09/25-02:51:27.797567  [**] [1:2018407:9] ET CURRENT_EVENTS Fiesta URI Struct [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.138.158:51751 -> 205.234.186.112:80
09/25-02:51:27.861534  [**] [1:2011582:46] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.138.158:51989 -> 205.234.186.112:80
09/25-02:51:27.861534  [**] [1:2014912:6] ET CURRENT_EVENTS Unknown - Java Request  - gt 60char hex-ascii [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.138.158:51989 -> 205.234.186.112:80
09/25-02:51:27.861534  [**] [1:2019611:6] ET CURRENT_EVENTS Fiesta Java Exploit/Payload URI Struct [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.138.158:51989 -> 205.234.186.112:80
09/25-02:51:27.861534  [**] [1:2018407:9] ET CURRENT_EVENTS Fiesta URI Struct [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.138.158:51989 -> 205.234.186.112:80


Suricata

  • Offline input: -r reads the pcap instead of sniffing an interface, and -l . writes fast.log and eve.json to the current directory. Two things to keep in mind when reading fast.log as a timeline: the timestamps are the sensor's local time, which is why they do not match the time in [1], and the lines are not guaranteed to be in chronological order because Suricata's detect threads write them concurrently (18:51:31 appears before 18:51:29 below).
$ sudo suricata -c /etc/suricata/suricata.yaml -r ../../malware-analysis/20150118/1.pcap -l .
$ head -4 fast.log
01/08/2015-18:51:31.706476  [**] [1:2018407:10] ET EXPLOIT_KIT Fiesta URI Struct [**] [Classification: Exploit Kit Activity Detected] [Priority: 1] {TCP} 192.168.138.158:51682 -> 205.234.186.112:80
01/08/2015-18:51:30.207155  [**] [1:2018407:10] ET EXPLOIT_KIT Fiesta URI Struct [**] [Classification: Exploit Kit Activity Detected] [Priority: 1] {TCP} 192.168.138.158:51678 -> 205.234.186.112:80
01/08/2015-18:51:29.324080  [**] [1:2018407:10] ET EXPLOIT_KIT Fiesta URI Struct [**] [Classification: Exploit Kit Activity Detected] [Priority: 1] {TCP} 192.168.138.158:51666 -> 205.234.186.112:80
01/08/2015-18:51:29.324080  [**] [1:2014726:127] ET POLICY Outdated Flash Version M1 [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.138.158:51666 -> 205.234.186.112:80
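The fast.log and eve.json outputs carry everything the questions in the answer section ask for except the compromised site, which needs the HTTP referer chain from the pcap itself. The following Python, an added example that is not part of the original write-up, parses both formats into one record shape, restores chronological order (the excerpt above shows why that is needed), and derives the first alert time, the infected host and the EK server from the alerts alone. The sample fast.log lines are the four shown above; the eve.json record is constructed with assumed values using Suricata's standard alert field names.

```python
"""Parse Suricata/Snort fast.log alerts (and eve.json alert events) into one
record shape, restore chronological order, and pull out the facts the exercise
asks for: first alert time, infected host, and the exploit-kit server."""
import ipaddress
import json
import re
from collections import Counter
from datetime import datetime

# One fast.log line; Suricata writes MM/DD/YYYY-..., Snort writes MM/DD-... (no year).
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{4})?-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_timestamp(ts):
    """fast.log timestamps are the sensor's local time with no zone attached."""
    if ts.count("/") == 2:
        return datetime.strptime(ts, "%m/%d/%Y-%H:%M:%S.%f")
    # Snort omits the year; borrow a leap year so a Feb 29 line still parses.
    return datetime.strptime("2000/" + ts, "%Y/%m/%d-%H:%M:%S.%f")


def parse_fast_line(line):
    """Return a dict for one alert line, or None for anything that is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["time"] = parse_timestamp(rec["ts"])
    return rec


def parse_fast_log(text):
    """Parse every alert line and sort by time: Suricata's detect threads write
    fast.log concurrently, so the file is not guaranteed to be in order."""
    records = [r for r in (parse_fast_line(l) for l in text.splitlines()) if r]
    records.sort(key=lambda r: r["time"])  # stable sort: ties keep file order
    return records


def eve_alert_to_record(line):
    """Map one eve.json line (newline-delimited JSON) onto the same record shape."""
    event = json.loads(line)
    if event.get("event_type") != "alert":
        return None
    a = event["alert"]
    # eve timestamps carry the UTC offset (e.g. -0500); drop it to match fast.log's local time.
    local = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").replace(tzinfo=None)
    return {
        "ts": local.strftime("%m/%d/%Y-%H:%M:%S.%f"), "time": local,
        "gid": a["gid"], "sid": a["signature_id"], "rev": a["rev"], "msg": a["signature"],
        "classification": a["category"], "priority": a["severity"], "proto": event["proto"],
        "src": event["src_ip"], "sport": event["src_port"],
        "dst": event["dest_ip"], "dport": event["dest_port"],
    }


def summarize(records):
    """Victim = the RFC 1918 address in the alerts; EK server = the busiest external peer."""
    internal, external, sigs = Counter(), Counter(), Counter()
    for r in records:
        for ip in (r["src"], r["dst"]):
            (internal if ipaddress.ip_address(ip).is_private else external)[ip] += 1
        sigs[(r["sid"], r["msg"])] += 1
    return {
        "first_seen": records[0]["ts"] if records else None,
        "victim": internal.most_common(1)[0][0] if internal else None,
        "ek_server": external.most_common(1)[0][0] if external else None,
        "signatures": sigs,
    }


# Constructed sample: the four fast.log lines shown above, in the order Suricata wrote them.
SAMPLE_FAST_LOG = """\
01/08/2015-18:51:31.706476  [**] [1:2018407:10] ET EXPLOIT_KIT Fiesta URI Struct [**] [Classification: Exploit Kit Activity Detected] [Priority: 1] {TCP} 192.168.138.158:51682 -> 205.234.186.112:80
01/08/2015-18:51:30.207155  [**] [1:2018407:10] ET EXPLOIT_KIT Fiesta URI Struct [**] [Classification: Exploit Kit Activity Detected] [Priority: 1] {TCP} 192.168.138.158:51678 -> 205.234.186.112:80
01/08/2015-18:51:29.324080  [**] [1:2018407:10] ET EXPLOIT_KIT Fiesta URI Struct [**] [Classification: Exploit Kit Activity Detected] [Priority: 1] {TCP} 192.168.138.158:51666 -> 205.234.186.112:80
01/08/2015-18:51:29.324080  [**] [1:2014726:127] ET POLICY Outdated Flash Version M1 [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.138.158:51666 -> 205.234.186.112:80
"""

# Constructed eve.json alert for the first Fiesta hit (values assumed; key names are
# Suricata's standard alert schema).
SAMPLE_EVE_LINE = json.dumps({
    "timestamp": "2015-01-08T18:51:29.324080-0500", "event_type": "alert",
    "src_ip": "192.168.138.158", "src_port": 51666,
    "dest_ip": "205.234.186.112", "dest_port": 80, "proto": "TCP",
    "alert": {"action": "allowed", "gid": 1, "signature_id": 2018407, "rev": 10,
              "signature": "ET EXPLOIT_KIT Fiesta URI Struct",
              "category": "Exploit Kit Activity Detected", "severity": 1},
})

if __name__ == "__main__":
    records = parse_fast_log(SAMPLE_FAST_LOG)
    for r in records:
        print(f'{r["ts"]}  {r["sid"]:>8}  {r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]}  {r["msg"]}')
    print(summarize(records))
    print(eve_alert_to_record(SAMPLE_EVE_LINE)["ts"])
```

The victim/EK-server heuristic (private address versus busiest external peer) is only safe on a single-host capture like this one; on a production sensor, group alerts by the internal address first and summarize each host separately.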
  • Reading eve.json with EveBox in oneshot mode, which loads the file into a throwaway SQLite database and serves the web UI from it:
$ sudo evebox oneshot eve.json
2021-09-24 23:23:10  INFO evebox::commands::oneshot: Using database filename ./oneshot.sqlite
2021-09-24 23:23:11  INFO evebox::sqlite::init: Found event database schema version -1
2021-09-24 23:23:11  INFO evebox::sqlite::init: Initializing SQLite database (sqlite)
2021-09-24 23:23:11  INFO evebox::sqlite::init: Updating SQLite database to schema version 1 (sqlite)
2021-09-24 23:23:11  INFO evebox::sqlite::init: Updating SQLite database to schema version 2 (sqlite)
2021-09-24 23:23:11  INFO evebox::commands::oneshot: Reading eve.json (166509 bytes)
  • Here is how it looks.
fiesta/4.png