September 4 2013. The dashboard now has several additional daily summaries of the events generated by your sensors. You can click on any of the entries to see the details.
Category: Product Updates
Time Zones and Assets
August 30 2013. We released two new features.
1. Assets. From the Historical menu you can open the Assets page, which lists all assets on your network by host. You can search all assets by string or regex queries, filter records with no data for specific columns (check the checkbox in the column’s header), and export all asset data in CSV, XML, and JSON formats (Adobe Flash 10 or higher required).
2. Time Zones. We have added a new option in the Account->Preferences menu to set your preferred timezone by location, rather than using UTC by default. Note that the events will still be stored as Unix timestamps (UTC), but all time strings on NSM will use your selected time zone.
AutoUpdate
June 14 2013. We have added a new option to automatically download and restart software components that need an update. The autoupdate has been designed to minimize loss of security event data while it is being applied. If you want this feature (we highly recommend it), edit your sensor configuration(s) and click on Autoupdate, Save, and reload your sensor.
Mandiant Report Sensor Update
Last week, Mandiant published a report identifying a working group executing sophisticated, long-term attacks against targets in the United States. If you want to see if your network is the target of such attacks, follow the instructions below to update your sensor(s).
Add Packet Stash’s FQDN Snort Rules
APT-1 uses at least 3,000 known FQDNs (Fully Qualified Domain Names) to deliver its payloads (see the Mandiant report for more details on how APT-1’s backdoor software works). Packet Stash quickly followed up on the Mandiant data release with a ruleset containing the FQDNs used in these attacks, and then released this ruleset under the GNU General Public License. These rules are a good first step for identifying known APT-1 attack vectors.
To merge the Packet Stash APT-1 FQDN Rules into your ruleset, do the following steps:
- Download the PacketStash ruleset from https://github.com/packetstash/packetstash-rules/blob/master/APT1/apt1.rules.
- Log in on https://nsm.metaflows.com. Click on the Rules item on the top menu. If you have multiple sensors in your domain, you will be asked to select the sensor you want to modify.
- Click on Merge Rules in the middle of the secondary menu for the Rules page.
- Select the file with the rules you saved in Step 1.
- After the rules file finishes uploading, click on the “Save” button on the secondary menu for the Rules page. When the rules finish saving, click the “Close” button.
- The Rules page will reload. After the page reloads, a text panel will appear in the upper-right corner with the buttons “Reload” and “Not Now”. Clicking “Reload” will make the sensor software restart and reload the new Snort Rules. Clicking “Not Now” will cause the sensor to not reload.
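As an added example (not part of this post and not the Packet Stash rule set itself), here is how FQDN-matching Snort rules of this kind can be decoded and checked against DNS query logs: a DNS rule's content match carries the name in wire format (length-prefixed labels), so decoding it recovers the FQDN. The rule lines, domains and log lines below are constructed placeholders.

```python
import re
# Constructed rules in the style of FQDN-matching Snort rules (placeholder
# domains; not lines from the real Packet Stash APT-1 rule set).
SAMPLE_RULES = r'''
alert udp $HOME_NET any -> any 53 (msg:"DNS lookup placeholder-c2.example"; content:"|0e|placeholder-c2|07|example|00|"; nocase; sid:9000001; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"DNS lookup update.bad-placeholder.test"; content:"|06|update|0f|bad-placeholder|04|test|00|"; nocase; sid:9000002; rev:1;)
'''
CONTENT_RE = re.compile(r'content:"([^"]*)"')
SID_RE = re.compile(r'sid:(\d+);')

def snort_content_to_bytes(value):
    """Decode Snort content syntax: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def dns_labels_to_fqdn(data):
    """Turn DNS wire-format labels (len, label, ..., 0) into a dotted name, or None."""
    labels, pos = [], 0
    while pos < len(data):
        n, pos = data[pos], pos + 1
        if n == 0:
            break
        if n >= 64 or pos + n > len(data):  # not a plain label: skip this rule
            return None
        labels.append(data[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return ".".join(labels).lower() if labels else None

def extract_fqdns(rules_text):
    """Map each FQDN decoded from a rule's content match to that rule's sid."""
    fqdns = {}
    for line in filter(lambda l: l.startswith("alert"), rules_text.splitlines()):
        content, sid = CONTENT_RE.search(line), SID_RE.search(line)
        name = content and sid and dns_labels_to_fqdn(snort_content_to_bytes(content.group(1)))
        if name:
            fqdns[name] = sid.group(1)
    return fqdns

# Constructed DNS query log lines: timestamp, client IP, record type, queried name.
SAMPLE_DNS_LOG = ["2013-02-20T10:01:02Z 10.0.0.5 A update.bad-placeholder.test",
                  "2013-02-20T10:01:05Z 10.0.0.7 A www.example.org",
                  "2013-02-20T10:02:11Z 10.0.0.9 A PLACEHOLDER-C2.EXAMPLE."]

def find_hits(log_lines, fqdn_to_sid):
    """Return (client, fqdn, sid) for each query naming a rule FQDN (case-insensitive)."""
    rows = [(l.split()[1], l.split()[-1].lower().rstrip(".")) for l in log_lines]
    return [(c, n, fqdn_to_sid[n]) for c, n in rows if n in fqdn_to_sid]
```

Rules whose content is not a plain label sequence (for example, an HTTP Host header match) decode to None and are skipped rather than producing a bogus name.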
Add the MetaFlows APT-1 IP Addresses Classification
APT-1 also uses a known range of IP addresses comprising at least 40 Class B networks (see Table 8 on page 40 of the Mandiant report for the list). One other step MetaFlows customers can take to identify potential APT-1 attack vectors is to leverage our existing Classification tools to identify flows to or from the addresses in these networks. To do this, do the following steps:
- Log in to your MetaFlows account at https://nsm.metaflows.com.
- After you log in, download the APT-1 IP Addresses classification file.
- Enter the Real Time or Historical view. Click on the Classifications icon on the bottom menu bar. This will open the classifications list. Click the Classification Import icon at the top of this window. Select the apt1ips.json classification file you downloaded in Step 2.
- Once the classification file is uploaded, the Edit Classification window will open. You can modify the classification further with other markers available from Mandiant, or you can just click “Save Classification” at the top of the page to use the classification as-is. The classification will be imported into your existing classifications and you can start using it to identify any addresses from the known APT-1 networks by filtering Real Time and Historical data with the classification, which will be listed under the Mandiant APT-1 classification category.
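An added example, not MetaFlows' code and not the real apt1ips.json: a small matcher that loads a list of classified networks and tags flow records whose source or destination falls inside them, which is what filtering Real Time or Historical data by the classification does for you in NSM. The JSON layout and the RFC 5737 documentation ranges are assumptions standing in for the report's Class B (/16) networks.

```python
import ipaddress
import json

# Constructed classification file in an assumed JSON layout (the layout of the real
# apt1ips.json is not shown on this page). RFC 5737 documentation ranges stand in
# for the Class B (/16) networks listed in the Mandiant report.
SAMPLE_CLASSIFICATION = json.dumps({
    "name": "Mandiant APT-1 (placeholder)",
    "networks": ["203.0.113.0/24", "198.51.100.0/24", "198.51.100.128/25"],
})

def load_networks(text):
    """Parse the classification and collapse overlapping or adjacent ranges."""
    doc = json.loads(text)
    nets = [ipaddress.ip_network(n, strict=False) for n in doc["networks"]]
    return list(ipaddress.collapse_addresses(nets))

def in_classification(ip, nets):
    """True if the address falls inside any classified network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

# Constructed flow records: timestamp, src:port, "->", dst:port, extra fields.
SAMPLE_FLOWS = [
    "2013-02-21T09:00:00Z 10.1.2.3:51234 -> 203.0.113.45:443 proto=tcp bytes=1234",
    "2013-02-21T09:00:07Z 10.1.2.9:50001 -> 192.0.2.10:80 proto=tcp bytes=800",
    "2013-02-21T09:01:30Z 198.51.100.200:4444 -> 10.1.2.3:49152 proto=tcp bytes=56",
]

def classify_flows(flow_lines, nets):
    """Return (src, dst, side) for flows touching the classification; side says
    which end matched: 'src', 'dst' or 'both' (both ends in the classified ranges)."""
    out = []
    for line in flow_lines:
        fields = line.split()
        src, dst = fields[1].rsplit(":", 1)[0], fields[3].rsplit(":", 1)[0]
        s, d = in_classification(src, nets), in_classification(dst, nets)
        if s or d:
            out.append((src, dst, "both" if s and d else "src" if s else "dst"))
    return out
```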
We have discovered several APT-1 hosts acting on our global network of honeypots with this classification, so it is feasible that our customers could be experiencing attacks involving these addresses as well. If you have any comments, questions, or suggestions, please contact us at support@metaflows.com.
Mandiant APT1 Rules
How to add Mandiant Rules to your sensors
- Go to https://github.com/packetstash/packetstash-rules/blob/master/APT1/apt1.rules and save the rules on your desktop.
- Log in to nsm.metaflows.com. Click on Rules on the top menu, then click on Merge Rules in the middle of the top menu.
- Upload the rules you saved in step 1
- Click on Save Rules
- Click OK
- Click on restart sensor
Real Time File Transmission Analysis
We can now reassemble interesting files being transmitted on your network (both inbound and outbound) on ports 25, 80, 110 and 143. These are the ports through which most malware is propagated by browser-based attacks, phishing, or email spam.
Real Time File Transmission Logging
By default, all dangerous file transmissions (exe, dll, MS Office, pdf, zip, etc.) are logged and correlated whether or not they are malicious. This allows you to see what content your users are downloading or uploading (these informational messages can be disabled if this is too much information for you). See the screenshot below where several file transfers are logged.

Real Time File Scanning
Importantly, files that contain malicious code as reported by Virus Total are ranked 100 and flagged as high-priority events for your analysis. Any of these events should be taken very seriously, and appropriate remediation should be applied quickly. See the screenshot below, where Snort events and File-inbound events are correlated to show you an ongoing infection.

In order to access this great new feature:
- Go to your Sensor Configuration page
- Enable the File Monitoring plugin by clicking on the check box labeled “File Monitoring” toward the bottom of the page
- Enter an optional Virus Total Key (if you do not have one, we highly recommend registering with Virus Total and obtaining a free key at https://www.virustotal.com/)
- Save the sensor configuration
- Execute /nsm/etc/mss.sh restart on your sensor
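An added example (not the sensor's File Monitoring code): identifying the file classes listed above from a reassembled stream's leading bytes, and computing the SHA-256 used to look the file up by hash at Virus Total rather than uploading it. The signature table and the sample transfers are constructed.

```python
import hashlib

# Magic-byte table for the file classes the sensor logs. Constructed for this
# example; it is not the sensor's own detection list.
SIGNATURES = [
    (b"MZ", "pe (exe/dll)"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole (legacy ms office)"),
]

def identify(data):
    """Classify a reassembled file by its leading bytes; None if not a watched type."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            # Modern Office documents are zip containers carrying a content-types part.
            if label == "zip" and b"[Content_Types].xml" in data:
                return "ms office (ooxml)"
            return label
    return None

def sha256_hex(data):
    """Digest used to look the file up by hash instead of uploading it."""
    return hashlib.sha256(data).hexdigest()

# Constructed transfers: (direction, host, reassembled bytes). Payloads are stubs
# carrying only the headers the classifier inspects.
SAMPLE_TRANSFERS = [
    ("inbound", "10.0.0.5", b"MZ\x90\x00\x03\x00" + b"\x00" * 58 + b"PE\x00\x00"),
    ("inbound", "10.0.0.7", b"PK\x03\x04" + b"\x00" * 26 + b"[Content_Types].xml"),
    ("outbound", "10.0.0.9", b"<html><body>hello</body></html>"),
    ("inbound", "10.0.0.11", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
]

def triage(transfers):
    """Log (direction, host, type, sha256) for every transfer of a watched type."""
    rows = []
    for direction, host, data in transfers:
        kind = identify(data)
        if kind:  # text, images and other unwatched types are skipped
            rows.append((direction, host, kind, sha256_hex(data)))
    return rows
```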
BotHunter 1.7 Update
We’ve updated BotHunter to the latest version from the SRI Malware Threat Center. This new version has an updated rule set to help catch the latest threats as well as improved detection of false positives that are often associated with Peer-to-Peer and file-sharing traffic.
Current customers will receive this update automatically when their sensor is restarted/reloaded, and it will be bundled into the installation package for all new deployments.
MetaFlows Is Now on AWS Marketplace
You can now deploy MetaFlows sensors on Amazon EC2 through the new AWS Marketplace. It is extremely easy to set up, and you will be billed hourly as part of your EC2 instance subscription. You can use your existing MetaFlows account (or one will be automatically created for you) and monitor EC2 instances together with your existing physical sensors through a browser. This is true innovation!

Vulnerability Scanning
The MSS now allows you to perform vulnerability scans. Right-click on a record and choose the host/port combination to scan. A report will be created in real time once the scan is done, and the results will also be stored as Log events to be retrieved through the historical queries. The scans can be slow, so be patient once you initiate a scan.
Improved Correlation
Our event analysis interface was improved to provide more correlation between Flow, IDS, and Log events. Snort events are blue, Service discovery and User discovery events are yellow, and Log events are red. Each of these categories can appear under the source or destination IP address or in the Event column. If the events are under the source or destination address, it means that they have been associated with that address (or group of addresses) only. If the events appear in the Event column, it means that they have been associated with that flow or group of flows (both the source and destination addresses were associated with that event).