Add in extra cnc checks #162

wants to merge 2 commits into
base: master
65 changes: 43 additions & 22 deletions modules/signatures/network_cnc_http.py
Expand Up @@ -22,12 +22,18 @@ def run(self):
"http://.*\.adobe\.com/.*",
]

# HTTP request Features. Done like this due to for loop appending data each time instead of once so we wait to end of checks to add summary of anomalies
# HTTP feature checks
post_noreferer = 0
post_nouseragent = 0
get_nouseragent = 0
nouseragent = 0
version1 = 0
long_uri = 0

# scoring
cnc_score = 0
cnc_count = 0

low_fidelity_params = ["&os=","&win=","&winver=","&winversion=","&win_ver=","win_version=","&windows=","&user=","&username=","&uid=","&gpu=","&ram=","&nat=","&computer=","&compname=","&productid="]
highrisk_params = ["bot=","botnet=","botid=","bot_id=","&antivirus=","&antiv=","&av="]
useragents = ["NSIS","WinHttpRequest","WinInet","InetURL"]

if "network" in self.results and "http" in self.results["network"]:
for req in self.results["network"]["http"]:
Expand All @@ -37,37 +43,52 @@ def run(self):
is_whitelisted = True

# Check HTTP features
if not is_whitelisted and req["method"] == "POST" and "Referer:" not in req["data"]:
post_noreferer += 1

if not is_whitelisted and req["method"] == "POST" and "User-Agent:" not in req["data"]:
post_nouseragent += 1

if not is_whitelisted and req["method"] == "GET" and "User-Agent:" not in req["data"]:
get_nouseragent += 1

if not is_whitelisted and req["version"] == "1.0":
version1 += 1
if not is_whitelisted:
if req["method"] == "POST" and "Referer:" not in req["data"]:
post_noreferer += 1
cnc_score += 1
if len(req["body"]) < 50 and len(req["body"]) > 0:
cnc_score += 1
if len(req["path"]) < 15 and len(req["path"]) > 1:
cnc_score += 2
if "/gate.php" in req["path"]:
cnc_score += 3
if req["path"].endswith(".php") or req["path"].endswith("="):
cnc_score += 1

if req["method"] == "POST" and "User-Agent:" not in req["data"]:
nouseragent += 1
cnc_score += 2

if req["method"] == "GET" and "User-Agent:" not in req["data"]:
nouseragent += 1
cnc_score += 2

if req["version"] == "1.0":
version1 += 1

if cnc_score > 2:
cnc_count += 1

if post_noreferer > 0:
self.data.append({"post_no_referer" : "HTTP traffic contains a POST request with no referer header" })
self.severity = 3
self.weight += 1

if post_nouseragent > 0:
self.data.append({"post_no_useragent" : "HTTP traffic contains a POST request with no user-agent header" })
self.severity = 3
self.weight += 1

if get_nouseragent > 0:
self.data.append({"post_no_useragent" : "HTTP traffic contains a GET request with no user-agent header" })
if nouseragent > 0:
self.data.append({"no_useragent" : "HTTP traffic contains a request with no user-agent header" })
self.severity = 3
self.weight += 1

if version1 > 0:
self.data.append({"http_version_old" : "HTTP traffic uses version 1.0" })
self.weight += 1

if cnc_count > 0:
self.data.append({"cnc_connections" : "%s requests displayed multiple signs of being CnC related" % (cnc_count)})
self.severity = 3
self.weight += 1

if self.weight:
return True

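Review bot: `cnc_score` is initialised once in the `# scoring` block before the `for req in self.results["network"]["http"]` loop and is never reset, so the heuristic points added under `if not is_whitelisted:` accumulate across the whole capture; once the running total exceeds 2, every later non-whitelisted request bumps `cnc_count`, and the summary `"%s requests displayed multiple signs of being CnC related"` overstates the count. Move the reset into the loop, e.g. `cnc_score = 0` as the first statement under `if not is_whitelisted:`, so the `> 2` threshold judges each request on its own. `long_uri`, `low_fidelity_params`, `highrisk_params` and `useragents` are declared in the first hunk but not referenced in either hunk; unless they are consumed in the part of `run` that continues past the second hunk, they should drive a check or be dropped. Separately, the whitelist entry `http://.*\.adobe\.com/.*` is unanchored on the right, so a URL such as `http://c2.example/.adobe.com/gate.php` would presumably be treated as whitelisted if the pattern is applied with `re.match` in the collapsed lines between the hunks — anchoring on the host (`^http://[^/]*\.adobe\.com/`) closes that bypass.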