This post is a tutorial on using Security Onion OS tools such as Sguil and Wireshark for investigating network alerts to determine if they are false positives or true negatives.
Here’s a detailed breakdown of the key points covered:
- The video focuses on analyzing security alerts in a network using SQL to identify whether they are genuine threats or false positives.
- The instructor explains how network engineers and security analysts often deal with various alerts from different systems such as IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems).
Interface and Network Topology:
- The interface displayed includes sections for alerts, rules that trigger those alerts, packet data, DNS information, and system messages.
- The network topology consists of two devices:
- A DMZ server with the IP address
172.16.1.10
. - A Windows PC client with the IP address
10.1.6.1
.
- A DMZ server with the IP address
- The DMZ server is considered external, while the Windows PC is internal.
Analyzing an RDP (Remote Desktop Protocol) Alert:
- The first alert analyzed shows communication between the DMZ server and the internal Windows PC over RDP (Port 3389).
- The video explains how to right-click and view correlated events to investigate if the alert is part of a potential Denial of Service (DoS) attack.
- By inspecting the packet data in Wireshark, the instructor finds that the DMZ server initiated the connection, which is unusual because external connections to internal clients are typically blocked by firewalls unless explicitly allowed.
Suspicious Network Behavior:
- The instructor notes that this unexpected connection may indicate that the internal client is being used as a proxy or has been compromised.
- The investigation continues by analyzing the packet data further to identify any malicious behavior or signs of exploitation.
File Analysis:
- A file downloaded by the internal client is analyzed using VirusTotal to check if it is malicious.
- VirusTotal flags the file as suspicious, but only by a few antivirus engines, suggesting that it could be a false positive or an obfuscated malware file.
Nmap Scan Detection:
- The tutorial identifies a network scan using Nmap from the DMZ server targeting the internal Windows PC.
- The scan seeks to detect open services and operating system details, which could be a precursor to exploitation.
Exploit Investigation:
- Another alert shows a potential Internet Explorer vulnerability being exploited.
- The instructor explains a typical scenario where an attacker sends a malicious URL through phishing or social engineering, and the victim unknowingly clicks it, leading to exploitation.
- By reviewing the full transaction between the DMZ server and the Windows PC in Wireshark, it is revealed that the client visited a malicious webpage, resulting in a successful exploitation.
Incident Escalation:
- The instructor advises escalating such incidents to tier-two analysts for further investigation and initiating incident response.
- This includes isolating the compromised machine, conducting forensic analysis, and cleaning or wiping any traces of malware.
Show Comments