Event Analysis Training – Analyzing Blacklisted Web Traffic

Previously, we’ve blogged about the various advantages and
disadvantages of reputation-based analysis of NetFlow, firewall and
network session data for event analysis. The basic concept is to take an external
list of “badguy” IP addresses, from a commercial provider or a free source such
as the SANS Internet Storm Center, and check whether any of your network’s IP addresses
communicate with them.

If all you have is NetFlow or network session data
consisting of IP addresses and ports, it can be difficult to determine what
was actually transmitted. The IP address of something like a chat server
may be blacklisted, but that does not mean every system that used it
was involved in virus or botnet activity. Being able to see the
actual packet data, or a log of the HTTP message components such as the URI, user agent
and referrer, for a web-based attack can mean the difference between responding to a possible
infection and safely ignoring an alert.

This blog describes how real-time sniffed web
transactions can be used to analyze connections to “blacklisted” IP addresses.

Analyzing a Suspicious Botnet Event

One of the data sources that the Log Correlation Engine (LCE)
can use for reputation-based correlation is the set of block lists that ships with the Emerging Threats Snort IDS
rules.
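The kind of correlation described above, as an added example that is not code from the original post or from the LCE itself: a small script that checks sniffed web transactions against a block list in the Emerging Threats text style (single hosts and CIDR ranges, `#` comments) and keeps the URI, user agent and referrer of each hit so an analyst has the context to triage it. The block list, the pipe-separated log format and all addresses are constructed for the example.

```python
import ipaddress

# Constructed block list (documentation-range addresses, not from any real feed);
# Emerging Threats style lists mix single hosts and CIDR blocks, with '#' comments.
BLOCKLIST_TEXT = """\
# hosts and ranges that should never be contacted
198.51.100.23
203.0.113.0/24
"""

# Constructed sniffed web transactions, one per line, pipe-separated fields.
FIELDS = ("src_ip", "dst_ip", "dst_port", "method", "host", "uri", "user_agent", "referrer")
WEB_LOG = """\
10.0.0.5|198.51.100.23|80|GET|chat.example.net|/poll|Mozilla/5.0|http://chat.example.net/
10.0.0.7|203.0.113.77|80|GET|203.0.113.77|/gate.php?id=4|-|-
10.0.0.9|192.0.2.10|443|GET|www.example.com|/|Mozilla/5.0|-
"""

def load_blocklist(text):
    """Parse a block list into ip_network objects; bare hosts become /32."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def parse_web_log(text):
    """Turn each non-empty log line into a dict keyed by FIELDS."""
    return [dict(zip(FIELDS, line.split("|")))
            for line in text.splitlines() if line.strip()]

def matching_entry(ip, nets):
    """Return the block-list entry covering ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    return next((str(n) for n in nets if addr in n), None)

def correlate(txns, nets):
    """Keep only transactions whose destination is on the block list and
    attach the matched entry; the HTTP fields stay with the hit for triage."""
    hits = []
    for t in txns:
        entry = matching_entry(t["dst_ip"], nets)
        if entry:
            hits.append({**t, "matched": entry})
    return hits

if __name__ == "__main__":
    for h in correlate(parse_web_log(WEB_LOG), load_blocklist(BLOCKLIST_TEXT)):
        print(f'{h["src_ip"]} -> {h["dst_ip"]} ({h["matched"]}) '
              f'{h["method"]} {h["host"]}{h["uri"]} ua={h["user_agent"]} ref={h["referrer"]}')
```

With NetFlow alone both hits would look identical (an internal host talking to a listed address on port 80); the kept fields show that the first is a browser polling a chat server with a normal referrer, while the second is a request to a bare IP with no user agent, which is the one worth a closer look.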

In the screenshot below (from a Security Center managing an
LCE), there is an event (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.