Weekly Tech News - The Top Snort Signatures of 2017

The Snort IPS engine is at the core of both the Cisco Firepower Threat Defense and Cisco Meraki IPS systems. Maintained by Cisco's Talos group, the Snort engine and its signatures are licensed to the world via the open source GPL, and as such it is the most widely distributed IPS engine in the world.

A recent Talos blog post summed up the top 5 most frequently triggered signatures on the Snort engines in 2017.

Pay particular attention to #5 and #3, as in my view these are both “early warning” alerts that something bad might be brewing in your network. We see these signatures fire with unfortunate regularity on the school IPS modules that we routinely monitor. The source of these hits probably deserves more attention than they are getting at the current time.

As usual, the full post is an interesting read to get a feel for what has been happening out in the real-world Internet.

For the direct full Cisco Talos blog entry with additional charts and graphs please follow this link:



2017 was an eventful year for cybersecurity, with high-profile vulnerabilities that allowed self-replicating worm attacks such as WannaCry and BadRabbit to impact organizations throughout the world. In 2017, Talos researchers discovered many new attacks, including backdoors in legitimate software such as CCleaner, targeting high-tech companies, and M.E.Doc, which was responsible for the initial spread of Nyetya. Despite all those, headline-making attacks are only a small part of the day to day protection provided by security systems.

In this post, we review some of the findings created by investigating the most frequently triggered Snort signatures as reported by Cisco Meraki systems and included in the Snort default policy set.


Snort signatures are classified into different classes based on the type of activity detected, with the most commonly reported class type being “Trojan-activity”, followed by “Policy-violation” and “Misc-activity”. Some less frequently reported class types such as “Attempted-admin” and “Web-application-attack” are particularly interesting in the context of detecting malicious inbound and outbound network traffic.

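Snort signatures are identified by three parts: the generator ID (GID), the signature ID (SID) and a revision number. The GID identifies what part of Snort generates the event; ‘1’ indicates an event has been generated from the text rules subsystem. The SID uniquely identifies the rule itself. You can search for information on SIDs via the search box on the Snort website. The revision number is the version of the rule; be sure to use the latest revision of any rule.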

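Without further ado, here are the 5 most frequently triggered signatures in the policy, in reverse order, just as you would expect from an annual Snort alert chart.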

#5 - 1:39867:3 “Suspicious .tk dns query”

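The .tk top-level domain is owned by the South Pacific territory of Tokelau. The domain registry allows for the registration of domains without payment, which leads to the .tk top-level domain being one of the most prolific in terms of the number of domain names registered. However, this free registration leads to .tk domains frequently being abused by attackers.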

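This signature triggers on DNS lookups for .tk domains. Such a case does not necessarily mean that the lookup is malicious in nature, but it can be a useful indicator of suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated as to the cause, especially if a single device is responsible for a large proportion of these triggers.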

Other, similar signatures detecting DNS lookups to other rarely used top-level domains such as .bit, .pw and .top also made it into our list of the top 20 most frequently triggered rules.

#4 - 1:23493:6 “Win.Trojan.ZeroAccess outbound connection”

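ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click fraud campaigns. The rule detects UDP packets sent by an infected system to so-called supernodes, which participate in the network of command and control servers. The rule can be used to block outbound communication from the malware.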

ZeroAccess is a state of the art rootkit and is able to hide from the basic detection techniques on the infected machine. However, network detection using an IPS such as Snort can quickly pinpoint a source of the malicious ZeroAccess traffic, as it generates a fairly noisy and regular communication pattern.

The malware sends a UDP packet every second to check in with a supernode, so a single affected organization is expected to have many alerts. This may be one of the reasons why the ZeroAccess detection signature is placed high on our list.

#3 - 1:41083:1 “Suspicious .bit dns query”

The .bit top-level domain extension is relatively obscure but is occasionally used for hosting malware C2 systems, with Necurs being one of the families using it as a part of the botnet communication. The .bit TLD is managed using Namecoin, a distributed ledger with no central authority that is one of the first forks of the Bitcoin cryptocurrency. The decentralized nature of .bit domains means that few DNS servers resolve the domain, but equally these domains are resistant to takedowns.

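The signature triggers on DNS lookups for .bit domains. As with .tk lookups, if the signature triggers, this does not necessarily mean that the lookup is malicious in nature. However, a sharp increase in the rule triggering may be worth investigating.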
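The check recommended above for the .tk and .bit rules (a sharp rise in hits, and one device producing most of them) can be run over Snort fast-format alert lines keyed by GID:SID; this is an added example, not code from the original post or from Talos. The sample lines, the addresses and the `spike_factor` and `dominance` thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# GID:SID of the two DNS rules named on this page, mapped to their TLD.
WATCHED = {(1, 39867): ".tk", (1, 41083): ".bit"}
# Snort "fast" alert line; IPv4 sources only (a simplification made here).
ALERT_RE = re.compile(
    r"^(?P<day>\d\d/\d\d)-\S+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?"
    r"\{\w+\}\s+(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->")

def parse_alerts(lines):
    """Yield (day, gid, sid, src) for every line that parses as an alert."""
    for line in lines:
        if m := ALERT_RE.match(line):
            yield m["day"], int(m["gid"]), int(m["sid"]), m["src"]

def review(lines, spike_factor=3.0, dominance=0.5):
    """Flag, per watched rule, a last-day spike and a single dominant source."""
    per_day, per_src = defaultdict(Counter), defaultdict(Counter)
    for day, gid, sid, src in parse_alerts(lines):
        if (gid, sid) in WATCHED:
            per_day[gid, sid][day] += 1
            per_src[gid, sid][src] += 1
    findings = {}
    for key, days in per_day.items():
        ordered = sorted(days)                  # MM/DD sorts within one year
        earlier = [days[d] for d in ordered[:-1]]
        # Baseline = mean of earlier days with alerts; no history, no spike.
        baseline = sum(earlier) / len(earlier) if earlier else float("inf")
        spike = days[ordered[-1]] >= spike_factor * baseline
        top_src, top_n = per_src[key].most_common(1)[0]
        share = top_n / sum(days.values())
        findings[WATCHED[key]] = {
            "spike": spike,
            "dominant_src": top_src if share >= dominance else None}
    return findings

def _line(day, sid, rev, tld, src):         # builds one constructed alert line
    return (f"{day}-10:00:00.000000  [**] [1:{sid}:{rev}] Suspicious {tld} dns "
            f"query [**] [Classification: Misc activity] [Priority: 1] "
            f"{{UDP}} {src}:53124 -> 10.0.0.2:53")
# Constructed sample: .tk jumps on 01/12 because of one host; .bit stays flat.
SAMPLE = ([_line(d, 39867, 3, ".tk", f"10.0.5.{h}") for d, h in
           (("01/10", 11), ("01/10", 12), ("01/11", 12), ("01/11", 13), ("01/12", 11))]
          + [_line("01/12", 39867, 3, ".tk", "10.0.5.23")] * 8
          + [_line(d, 41083, 1, ".bit", f"10.0.5.{h}") for d, h in
             (("01/10", 11), ("01/11", 12), ("01/12", 13))])

if __name__ == "__main__":
    print(review(SAMPLE))
```

Days with no alerts do not appear in the log, so the baseline here is the mean over earlier days that had at least one hit.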


Jenxcus is more of a worm than a trojan, despite the naming used in the human-readable signature description. It spreads by copying itself to removable and shared drives and allows the attacker to remotely access and control the infected system. Like many trojans, once a system is infected, Jenxcus tries to establish contact with its C2 infrastructure. This contact is made with an HTTP POST request using a specific user-agent string. The user-agent string itself is specific to this trojan and its many variants and can be detected and blocked using this signature.

#1 - 1:40522:3 “Unix.Trojan.Mirai variant post-compromise fingerprinting”

Internet of Things (IoT) security is something which we have written about extensively. The Mirai botnet and variants continue to try and infect IoT devices by attempting to log in with default usernames and passwords. Once the malware has successfully accessed a device, it checks that the device behaves as expected and not like a honeypot. It is this check that the rule detects. This post-compromise activity has been constantly present throughout the year and at the peak of its activity in February accounted for over 20% of all alerts reported daily.