Analyzing outgoing network traffic
We all know that network traffic contains real treasure when trying to identify malicious activities. Various organizations recognized this and even mandate that IDS or IPS systems are implemented.
However, such systems typically have similar problems as anti-virus products – they depend either on pre-made signatures or some kind of heuristics which can be (sometimes easily) evaded.
At the same time, in the AV world we can see that more vendors rely on things such as cloud scanning and reputation systems.
One of the things I often recommend to people is that they check outgoing network sessions created by their networks – not only established connections but also various attempts. For example, you should regularly monitor your firewall logs to see what traffic has been dropped – but put more effort into analyzing what egress connections were blocked since that can help you identify potentially infected (or hacked) machines on your network.
The best example of when such analysis really pays off is RSA Security – through egress log analysis they found out that the hacker that compromised their network used FTP to transfer files to an external machine. This should make you ask yourself – do you monitor egress connections to detect big(ger) transfers to external hosts, especially those in weird locations?
Another thing that I found really useful is to correlate those connection attempts to known bad reputation sources; this is where we get to the beginning of this diary. Such correlation can really add value to your firewall/router data – knowing that an internal IP address tried to connect to an external IP address, and that this connection attempt was blocked is good, but knowing that the external IP address is actually a ZeuS C&C really adds value!
Some of the reputation sources that are free, and that I found to be working really well are the following (in no particular order):
- Emerging Threats’ RBN list: http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
- All abuse.ch trackers: Zeus (https://zeustracker.abuse.ch/), SpyEye (https://spyeyetracker.abuse.ch/), Palevo (https://palevotracker.abuse.ch/)
Do you use other reputation sources? Anything you wish to add to this list? Let us know!
--
Bojan
INFIGO IS
Web App Penetration Testing and Ethical Hacking | Amsterdam | Mar 31st - Apr 5th 2025 |
Comments
Sorry to ask, but how reliable is RBN list for you guys?
Yew Chuan
Aug 23rd 2012
1 decade ago
But since many years at our institute (Swiss Federal Institute of Technology) we analyze the egress connections. We use statistical methods to automatically detect peaks and also correlations between positives. The last powerpoint presentation of our implementation can be found here:
https://www1.ethz.ch/id/services/list/security/workshops/IDS-ETHS-SWITCH_SecWG2011
It is not quite up to date some, things are missing there, but essentially it is a correct description of our setup.
Christian Hallqvist
www.ethz.ch
Christian
Aug 23rd 2012
1 decade ago
http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt
http://rules.emergingthreats.net/open/suricata/rules/botcc.rules
http://rules.emergingthreats.net/open/suricata/rules/rbn-ips.txt
https://www.projecthoneypot.org/list_of_ips.php
http://rules.emergingthreats.net/open/suricata/rules/tor.rules
http://rules.emergingthreats.net/open/suricata/rules/compromised.rules
http://www.malwaredomainlist.com/hostslist/ip.txt
http://rules.emergingthreats.net/open/suricata/rules/rbn.rules
http://www.mtc.sri.com/live_data/attackers/
http://intel.martincyber.com/ip/
https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
https://reputation.alienvault.com/reputation.generic
https://www.openbl.org/lists/base.txt
http://www.blocklist.de/lists/ssh.txt
https://palevotracker.abuse.ch/
http://www.malwaregroup.com/ipaddresses
http://www.ciarmy.com/list/ci-badguys.txt
http://www.malware.com.br/cgi/submit?action=list
ben webb
Aug 23rd 2012
1 decade ago
-monitoring outbound routes (may be an infrastructure activity if firewall is not adequately monitoring outbound)
- monitor, control and log any outbound encryption (dont assume all encryption is good_)
-special attention to open proxies (e.g. hidemyass.com )
Infosecurity.master
Aug 23rd 2012
1 decade ago
Matt
Aug 23rd 2012
1 decade ago
Bojan
Aug 23rd 2012
1 decade ago
Rank #Addrs CC
---- ------ --
1 5898 US
2 1819 CN
3 1435 RU
4 1180 DE
5 736 NL
6 510 UA
7 463 GB
8 424 FR
9 406 KR
10 380 CA
11 330 BR
12 307 TW
I'm a little surprised to see Germany at #4, because it doesn't seem to show up as much in the contexts with which I usually deal.
Hal
Aug 23rd 2012
1 decade ago
Free lists from Spamhaus are DROP en EDROP:
http://www.spamhaus.org/drop/
Placebo
Aug 24th 2012
1 decade ago
watcher60
Aug 24th 2012
1 decade ago
MarkE
Aug 24th 2012
1 decade ago