Hassan submitted this story:
Ouch! One thing I keep saying in our IDS Class: If your servers all for sudden start joining IRC channels, then they are either very bored, or very compromised. But lets see how it went for Hassan. Hassan had what every analyst wants: pcaps! So he looked at the full packet capture of the traffic:
Further analysis showed that the traffic originated from servers that were currently in the process of being moved between hosts via vMotion. The content of the memory / disk being transferred included IRC traffic like strings! Oops. We may not have active IRC traffic, but why are these strings present? Maybe malware lingering on the system? Hassan went all in and used volatility to examine the memory dump.
Great work Hassan! This one was a good one and yes, anti-virus patterns will often contain "malicious strings" and can trigger an IDS if it spots these strings in transfer. The signatures as downloaded from the vendor are often encrypted, compressed or otherwise obfuscated, so your IDS usually doesn't recognize these patterns. But once loaded into memory on the host, the signatures are in the clear.Intrusion Detection In-Depth - SANS Baltimore Spring 2020
Oct 9th 2014
5 years ago