From bf848cd224f84c3c69e511dad85d91b463f558d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Aime?=
Date: Sun, 25 Apr 2021 11:06:35 +0200
Subject: [PATCH] Adding new detections
---
 analysis/classes/zeekengine.py | 68 ++++++++++++++++++++++------------
 analysis/locales/cat.json | 4 ++
 analysis/locales/de.json | 4 ++
 analysis/locales/en.json | 6 ++-
 analysis/locales/es.json | 4 ++
 analysis/locales/fr.json | 6 ++-
 analysis/locales/it.json | 4 ++
 analysis/locales/pt.json | 6 ++-
 analysis/locales/ru.json | 4 ++
 install.sh | 4 +-
 10 files changed, 81 insertions(+), 29 deletions(-)
diff --git a/analysis/classes/zeekengine.py b/analysis/classes/zeekengine.py
index c0a8e45..ac9be35 100644
--- a/analysis/classes/zeekengine.py
+++ b/analysis/classes/zeekengine.py
@@ -34,6 +34,22 @@ class ZeekEngine(object):
 self.active_analysis = get_config(("analysis", "active"))
 self.userlang = get_config(("frontend", "user_lang"))
+ # Retreive IOCs.
+ if self.iocs_analysis:
+ self.bl_cidrs = [[IPNetwork(cidr[0]), cidr[1]]
+ for cidr in get_iocs("cidr")]
+ self.bl_hosts = get_iocs("ip4addr") + get_iocs("ip6addr")
+ self.bl_domains = get_iocs("domain")
+ self.bl_freedns = get_iocs("freedns")
+ self.bl_nameservers = get_iocs("ns")
+ self.bl_tlds = get_iocs("tld")
+
+ # Retreive whitelisted items.
+ if self.whitelist_analysis:
+ self.wl_cidrs = [IPNetwork(cidr) for cidr in get_whitelist("cidr")]
+ self.wl_hosts = get_whitelist("ip4addr") + get_whitelist("ip6addr")
+ self.wl_domains = get_whitelist("domain")
+
 # Load template language
 if not re.match("^[a-z]{2,3}$", self.userlang):
 self.userlang = "en"
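Review bot: The new `self.bl_*` and `self.wl_*` attributes exist only when the matching flag is set, so any later code path that touches them without re-checking `self.iocs_analysis` / `self.whitelist_analysis` raises AttributeError; initialising them to empty lists before the two `if` blocks (`self.bl_domains = []`, `self.wl_domains = []`, and so on for the others) makes the object safe under every configuration. Moving the lookups into `__init__` also means IOC and whitelist data are read once per engine instance instead of per analysis call; if an instance is reused across captures, an updated IOC feed will not be seen until the engine is recreated — the instance lifetime is not visible from the hunk. The two new comments misspell "Retrieve" (`# Retrieve IOCs.`, `# Retrieve whitelisted items.`). `__init__` starts outside the hunk.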
@@ -84,21 +100,17 @@ class ZeekEngine(object):
 # Check for whitelisted assets, if any, delete the record.
 if self.whitelist_analysis:
- wl_cidrs = [IPNetwork(cidr) for cidr in get_whitelist("cidr")]
- wl_hosts = get_whitelist("ip4addr") + get_whitelist("ip6addr")
- wl_domains = get_whitelist("domain")
-
 for i, c in enumerate(self.conns):
- if c["ip_dst"] in [ip for ip in wl_hosts]:
+ if c["ip_dst"] in [ip for ip in self.wl_hosts]:
 self.whitelist.append(self.conns[i])
 self.conns[i] = False
- elif c["resolution"] in wl_domains:
+ elif c["resolution"] in self.wl_domains:
 self.whitelist.append(self.conns[i])
 self.conns[i] = False
- elif True in [c["resolution"].endswith("." + dom) for dom in wl_domains]:
+ elif True in [c["resolution"].endswith("." + dom) for dom in self.wl_domains]:
 self.whitelist.append(self.conns[i])
 self.conns[i] = False
- elif True in [IPAddress(c["ip_dst"]) in cidr for cidr in wl_cidrs]:
+ elif True in [IPAddress(c["ip_dst"]) in cidr for cidr in self.wl_cidrs]:
 self.whitelist.append(self.conns[i])
 self.conns[i] = False
@@ -151,17 +163,9 @@ class ZeekEngine(object):
 if self.iocs_analysis:
- bl_cidrs = [[IPNetwork(cidr[0]), cidr[1]]
- for cidr in get_iocs("cidr")]
- bl_hosts = get_iocs("ip4addr") + get_iocs("ip6addr")
- bl_domains = get_iocs("domain")
- bl_freedns = get_iocs("freedns")
- bl_nameservers = get_iocs("ns")
- bl_tlds = get_iocs("tld")
-
 for c in self.conns:
 # Check for blacklisted IP address.
- for host in bl_hosts:
+ for host in self.bl_hosts:
 if c["ip_dst"] == host[0]:
 c["alert_tiggered"] = True
 self.alerts.append({"title": self.template["IOC-01"]["title"].format(c["resolution"], c["ip_dst"], host[1].upper()),
@@ -171,7 +175,7 @@ class ZeekEngine(object):
 "id": "IOC-01"})
 break
 # Check for blacklisted CIDR.
- for cidr in bl_cidrs:
+ for cidr in self.bl_cidrs:
 if IPAddress(c["ip_dst"]) in cidr[0]:
 c["alert_tiggered"] = True
 self.alerts.append({"title": self.template["IOC-02"]["title"].format(c["resolution"], cidr[0], cidr[1].upper()),
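Review bot: The rewritten membership tests in the whitelist loop keep the old shape around the new attribute names, and `[ip for ip in self.wl_hosts]` only copies the list before the `in` test; `if c["ip_dst"] in self.wl_hosts:` is equivalent, and the two `True in [...]` branches read better as `elif any(c["resolution"].endswith("." + dom) for dom in self.wl_domains):` and `elif any(IPAddress(c["ip_dst"]) in cidr for cidr in self.wl_cidrs):`, which also stop at the first match instead of evaluating every entry. Since this block runs before the IOC checks and matches on a dot-suffix, a whitelisted parent domain silently suppresses alerts for all of its subdomains; a one-line comment above the loop stating that intent would help whoever maintains the whitelist. The enclosing method starts before and ends after the hunk.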
@@ -180,7 +184,7 @@ class ZeekEngine(object):
 "level": "Moderate", "id": "IOC-02"})
 # Check for blacklisted domain.
- for domain in bl_domains:
+ for domain in self.bl_domains:
 if c["resolution"].endswith(domain[0]):
 if domain[1] != "tracker":
 c["alert_tiggered"] = True
@@ -197,7 +201,7 @@ class ZeekEngine(object):
 "level": "Moderate", "id": "IOC-04"})
 # Check for blacklisted FreeDNS.
- for domain in bl_freedns:
+ for domain in self.bl_freedns:
 if c["resolution"].endswith("." + domain[0]):
 c["alert_tiggered"] = True
 self.alerts.append({"title": self.template["IOC-05"]["title"].format(c["resolution"]),
@@ -207,7 +211,7 @@ class ZeekEngine(object):
 "id": "IOC-05"})
 # Check for suspect tlds.
- for tld in bl_tlds:
+ for tld in self.bl_tlds:
 if c["resolution"].endswith(tld[0]):
 c["alert_tiggered"] = True
 self.alerts.append({"title": self.template["IOC-06"]["title"].format(c["resolution"]),
@@ -220,7 +224,7 @@ class ZeekEngine(object):
 try: # Domain nameservers check.
 name_servers = pydig.query(c["resolution"], "NS")
 if len(name_servers):
- for ns in bl_nameservers:
+ for ns in self.bl_nameservers:
 if name_servers[0].endswith(".{}.".format(ns[0])):
 c["alert_tiggered"] = True
 self.alerts.append({"title": self.template["ACT-01"]["title"].format(c["resolution"], name_servers[0]),
@@ -287,6 +291,7 @@ class ZeekEngine(object):
 * SSL connections which doesn't use the 443.
 * "Free" certificate issuer (taken from the config).
 * Self-signed certificates.
+ * Blacklisted domain in the CN
 :return: nothing - all stuff appended to self.alerts
 """
 ssl_default_ports = get_config(("analysis", "ssl_default_ports"))
@@ -297,8 +302,9 @@ class ZeekEngine(object):
 if record is not None:
 c = {"host": record['id.resp_h'], "port": record['id.resp_p'],
- "issuer": record["issuer"],
- "validation_status": record["validation_status"]}
+ "issuer": record["issuer"] if "issuer" in record else "",
+ "validation_status": record["validation_status"],
+ "cn": record["server_name"] if "server_name" in record else ""}
 if c not in self.ssl:
 self.ssl.append(c)
@@ -334,6 +340,20 @@ class ZeekEngine(object):
 "level": "Moderate", "id": "SSL-03"})
+ if self.iocs_analysis:
+ for cert in self.ssl:
+ # Check if the domain in the certificate haven't been blacklisted
+ # This check can be good if the domain has already been cached by
+ # the device so it wont appear in self.dns.
+ for domain in self.bl_domains:
+ if domain[1] != "tracker":
+ if cert["cn"].endswith(domain[0]):
+ self.alerts.append({"title": self.template["SSL-04"]["title"].format(domain[0], domain[1].upper()),
+ "description": self.template["SSL-04"]["description"].format(domain[0]),
+ "host": domain[0],
+ "level": "High",
+ "id": "SSL-04"})
+
 def alerts_check(self):
 """
 Leverage an advice to the user based on the trigered hosts
diff --git a/analysis/locales/cat.json b/analysis/locales/cat.json
index 15a9a26..66326b6 100644
--- a/analysis/locales/cat.json
+++ b/analysis/locales/cat.json
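Review bot: `record["validation_status"]` is still indexed directly while the neighbouring `issuer` and `server_name` lookups in the same dict literal were made optional; if those two fields can be absent from a record, this one presumably can be too (if `record` is a Zeek ssl.log entry, all three are optional there), and a missing key aborts the whole SSL pass with a KeyError. `dict.get` expresses the same defaults more compactly and uniformly: `"issuer": record.get("issuer", ""),` / `"validation_status": record.get("validation_status", ""),` / `"cn": record.get("server_name", "")}`. The key name `cn` is misleading for the value stored: `server_name` is the name the client requested (SNI), not the certificate's subject CN, so a reader of `cert["cn"]` downstream will assume the wrong source. The enclosing method starts outside the hunk.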
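Review bot: `cert["cn"].endswith(domain[0])` matches on any string suffix, so an IOC for `evil.example` (constructed example) also fires for `notevil.example`, and because neither the domain loop nor the cert loop stops after a hit, one server name that matches several overlapping IOC entries produces several High alerts; matching on a label boundary and breaking at the first hit fixes both, as in the rewrite below (the `tracker` exclusion and the alert dict are unchanged). The value compared is the client-requested SNI rather than anything in the certificate, so the three new comment lines, the `@@ -287` docstring bullet `* Blacklisted domain in the CN` and the SSL-04 locale text ("one of the certificates exchanged contains the domain name") describe a different signal than the code checks; `* Blacklisted domain in the requested server name (SNI)` would be accurate, assuming `record` comes from Zeek's ssl.log. `"host": domain[0]` records the IOC itself rather than the observed peer `cert["host"]`, which is what alerts_check appears to aggregate on — worth confirming which one is intended. The enclosing method starts outside the hunk.
```python
        if self.iocs_analysis:
            for cert in self.ssl:
                # cert["cn"] holds the name the client requested (SNI),
                # recorded as "" when the record carried none.
                sni = cert["cn"]
                if not sni:
                    continue
                for domain in self.bl_domains:
                    if domain[1] == "tracker":
                        continue
                    # Match whole labels only, so that an IOC for
                    # "evil.example" does not fire on "notevil.example".
                    if sni == domain[0] or sni.endswith("." + domain[0]):
                        # … unchanged: self.alerts.append({... "id": "SSL-04"}) …
                        break
```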
@@ -68,6 +68,10 @@
 "title": "El certificat associat a {} és autosignat.",
 "description": "L'ús de certificats autosignats és un element comú en infrastructures utilitzades per atacants. Recomanem comprovar el host {} que està associat a aquest certificat, especialment el seu nom de domini (en cas d'existir), el seu registre WHOIS, la seva data de creació i verificant la seva reputació a Internet. "
 },
+ "SSL-04": {
+ "title": "Un certificat conté el nom de domini {}, classificat com a {}",
+ "description": "Un dels certificats intercanviats conté el nom de domini {}. Aquest nom de domini s’ha classificat explícitament com a maliciós. El vostre dispositiu està compromès i hauria de ser investigat amb més detall per un equip professional."
+ },
 "ADV-01": {
 "title": "Comprovi les alertes per {}",
 "description": "Si us plau, verifiqui la reputació del sistema {}, ja que sembla ser maliciós per aparèixer en {} alertes durant la sessió."
diff --git a/analysis/locales/de.json b/analysis/locales/de.json
index ed3ad5a..f5873be 100644
--- a/analysis/locales/de.json
+++ b/analysis/locales/de.json
@@ -68,6 +68,10 @@
 "title": "Das mit {} verknüpfte Zertifikat ist selbstsigniert.",
 "description": "Die Verwendung von selbstsignierten Zertifikaten ist in der Infrastruktur von Angreifern weit verbreitet. Wir empfehlen, den mit diesem Zertifikat verknüpften Host {} zu überprüfen. Sehen Sie sich dazu seinen Domain-Namen (falls vorhanden), den WHOIS-Eintrag und das Erstellungsdatum an und überprüfen Sie die Reputation des Hosts im Internet."
 },
+ "SSL-04": {
+ "title": "Ein Zertifikat enthält den Domainnamen {}, der als {} kategorisiert ist",
+ "description": "Eines der ausgetauschten Zertifikate enthält den Domainnamen {}. Dieser Domainname wurde explizit als bösartig eingestuft. Ihr Gerät ist sicherlich kompromittiert und sollte von einem professionellen Team genauer untersucht werden."
+ },
 "ADV-01": {
 "title": "Überprüfen Sie die Warnungen für {}",
 "description": "Bitte überprüfen Sie die Reputation des Hosts {}. Dieser scheint bösartig zu sein, da er während der Sitzung {} Warnungen verursacht hat."
diff --git a/analysis/locales/en.json b/analysis/locales/en.json
index 6086b90..d4318de 100644
--- a/analysis/locales/en.json
+++ b/analysis/locales/en.json
@@ -68,6 +68,10 @@
 "title": "The certificate associated to {} is self-signed.",
 "description": "The use of self-signed certificates is a common thing for attacker infrastructure. We recommend to check the host {} which is associated to this certificate, by looking at the domain name (if any), its WHOIS record, its creation date, and by checking its reputation on the internet."
 },
+ "SSL-04": {
+ "title": "A certificate contains the domain name {}, categorized as {}",
+ "description": "One of the certificates exchanged contains the domain name {}. This domain name has been explicitly classified as malicious. Your device is definitely compromised and should be investigated further by a professional team."
+ },
 "ADV-01": {
 "title": "Check the alerts for {}",
 "description": "Please, check the reputation of the host {}, this one seems to be malicious as it leveraged {} alerts during the session."
@@ -109,4 +113,4 @@
 "low_msg": "You have only {} low alert(s), don't hesitate to check them.",
 "none_msg": "Everything looks fine, zero alerts. Don't hesitate to check the uncategorized communications, if any."
 }
-}
\ No newline at end of file
+}
diff --git a/analysis/locales/es.json b/analysis/locales/es.json
index f7c5e66..0a6bbde 100644
--- a/analysis/locales/es.json
+++ b/analysis/locales/es.json
@@ -68,6 +68,10 @@
 "title": "El certificado asociado a {} es autofirmado.",
 "description": "El uso de certificados autofirmados es un elemento común en infraestructuras utilizadas por atacantes. Recomendamos comprobar el host {} que está asociado a este certificado, especialmente su nombre de dominio (en caso de existir), su registro WHOIS, su fecha de creación y verificando su reputación en Internet."
 },
+ "SSL-04": {
+ "title": "Un certificado contiene el nombre de dominio {}, categorizado como {}",
+ "description": "Uno de los certificados intercambiados contiene el nombre de dominio {}. Este nombre de dominio se ha clasificado explícitamente como malicioso. Su dispositivo está definitivamente comprometido y debe ser investigado más a fondo por un equipo profesional."
+ },
 "ADV-01": {
 "title": "Compruebe las alertas para {}",
 "description": "Por favor, verifique la reputación del host {}, ya que parece ser malicioso por aparecer en {} alertas durante la sesión."
diff --git a/analysis/locales/fr.json b/analysis/locales/fr.json
index 5798358..0938e61 100644
--- a/analysis/locales/fr.json
+++ b/analysis/locales/fr.json
@@ -68,6 +68,10 @@
 "title": "Le certificat associé à {} est auto-signé.",
 "description": "L'utilisation de certificats auto-signés est une chose courante pour des infrastructures d'attaque associées à des activités malveillantes. Nous vous recommandons de vérifier le serveur {} qui est associé à ce certificat, en regardant le nom de domaine (le cas échéant), son enregistrement WHOIS, sa date de création, et en vérifiant sa réputation sur Internet."
 },
+ "SSL-04": {
+ "title": "Un certificat contient le nom de domaine {}, catégorisé en tant que {}",
+ "description": "Un des certificats échangés contient le nom de domaine {}. Ce nom de domaine a été explicitement catégorisé en tant que malveillant. Votre appareil est sûrement compromis et doit être investigué plus en détails par une équipe professionnelle."
+ },
 "ADV-01": {
 "title": "Vérifiez les alertes liées au serveur {}",
 "description": "Merci de vérifier la réputation et les alertes liées au serveur {}, ce dernier semble malveillant, ayant engendré {} alertes durant la session de capture."
@@ -109,4 +113,4 @@
 "low_msg": "Vous avez uniquement {} alerte(s) faibles, n'hésitez pas à les consulter.",
 "none_msg": "Toute semble normal, vous avez aucune alerte. Cependant, n'hésitez pas à regarder les communications non catégorisées."
 }
-}
\ No newline at end of file
+}
diff --git a/analysis/locales/it.json b/analysis/locales/it.json
index 1bb9075..9739f23 100644
--- a/analysis/locales/it.json
+++ b/analysis/locales/it.json
@@ -68,6 +68,10 @@
 "title": "Il certificato associato a {} è autofirmato.",
 "description": "L'utilizzo di certificati autofirmati è una consuetudine per l'infrastruttura degli autori degli attacchi. È consigliabile controllare l'host {} associato a questo certificato, prestando attenzione all'eventuale nome di dominio, al record WHOIS e alla data di creazione, nonché verificandone la reputazione in Internet."
 },
+ "SSL-04": {
+ "title": "Un certificato contiene il nome di dominio {}, classificato come {}",
+ "description": "Uno dei certificati scambiati contiene il nome di dominio {}. Questo nome di dominio è stato esplicitamente classificato come dannoso. Il tuo dispositivo è decisamente compromesso e dovrebbe essere esaminato ulteriormente da un team di professionisti."
+ },
 "ADV-01": {
 "title": "Controllare gli avvisi per {}",
 "description": "Controllare la reputazione dell'host {}, che sembra di natura dannosa poiché ha sfruttato {} avvisi durante la sessione."
diff --git a/analysis/locales/pt.json b/analysis/locales/pt.json
index 241e106..dcfdd41 100644
--- a/analysis/locales/pt.json
+++ b/analysis/locales/pt.json
@@ -68,6 +68,10 @@
 "title": "O certificado associado a {} é autoassinado.",
 "description": "O uso de certificados autoassinados é comum na infraestrutura de invasores. É recomendável analisar o host {} que está associado a esse certificado verificando o nome e o registro de domínio (se houver), a data de criação e sua reputação na internet."
 },
+ "SSL-04": {
+ "title": "Um certificado contém o nome de domínio {}, categorizado como {}",
+ "description": "Um dos certificados trocados contém o nome de domínio {}. Este nome de domínio foi explicitamente classificado como malicioso. Seu dispositivo está definitivamente comprometido e deve ser investigado por uma equipe profissional."
+ },
 "ADV-01": {
 "title": "Verifique os alertas para {}",
 "description": "Verifique a reputação do host {}, este parece ser malicioso, pois acionou alertas para {} durante a sessão."
@@ -109,4 +113,4 @@
 "low_msg": "Você tem apenas {} alerta(s) leve(s), não deixe de verificá-los.",
 "none_msg": "Tudo parece estar bem, zero alertas. Não deixe de verificar comunicações não categorizadas, se houver."
 }
-}
\ No newline at end of file
+}
diff --git a/analysis/locales/ru.json b/analysis/locales/ru.json
index 5290f4d..b56774c 100644
--- a/analysis/locales/ru.json
+++ b/analysis/locales/ru.json
@@ -68,6 +68,10 @@
 "title": "Сертификат, связанный с {}, является самоподписанным.",
 "description": "Использование самоподписанных сертификатов типично для инфраструктуры злоумышленников. Рекомендуется проверить устройство {}, связанное с этим сертификатом, изучив его доменное имя (если имеется), запись WHOIS, дату создания и репутацию в интернете."
 },
+ "SSL-04": {
+ "title": "Сертификат содержит доменное имя {}, относящееся к категории {}",
+ "description": "Один из обмениваемых сертификатов содержит доменное имя {}. Это доменное имя явно классифицировано как вредоносное. Ваше устройство определенно взломано и должно быть исследовано профессиональной группой."
+ },
 "ADV-01": {
 "title": "Проверьте предупреждения для {}",
 "description": "Проверьте репутацию устройства {}. Оно кажется вредоносным, поскольку для него сработало {} предупрежд. во время сеанса."
diff --git a/install.sh b/install.sh
index eb59e6d..39ee4ae 100644
--- a/install.sh
+++ b/install.sh
@@ -303,8 +303,7 @@ check_dependencies() {
 "/usr/bin/suricata"
 "/usr/bin/unclutter"
 "/usr/bin/sqlite3"
- "/usr/bin/pip"
- "/usr/bin/node")
+ "/usr/bin/pip")
 echo -e "\e[39m[+] Checking dependencies...\e[39m"
 for bin in "${bins[@]}"
@@ -316,6 +315,7 @@ check_dependencies() {
 install_package ${bin##*/}
 fi
 done
+ install_package node
 echo -e "\e[39m[+] Install Python packages...\e[39m"
 python3 -m pip install -r "$SCRIPT_PATH/assets/requirements.txt"
 }
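Review bot: `install_package node` now runs on every invocation, while every other dependency is installed only when its binary is missing from the `bins` check in the `@@ -303` hunk above; unless `install_package` (defined outside the hunk) is idempotent, that re-runs a package install each time the script is executed. A guard in the same spirit as the loop keeps the behaviour uniform: `command -v node >/dev/null 2>&1 || install_package node`. If node was taken out of the array because it does not live at `/usr/bin/node` on some distributions, a one-line comment saying so would explain why it is handled separately.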