  • Post last modified:June 12, 2024

Considering the following IPS alert, which of the following HTTP transaction records provides the most relevant correlation with the alert?

Count:7 Event#7.2 2017-01-03 21:31:44
FILE-FLASH Adobe Flash Player integer underflow attempt
209.165.200.235 -> 10.10.6.238
IPVer=4 hlen=5 tos=0 dlen=673 ID=56477 flags=2 offset=0 ttl=62 chksum=45616
Protocol: 6 sport=80 -> dport=40381
  • host=127.0.0.1 program=bro_http class=BRO_HTTP srcip=10.10.6.10 srcport=39472 dstip=209.165.200.235 dstport=80 status_code=200 content_length=1211 method=GET site= iluvcats.public uri=/home/index.php referer=- user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 mime_type=text/html
  • host=127.0.0.1 program=bro_http class=BRO_HTTP srcip=10.10.6.238 srcport=40381 dstip=209.165.200.235 dstport=80 status_code=200 content_length=1211 method=GET site= iluvcats.public uri=/home/index.php referer=- user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 mime_type=text/html
  • host=127.0.0.1 program=bro_http class=BRO_HTTP srcip=10.10.6.238 srcport=40381 dstip=209.165.200.235 dstport=80 status_code=200 content_length=455 method=GET site=iluvcats.public uri=/EN7rkG55w/pQfsLXfUa.swf referer=http://iluvcats.public:8080/EN7rkG55w user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 mime_type=application/x-shockwave-flash
  • host=127.0.0.1 program=bro_http class=BRO_HTTP srcip=10.10.6.28 srcport=41772 dstip=209.165.200.235 dstport=80 status_code=200 content_length=455 method=GET site=iluvcats.public uri=/EN7rkG55w/pQfsLXfUa.swf referer=http://iluvcats.public:8080/EN7rkG55w user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 mime_type=application/x-shockwave-flash
Explanation & Hint:

To find the HTTP transaction record that provides the most relevant correlation with the given IPS alert, we need to match the details from the IPS alert with those in the transaction records. The IPS alert details are:

  • IPS Alert Details:
    • Type: FILE-FLASH Adobe Flash Player integer underflow attempt
    • Source IP: 209.165.200.235
    • Destination IP: 10.10.6.238
    • Destination Port: 40381

Now, let’s examine the HTTP transaction records for matches:

  1. First Record:
    • Source IP: 10.10.6.10 (doesn’t match the destination IP in the alert)
    • Source Port: 39472 (doesn’t match the destination port 40381 in the alert)
    • Destination IP: 209.165.200.235
    • Destination Port: 80
    • MIME Type: text/html (not related to Adobe Flash)
  2. Second Record:
    • Source IP: 10.10.6.238 (matches the destination IP in the alert)
    • Source Port: 40381 (matches the destination port in the alert)
    • Destination IP: 209.165.200.235
    • Destination Port: 80
    • MIME Type: text/html (not related to Adobe Flash)
  3. Third Record:
    • Source IP: 10.10.6.238 (matches the destination IP in the alert)
    • Source Port: 40381 (matches the destination port in the alert)
    • Destination IP: 209.165.200.235
    • Destination Port: 80
    • MIME Type: application/x-shockwave-flash (related to Adobe Flash)
  4. Fourth Record:
    • Source IP: 10.10.6.28 (doesn’t match the destination IP in the alert)
    • Source Port: 41772 (doesn’t match the destination port 40381 in the alert)
    • Destination IP: 209.165.200.235
    • Destination Port: 80
    • MIME Type: application/x-shockwave-flash (related to Adobe Flash)

Based on this analysis, the third HTTP transaction record is the most relevant correlation with the alert. It is the only record that both involves a Flash file (mime_type application/x-shockwave-flash) and matches the alert’s addresses: the alert’s destination 10.10.6.238:40381 appears as the record’s source IP and port, and the alert’s source 209.165.200.235:80 appears as its destination. The IPS fired on the server-to-client packet (sport=80), so the client’s GET for /EN7rkG55w/pQfsLXfUa.swf is the transaction that delivered the content the signature inspects, which is consistent with an Adobe Flash Player integer underflow attempt. The second record shares the same IP and port pair but fetched HTML, and the fourth fetched the same .swf but from a different host, 10.10.6.28.
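The correlation the explanation walks through, as an added example that is not part of the original post: a small Python script that parses the alert and the bro_http key=value records (whose user_agent values contain spaces, so a naive whitespace split breaks), then scores each record on reversed IP pair, reversed port pair and MIME type. The CLASS_MIME mapping and the scoring weights are assumptions chosen for this illustration; the sample alert and records are constructed copies of the ones above.

```python
import re

# Bro key=value values such as user_agent contain spaces, so a value runs to the next " key=" boundary.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Assumed mapping from a signature's class prefix to the MIME types carrying the content it inspects.
CLASS_MIME = {"FILE-FLASH": {"application/x-shockwave-flash"}}

# Constructed sample input reproducing the alert and the four records above.
ALERT = """Count:7 Event#7.2 2017-01-03 21:31:44
FILE-FLASH Adobe Flash Player integer underflow attempt
209.165.200.235 -> 10.10.6.238
IPVer=4 hlen=5 tos=0 dlen=673 ID=56477 flags=2 offset=0 ttl=62 chksum=45616
Protocol: 6 sport=80 -> dport=40381"""
UA = "user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
RECORDS = [
    f"host=127.0.0.1 program=bro_http srcip=10.10.6.10 srcport=39472 dstip=209.165.200.235 dstport=80 status_code=200 method=GET site= iluvcats.public uri=/home/index.php referer=- {UA} mime_type=text/html",
    f"host=127.0.0.1 program=bro_http srcip=10.10.6.238 srcport=40381 dstip=209.165.200.235 dstport=80 status_code=200 method=GET site= iluvcats.public uri=/home/index.php referer=- {UA} mime_type=text/html",
    f"host=127.0.0.1 program=bro_http srcip=10.10.6.238 srcport=40381 dstip=209.165.200.235 dstport=80 status_code=200 method=GET site=iluvcats.public uri=/EN7rkG55w/pQfsLXfUa.swf referer=http://iluvcats.public:8080/EN7rkG55w {UA} mime_type=application/x-shockwave-flash",
    f"host=127.0.0.1 program=bro_http srcip=10.10.6.28 srcport=41772 dstip=209.165.200.235 dstport=80 status_code=200 method=GET site=iluvcats.public uri=/EN7rkG55w/pQfsLXfUa.swf referer=http://iluvcats.public:8080/EN7rkG55w {UA} mime_type=application/x-shockwave-flash",
]

def parse_kv(line):
    # strip() also repairs a stray space after '=' as in "site= iluvcats.public"
    return {k: v.strip() for k, v in KV_RE.findall(line)}

def parse_alert(text):
    """Pull the signature, IP pair and port pair out of the IPS alert text."""
    sig = text.splitlines()[1]
    src, dst = re.search(r"(\S+) -> (\S+)", text).groups()
    sport, dport = re.search(r"sport=(\d+) -> dport=(\d+)", text).groups()
    return {"sig": sig, "src": src, "dst": dst, "sport": sport, "dport": dport}

def correlate(alert_text, records):
    """Score each record against the alert; returns (index, score, reasons), best first."""
    a = parse_alert(alert_text)
    mimes = CLASS_MIME.get(a["sig"].split()[0], set())
    scored = []
    for i, line in enumerate(records, 1):
        r, score, why = parse_kv(line), 0, []
        # The alert fired on the server->client packet (sport=80), so the matching
        # HTTP request record is the reverse flow: client as src, server as dst.
        if r.get("srcip") == a["dst"] and r.get("dstip") == a["src"]:
            score, why = score + 2, why + ["ip pair matches"]
        if r.get("srcport") == a["dport"] and r.get("dstport") == a["sport"]:
            score, why = score + 2, why + ["port pair matches"]
        if r.get("mime_type") in mimes:
            score, why = score + 1, why + ["mime type fits signature class"]
        scored.append((i, score, why))
    return sorted(scored, key=lambda t: -t[1])
```

Calling correlate(ALERT, RECORDS) ranks record 3 first with the full score, record 2 next (same flow, wrong content type), then records 4 and 1.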

For more Questions and Answers:

Threat Investigation Post-Assessment | CBROPS
