Sourcefire IPS¶
Constructor : Cisco¶
Device : Sourcefire 3D Sensors¶
Theoretical injector performance¶
22141 EPS
Log format : IS¶
example 1 : TOTOHOST SNORT[2500]: [1:1418:11] SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.116.28.60:40949 -> 10.116.24.225:161
example 2: TOTOHOST256 SNORT[2600]: [1:1852:3] WEB-MISC robots.txt access [Classification: Access to a Potentially Vulnerable Web Application] [Priority: 2] {TCP} 10.116.28.60 -> 10.116.24.225
example 3: HOSTNAME SNORT: [1:993:11] WEB-IIS iisadmin access [Classification: Web Application Attack] [Priority: 1] {TCP} 10.116.28.60:51218 -> 10.116.24.225:80
example 4: HOSTNAME SNORT[2500]: [1:3000:4] NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.116.28.60:2110 -> 10.116.24.225:139
+----------------+-------------------+---------------------------------+ | Constructor | LMC field | sample logs | | field | | | +================+===================+=================================+ | SensorName | [obs][host][ | > SENSOR-52 SNORT[2500] | | | name] | | +----------------+-------------------+---------------------------------+ | SFIMS[program | [obs][process\ | SNORT [2500]: | | ] | ][name] | [1:1418:11] SNMP request | +----------------+-------------------+---------------------------------+ | SFIMS[pid] | [obs][process\ | SNORT[2500]: | | | ][id] | [1:1418:11] SNMP request | +----------------+-------------------+---------------------------------+ | Signature | [sourcefire][s | 1418:11] SNMP request tcp | | | ignature] | [Classification | +----------------+-------------------+---------------------------------+ | classification | [alarm][name] | > Classification: Web | | | | > Application Attack | +----------------+-------------------+---------------------------------+ | priority | [alarm][sev] | > [Priority: 2] | +----------------+-------------------+---------------------------------+ | protocol | [app][proto]\ | > [Priority: 3] {TCP} | | | [name] | > 10.116.28.60:2110 | +----------------+-------------------+---------------------------------+ | Source_ip | [init][host]\ | 10.116.28.60:2110 -> | | | [ip] | 10.116.24.225:139 | +----------------+-------------------+---------------------------------+ | SRCPort | [init][host]\ | 10.116.28.60:2110 -> | | | [port] | 10.116.24.225:139 | +----------------+-------------------+---------------------------------+ | Destination_i | [target][host\ | 10.116.28.60:2110 -> | | p | ][ip] | 10.116.24.225:139 | +----------------+-------------------+---------------------------------+ | DSTPort | [target][host\ | 10.116.28.60:2110 -> | | | ][port] | 10.116.24.225:139 | +----------------+-------------------+---------------------------------+ | GID | [sourcefire][g | SNORT[2500]: | | | id] | [1:1418:11] SNMP request | +----------------+-------------------+---------------------------------+ | SID | [sourcefire][s | SNORT[2500]: | | | id] | [1:1418:11] SNMP request | +----------------+-------------------+---------------------------------+ | revision | [sourcefire][r | SNORT[2500]: | | number | ev] | [1:1418:11] SNMP request | +----------------+-------------------+---------------------------------+
Test Unit List¶
unit_is_Access_to_a_Potentially_Vulnerable_Web_Application.json unit_is_Attempted_Information_Leak.json unit_is_Web_Application_Attack.json
Log format : DC¶
example:
SFIMS: [119:4:1] http_inspect: BARE BYTE UNICODE ENCODING [Impact: Potentially Vulnerable] From at Wed Apr 15 13:19:26 2015 UTC [Classification: Not Suspicious Traffic] [Priority: 3] {tcp} 191.1.221.205:58422->10.34.200.224:80
| Constructor field | LMC field |
|---|---|
| SensorName | [obs][host][name] |
| SFIMS[program] | [obs][process][name] |
| SFIMS[pid] | [obs][process][id] |
| Signature | [sourcefire][signature] |
| classification | [alarm][name] |
| priority | [alarm][sev] |
| protocol | [app][proto][name] |
| Source_ip | [init][host][ip] |
| SRCPort | [init][host][port] |
| Destination_ip | [target][host][ip] |
| DSTPort | [target][host][port] |
| GID | [sourcefire][gid] |
| SID | [sourcefire][sid] |
| revision | number [sourcefire][rev] |
| impact | [sourcefire][impact] |
Test Unit List¶
unit_dc_Not_Suspicious_Traffic.json
Log format : Sourcefire for device 3d8xxx¶
SFIMS: [Primary Detection Engine (e8a41cd0-5cc4-11e5-b22f-82f97030470a)][Seg20_S_Sieges_IN][1:31978:5]
[Classification: Attempted Administrator Privilege Gain] User: Unknown, Application: Unknown, Client: Firefox, App Protocol: HTTP, Interface Ingress: s1p1, Interface Egress: s1p2, Security Zone Ingress: Seg20-S-Sieges-BB-IN, Security Zone Egress: Seg20-S-Sieges-BB-OUT, Context: Unknown, SSL Flow Status: N/A, SSL Actual Action: N/A, SSL Certificate: 0000000000000000000000000000000000000000, SSL Subject CN: N/A, SSL Subject Country: N/A, SSL Subject OU: N/A, SSL Subject Org: N/A, SSL Issuer CN: N/A, SSL Issuer Country: N/A, SSL Issuer OU: N/A, SSL Issuer Org: N/A, SSL Valid Start Date: N/A, SSL Valid End Date: N/A, [Priority: 1] {TCP} 10.110.130.50:50250 -> 10.100.8.50:8000
| Constructor field | LMC field |
|---|---|
| application | [app][name] |
| user | [target][usr][name] |
| ssl_certificate | [sourcefire][ssl_certificate] |
| interface_ingress | [init][host][if] |
| interface_egress | [target][host][if] |
| security_zone_egress | [sourcefire][security_zone_egress] |
| security_zone_ingress | [sourcefire][security_zone_ingress] |
| context | [sourcefire][context] |
| app_protocol | [sourcefire][app_protocol] |
| client | [init][process][name] |
| type | [type] |
| classification | [alarm][name] |
| priority | [alarm][sev] |
| protocol | [app][proto][name] |
| application | [app][name] |
| src_ip | [init][host][ip] |
| src_port | [init][host][port] |
| dst_ip | [target][host][ip] |
| dst_port | [target][host][port] |
| sid | [sourcefire][sid] |
| gid | [sourcefire][gid] |
| rev | [sourcefire][rev] |
| signature | [sourcefire][signature] |
Test Unit List¶
unit_3d8xxx.json