When it comes to log collection, it is always difficult to figure out what to capture. The primary constraints are cost and value. Of course you can capture every log flowing through your network, but if you don't have a use case that gives it value, the result is wasted storage and money. That is far from ideal, since most Security Information Management (SIM) products, also referred to as Security Information and Event Management (SIEM), have a daily cost associated with log capture. Before purchasing a SIM, the first and often hardest task is deciding what to collect and why. We want quality over quantity. Again, what you collect has a cost: the minimum retention period (how many years logs must be kept) must be calculated, because it is directly related to the number of events per second (EPS) collected daily [1], how many log collectors are necessary to capture what you need, and so on.

Next, it is important to identify your top five use cases, based on the value that can have an immediate impact for the security team [2][3]. This part is often difficult to pin down. For each use case, identify the log source (firewall, IPS, VPN, etc.), its category (user activity, email, proxy, etc.), its priority (high, medium, low), the information type it carries (IP, hostname, username, etc.) and the matching use case (authentication, suspicious outbound activity, web application attack, etc.) [4]. The last step is to select the SIM that will meet those goals [5].
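The sizing and prioritisation described above, as an added worked example (not from the diary or from any SIEM vendor): a small Python catalogue that records each log source with the fields listed (source, category, priority, information type, use case), picks the sources that feed the required use cases within a licensed EPS budget, highest priority first, and turns the result into sustained EPS, daily volume, retained volume and collector count. All sources, EPS figures, event sizes, the 1,500 EPS budget, the 500 EPS per collector ceiling, the 1.5x peak factor and the 8:1 compression ratio are constructed, hypothetical inputs.

```python
"""Added example, not from the diary or any SIEM product: build a use-case
driven source catalogue, then derive the numbers a SIEM purchase hinges on
(sustained and peak EPS, daily and retained storage, collector count).
Every source, EPS figure, size and budget below is a constructed input."""
import math
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class LogSource:
    name: str             # firewall, IPS, VPN, ...
    category: str         # user activity, email, proxy, ...
    priority: str         # high / medium / low
    info_types: tuple     # IP, hostname, username, ...
    use_cases: tuple      # detection use cases this source feeds
    avg_eps: float        # measured events per second (not a vendor guess)
    avg_event_bytes: int  # measured average raw event size


# Constructed catalogue for illustration; measure your own EPS before sizing.
CATALOG = (
    LogSource("perimeter firewall", "network", "high", ("IP",),
              ("suspicious outbound activity",), 800, 300),
    LogSource("VPN concentrator", "user activity", "high", ("IP", "username"),
              ("authentication",), 20, 250),
    LogSource("domain controllers", "user activity", "high", ("hostname", "username"),
              ("authentication",), 150, 400),
    LogSource("IPS", "network", "high", ("IP",),
              ("suspicious outbound activity", "web application attack"), 50, 450),
    LogSource("WAF", "web", "medium", ("IP", "hostname"),
              ("web application attack",), 100, 500),
    LogSource("web proxy", "proxy", "medium", ("IP", "username"),
              ("suspicious outbound activity",), 600, 350),
    LogSource("email gateway", "email", "medium", ("username",),
              ("phishing",), 200, 600),
    LogSource("NetFlow exporters", "network", "low", ("IP",),
              ("suspicious outbound activity",), 2000, 100),
)

REQUIRED_USE_CASES = ("authentication", "suspicious outbound activity",
                      "web application attack")


def select_sources(catalog, eps_budget, required_use_cases):
    """Pick sources that feed a required use case, highest priority first and
    cheapest (lowest EPS) first within a priority, until the licensed EPS
    budget is spent.  Returns (chosen, skipped)."""
    wanted = set(required_use_cases)
    ranked = sorted((s for s in catalog if wanted & set(s.use_cases)),
                    key=lambda s: (PRIORITY_RANK[s.priority], s.avg_eps))
    chosen, skipped, used = [], [], 0.0
    for src in ranked:
        if used + src.avg_eps <= eps_budget:
            chosen.append(src)
            used += src.avg_eps
        else:
            skipped.append(src)
    return chosen, skipped


def uncovered_use_cases(chosen, required_use_cases):
    """Required use cases that no chosen source feeds: a gap in the plan."""
    covered = {uc for s in chosen for uc in s.use_cases}
    return set(required_use_cases) - covered


def sustained_eps(sources):
    return sum(s.avg_eps for s in sources)


def daily_volume_bytes(sources):
    """Raw bytes ingested per day: sum(EPS * bytes/event) * 86400."""
    return sum(s.avg_eps * s.avg_event_bytes for s in sources) * SECONDS_PER_DAY


def retained_volume_bytes(sources, retention_years, peak_factor=1.0,
                          compression_ratio=1.0):
    """Storage for the retention period.  peak_factor covers bursts (an
    incident can multiply EPS); compression_ratio is what the SIEM really
    achieves on disk, which should be measured rather than assumed."""
    days = retention_years * DAYS_PER_YEAR
    return daily_volume_bytes(sources) * days * peak_factor / compression_ratio


def collectors_needed(sources, eps_per_collector, peak_factor=1.0):
    """Collectors required to absorb peak EPS without dropping events."""
    return math.ceil(sustained_eps(sources) * peak_factor / eps_per_collector)


if __name__ == "__main__":
    chosen, skipped = select_sources(CATALOG, 1500, REQUIRED_USE_CASES)
    print("chosen :", [s.name for s in chosen])
    print("skipped:", [s.name for s in skipped])
    print("gaps   :", uncovered_use_cases(chosen, REQUIRED_USE_CASES) or "none")
    print(f"sustained EPS   : {sustained_eps(chosen):.0f}")
    print(f"daily raw volume: {daily_volume_bytes(chosen) / 1e9:.1f} GB")
    print(f"1-year retention: {retained_volume_bytes(chosen, 1, 1.5, 8) / 1e12:.2f} TB")
    print("collectors      :", collectors_needed(chosen, 500, 1.5))
```

The greedy pass is a first cut, not an answer: a large high-priority source can be skipped while smaller, lower-priority ones fit, so the skipped list is where the budget conversation starts. Measure EPS on a real business day and test the compression ratio the product achieves on your own data before trusting the storage figure.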

[1] http://www.buzzcircuit.com/tag/siem-storage-calculator/
[2] http://blogs.gartner.com/anton-chuvakin/2014/05/14/popular-siem-starter-use-cases/
[3] http://blogs.gartner.com/anton-chuvakin/2013/09/24/detailed-siem-use-case-example/
[4] http://journeyintoir.blogspot.ca/2014/09/siem-use-case-implementation-mind-map.html
[5] https://isc.sans.edu/forums/diary/SIEM+is+not+a+product+its+a+process/20399

Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
IBM Clustered Data ONTAP CVE-2016-3400 Man in the Middle Security Bypass Vulnerability

(Image credit: SophosLabs)

Google's official Play marketplace is waging an uphill battle against Android apps that display an unending stream of popup ads even when users try to force them to stop, researchers said Friday.

The researchers, from UK-based SophosLabs, said they have found a total of 47 apps in the past week that collectively have racked up as many as 6 million downloads. They all use a third-party library that bombards users with ads that continue to display even after users force-close the app or scrub memory. In a blog post, SophosLabs said Google has removed some of the privately reported apps while allowing others to remain.

The MarsDae library that's spawning the popup torrent supports Android versions 2.3 through 6, as well as Samsung, Huawei, Mizu, Mi, and Nexus devices. One app that incorporates MarsDae, SophosLabs said, is Snap Pic Collage Color Splash, which remained available on Google servers as this post was being prepared. Snap Pic has been downloaded from 50,000 to 100,000 times. Once installed, it displays ads on the Android home screen. Even after a user uses the Android settings to force close the app, the ads resume a few seconds later.


Deluge CVE-2017-9031 Directory Traversal Vulnerability

When I'm on shift, I really like to look at the port trends and see what the changes are. Looking at shifts in the network traffic is a great way to provide early warning that something new is out there. So today, port 83 caught my eye because it's just not a common port you run into.

First step: what normally lives as a service on this port?

However, I can't find any documentation about this. This step can sometimes be one of the most frustrating. It's not the research part, but finding GOOD documentation that lays out the service or protocol that normally listens on a port. It's finding sample traffic, logs, etc. that can help you understand what you are seeing. That, however, is a completely different topic, but might be a fun rabbit hole to go down later.

Now, the fun part... getting packets to see what we can figure out about what is going on here. Normally that helps, but today, not so much. It actually has made it a little more confusing, only because there are a lot of disparate items (so it seems) in the traffic, and some very curious ones. Johannes got a sample of traffic off our honeypot by setting up a netcat listener. Here are a few of the interesting tidbits from the packets, but I haven't figured out how to put it all together, or if any of it even fits together.

  • There was a successful three-way handshake, then one packet with the PSH and ACK flags set, and that was followed by a graceful teardown.

Who knew there was so much action on a port that I really hadn't looked at till today. If you have any packet captures for this, or any ideas how this fits together or if it's just random, please let us know!
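One way to find the handshake, single PSH/ACK, graceful-teardown pattern the bullet above describes across a whole capture, rather than eyeballing it, as an added example that is not part of the handler's diary: a Python classifier over the text output of tcpdump -nn. The packet lines below are constructed (documentation address ranges, a 16-byte payload) and are not the honeypot traffic the diary refers to; the flag letters follow tcpdump's notation (S = SYN, . = ACK, P = PSH, F = FIN, R = RST).

```python
"""Added example, not from the diary: classify TCP flows in tcpdump -nn text
output by their flag sequence, so the handshake / one PSH-ACK / graceful
teardown pattern can be counted over a capture.  SAMPLE is constructed."""
import re
from collections import Counter, defaultdict

PKT_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
LEN_RE = re.compile(r"length (?P<len>\d+)")

# Constructed tcpdump -nn lines (documentation addresses), not real capture data:
# flow 1 is the diary's pattern, flow 2 a bare SYN probe, flow 3 a client reset.
SAMPLE = """\
10:00:00.000100 IP 198.51.100.7.40001 > 192.0.2.10.83: Flags [S], seq 100, win 64240, length 0
10:00:00.000200 IP 192.0.2.10.83 > 198.51.100.7.40001: Flags [S.], seq 500, ack 101, win 65535, length 0
10:00:00.000300 IP 198.51.100.7.40001 > 192.0.2.10.83: Flags [.], ack 501, win 64240, length 0
10:00:00.000400 IP 198.51.100.7.40001 > 192.0.2.10.83: Flags [P.], seq 101:117, ack 501, win 64240, length 16
10:00:00.000500 IP 192.0.2.10.83 > 198.51.100.7.40001: Flags [.], ack 117, win 65535, length 0
10:00:00.000600 IP 198.51.100.7.40001 > 192.0.2.10.83: Flags [F.], seq 117, ack 501, win 64240, length 0
10:00:00.000700 IP 192.0.2.10.83 > 198.51.100.7.40001: Flags [F.], seq 501, ack 118, win 65535, length 0
10:00:00.000800 IP 198.51.100.7.40001 > 192.0.2.10.83: Flags [.], ack 502, win 64240, length 0
10:00:01.000100 IP 203.0.113.5.51000 > 192.0.2.10.83: Flags [S], seq 7, win 1024, length 0
10:00:02.000100 IP 203.0.113.9.52000 > 192.0.2.10.83: Flags [S], seq 9, win 64240, length 0
10:00:02.000200 IP 192.0.2.10.83 > 203.0.113.9.52000: Flags [S.], seq 30, ack 10, win 65535, length 0
10:00:02.000300 IP 203.0.113.9.52000 > 192.0.2.10.83: Flags [R.], seq 10, ack 31, win 0, length 0
"""


def parse_line(line):
    """Return (src, sport, dst, dport, flagset, payload_len) or None."""
    m = PKT_RE.search(line)
    if not m:
        return None
    n = LEN_RE.search(line)
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
            set(m["flags"]), int(n["len"]) if n else 0)


def group_flows(text):
    """Group packets by connection.  The side that sends the first packet of
    a flow is treated as the client ('c'); packets back from the other side
    are tagged 's'.  Each event is (side, flagset, payload_len)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags, length = pkt
        key, rev = ((src, sport), (dst, dport)), ((dst, dport), (src, sport))
        if rev in flows:
            flows[rev].append(("s", flags, length))
        else:
            flows[key].append(("c", flags, length))
    return flows


def classify(events):
    """Label one flow from its packet sequence."""
    client_syn = any(s == "c" and "S" in f and "." not in f for s, f, _ in events)
    server_synack = any(s == "s" and {"S", "."} <= f for s, f, _ in events)
    client_ack = any(s == "c" and f == {"."} for s, f, _ in events)
    data = [(s, f, n) for s, f, n in events if n > 0]
    reset = any("R" in f for _, f, _ in events)
    fin_sides = {s for s, f, _ in events if "F" in f}
    if not client_syn:
        return "mid-stream (no SYN seen)"
    if not server_synack:
        return "unanswered SYN (probe or scan)"
    if reset:
        return "reset"
    if not client_ack:
        return "handshake incomplete"
    graceful = fin_sides == {"c", "s"}
    if graceful and len(data) == 1 and "P" in data[0][1]:
        return "handshake, one PSH/ACK, graceful teardown"
    if graceful:
        return f"handshake, {len(data)} data packets, graceful teardown"
    return f"handshake, {len(data)} data packets, no teardown"


def summarize(text):
    """Label every flow and count the labels: the per-pattern view of a port."""
    labels = {key: classify(ev) for key, ev in group_flows(text).items()}
    return labels, Counter(labels.values())


if __name__ == "__main__":
    labels, counts = summarize(SAMPLE)
    for (client, server), label in labels.items():
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}  {label}")
    print(dict(counts))
```

Feed it a real capture with `tcpdump -nn -r port83.pcap tcp port 83` piped into the script; a pile of flows all landing in the single-PSH/ACK bucket points at one scanner or one client implementation, while a spread across buckets is the "disparate items" situation the diary describes.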

ESA-2017-041: EMC VNX1 and VNX2 Family Multiple Vulnerabilities in VNX Control Station
389 Directory Server CVE-2016-5416 Information Disclosure Vulnerability
FreeType 2 CVE-2017-8105 Out of Bounds Write Heap Buffer Overflow Vulnerability
Linux Kernel 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' Local Information Disclosure Vulnerability
June 2017 - Bamboo - Critical Security Advisory
[security bulletin] HPESBGN03761 rev.1 - HPE Virtualization Performance Viewer (VPV)/ Cloud Optimizer using Linux, Remote Escalation of Privilege
[SECURITY] [DSA 3882-1] request-tracker4 security update
Multiple Blue Coat Products Security Bypass Vulnerability