Mandiant’s APT1 Domain/MD5 Intel and Security Onion for Splunk

Mandiant’s Intel Report APT1: Exposing One of China’s Cyber Espionage Units is loaded with indicators that organizations can use to identify whether they are or have been a victim of APT1. If you’re running the newest version of Security Onion, then you’ll definitely have data available to comb through for network, domain and md5 hash indicators. ELSA can help you with this process as can Security Onion for Splunk.

If you want a quick way to leverage the domain and md5 data in Security Onion for Splunk download the Digital Appendix and Indicators zip file (md5 hashes are provided by Mandiant) and extract the files. Make a copy of the files “Appendix D (Digital) – FQDNs.txt” and “Appendix E (Digital) – MD5s.txt” and rename them to apt1_fqdn.csv and apt1_md5.csv. Then you’ll need to edit the files so the first row contains the field header. For apt1_fqdn.csv add “domain” to the first row; for apt1_md5.csv add “md5” so they should look like this:

[Screenshots: apt1_fqdn.csv example; apt1_md5.csv example]

Next, we need to upload the .csv files we edited so head to Security Onion for Splunk and click Manager > Lookups > Lookup Table files > New. The Destination app will be securityonion, then choose the files and specify the Destination filename to be the same as what we named the files (apt1_fqdn.csv and apt1_md5.csv).

[Screenshot: Add lookup table]

When you’ve uploaded both files you’ll need to change the permissions if you want other users to be able to run the queries by setting the permissions to Read for “This app only (securityonion).” Now head back to the Security Onion app, click the Search menu and run the following searches over all the Bro historical data you’ve got (dns.log and http.log specifically).

sourcetype=bro_dns [|inputlookup apt1_fqdn.csv | fields + domain] | fields dest_ip src_ip domain

sourcetype=bro_http [|inputlookup apt1_md5.csv | fields + md5] | fields dest_ip src_ip md5

If you get no matching events back, breathe a sigh of relief. If you do get results, start digging deeper!
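The prep and search steps above, as an offline Python equivalent added here (not code from the post or from the Security Onion app): it builds the two header-prefixed lookup CSVs from appendix-style text, parses constructed Bro dns.log and http.log excerpts, and reports the rows whose query or md5 field hits an indicator, which is the same join the two Splunk searches perform. The indicator values and log lines are constructed placeholders, and the field names follow Bro's native id.orig_h/id.resp_h/query rather than the app's src_ip/dest_ip/domain aliases.

```python
import csv
import io

# Constructed placeholders standing in for the two Mandiant appendix files
# (one FQDN or MD5 per line, no header). Not real APT1 indicators.
APPENDIX_D_FQDNS = "evil.example.net\nupdate.example.org\n"
APPENDIX_E_MD5S = "d41d8cd98f00b204e9800998ecf8427e\n"

# Constructed Bro ASCII log excerpts: tab-separated with a #fields header,
# as Bro writes them; only the columns the searches need are included.
BRO_DNS_LOG = ("#fields\tts\tid.orig_h\tid.resp_h\tquery\n"
               "1.0\t10.0.0.5\t10.0.0.53\tEVIL.example.net\n"
               "2.0\t10.0.0.6\t10.0.0.53\twww.example.com\n")
BRO_HTTP_LOG = ("#fields\tts\tid.orig_h\tid.resp_h\tmd5\n"
                "3.0\t10.0.0.7\t203.0.113.9\td41d8cd98f00b204e9800998ecf8427e\n"
                "4.0\t10.0.0.8\t203.0.113.9\t-\n")

def to_lookup_csv(appendix_text, header):
    """The manual prep step: header row first, then one indicator per row."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow([header])
    for line in appendix_text.splitlines():
        if line.strip():
            writer.writerow([line.strip().lower()])
    return buf.getvalue()

def load_lookup(csv_text, header):
    """Read the lookup back the way inputlookup would, as a set of values."""
    return {row[header] for row in csv.DictReader(io.StringIO(csv_text))}

def parse_bro(log_text):
    """Parse a Bro log into dicts keyed by the names in its #fields line."""
    fields, rows = [], []
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def match_indicators(rows, field, indicators):
    """Same shape as `| fields dest_ip src_ip <field>`; match is case-insensitive."""
    return [(r["id.resp_h"], r["id.orig_h"], r[field])
            for r in rows if r[field].lower() in indicators]

def run():
    fqdns = load_lookup(to_lookup_csv(APPENDIX_D_FQDNS, "domain"), "domain")
    md5s = load_lookup(to_lookup_csv(APPENDIX_E_MD5S, "md5"), "md5")
    return {"dns": match_indicators(parse_bro(BRO_DNS_LOG), "query", fqdns),
            "http": match_indicators(parse_bro(BRO_HTTP_LOG), "md5", md5s)}
```

Lowercasing on both sides matters because Bro records DNS queries as the client sent them, so a mixed-case query would otherwise slip past an exact lookup.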


Security Onion 1.1 for Splunk

README notes w/ bonus comments for Version 1.1

I’ve added an input for Bro’s capture_loss.log which now displays on the SOstat Security Onion monitor in a time chart paired with Snort packet loss. To enable this log in Bro edit:


and add the following:

@load misc/capture-loss

You’ll have to check and install Bro for the change to get loaded.

sudo broctl

and you’re done. It takes a while before the first logged event shows up, so give it some time before you worry about whether it’s working. (The main reason I added this, aside from the value, is it will likely be standard in SO down the road. It’s completely optional and if I didn’t tell you about it you’d be none the wiser unless you did have it turned up, in which case you’d be pleasantly surprised.)

I also tweaked the sguild inputs to exclude “{URL” events. This data is already being consumed via bro_http so it should cut down on the licensing volume. (This will save you a ton of indexing volume and alone is worthy of updating!)

Monitors Dashboard

  • Returned misc-activity to the Sguil panel. (I’d yanked it due to the volume of URL events, but since we’re leaving those to bro_http, its value returns.)
  • Added date/time and raw event to drill down display for the FTP Args panel.
  • A drop down list has been added to GeoIP allowing you to search GeoIP by sourcetype which should reduce query times for more targeted views. The map also now includes drill down capabilities with results appearing below the map when selected. (Neatest update. Much more efficient than relying on all connections and lets you get geo visibility into each sourcetype.)
  • Added drill down to the time chart panels for HTTP and SMTP mining.

(The following additions bring a little asset and vulnerability management to the game via two dashboards: PADS [passive asset detection] and Bro’s Known Knowns.)

  • Added a PADS dashboard (similar to HTTP and SMTP mining) searchable by Name, Classification, Source IP, Source Port, Destination IP, Destination Port, Protocol, and Severity.
  • Added a Known Knowns dashboard. Includes: Known Services; Known Software searchable by Name and Type; and Known Certs searchable by Country, Common Name, Certificate Issuer Subject, Location, Organization, Organizational Unit, Port Number, State, and Certificate Subject.
  • Created an event type for PADS in addition to the PADS Mining dashboard.
  • Updated SOstat SO to include Bro capture loss in addition to Snort packet loss. (Also improved the packet/capture loss displays to be more “deployment friendly,” tracking by host or sensor.)


Few screenshots for @remor:

[Screenshots: 1.1 GeoIP; 1.1 Known Knowns; 1.1 PADS]

DC404 Slides

Last Saturday DC404 in Atlanta hosted Doug Burks presenting Security Onion and myself presenting the Security Onion Splunk app. I had a great time meeting Doug and the members of DC404, all of whom impressed on every level. The class and quality of people I continue to encounter in this field on the open source ranges is unmatched.

For the DC404 members who couldn’t make it, I give you slides: DC404 – Splunkin the Onion.

Special thanks to Beth and Taylor for the invite!

Fake A/V Scamware Revisited

Following up on my post from yesterday, if you’re interested in IPS or web filter URL paths, the majority of the fake a/v paths have been consistent:

  • /2009/download/trial/InstallAV*
  • /download/av_2009glof.exe
  • /download/av_360glof.exe
  • /promo/download/trial/InstallAV*
  • /spygd08/install.php

Blocking these or blocking executable downloads from URLs including these paths won’t stop them all but they will certainly help.

Palin Hack Advice

No, I’m not giving her advice on how to be a political hack…she’s getting lots of that already.

You’ve probably heard by now how Sarah Palin’s Yahoo! mail account was accessed by a 20-year-old from Memphis. Basically, the attacker used the password reset feature, which prompts you to answer several personally identifiable questions, such as “Where did you meet your spouse?” Being a governor only made that type of information all too easy to find.

Interestingly enough, the Grand Jury in Chattanooga convened on the matter today. I stumbled across this on the ISC Handler’s Diary page and had to share the advice.

Just because you’re presented with a “process” that looks and feels secure, doesn’t mean it is. It’s not just the 1s and 0s that are vulnerable; vulnerabilities start with the user at the keyboard. An uneducated user is almost guaranteed to be attacked. In this case, a seemingly “secure” solution of personal questions provides the user with a choice: secure my information or risk it all. Provide an accurate answer and just about anyone who has some level of personal knowledge (social networking sites anyone?) about you has discovered a vulnerability and can attack at will. Provide a false answer and you increase your odds of protection drastically.

Holey DNS!

Been awhile since I posted, but that doesn’t mean I’ve not been busy. Trends have been all over the map lately. It would take me weeks to catch the site up with what all has been going on since my last post, so I’ll try to fill in pieces as I can going forward.

That said, for now:

PATCH DNS NOW! There are rumblings of a potentially disastrous DNS cache poisoning vulnerability. We won’t know just how bad this is until Dan Kaminsky gives his presentation Aug. 7th. If it’s a nasty one but the impact is negligible, then credit Kaminsky, CERT, Microsoft and the other vendors involved for the way the disclosure has been handled and for coordinating the patch release. Time will tell…