SOC Managed Security IPS Services Review Sample
This sample quarterly tuning report was conducted for Client ITProSec on the IPS security service.
1. Introduction
The following quarterly tuning report was conducted for Client ITProSec on the IPS security service.
The goals of the review are to:
– Provide details of the current deployment.
– Determine if there are any errors in the configurations that may impact service.
– Complete an analysis of available attack event data.
– Provide recommendations based on findings.
1.1. Scope
The SOC managed devices in scope for this IPS tuning review are as follows:
Function | Hostname | Model |
IPS Sensor | ITPROSECOM-TOR-IPS01 | HP Tipping Point 660N |
IPS Sensor | ITPROSECOM-MRHM-IPS01 | HP Tipping Point 660N |
2. IPS Device Configuration and Status
The following details the status of ITPROSECOM-TOR-IPS01 and ITPROSECOM-MRHM-IPS01.
Property | ITPROSECOM-TOR-IPS01 | ITPROSECOM-MRHM-IPS01 |
Check Date | 2018-Sept-6 | 2018-Sept-6 |
Firmware Version | TOS 3.8.4.4525 | TOS 3.8.2.4459 |
Signature Version | DV 3.2.0.9161 | DV 3.2.0.9161 |
Auxiliary DV | Malware 3.7.0.1370 | Malware 3.7.0.1370 |
Number of Monitored Segments | 8 | 4 |
Uptime | 73 weeks, 5 days | 118 weeks, 1 day |
CPU Usage | 70% at Peak Hours & No Alarms | 0.5% to 1% & No Alarms |
Memory Usage | 40% | 40% |
2.1. IPS Profile
2.1.1. ITPROSEC
Item | Details |
Check Date | 2018-Sept-6 |
IPS Profile Name | ITProSec_2 |
Version | 18.3 |
Filter Configuration | Filters Total – 20000+; Filters Modified – 5180 |
Security Filter Settings | Exploits – Recommended; Identity Theft – Recommended; Reconnaissance – Recommended; Security Policy – Recommended; Spyware – Block+Notify_1 (Locked); Virus – Recommended; Vulnerabilities – Recommended; Network Equip Protection – Recommended; Traffic Normalization – Recommended; Instant Messaging – Recommended; Peer to Peer – Recommended; Streaming Media – Recommended |
Application Filter Settings | Exploits (1); Reconnaissance – Recommended; Security Policy – Recommended; Instant Messaging – Recommended; Peer to Peer – Recommended; Streaming Media – Recommended |
The IPS profile is applied to both IPS sensors.
2.1.2. Client ITProSecSeg10
Item | Details |
Check Date | 2018-Sep-6 |
IPS Profile Name | Client ITProSecSeg10 |
Version | 68.1 |
Filter Configuration | Filters Total – 20000+; Filters Modified – 5181 |
Security Filter Settings | Exploits – Recommended; Identity Theft – Recommended; Reconnaissance – Recommended; Security Policy – Recommended; Spyware – Block+Notify_1 (Locked); Virus – Recommended; Vulnerabilities – Recommended; Network Equip Protection – Recommended; Traffic Normalization – Recommended; Instant Messaging – Recommended; Peer to Peer – Recommended; Streaming Media – Recommended |
Application Filter Settings | Reconnaissance – Recommended; Security Policy – Recommended; Instant Messaging – Recommended; Peer to Peer – Recommended; Streaming Media – Recommended |
The IPS profile is applied to both IPS sensors.
3. Attack Events Analysis
The details below are an analysis of the attack events produced for a period of 30 days from both IPS sensors.
3.1. Top 5 attacks in last 30 days (Major and Critical only)
The following are the top 5 threat IDs which were triggered during traffic inspection. See the embedded PDF for details.
Source IPs for Each Top Threat: see the embedded PDF (chart not reproduced here).
Threat ID | 31942 | 13817 | 4932 | 12607 | 0948 |
3.2. Threat Analysis
3.2.1. 31942: HTTP: D-Link DSL-2750B Command Injection Vulnerability
This filter detects an attempt to exploit a command injection vulnerability in D-Link DSL-2750B. This vulnerability results from a failure to properly validate parameters during login. A successful attack leads to arbitrary code execution under the context of the admin user. Authentication is not required to exploit this vulnerability. Reference: Discoverer Advisory http://www.quantumleap.it/d-link-router-dsl-2750b-firmware-1-01-1-03-rce-no-auth
Recommendation
Default action is Block. It is, however, recommended to verify whether 122.33.115.71, 151.202.31.12 and 151.202.31.16 are patched against this vulnerability.
3.2.2. 13817: TLS: OpenSSL Heartbleed Vulnerability
This filter detects an attempt to exploit an information disclosure vulnerability in OpenSSL. Specifically, OpenSSL servers fail to validate the length of the client payload sent against the actual size of data received. This can result in information disclosure, including private keys and other confidential data. Note: Filters 13814, 13840 and 13891 can be used for vulnerability and policy enforcement of heartbeat packet requests. References: HeartBleed Advisory Page http://heartbleed.com/; Common Vulnerabilities and Exposures https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160; Vendor Patch Advisory https://www.openssl.org/news/secadv_20140407.txt
Recommendation
Default action is Block+Notify. It is recommended to verify that 122.33.115.69 and 122.33.115.71 have been patched against this vulnerability.
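To illustrate the length check that filter 13817 enforces, the following is an added example (not from this report or from the TippingPoint product): a Python check that applies the rule the OpenSSL fix introduced, namely that the heartbeat's declared payload length plus the 3-byte heartbeat header and the 16-byte minimum padding must fit inside the TLS record (RFC 6520). The TLS record bytes it inspects are constructed inline as test data.

```python
import struct

TLS_HEARTBEAT = 24           # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16             # RFC 6520 section 4: padding is at least 16 bytes


def parse_tls_record(buf):
    """Split one TLS record into (content_type, version, fragment)."""
    if len(buf) < 5:
        raise ValueError("truncated TLS record header")
    ctype, ver, length = struct.unpack("!BHH", buf[:5])
    frag = buf[5:5 + length]
    if len(frag) != length:
        raise ValueError("record length field exceeds bytes on the wire")
    return ctype, ver, frag


def check_heartbeat(record):
    """Verdict for one TLS record: 'not-heartbeat', 'ok' or 'malformed'.

    The test mirrors the bounds check added to OpenSSL 1.0.1g:
    1 (type) + 2 (length) + payload_length + 16 (padding) must not exceed
    the record fragment actually received; otherwise the peer is asking
    the server to echo memory it never sent.
    """
    ctype, _ver, frag = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    if len(frag) < 3:
        return "malformed"
    hb_type, payload_len = struct.unpack("!BH", frag[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    if 1 + 2 + payload_len + MIN_PADDING > len(frag):
        return "malformed"
    return "ok"


def build_heartbeat(payload, declared_len=None, padding=b"\x00" * MIN_PADDING):
    """Constructed test data: a TLS 1.1 heartbeat request record.
    declared_len lets a test produce a length field that overstates the payload."""
    if declared_len is None:
        declared_len = len(payload)
    frag = struct.pack("!BH", HB_REQUEST, declared_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(frag)) + frag


GOOD = build_heartbeat(b"hello")                      # length matches payload
BAD = build_heartbeat(b"hello", declared_len=0x4000)  # length field overstated
APPDATA = b"\x17\x03\x02\x00\x01x"                    # application-data record
```

Running the detector over captured records is what the IPS filter does at line rate; the same rule also serves as a quick regression test that a patched OpenSSL build discards the malformed record rather than answering it.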
3.2.3. 4932: Exploit: Shellcode Payload
This filter detects standard shellcode payloads common to various vulnerability testing suites. In practice, many exploit writers use common payloads in their custom attacks, due to an open source development model. Note that a backup process which attempts to copy packet capture files or compiled exploit code across the network in a cleartext fashion may fire this filter. Exceptions for this filter should be made for these types of backup servers in order to avoid blocking the backup process.
Recommendation
Affected destinations are 151.202.31.12, 151.202.31.16 and 122.33.115.71.
Action is set to Block+Trap+Notify+Trace.
No further recommendations
3.2.4. 12607: Backdoor: Zero Access Trojan Communication Attempt
This filter detects an attempt by the Zero Access Trojan to communicate with a control server. Backdoor programs are typically installed by attackers on compromised machines to allow easy access to the compromised host from arbitrary remote locations. Most backdoors listen for connections on a high-numbered TCP or UDP port and respond to various commands from an attacker, including commands to manipulate the file system, start and stop programs, reboot the system, capture keystrokes and passwords, and more. It should be assumed that the remote attacker has complete control over the system running the backdoor program. Reference: Advisory http://dfirjournal.wordpress.com/2012/07/19/more-zeroaccess/
Recommendation
Action is set to Block and Notify.
These are blocked attempts to communicate with malware-hunter.census.shodan.io, a specialized Shodan crawler that explores the Internet looking for botnet command and control (C2) servers.
No further recommendations
3.2.5. 0948: HTTP: test-cgi Vulnerability
This filter detects an attempt to exploit the test-cgi CGI script on a web server. test-cgi is a utility that provides information on the current web environment. test-cgi has a vulnerability which allows an attacker to view arbitrary files on the system with the privileges of the web server. References: http://www.securityfocus.com/bid/2003
Recommendation
Action is set to Block+Trap+Notify+Trace.
No further recommendations
4. Conclusion
The purpose of this review was to evaluate the configurations of the managed IPS devices to determine if there are any issues that may impact service and to look for areas that can be improved upon.
At this time, there are no outstanding errors with the configuration. However, we recommend a firmware upgrade for ITPROSECOM-MRHM-IPS01 to match the version 3.8.4 used on ITPROSECOM-TOR-IPS01.
We look forward to answering any questions you may have on the results, and working with you to implement any of the changes mentioned.