SOC Managed Security IPS Services Review Sample

This sample quarterly tuning report was conducted for Client ITProSec on the IPS security service.

Table of Contents

1.    Introduction  4

1.1.        Scope  4

2.    IPS Device Configuration and Status  4

2.1.        IPS Profile  5

3.    Attack Events Analysis  7

3.1.        Top 5 attacks in last 30 days  7

3.2.        Threat Analysis  8

4.    Conclusion  9

1.    Introduction

The following quarterly tuning report was conducted for Client ITProSecon the IPS security service.

The goals of the review are to:

– Provide details of the current deployment.

– Determine if there are any errors in the configurations that may impact service.
– Complete an analysis of available attack event data.
– Provide recommendations based on findings.

1.1.     Scope

The SOC managed devices in-scope for this IPS tuning review is as follows:

Function Hostname Model
IPS Sensor ITPROSECOM-TOR-IPS01 HP Tipping Point 660N
IPS Sensor ITPROSECOM-MRHM-IPS01 HP Tipping Point 660N

2.   IPS Device Configuration and Status

The following details the status of ITPROSECOM-TOR-IPS01 and ITPROSECOM-MRHM-IPS01.

Property Details
ITPROSECOM-TOR-IPS01 ITPROSECOM-MRHM-IPS01
Check Date 2018-Sept-6 2018-Sept-6
Firmware Version TOS 3.8.4.4525 TOS 3.8.2.4459
Signature Version DV 3.2.0.9161 DV 3.2.0.9161
Auxiliary DV Malware 3.7.0.1370 Malware 3.7.0.1370
Number of Monitored Segments 8 4
Uptime 73 weeks, 5 days 118 weeks, 1 day
CPU Usage 70% at Peak Hours & No Alarms 0.5% to 1% & No Alarms
Memory Usage 40% 40%

2.1.     IPS Profile

2.1.1.    Ontario Securities Commission_2

Item Details
Check Date 2018-Sept-6
IPS Profile Name ITProSec_2
Version 18.3
Filter Configuration Filters Total – 20000+ Filters Modified – 5180
Security Filter Settings Exploits – Recommended Identity Theft – Recommended Reconnaissance – Recommended Security Policy – Recommended Spyware – Block+Notify_1 (Locked) Virus – Recommended Vulnerabilities – Recommended Network Equip Protection – Recommended Traffic Normalization – Recommended Instant Messaging – Recommended Peer to Peer – Recommended Streaming Media – Recommended
Application Filter Settings Exploits (1)
Reconnaissance – Recommended Security Policy – Recommended Instant Messaging – Recommended Peer to Peer – Recommended Streaming Media – Recommended

The IPS profile is applied to both IPS sensors.

2.1.2.    Client ITProSecSeg10

Item Details
Check Date 2018-Sep-6
IPS Profile Name Client ITProSecSeg10
Version 68.1
Filter Configuration Filters Total – 20000+ Filters Modified – 5181
Security Filter Settings Exploits – Recommended Identity Theft – Recommended Reconnaissance – Recommended Security Policy – Recommended Spyware – Block+Notify_1 (Locked) Virus – Recommended Vulnerabilities – Recommended Network Equip Protection – Recommended Traffic Normalization – Recommended Instant Messaging – Recommended Peer to Peer – Recommended Streaming Media – Recommended
Application Filter Settings Reconnaissance – Recommended Security Policy – Recommended Instant Messaging – Recommended Peer to Peer – Recommended Streaming Media – Recommended

The IPS profile is applied to both IPS sensors.

3.   Attack Events Analysis

The details below are an analysis of the attack events produced for a period of 30 days from both IPS sensors.

3.1.     Top 5 attacks in last 30 days (Major and Critical only)

The following are the top 5 threat IDs which were triggered during traffic inspection. See the embedded PDF for details.  

                                                         Source IPs for Each Top Threat
31942 13817 4932 12607 0948

3.2.     Threat Analysis

3.2.1.    31942: HTTP: D-Link DSL-2750B Command Injection Vulnerability

This filter detects an attempt to exploit a command injection vulnerability in D-Link DSL-2750B.  This vulnerability results from a failure to properly validate parameters during login. A successful attack leads to arbitrary code execution under the context of the admin user.  Authentication is not required to exploit this vulnerability.  Reference:  Discoverer Advisory http://www.quantumleap.it/d-link-router-dsl-2750b-firmware-1-01-1-03-rce-no-auth

Recommendation

Default Action is block. It is however recommended to verify if 122.33.115.71, 151.202.31.12 and 151.202.31.16 are patched against this vulnerability.

3.2.2.    13817: TLS: OpenSSL Heartbleed Vulnerability

This filter detects an attempt to exploit an information disclosure vulnerability in OpenSSL.  Specifically, OpenSSL servers fail to validate the length of the client payload sent against the actual size of data received. This can result in information disclosure, including private keys and other confidential data.  Note: Filter 13814, 13840 and 13891 can be used for vulnerability and policy enforcement of heartbeat packet requests.  References:  HeartBleed Advisory Page http://heartbleed.com/  Common Vulnerabilities and Exposures https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160  Vendor Patch Advisory https://www.openssl.org/news/secadv_20140407.txt

Recommendation

Default action is to Block+Notify.  It is recommended to verify that 122.33.115.69 and 122.33.115.71 has been patched against this vulnerability.

3.2.3.    4932: Exploit: Shellcode Payload


This filter detects standard shellcode payloads common to various vulnerability testing suites. In practice, many exploit writers use common payloads in their custom attacks, due to an open source development model.  Note that a backup process which attempts to copy packet capture files or compiled exploit code across the network in a cleartext fashion may fire this filter. Exceptions for this filter should be made for these types of backup servers in order to avoid blocking the backup process.

Recommendation

Affected destinations are 151.202.31.12, 151.202.31.16 and 122.33.115.71.

Action is set to Block+Trap+Notify+Trace.

No further recommendations

3.2.4.    12607: Backdoor: Zero Access Trojan Communication Attempt

This filter detects an attempt by the Zero Access Trojan to communicate with a control server.  Backdoor programs are typically installed by attackers on compromised machines to allow easy access to the compromised host from arbitrary remote locations. Most backdoors listen for connections on a high-numbered TCP or UDP port and respond to various commands from an attacker, including commands to manipulate the file system, start and stop programs, reboot the system, capture keystrokes and passwords, and more. It should be assumed that the remote attacker has complete control over the system running the backdoor program.  Reference:  Advisory http://dfirjournal.wordpress.com/2012/07/19/more-zeroaccess/

Recommendation

Action is set to Block and Notify.

These are the blocked attempt to communicate with malware-hunter.census.shodan.io – a specialized Shodan crawler that explores the Internet looking for command & control (C2s) servers for botnets

No further recommendations

3.2.5.    0948: HTTP: test-cgi Vulnerability

This filter detects an exploit to the test-cgi cgi command on a web server. test-cgi is a utility to provide information on the current web environment. test-cgi has a vulnerability which allows an attacker to view arbitrary files on the system with the privileges of the web server.  References: http://www.securityfocus.com/bid/2003

Recommendation

Action is set to Block+Trap+Notify+Trace.

No further recommendations

4.   Conclusion

The purpose of this review was to evaluate the configurations of the managed IPS devices to determine if there are any issues that may impact service and to look for areas that can be improved upon. 

At this time, there are no outstanding errors with the configuration. However we recommend a firmware upgrade for ITPROSECOM-MRHM-IPS01 to match the version 3.8.4 used on ITPROSECOM-TOR-IPS01.

We look forward to answering any questions you may have on the results, and working with you to implement any of the changes mentioned.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.