11.2.6 Lab – Classify Alerts Answers

11.2.6 Lab – Classify Alerts

Objectives

  • Part 1: Research Snort and CVE IDs
  • Part 2: Classify Alerts in a Windows Environment
  • Part 3: Classify Alerts in a Unix/Linux Environment

Background / Scenario

In this lab, you will classify alerts from two different environments: Windows and Linux. You are responsible for determining whether a detected alert is a true positive or a false positive. You are responsible for classifying whether the alerts are generated by the SIEM or from performing vulnerability scans. There will be two different environments to which you can apply the generated alerts.

Required Resources

  • Internet access

Instructions

Part 1: Research Snort and CVE IDs

Use sites such as mitre.org, snort.org, virustotal.com, and vendor websites to research information about the following Snort IDs (sid) and CVE IDs. For each alert, provide the following information:

  • The cross listing between Snort IDs and CVE numbers when available.
  • The CVSS score indicating the severity for each of the following IDs.
  • A brief description of the alert.

You will classify these alerts in Part 2 and Part 3.

1. Sid 1-54630

CVE-2020-8617 – CVSS Score 7.5 High – Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server.

2. CVE-2021-3438

A potential buffer overflow in the software drivers for certain HP LaserJet and Samsung printer products could lead to an escalation of privilege.

3. CVE-2020-5723

The UCM6200 series 1.0.20.22 and below stores unencrypted user passwords in an SQLite database. This could allow an attacker to retrieve all passwords and possibly gain elevated privileges.

4. Sid 1-46597

CVE-2018-8165 – CVSS Score 6.9 High – An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory, aka “DirectX Graphics Kernel Elevation of Privilege Vulnerability.” This affects Windows Server 2016, Windows 10, Windows 10 Servers.

5. CVE-2020-28374

CVSS Score 8.1 High – In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore.

6. Sid 1-31814

This activity is indicative of malware activity on a host. In this case, the MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal was detected. VirusTotal reports: 50 security vendors flagged this file as malicious.

7. Sid 1-50089

CVE-2019-0885 – CVSS Score 5.9 High – A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka ‘Windows OLE Remote Code Execution Vulnerability’.

8. Sid 1-50190

CVE-2019-3462 – CVSS Score 8.1 High – Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine. Several Linux based servers are listed as potential targets.

9. Sid 1-49188

This event is generated when the SpeakUp Linux trojan tries to request malicious scripts from its C2 servers. VirusTotal reports: 30 security vendors flagged this file (a Perl script) as malicious.

10. Sid 1-46991

CVE-2018-4243 – CVSS Score 5.9 High – An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the “Kernel” component. A buffer overflow in getvolattrlist allows attackers to execute arbitrary code in a privileged context via a crafted app.

Part 2: Classify Alerts in a Windows Environment

In this scenario, you are working in a primarily Windows environment consisting of Windows 10 PCs, Windows 2016 Servers, HP LaserJet printers, Grandstream UCM 6200 series IP phone system, and various software.
Use the information you gathered in Part 1 to determine if the alert should be classified as a true positive, false positive, or in need of further information about the environment.

1. Sid 1-54630

False Positive in this environment – BIND is running on a Linux server.

2. CVE-2021-3438

True Positive – Since this environment includes HP printers, this alert is very likely.

3. CVE-2020-5723

True Positive – The UCM 6200 series IP phone system is specifically listed.

4. Sid 1-46597

True Positive – This alert affects Windows 10 and Windows 2016 Servers.

5. CVE-2020-28374

False Positive – Alert pertains to Unix/Linux systems.

6. Sid 1-31814

True Positive – Malware applicable to Windows based systems.

7. Sid 1-50089

True Positive – Remote execution possibility for Windows systems.

8. Sid 1-50190

False Positive – The alert is applicable to several Linux distributions.

9. Sid 1-49188

False Positive – Linux Trojan primarily using a Perl executable.

10. Sid 1-46991

Likely False Positive, needs further investigation – Affects macOS and other Apple OSs. It’s possible a user brought their own device and connected to the network.

Part 3: Classify Alerts in a Linux Environment

In this scenario, you are working in a primarily Linux environment consisting of Linux servers that provide DNS, web services, and email. The environment also includes Linux workstations, a Cisco IP phone system, Epson printers, and various application software.

Use the information you gathered in Part 1 to determine if the alert should be classified as a true positive, false positive, or in need of further information about the environment.

1. Sid 1-54630

True Positive in this environment – BIND is running on a Linux server.

2. CVE-2021-3438

False Positive – This alert applies to HP and Samsung printers and is a driver issue for Windows. This environment is using Linux workstations.

3. CVE-2020-5723

False Positive – The IP phone system in use is a Cisco system.

4. Sid 1-46597

False Positive – This alert affects Windows 10 and Windows 2016 Servers. This environment is using Linux workstations.

5. CVE-2020-28374

True Positive – Alert pertains to a kernel vulnerability in Linux systems.

6. Sid 1-31814

False Positive – Malware applicable to Windows based systems. This environment is using Linux workstations.

7. Sid 1-50089

False Positive – Remote execution possibility for Windows systems. This environment is using Linux workstations.

8. Sid 1-50190

True Positive – The alert is applicable to several Linux distributions.

9. Sid 1-49188

True Positive – Linux Trojan primarily using a Perl executable.

10. Sid 1-46991

Likely False Positive, needs further investigation – Affects macOS and other Apple OSs. It’s possible a user brought their own device and connected to the network.
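The Part 2 and Part 3 classifications follow one rule: an alert is a true positive when the platform it affects is in the environment's asset inventory, a false positive when it is not, and "needs further investigation" when it affects a device class (such as personal Apple devices) that the inventory cannot rule out. The script below is an added example that is not part of the lab; it encodes the ten alerts from Part 1 and the two environments as constructed data (the `affects` tags are my own summary of each advisory, and `unmanaged` is my assumed BYOD class) and applies that rule, ranking true positives by the CVSS score recorded in Part 1.

```python
from typing import Dict, List, Tuple

# Alert catalogue built from Part 1. "affects" is a one-word summary of the
# platforms each advisory names (my own tagging, not from the Snort rules);
# CVSS values are the ones recorded in Part 1, None where Part 1 gives none.
ALERTS: Dict[str, dict] = {
    "Sid 1-54630":    {"cve": "CVE-2020-8617",  "cvss": 7.5,  "affects": {"bind"}},
    "CVE-2021-3438":  {"cve": "CVE-2021-3438",  "cvss": None, "affects": {"hp-printer", "samsung-printer"}},
    "CVE-2020-5723":  {"cve": "CVE-2020-5723",  "cvss": None, "affects": {"grandstream-ucm6200"}},
    "Sid 1-46597":    {"cve": "CVE-2018-8165",  "cvss": 6.9,  "affects": {"windows10", "windows-server-2016"}},
    "CVE-2020-28374": {"cve": "CVE-2020-28374", "cvss": 8.1,  "affects": {"linux-server", "linux-workstation"}},
    "Sid 1-31814":    {"cve": None,             "cvss": None, "affects": {"windows10", "windows-server-2016"}},
    "Sid 1-50089":    {"cve": "CVE-2019-0885",  "cvss": 5.9,  "affects": {"windows10", "windows-server-2016"}},
    "Sid 1-50190":    {"cve": "CVE-2019-3462",  "cvss": 8.1,  "affects": {"linux-server", "linux-workstation"}},
    "Sid 1-49188":    {"cve": None,             "cvss": None, "affects": {"linux-server", "linux-workstation"}},
    "Sid 1-46991":    {"cve": "CVE-2018-4243",  "cvss": 5.9,  "affects": {"macos", "ios"}},
}

# Constructed asset inventories from the Part 2 and Part 3 scenarios.
# "unmanaged" lists device classes (assumed BYOD) the inventory cannot exclude.
ENVIRONMENTS: Dict[str, dict] = {
    "windows": {"assets": {"windows10", "windows-server-2016", "hp-printer", "grandstream-ucm6200"},
                "unmanaged": {"macos", "ios"}},
    "linux":   {"assets": {"linux-server", "linux-workstation", "bind", "cisco-ip-phone", "epson-printer"},
                "unmanaged": {"macos", "ios"}},
}

TRUE_POS, LIKELY_FP, NEEDS_INFO, FALSE_POS = (
    "true positive", "likely false positive, needs further investigation",
    "needs further information", "false positive")
PRIORITY = {TRUE_POS: 0, LIKELY_FP: 1, NEEDS_INFO: 2, FALSE_POS: 3}


def classify(alert_id: str, env_name: str) -> str:
    """Apply the lab's rule: present in inventory -> TP, possibly BYOD -> investigate, else FP."""
    alert, env = ALERTS[alert_id], ENVIRONMENTS[env_name]
    if not alert["affects"]:                      # advisory names no platform at all
        return NEEDS_INFO
    if alert["affects"] & env["assets"]:
        return TRUE_POS
    if alert["affects"] & env["unmanaged"]:
        return LIKELY_FP
    return FALSE_POS


def triage(env_name: str) -> List[Tuple[str, str, float]]:
    """Rank all alerts for one environment: TPs first, then by CVSS descending."""
    rows = [(aid, classify(aid, env_name), ALERTS[aid]["cvss"]) for aid in ALERTS]
    return sorted(rows, key=lambda r: (PRIORITY[r[1]], -(r[2] or 0.0)))
```

Running `triage("windows")` reproduces the Part 2 verdicts (five true positives, four false positives, one to investigate), with Sid 1-46597 at the top because it is the highest-scored true positive for that environment.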
