Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add rule to alert on known cryptomining ports in VPC flow logs #972

Merged
merged 11 commits into from
Nov 28, 2023
Merged

Add rule to alert on known cryptomining ports in VPC flow logs #972

merged 11 commits into from
Nov 28, 2023

Conversation

egibs
Copy link
Contributor

@egibs egibs commented Nov 27, 2023

Background

This PR adds a rule to look for known cryptomining ports in VPC flow logs. The rule also contains an empty set that can hold known destination addresses to avoid alerts when a more common port is detected for outbound traffic to a public address (8080, for instance).

Changes

  • Adds a set of CRYPTO_MINING_PORTS to panther-iocs.py
  • Adds a new aws_vpc_crypto_ports.py rule which consumes the aforementioned set
  • Adds aws_vpc_crypto_ports.yml with a few tests (nothing elaborate since we're emulating flow logs)

Testing

  • make fmt; make lint; make test

@egibs egibs requested review from a team November 27, 2023 14:47
@egibs egibs force-pushed the egibs-vpc-flow-log-cryptomining-ports branch from df39bc0 to c6e4467 Compare November 27, 2023 15:13
@arielkr256
Copy link
Contributor

I would set this one to be disabled by default with a lower severity, since it will primarily be used as a building block for correlation rules. By itself it will probably be very noisy.

@egibs
Copy link
Contributor Author

egibs commented Nov 27, 2023

I would set this one to be disabled by default with a lower severity, since it will primarily be used as a building block for correlation rules. By itself it will probably be very noisy.

That was in the back of my mind -- I think this is a safer idea.

arielkr256
arielkr256 reviewed Nov 28, 2023
View reviewed changes
global_helpers/panther_iocs.py Show resolved Hide resolved
global_helpers/panther_iocs.py Outdated Show resolved Hide resolved
@egibs egibs requested a review from arielkr256 November 28, 2023 17:18
@egibs egibs merged commit 28e3bd7 into main Nov 28, 2023
3 checks passed
@egibs egibs deleted the egibs-vpc-flow-log-cryptomining-ports branch November 28, 2023 19:49
@rleighton
Copy link
Contributor

I've done crypto mining detections before ... this will be VERY noisy. Better to use a list of domain names w/VPCdns.

Also, AFAIK VPC flow logs are uni-directional so dst likely does not have the meaning you think it does.

Did you test this on KoS?

This rule seems very dubious.

@egibs
Copy link
Contributor Author

egibs commented Nov 28, 2023

I've done crypto mining detections before ... this will be VERY noisy. Better to use a list of domain names w/VPCdns.

Also, AFAIK VPC flow logs are uni-directional so dst likely does not have the meaning you think it does.

Did you test this on KoS?

This rule seems very dubious.

The plan is to potentially leverage the rule for correlations. We already have DNS rules in place that do work for these types of detections, so this will be supplemental at most and will not be relied upon as a primary rule.

egibs pushed a commit that referenced this pull request Nov 28, 2023
Revert "Add rule to alert on known cryptomining ports in VPC flow logs (
89a1cd9 
#972)"

This reverts commit 28e3bd7.
@egibs egibs mentioned this pull request Nov 28, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arielkr256 arielkr256 arielkr256 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@egibs @arielkr256 @rleighton