ISC Feature of the Week: Contact Us
Overview
How often do I say "send us a note on our contact form" and I've never detailed the page in a feature!? This is a good time to mention, if you have any aspect of the site you would like reviewed or explained in more detail, please feel free to send us a note on our contact form at https://isc.sans.edu/contact.html. Yup, just did that again! :>
There are many reasons, ways and places to contact the Internet Storm Center. Whether you have a general security question, want to let us know about a patch release, want to discuss current events with security folk, find a glitch in the matrix or have a packet capture you'd like analyzed, the Contact Us page at https://isc.sans.edu/contact.html is the place to go.
Features
The top paragraph explains the usefulness of the DShield Discussion List for certain topics. The list's messages are moderated and are generally released within a few minutes to a few hours of submission, and you can expect a response just as quickly.
SSL Version - https://isc.sans.edu/contact.html
The first sub-navigation link forwards you to the SSL-encrypted version of the page. Note that the site should now default to https automatically, but this link is still available just in case.
Submit Logs - https://isc.sans.edu/contact.html#submit-logs
Log Submissions were detailed in our very first Feature Diary at https://isc.sans.edu/diary/ISC+Feature+of+the+Week+How+to+Submit+Firewall+Logs/12316.
Report Site Bug - https://isc.sans.edu/contact.html#submit-bug
In addition to the contact form detailed below, we check the DShield SourceForge project page regularly. You can submit bugs, feature requests, and support requests there. We are always working on improving the site. Be sure to include your debug info along with submissions.
Contact Form - https://isc.sans.edu/contact.html#contact-form
- This form is sent to all ISC handlers, so your submission or inquiry gets the widest exposure to our group. Be sure to include a valid email address if you'd like a response or credit.
- Enter a valid email address, your name and the subject of your message.
- Attach a File
  - Compress multiple files into one tar/zip file.
  - Please don't encrypt or obfuscate the files.
  - Feel free to upload malware samples for analysis, but please mention the nature of the content in the text box below.
- A large text box is provided for your message.
- Let us know your preference for future use of the information you are submitting:
  - Is it OK to forward your submission to our malware analysis group?
  - May we mention your observation in our diary? (your thoughts, findings, etc.)
  - May we mention your first name in our diary? Let us know in the text box if we can also mention a last name and/or a company; otherwise we'll keep your information private.
- Category helps us identify the type of submission. Leave the default "other" for general submissions, or select "Malware" or "Packets" where appropriate.
Your submission is distributed to all ISC handlers at handlers@isc.sans.edu and will be kept confidential within the group unless and until you authorize its use. If you have any concerns, please review our Privacy Policy.
We are #dshield on freenode.net if you'd like to chat with us on IRC.
You can leave a Voice Mail at (757) SANS-ISC (726-7472) if you prefer to contact us by phone.
The PGP keys file at https://isc.sans.edu/PGPKEYS.txt contains many of the ISC's and the handlers' public keys.
Post suggestions or comments in the section below, or send us any questions or comments via the contact form at https://isc.sans.edu/contact.html#contact-form
--
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu
Analyzing outgoing network traffic
We all know that network traffic is a real treasure trove when trying to identify malicious activity. Various organizations have recognized this, and some even mandate that IDS or IPS systems be implemented.
However, such systems typically have problems similar to those of anti-virus products – they depend either on pre-made signatures or on some kind of heuristics, which can be (sometimes easily) evaded.
At the same time, in the AV world we can see that more vendors rely on things such as cloud scanning and reputation systems.
One of the things I often recommend to people is that they check the outgoing network sessions originating from their networks – not only established connections but also the various attempts. For example, you should regularly monitor your firewall logs to see what traffic has been dropped – but put more effort into analyzing which egress connections were blocked, since that can help you identify potentially infected (or hacked) machines on your network.
The best example of when such analysis really pays off is RSA Security – through egress log analysis they found out that the attacker who compromised their network used FTP to transfer files to an external machine. This should make you ask yourself – do you monitor egress connections to detect big(ger) transfers to external hosts, especially those in unusual locations?
Another thing that I found really useful is to correlate those connection attempts with known bad-reputation sources; this brings us back to the point of this diary. Such correlation can really add value to your firewall/router data – knowing that an internal IP address tried to connect to an external IP address, and that this connection attempt was blocked, is good, but knowing that the external IP address is actually a ZeuS C&C really adds value!
Some free reputation sources that I have found to work really well are the following (in no particular order):
- Emerging Threats’ RBN list: http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
- All abuse.ch trackers: Zeus (https://zeustracker.abuse.ch/), SpyEye (https://spyeyetracker.abuse.ch/), Palevo (https://palevotracker.abuse.ch/)
Do you use other reputation sources? Anything you wish to add to this list? Let us know!
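As an added illustration of the correlation described above (example code written for this page, not part of the original diary or of any ISC or DShield tool): it parses a constructed key=value egress firewall log, matches each destination against a constructed reputation dictionary that stands in for a downloaded tracker or RBN list, and also flags accepted sessions moving more than 100 MB outbound, the kind of transfer the RSA example turns on. The log format, the addresses and the reputation entries are all assumptions made for the example.

```python
import re

# Constructed sample egress firewall log (key=value form, RFC 5737 test addresses;
# not real traffic). Blocked attempts are logged alongside accepted sessions.
SAMPLE_LOG = """\
2012-01-10T10:01:02 action=drop src=10.0.0.15 dst=198.51.100.7 proto=tcp dpt=80 bytes=0
2012-01-10T10:01:05 action=drop src=10.0.0.15 dst=198.51.100.7 proto=tcp dpt=443 bytes=0
2012-01-10T10:02:11 action=accept src=10.0.0.22 dst=203.0.113.9 proto=tcp dpt=21 bytes=734003200
2012-01-10T10:03:40 action=accept src=10.0.0.31 dst=192.0.2.44 proto=tcp dpt=443 bytes=5120
2012-01-10T10:04:01 action=drop src=10.0.0.31 dst=192.0.2.250 proto=udp dpt=53 bytes=0
"""

# Constructed reputation entries standing in for a downloaded tracker/RBN list;
# a real feed would be parsed into the same {ip: label} shape.
REPUTATION = {
    "198.51.100.7": "ZeuS C&C (constructed entry)",
    "192.0.2.250": "RBN range (constructed entry)",
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    if "src" not in rec or "dst" not in rec or "action" not in rec:
        return None
    rec["bytes"] = int(rec.get("bytes", "0"))
    return rec

def correlate(log_text, reputation, large_transfer_bytes=100 * 1024 * 1024):
    """Return (src, dst, action, reason) for reputation hits and large accepted transfers."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = reputation.get(rec["dst"])
        if label:  # dropped attempts count too: they point at the infected host
            findings.append((rec["src"], rec["dst"], rec["action"], "reputation: " + label))
        if rec["action"] == "accept" and rec["bytes"] >= large_transfer_bytes:
            reason = "large outbound transfer: %d bytes to port %s" % (rec["bytes"], rec.get("dpt", "?"))
            findings.append((rec["src"], rec["dst"], rec["action"], reason))
    return findings
```

Calling `correlate(SAMPLE_LOG, REPUTATION)` on the constructed log yields four findings: the two blocked attempts from 10.0.0.15 to the ZeuS entry, the 700 MB accepted FTP session from 10.0.0.22, and the blocked DNS attempt from 10.0.0.31 to the RBN entry.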
--
Bojan
INFIGO IS