Who's Attacking Me? - SANS Internet Storm Center

Who's Attacking Me?
I started to play with a nice reconnaissance tool that could be helpful in many cases - offensive as well as defensive. "IVRE" [1] ("DRUNK" in French) is a tool developed by the CEA, the Alternative Energies and Atomic Energy Commission in France. It's a network reconnaissance framework that includes: Passive recon features (via flow analysis coming from Bro or Nfdump Fingerprinting analysis Active recon (via Nmap or Zmap) Import tools (from Nmap or Masscan) I deployed this tool and feed it with attacker's IP addresses collected by my honeypots: My honeypots data are processed by Splunk which, amongst the generation of dashboards, extract the list of offensive IP addresses and feed IVRE. The IP addresses are scanned using Nmap and the post-processing of results stored in a MongoDB database. The post-processing includes: Geo-localization Network tagging Fingerprinting Processing of screenshots All the results are available through a web interface but also via command line tools. At this time, I already collected info from 3500+ IP addresses: Basic information is display per IP addresses: Some reconnaissance features like automatic screenshots: And sharing of data: Very useful to find compromized hosts which deliver malware! The web interface provides a powerful search feature. Examples: Show me all IP addresses from Russia, that have a port 27017 open (MongoDB) Show me the "network devices" from Brazil (switches, routers, firewalls, ...) Show me the hosts running MSSQL without password Show me the available file shares SMB or NFS (Yes, I found some open NFS servers!) Out of the box, statistics are available. Example, the top CPE detected: Getting more knowledge about your attackers is always good. IVRE can help you in this way. This is a very powerful framework that will help you to build your own small "Shodan". Happy hunting! [1] https://ivre.rocks/ Xavier Mertens (@xme) ISC Handler - Freelance Security Consultant PGP Key	Xme 463 Posts ISC Handler
Subscribe	Jan 13th 2017 2 years ago
This is a really interesting program. I'm a little confused how exactly to download it I've had bad luck in the past trying to understand GitHub and actually getting anything running. I only started to use the terminal about a month ago and still have more questions than answers. I tried to download bro and snort and couldn't figure it out at all. Is this something I can figure out how to use and will it help me determine exactly what is going on with my network? I tried to use their documentation and didn't really see anything like a how to. I see lots of odd connections with blacklists of addresses especially from the log on my modem and other unusual things. Does that last chart show that Macs are getting more (malware?) than other computers?	Anonymous
Quote	Jan 13th 2017 2 years ago
The quickest way to deploy it is to run the Docker version!	Xme 463 Posts ISC Handler
Quote	Jan 14th 2017 2 years ago

I started to play with a nice reconnaissance tool that could be helpful in many cases - offensive as well as defensive. "IVRE" [1] ("DRUNK" in French) is a tool developed by the CEA, the Alternative Energies and Atomic Energy Commission in France. It's a network reconnaissance framework that includes:

Passive recon features (via flow analysis coming from Bro or Nfdump
Fingerprinting analysis
Active recon (via Nmap or Zmap)
Import tools (from Nmap or Masscan)

I deployed this tool and feed it with attacker's IP addresses collected by my honeypots:

My honeypots data are processed by Splunk which, amongst the generation of dashboards, extract the list of offensive IP addresses and feed IVRE. The IP addresses are scanned using Nmap and the post-processing of results stored in a MongoDB database. The post-processing includes:

Geo-localization
Network tagging
Fingerprinting
Processing of screenshots

All the results are available through a web interface but also via command line tools. At this time, I already collected info from 3500+ IP addresses:

Basic information is display per IP addresses:

Some reconnaissance features like automatic screenshots:

And sharing of data:

Very useful to find compromized hosts which deliver malware! The web interface provides a powerful search feature. Examples:

Show me all IP addresses from Russia, that have a port 27017 open (MongoDB)
Show me the "network devices" from Brazil (switches, routers, firewalls, ...)
Show me the hosts running MSSQL without password
Show me the available file shares SMB or NFS (Yes, I found some open NFS servers!)

Out of the box, statistics are available. Example, the top CPE detected:

Getting more knowledge about your attackers is always good. IVRE can help you in this way. This is a very powerful framework that will help you to build your own small "Shodan". Happy hunting!

[1] https://ivre.rocks/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Xme

463 Posts
ISC Handler

This is a really interesting program. I'm a little confused how exactly to download it I've had bad luck in the past trying to understand GitHub and actually getting anything running. I only started to use the terminal about a month ago and still have more questions than answers. I tried to download bro and snort and couldn't figure it out at all.

Is this something I can figure out how to use and will it help me determine exactly what is going on with my network? I tried to use their documentation and didn't really see anything like a how to.

I see lots of odd connections with blacklists of addresses especially from the log on my modem and other unusual things. Does that last chart show that Macs are getting more (malware?) than other computers?

Anonymous

The quickest way to deploy it is to run the Docker version!

Xme

463 Posts
ISC Handler