Topic
  • 5 replies
  • Latest Post - ‏2013-02-21T14:23:34Z by SystemAdmin
SystemAdmin

Pinned topic APT1 Investigation

2013-02-20T19:59:38Z
Has anyone started to incorporate the data provided by the APT1 investigation into QRadar? I have a reference set full of FQDNs, but I'm failing in the creation of a rule. I have URLs from a firewall, but it's the full URL; I can see DNS requests in the QFlow payload, but I do not see how to do a payload search using a reference set. Other than that, most of the data is in the IOC format, which doesn't play well with QRadar.
Posted By Derek Thomas
Updated on 2013-02-21T14:23:34Z by SystemAdmin
  • SystemAdmin

    Re: The following py script will

    2013-02-21T03:54:48Z
    The following Python script will get all the IP addresses out of all the IOCs.

    import os

    # Folder holding the unpacked APT1 Appendix G OpenIOC files
    root = r"D:\IOC\Appendix G (Digital) - IOCs"

    files = os.listdir(root)
    for fname in files:
        if fname.lower().endswith(".ioc"):
            with open(os.path.join(root, fname), "r") as fin:
                for line in fin:
                    # OpenIOC stores each IP indicator as <Content type="IP">x.x.x.x</Content>
                    if line.find('<Content type="IP">') > -1:
                        # take the text between the opening and closing tags
                        print(line.split(">")[1].split("<")[0])
    Posted By John Mcleod
  • SystemAdmin

    Re: use custom properties

    2013-02-21T09:27:34Z
    You will need to extract the URLs and/or DNS requests into a custom property, and then use the "when any of these properties are contained in any of these reference set(s)" test in your rule. And you are right to worry that a URL of "http://host1.example.com" will not match if the reference set only contains "example.com". For this reason, it is probably best to extract a "base domain" custom property, rather than the complete URL (or, in addition to the complete URL, meaning two different custom properties) and also to populate your reference set with base domains rather than complete domain names (in other words example.com not host1.example.com).

    If you do this with a script, do take care to watch out for cases where the "base domain" should be more than 2 levels deep, for example "bbc.co.uk". But the bigger challenge there will probably be working out the regular expression to extract the custom property the way you want.

    Posted By travis.mcwaters
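An added example (not code from either poster, and not a QRadar component) that ties the two replies together: it parses a constructed OpenIOC fragment in the layout of the Appendix G files to pull out the DNS and IP indicators, reduces hostnames to a "base domain" while honouring multi-level suffixes such as bbc.co.uk, and then applies the same "base domain is contained in the reference set" check to a full firewall URL and to a raw DNS query name. The multi-level suffix list, the sample indicator values and the element names are assumptions for the demo.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed OpenIOC fragment in the layout of the APT1 appendix files;
# the values are documentation addresses, not real APT1 indicators.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="EXAMPLE-0000">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="Network" search="Network/DNS" type="mir"/>
        <Content type="string">update.host1.example.com</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
        <Content type="IP">192.0.2.10</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""
IOC_NS = "{http://schemas.mandiant.com/2010/ioc}"

# Assumed, deliberately tiny multi-level suffix list; load publicsuffix.org for real use.
MULTI_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

def indicators(ioc_xml):
    """Return {content_type: [values]} for every <Content> element."""
    out = {}
    for c in ET.fromstring(ioc_xml).iter(IOC_NS + "Content"):
        out.setdefault(c.get("type"), []).append(c.text.strip())
    return out

def base_domain(host):
    """Registrable domain: last 2 labels, or 3 under a multi-level suffix."""
    labels = host.lower().strip(". ").split(".")
    depth = 3 if ".".join(labels[-2:]) in MULTI_LEVEL_SUFFIXES else 2
    return ".".join(labels[-depth:])

def reference_set(ioc_xml):
    """Base domains of the DNS indicators, as loaded into the reference set."""
    return {base_domain(v) for v in indicators(ioc_xml).get("string", [])}

def host_from_event(value):
    """Host from a full firewall URL, or from a raw DNS query name."""
    if "://" in value:
        return urlsplit(value).hostname
    return value.split()[0]  # QFlow payload names may carry stray spaces/dots

def matches(event_value, ref_set):
    # Same test as the rule: base domain of the event is contained in the set
    return base_domain(host_from_event(event_value)) in ref_set
```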
  • SystemAdmin

    Re: This does look challenging.

    2013-02-21T14:06:14Z
    This does look challenging. The DNS requests in QFlow payloads aren't pretty. I believe I have seen extra spaces and periods, but I will double check. Firewall logs show the full URL in a pretty standard format and are already parsed; the difficulty will be extracting the domain from the full URL for the reasons you mentioned. I'm going to work on the IP list before I start moving to DNS/URLs. It would be great if we could get some good DNS logs, but I haven't yet found an easy way to do that.
    Posted By Derek Thomas
  • SystemAdmin

    Re: Thanks for this script! I

    2013-02-21T14:09:29Z
    Thanks for this script! I didn't have a chance to rip one out. It would still be cool if we could import .ioc files into QRadar.
    Posted By Derek Thomas
  • SystemAdmin

    Re: Unfortunately I didn't find

    2013-02-21T14:23:34Z
    Unfortunately, I didn't find any IPs in the .ioc files after spot-checking the XML and running the script.
    Posted By Derek Thomas