Feature #5152

open

Anomaly: CredSSP support addition to Suricata anomaly parsing

Added by Peter Manev almost 3 years ago. Updated almost 3 years ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

CredSSP can be used for HTTP authentication; it may not be the best option in terms of security, but it is available.
https://docs.microsoft.com/en-us/powershell/module/microsoft.wsman.management/enable-wsmancredssp?view=powershell-7.2

Currently Suricata generates an anomaly event (REQUEST_AUTH_UNRECOGNIZED) when inspecting HTTP auth with CredSSP, which could result in millions of such events in an organisational setup with lots of PowerShell usage, for example.

{
  "timestamp": "2021-11-15T17:29:46.150405+0100",
  "flow_id": 1858400320896909,
  "pcap_cnt": 131,
  "event_type": "anomaly",
  "src_ip": "ip.ip.ip.ip",
  "src_port": 5985,
  "dest_ip": "ip.ip.ip.ip",
  "dest_port": 64848,
  "proto": "TCP",
  "tx_id": 0,
  "anomaly": {
    "app_proto": "http",
    "type": "applayer",
    "event": "REQUEST_AUTH_UNRECOGNIZED",
    "layer": "proto_parser" 
  }
}
{
  "timestamp": "2021-11-15T17:29:46.152065+0100",
  "flow_id": 1858400320896909,
  "pcap_cnt": 132,
  "event_type": "http",
  "src_ip": "ip.ip.ip.ip",
  "src_port": 64848,
  "dest_ip": "ip.ip.ip.ip",
  "dest_port": 5985,
  "proto": "TCP",
  "tx_id": 0,
  "http": {
    "hostname": "hostrandom",
    "http_port": 5985,
    "url": "/wsman?PSVersion=5.1.15743.2084",
    "http_user_agent": "Microsoft WinRM Client",
    "http_method": "POST",
    "protocol": "HTTP/1.1",
    "status": 401,
    "length": 0,
    "request_headers": [
      {
        "name": "Connection",
        "value": "Keep-Alive" 
      },
      {
        "name": "Content-Type",
        "value": "application/soap+xml;charset=UTF-8" 
      },
      {
        "name": "Authorization",
        "value": "CredSSP gfbSGHZDGBSRgfnFHYejmnjhqwRtwqQQQqqqrGFbgsdHSDFHNxfjdFhjndtujKFYUkfgyK/uOLgaGHUGlIY/lUFFlI+aeKP/iwTYjk=" 
      },
      {
        "name": "User-Agent",
        "value": "Microsoft WinRM Client" 
      },
      {
        "name": "Content-Length",
        "value": "0" 
      },
      {
        "name": "Host",
        "value": "hostrandom:5985" 
      }
    ],
    "response_headers": [
      {
        "name": "WWW-Authenticate",
        "value": "CredSSP bnsfbGLPfdshbnAQFEFWFQQWErfeqreREWqrgfreQbvnmjkfuHzdDYHts/gfsdfhtrDSDGtsrghjkivASDgfAeeGRagrEgASeyhtrHgsagbSAHTh/aSGBCXVZXBZVVSRTsdgGtsrgDFSZg=" 
      },
      {
        "name": "Server",
        "value": "Microsoft-HTTPAPI/2.0" 
      },
      {
        "name": "Date",
        "value": "Mon, 15 Nov 2021 16:29:46 GMT" 
      },
      {
        "name": "Content-Length",
        "value": "0" 
      }
    ]
  }
}
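Until the parser learns the scheme, the practical question for an operator is how much of the REQUEST_AUTH_UNRECOGNIZED volume is CredSSP and how much is something genuinely unexpected. The script below is an added example (not Suricata code and not part of this issue) that links each anomaly record to its HTTP transaction by flow_id and tx_id, reads the Authorization scheme token from the logged request headers, and counts CredSSP separately from unknown schemes. It assumes eve.json is newline-delimited JSON and that the http output logs request_headers, as the record above does; the sample lines and flow_id values are constructed, not from the capture in the issue.

```python
"""Triage Suricata REQUEST_AUTH_UNRECOGNIZED anomaly events against the
HTTP transaction they belong to, so that a known-but-unparsed scheme
such as CredSSP (WinRM over HTTP, tcp/5985) can be separated from
genuinely unknown Authorization schemes.

Added example, not Suricata code. Assumes eve.json is newline-delimited
JSON and that the http event logs request_headers (the record in the
issue shows this shape; it requires header logging in the eve http output).
"""
import json
from collections import Counter

# Constructed sample eve.json lines (not a real capture): a CredSSP pair
# shaped like the one in the issue, a flow with an unknown scheme, a
# Basic-auth transaction with no anomaly, and an anomaly whose http
# record was never logged.
SAMPLE_EVE = r"""
{"flow_id": 1, "tx_id": 0, "event_type": "anomaly", "anomaly": {"app_proto": "http", "type": "applayer", "event": "REQUEST_AUTH_UNRECOGNIZED", "layer": "proto_parser"}}
{"flow_id": 1, "tx_id": 0, "event_type": "http", "http": {"url": "/wsman", "http_user_agent": "Microsoft WinRM Client", "http_method": "POST", "status": 401, "request_headers": [{"name": "Authorization", "value": "CredSSP AAAA"}]}}
{"flow_id": 2, "tx_id": 0, "event_type": "anomaly", "anomaly": {"app_proto": "http", "type": "applayer", "event": "REQUEST_AUTH_UNRECOGNIZED", "layer": "proto_parser"}}
{"flow_id": 2, "tx_id": 0, "event_type": "http", "http": {"url": "/api", "http_method": "GET", "status": 401, "request_headers": [{"name": "authorization", "value": "X-Custom-Token abc"}]}}
{"flow_id": 3, "tx_id": 0, "event_type": "http", "http": {"url": "/", "http_method": "GET", "status": 200, "request_headers": [{"name": "Authorization", "value": "Basic dXNlcjpwYXNz"}]}}
{"flow_id": 4, "tx_id": 0, "event_type": "anomaly", "anomaly": {"app_proto": "http", "type": "applayer", "event": "REQUEST_AUTH_UNRECOGNIZED", "layer": "proto_parser"}}
"""

# Schemes the HTTP parser does not recognise but that are expected in this
# environment. CredSSP is the one from the issue; extend per site policy.
EXPECTED_UNPARSED_SCHEMES = {"credssp"}


def auth_scheme(http_event):
    """Return the lower-cased Authorization scheme token of an eve http
    record, or None when no Authorization header was logged."""
    for hdr in http_event.get("http", {}).get("request_headers", []):
        if hdr.get("name", "").lower() == "authorization":
            value = hdr.get("value", "").strip()
            # RFC 7235: credentials = auth-scheme [ 1*SP (token68 / #auth-param) ]
            return value.split(None, 1)[0].lower() if value else None
    return None


def triage(eve_text, expected=EXPECTED_UNPARSED_SCHEMES):
    """Split REQUEST_AUTH_UNRECOGNIZED anomalies into suppressed
    (expected scheme) and review (unknown or unresolvable scheme).

    Returns (suppressed_count, review_list, per_scheme_counter)."""
    events = [json.loads(line) for line in eve_text.splitlines() if line.strip()]

    # First pass: index the auth scheme of every http transaction by
    # (flow_id, tx_id). The anomaly carries the same pair, which is how the
    # two records in the issue are linked. Two passes are needed because the
    # anomaly is emitted on the packet that triggers it and can precede the
    # http record (pcap_cnt 131 vs 132 in the issue).
    scheme_by_tx = {}
    for ev in events:
        if ev.get("event_type") == "http":
            scheme_by_tx[(ev["flow_id"], ev.get("tx_id", 0))] = auth_scheme(ev)

    suppressed = 0
    review = []
    per_scheme = Counter()
    for ev in events:
        if ev.get("event_type") != "anomaly":
            continue
        if ev["anomaly"].get("event") != "REQUEST_AUTH_UNRECOGNIZED":
            continue
        scheme = scheme_by_tx.get((ev["flow_id"], ev.get("tx_id", 0)))
        per_scheme[scheme or "<no http record>"] += 1
        if scheme in expected:
            suppressed += 1
        else:
            review.append({"flow_id": ev["flow_id"],
                           "tx_id": ev.get("tx_id", 0),
                           "scheme": scheme})
    return suppressed, review, per_scheme


if __name__ == "__main__":
    s, r, c = triage(SAMPLE_EVE)
    print(f"suppressed (expected schemes): {s}")
    print(f"per scheme: {dict(c)}")
    for item in r:
        print("review:", item)
```

Run against a real eve.json the per-scheme counter gives the CredSSP share of the noise directly; anything left in the review list is an Authorization scheme that neither the parser nor the site allow-list knows about, which is the signal the anomaly event was meant to carry.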

#1

Updated by Peter Manev almost 3 years ago

I have private TLP:RED pcap data I can test with if needed.
