Good morning everybody, thank you for being here, and thank you [inaudible] for having me. Today we're going to talk a bit about analyzing traffic. It's not only about traffic, it's about the whole application, and we split it into some steps. I tried to show everything; I have a bunch of slides, so I will try to cover all the slides.

Just a quick introduction: I work as a security instructor at Sucuri. I have two patented technologies, I used to do research, and I started to have pictures like this, so I just moved back to being a system administrator because I was going crazy. I'm an open-source guy, I really like to share information, so if that research were only mine I would probably publish some scripts on GitHub, but they did not allow it. I do triathlon in my spare time, not really in my spare time, but I do a lot of triathlon, and I'm a dad, I have a six-month-old baby that is making life a little bit busy, but that's awesome.

Just a quick overview of my company, since they are paying and allowing me to spend my time on that. I work for Sucuri Security; we do mostly malware removal and we have CloudProxy, that's our product, so most of the ideas I'm going to talk about here we use in our product, so I'm just sharing something from real life. And I heard that we have Joy here, he is a sales manager, and he's giving a three-month trial to everybody that talks to him, so if you want to talk about tech, talk to me; if you want some trial, talk to him. And I have some challenges in the middle of the presentation. I don't have too much stuff, but I have these two beers, so that's awesome, and if you answer my challenge with the right answer I'll give you one; I could give, like, just three guys an answer.

I did my talk based on WordPress; that's just a conceptual idea, there is no big secret. I use WordPress because I'm mostly talking about CMSs, and I think it's the market leader, like 23% of CMSs are WordPress, so that's a good number. So our
motivation behind the talk: we would like to do something different. We don't really feel like we're a competitor with Imperva or ModSecurity, stuff like that; we have a different approach. We have a big focus on some technology, so we mostly try to have fewer rules, since we are working with whitelisting, and have better performance. And I'm kind of not too hype, like "we protect against zero days", not really, but since we're working with whitelisting we have better protection for zero days.

So our agenda: a quick introduction, the four steps, the first step that we use here, some challenges we have and some conclusions. We have some ideas about projects, maybe we could put them under an OWASP project; that would be great, to talk and share more information and make the web a safer place. You could not make it that safe, because if it's too safe we don't have jobs, right?

In each box, just a quick question: who watched the CMS Hacking 101 talk here? Nobody? That was a great talk, they had some good hacking stuff in the talk, and I will mention some hacking that he did that I thought was very interesting, and how we could protect using our ideas.

Just to normalize the concepts: reverse engineering is really to analyze something, understand how it works, and duplicate or create something similar, or in our case, we analyze and create

something to protect. Another quick slide: we are not looking for bugs or security flaws, we don't care about that; for sure if you find something that's good, but we're looking at traffic. I'm a system administrator, so I love pcaps, that's what I love. So if you look for whitelisting, I tried to find something and I found this nice publication, it's [unclear], and they don't talk exactly about web application whitelisting, they are talking about regular software, but basically whitelisting is like: to run something you need to be this way; if something is a bit different, it's something you could consider malicious, like uncommon behavior. So whitelisting is like, I analyze, I see how it works, and I create something like "most will be this way". If you think about it, it's kind of basic, but sometimes it's hard to do that. If you talk about whitelisting software, there is much more malicious software than non-malicious software, so it's much easier to allow the non-malicious software instead of blocking the malicious software. So I really like this concept of whitelisting.

So in our detection we are going to analyze traffic and application structure. We are using the WordPress stuff and analyze the file structure, see which are the more important files, how the attacks handle those files, what you should prevent access to, those directories. We talk about the headers and some behaviors, because behavior is important: if you try to just drop on the request, sometimes it's kind of impossible, we need to have more information, some thresholds and stuff like that. And so, as I said before, we are going to use WordPress as the base, but you could convert the idea to any application; some applications take a lot more time and some applications are kind of easier, or maybe in the future, as we once talked about, create some OWASP project that could have a
lot of information ready to go, so you just use that. So we have our four detection steps. What are the four detection steps? That's kind of, we reverse the traffic: we generate traffic and we analyze traffic and we see what regular traffic, what normal traffic, will do. And then we analyze the application structure: we have a bunch of files, if you look into the directory of the application you have a hundred, 5,000 files, so probably you could not cover all the files, but at least you could cover the most important files. Then we have a kind of local protection and hardening; we need to mitigate the attacks, because nothing is 100%. So if you do those protections, like you reverse the traffic so it creates the good blocks on the request, you analyze the structure and you protect the most important files, but nothing is a hundred percent, so you need to have some local mitigations and we're going to talk about that. And the talk that Greg did yesterday, we covered some things that he showed, but if the application were using something that we are talking about here, you're being protected. And the statistical data: I have the pleasure to work in a Disneyland, because we have a lot of information, we handle traffic from thousands and thousands of domains, so we have a lot of statistical data that could provide some tuning. I'm talking here like all those steps, they talk to each other; I hope to get more in depth in each step, but this statistical data is awesome, we detect a lot of new behaviors, new trends, stuff like that.

So the very first step: let's analyze the traffic. We're talking about traffic, web traffic, we have everything, we have a bunch of information to analyze. This is a kind of mind map, probably you'd have more or less information, but you have the HTTP protocol. So we start to look, not really at the HTTP protocol, but at the IP address, the method, we have the URI, we have the headers, the request and response, we have the body, the request HTTP version and status codes. Mostly I put here the most common information that we handle and use to protect.

So we start to do some analysis. First we need to do some crawling, some spidering; for this sample I just used Burp, everybody uses Burp or ZAP or anything you want. So what's the good side of Burp: you have this spidering and you could emulate a regular user. Where's the first step? I have nothing, I just have an application that my developer wants to put online and I need to protect it. So what do you do? I spider, that's the easiest way to see what's going on, because if you talk to the developer, most of the time they will not tell you everything that's going on. So I just do some crawling here: I start to crawl everything and find information, follow the links and try to catch and create a real site map. It can have some parameters, like in this case, but we use Burp for that. And besides using Burp, what you need to do: while you are crawling the information you need to run tcpdump on the server and save a pcap, because in the future you don't want to do this spidering all the time, so you have the information saved and we could create some scripts and make the work easier. Because, like, who is a system administrator here? Most developers and system administrators are really lazy; we like to script everything, because we don't want to do the same task every time. So we need to crawl, save in the pcap, and test again

and again, but using a pcap, that's much easier, and you could have tshark and Wireshark with some commands that make the parsing pretty basic.

So looking at the GET request: a GET request is pretty basic. What are we looking at when we have the traffic? Why do you look at the GET requests? You have the method here, you have the URI here and here you have some variables. What's good about Burp: they put some colors and make it a lot easier. If you want, you have the params here, split in a different tab, but here you have, like, username, [unclear], ID and parameters, just simulating something. And when you're looking here, what do we need to look at? I know nothing about it, but I know username is supposed to be only words, correct? I don't think anybody has an "@" in their name, or other special characters in their name. So what do you do? You see that username will also mostly have a space, because maybe you have two names, like "Rodrigo" space "Montoro", and words; nobody has numbers in their name, unless your dad is a big hacker and your hacker name has a zero in it, like my nickname. You have ID here; ID is only a number. So what's the point? If ID is a number, why would you try to compare it with a lot of different things? It's not easy. I just get ID, I create a regex like "a number"; anything different from a number, for me, is

malicious. It doesn't matter, a simple word is malicious. And in the previous talk, the CMS hacking one, there was a flaw in a core file of Joomla in that case, and what he did: he just discovered it, he changed ID to something other than a number, and the application broke and showed "oh, you have a wrong query", so you just need to fix it and put the correct query, and he could access the whole database. But if for ID you have a rule that blocks anything but a number, you will not have that problem. You could still have the bug, because the bug is there, but you kind of have virtual patching; they are not going to have access to that bug. And there is no sense... it's kind of like when you go to the bar: you want a beer, right? You don't say "I don't want a whiskey, I don't want vodka, I don't want coke, I don't want..." no, you want a beer, you go straight to it, and so the protection needs to go straight to something you want.

So another point you need to take care of: the user agent is very important, a very important part. I did research in the past, and malicious user agents used to be smaller than regular user agents. Another very important point, the HTTP version: if you look at the RFC for HTTP 1.1, they say HTTP 1.0, for example, is not waiting for the Host header, so that's kind of a mismatch: if you see HTTP 1.0 with some Host, a regular browser will never send that. Another point here, the number of headers, that's very important. In my previous research, if you look at the number of headers going to your application, if it's a regular browser usually it's more than eight headers, and the malicious guys don't care too much about the RFC and that stuff, they just want to send traffic; they usually have three, four. So that's the kind of stuff we need to start figuring out. So that's a regular GET request coming in, and it's

all about how you look at the request; just maybe change how you look at it.

Another one, just to join the methods, the POST request: usually you have the POST method, you have the URI here and the content, you have the body content just over here. Usually when you have some buttons and stuff like that, it's supposed to use POST, since it's kind of more secure, and we have the information here. One point you need to really pay attention to when you're creating blocks, and some attackers will take care about that: somewhere else you have some extra information that the button will add to the request, and I'll show something that we showed. Another point: we have a variable pwd for the password, and that's kind of something you could not whitelist, right, because you're not going to write a regex, I know it could just use words and numbers, so they will just use some bad passwords, they're not using good passwords; users are users. But one point that we figured out here: since you have a lot of statistical data, what we could do is grab the top 100 passwords and just make sure that they are not using those. So it's not whitelisting, but just making sure that they're not going to use some dumb password, because that's the only way you could make sure that they are going to use a good password, or at least one that is not in the top hundred, which when they brute force will be found really quickly.

So I was crawling and I found this, it was very funny: you could get a job from a header. That's funny; I was playing with Burp and there's an X-hacker header: "if you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header." And so I just accessed it and they have a lot of jobs over there. That's a good way, at least

they look at their headers. Those guys are the WordPress creators, they keep the stuff running, they have a lot of jobs listed here. I thought this was a joke, because I was trying to do something illegal, but no, it's real, they really want it: if you're a developer they have a lot of jobs there.

But what I really want to show here is the status code. The status code: when you do some request, we have a status code; when it's okay it's 200, we have a couple of different codes, some codes are for internal server errors, some codes are for client errors, but for us in this case especially we are going to use 200 as the good code, and 404, that's not found, as another code. Because when something malicious, or some bot or some scanner, is running, that IP will generate a lot of 404s. So in the end we have the request, the full request, here like a regular browser: we have the header, we have the information here, and the answer we receive: "okay, 200 OK". That's good; it doesn't mean that the password is okay, it's just the answer from the front end, from the web server.

And so after you do this basic, really basic stuff, you need to spend a lot of time looking at the traffic, as I showed with the two requests. Sometimes applications have a lot of variables, so it could take forever, but it's worth it; at the end you could sleep, like, okay, I could sleep a bit more, because nobody is going to hack my website in the middle of the night. And so I create... maybe in the future I'm going to release a tool, because there is a big difference between releasing something and the code that I do; the code that I do is not something I could release, because I do it as a system administrator: let's make my life easier. So I start trying... I have some traffic that I saved, and that's why I thought

that I saved it in the pcap, so you could keep working on that. And so I create some regexes based on the URL: here you probably have numbers and here you have some words and spaces, and it could be things like this for search; the page ID is only numerical, here's another search, another search. So I create some regexes and run them against my script, and so I have: those URLs will fit here and those will fit here. And so I could use those regexes to just protect my application: I could create some application firewall, I could add something on Apache or add a simple if inside nginx, it doesn't matter, you could just add these regexes and block the traffic. And for sure you have a couple of pieces of information that will not match, and that's the kind of thing you could analyze and reanalyze and make sure it's not malicious, or maybe you're missing some regexes, stuff like that. And the good side, which I like: when you're deploying this you could deploy in IDS mode; I came from the IDS world, so you could just deploy in monitoring mode when you're using real traffic, and so you could fix some false positives, because probably you missed something, so you have some traffic that you probably need to do some new work on, or maybe those regexes will catch some regular traffic.

And so just a quick challenge, you could get your beer [unclear]: what's wrong here? Where is this malicious? Just to see if everybody's awake. Any guess? The username here? No, no, no, that's not

it, that's a try, one more try. Alright, who tried there? I didn't see who. Oh, the IP? No. The GET? Not really. What's wrong here: you have a Mozilla, really, AppleWebKit, Chrome, not a really new version, but no browser will use it with HTTP 1.0. That's why it's wrong. Who gave the suggestion? I have one more, maybe three people. And how about here? Besides being an IP from Ukraine, I don't know, I'm not talking about what's missing because we don't have the whole information here, because it could not fit. You remember, when you POST to wp-login.php, remember that the button adds some information to the content? And if you look here, the POST has just the log and the password, so it's not a regular request, it's somebody trying to do some brute force. Makes sense? Got it. I just come back here quickly: here, when you have the full request, you have the log, the name and the password, but the button, if you're a regular user, a real user, will add more information, and in that case it's missing, they just send the user and password, probably a brute force, right?

So that's the summary: we captured the traffic and we split the traffic, headers, method, variables, all the information you work with, and you figure out what you could block, because maybe you could block more stuff than I could, because we handle like a thousand different websites, so we cannot block everything, because there are a lot of different customers, that's hard; but if you have your own server you could probably block more things. So we split the traffic, you compare each variable against the regexes that we create, if you don't have one you could create a new regex, and then we test with real traffic, and everything will work, so you grab a beer, that's it. So that's the first step, analyzing the traffic.

So the second step: we need to analyze the file directories and structure, and so we have file directories, permissions, monitoring, stuff like that. So if you get the WordPress

tarball you have a lot of files; if you Google it, some guys wrote some stuff about the files, about [unclear], that's real cool, but you need to focus, because if you take care of all the files all the time you'll go crazy. So what's the basic structure: config files, installation files, like in the CMS hacking talk, sometimes to figure out the version of something he just accesses the changelog or readme stuff that is inside the WordPress or Joomla installation, so we need to take care of that. You have a very important file, wp-admin, where you have the administrator user, usually where you could log in as admin of the WordPress site. We have wp-includes, which are core files, so when you get infected those files could just be replaced with the tarball files. And you have wp-content, you have themes, plugins, uploads; we need to take special care of uploads, if you allow uploads, really take care of that. And you have xmlrpc.php; that's a file they love to attack and I will show a bit

more about that. So what is the xmlrpc.php file? It's supposed to handle comments, but comments come with spam, so that's the kind of stuff that I need to balance. It could pingback, it could ping a website, I will show here, so they use it for DDoS attacks, and we have some blog posts about that. It was crazy because it was enabled by default. We have a user... if you use this getUsersBlogs you could brute force, and so we were protecting wp-login for brute force, and we saw that they're brute forcing using the XML file, so we need to protect that. Or if you want to have some fun, you could redirect to some honeypot and show who is the boss: "you rock my blog, I sniff your packets", that's kind of sharing needs. And so here, simple, I'm talking about the xmlrpc login attempt: they ask for the file and they send the user here, that's the user "test". So never create a user called test, because you'll probably use some bad password, because you say "no, no, it's just quick, it's temporary", and those users stay forever. And the password here in this sample is [unclear], so they are just brute forcing. And it took us some time to figure that out, so we started to really understand the API behind it, and this file, some brute force. So here is a brute force, that's why you find this; they are using it because we refer like we are protecting wp-admin, so you're good, but you're not that good. So that's the amount of requests we got in that period: I think probably here in the beginning of July they started, they discovered that, and it's kind of, they share a lot of information between them, I think, because that's crazy. And so Sunday, let's start more, and so a big spike, and here in the middle of July they started to go really, really hard. And so what did we do? That data, probably xmlrpc, they

need to have access to that, so we created a rule: if they have the XML access plus the getUsersBlogs stuff, we're going to block. So the pingback: did somebody hear about the DDoS using the pingback? You did. So basically you could use a command line, any WordPress, hit the file, they have a method called pingback.ping, and you put the victim site here and they start to send the request to that website. But any WordPress could be used, because it was enabled by default, so you could go to Google and enumerate a hundred thousand WordPress sites and just create a script, and probably you're DDoSing. And so we got something like this: a hundred and sixty-two thousand WordPress websites attacking our customers, and that's what's crazy, because it's kind of regular traffic from real IPs; it's not hacked IPs, it's kind of being hacked but it's not really hacked. Another point that we need to take care of is wp-admin access, having access, because it's weird, like here, you have a different pattern: usually you have a couple of blocks, real blocks here, and suddenly you have some spikes, and so we have spikes, and when you're really getting deep you find some new things like this, like

[unclear] thousand attempts, it's like a week. That's some numbers; it's not usually that number, sometimes it's much more, sometimes a bit less, but imagine, we block a lot of attacks for wp-admin only, and some customers just disable this protection, so you don't have logs for that, so probably they have much more access to the information, but we don't know, it's up to the customer. We have this feature but it's up to them, so sometimes it's hard, because some websites need to allow anyone to log in, right?

And so just quickly some .htaccess with restrictions for files they upload: if you do Options -Indexes, a lot of people could upload, but if you're doing that, how does the information get listed? So you could add this to make sure that it's not going to list, and this one: you are not allowing somebody from outside to have access to a .php file. That's very simple, but when you allow uploads they could upload a webshell, right? And if they upload a webshell they could start your apps, send some commands, but if you have something like this you avoid that; they could upload, but, oh well, they could change the extensions and all that stuff, you need to really take care of that. And so, what I mean: if you could allow only a few users, a few IP addresses, that's much better, but if you have a regular browser, a regular blog, that's kind of hard. The xmlrpc we block by default in our service, so if the customer needs, for any reason, to have some access, we allow everybody to have access, but we have some rules as I told you, and then the correlation logs, to keep a kind of protection. And here a couple more samples, like blog, like text files, log files, just make sure people haven't by mistake left some information over there.

And so another point, the third step, local protection and hardening. So you need to mitigate that, and everybody here knows there is no 100% security, so we want to mitigate. So what do you

do? I just cut the internet cable and make it offline, so you're good. But how do you do that? We have some tricks here: we have real-time monitoring, you could download OSSEC, it's an open source project, and besides all the features that they have, they have this awesome feature for Linux that uses the inotify functionality from the kernel, so in real time, if somebody changes any file that you think is important, any extension, they will just send you an alert. That's very interesting; talking about the CMS hacking talk, I don't know why, Greg needed to do something on the server for them, so they just gave him kind of admin access into the WordPress, and what he did: he just removed the 404.php file content and changed it for a webshell, because they didn't want to give a shell to him. So he just did that. If you have this running you'd get on the right way: why did they change that? If you have a modification, why did they change that, why did they create new files? So when you have some infection or somebody hitting your server, you have to monitor this in real time. If you read the Network Security Monitoring book, it's about how fast you could detect the attacker; it's not about preventing a hundred percent, because the attacker will always have access if he wants, that's the biggest rule of life, but you could try to make life difficult.

So another threshold idea that we have: too many 404s. Who generates them? A regular user will not access a lot of not-found information on your server, so either it's a web scanner or something malicious, it's not a good regular user. Another

threshold: GETs per time for the same IP. A regular IP will not send too much, too many GETs; I'm not going to send 50 requests in 3 seconds, that's not common; POST, the same concept. So that's the kind of idea that we saw, that you could create; we could monitor a bit and get some time thresholds and add that.

Especially for file permissions: do you guys know the command called chattr? It looks like this. I'm just simulating a quick infection: I echo "malware content" to test.php, so cat test.php: malware content. So we list the permissions, and like spooker, they have permissions, that's okay, and I list the special attributes. Now I just did chattr +i, and we check, this file becomes immutable, and so if I am spooker, su spooker here, I try to add content, I don't have permission. So it's kind of paranoid, but if the Apache server has that, Greg will not get their webshell, because the web user could read the content but could not add information; you need root to change the permissions of the files. And most of the time, unless you are upgrading your WordPress, the changes are in the database, the files are the same, so that's the kind of stuff you could add. It's kind of paranoid, but it's kind of very nice.

And so, just to finish, the fourth step, some statistical data. Statistical data is where false positives become something interesting too, because you could figure out what I'm doing wrong, or maybe how I could improve that. And so we do some counterintelligence, work on behaviors, alerts to get new trends, like those blog posts I mentioned before; it's kind of new trends, when you release that everybody starts to figure out "oh, we're being attacked", stuff like that. And honeypots:

we have kind of real-life honeypots, that's all we have, because we have some good clients that people will try to attack. And so behavior is all about how you look at the problem. If you have some three user agents like this, only three, for example, out of thousands, I just put that, how are you going to protect, what are you going to create, how are you going to behave on that? We usually look from a different approach: you could tell me "it could be A, B, C, D that you have in everything", but if you look at A, B, C, D, that's a blacklist way of doing stuff, so if by any chance the attacker just changes D for E, you're out of the game. But what is common here: all the user agents have 19 bytes. That's how we try to look at things differently, because sometimes it's kind of crazy, too much information going on, and you need, like, oh my God, what do I need to do, they're going to win the battle, and so we figure out, oh, they're missing this, and we try to see anything we could.

So some statistics: we block in a week a lot of access to xmlrpc, and if you look by IP, the USA is the country that attacks the most, but that's common, because I think most of the hosting and infected machines are hosted in the U.S., so that's pretty common; China in second, and a couple more countries here. And so one point very, very interesting: if we're doing, say, creating some protection using GeoIP, like 40% of our

blocks is GeoIP; the customer could set "I don't want traffic from those countries", and so they could just block, and that percentage saves a lot of performance and traffic and CPU. The top methods: GET is the most used, POST is a bit, is in second, HEAD, TRACE, COOK, I don't know what COOK is, right, I'd like to cook. I think I'm out of time, but if you could stay a little bit before lunch I could finish, and some stuff like... I'm just finishing. So the HTTP version, as I told you, regular browsers don't use HTTP 1.0; we have some scripts and some bots that use it, and so we block, in a week, almost 1 million requests using HTTP version 1.0. And I think because they have the Great Firewall of China they could not update their web browsers, so poor China, they have some very old browsers, so they are the top one here using HTTP 1.0; Ukraine, Singapore, that's the kind of traffic, like if you have something related to the US you don't want traffic from a lot of different countries; Brazil, we're here. And so in summary: we reverse the traffic, analyze the application structure, it doesn't matter
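The first step of the talk (per-parameter whitelist regexes built from captured traffic) and the behaviour checks it mentions (HTTP/1.0 carrying a Host header, fewer than eight headers, short user agents, a wp-login.php POST without the fields the form button adds, a getUsersBlogs call to xmlrpc.php, too many 404s from one IP) can be put together in a small checker. The block below is an added example written for this page, not code from the talk, from Sucuri or from CloudProxy. The sample requests and log entries are constructed, the `MIN_UA_LEN` and `MAX_404_PER_IP` thresholds are assumptions, and the only threshold taken from the talk is the eight-header count.

```python
"""Whitelist-style request checks in the spirit of the talk's first step.
Added example, not the speaker's or Sucuri's code; sample requests and log
entries are constructed, and thresholds marked 'assumed' are not from the talk."""
import re
from collections import Counter
from urllib.parse import parse_qs

# Per-parameter whitelist regexes: decide what a value is allowed to look like
# and treat anything else as malicious (the "I want a beer" approach).
PARAM_RULES = {
    "id": re.compile(r"^[0-9]+$"),                        # IDs are only numbers
    "username": re.compile(r"^[A-Za-z]+( [A-Za-z]+)*$"),  # words separated by spaces
}
MIN_HEADERS = 8                                # from the talk: real browsers send 8+
MIN_UA_LEN = 40                                # assumed: short user agents were a signal
MAX_404_PER_IP = 20                            # assumed "too many 404s" threshold
WP_LOGIN_FIELDS = {"log", "pwd", "wp-submit"}  # wp-submit is what the form button adds
FORM_TYPE = "application/x-www-form-urlencoded"


def parse_request(raw):
    """Split a raw HTTP request into method, path, version, headers, body and params."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    # Only decode the body as form fields when it actually is a form post
    body_params = parse_qs(body) if headers.get("content-type", "").startswith(FORM_TYPE) else {}
    return {"method": method, "path": path, "version": version, "headers": headers,
            "body": body, "params": {**parse_qs(query), **body_params}}


def check_request(req):
    """Return the reasons a parsed request deviates from the whitelist (empty = clean)."""
    reasons = []
    for name, values in req["params"].items():
        rule = PARAM_RULES.get(name)
        if rule and not all(rule.match(v) for v in values):
            reasons.append(f"param {name} fails whitelist")
    # HTTP/1.0 does not expect a Host header; a 1.0 request carrying one is a mismatch
    if req["version"] == "HTTP/1.0" and "host" in req["headers"]:
        reasons.append("HTTP/1.0 with Host header")
    if len(req["headers"]) < MIN_HEADERS:
        reasons.append(f"only {len(req['headers'])} headers")
    ua = req["headers"].get("user-agent", "")
    if len(ua) < MIN_UA_LEN:
        reasons.append(f"short user-agent ({len(ua)} bytes)")
    # A real login goes through the form, so the button's field must be in the body
    if req["method"] == "POST" and req["path"] == "/wp-login.php":
        missing = WP_LOGIN_FIELDS - set(req["params"])
        if missing:
            reasons.append("wp-login.php POST missing " + ",".join(sorted(missing)))
    # The talk's xmlrpc rule: XML-RPC access plus the getUsersBlogs method
    if req["path"] == "/xmlrpc.php" and "getUsersBlogs" in req["body"]:
        reasons.append("xmlrpc.php call to getUsersBlogs")
    return reasons


def noisy_ips(log_entries, limit=MAX_404_PER_IP):
    """From (ip, status) pairs, return the IPs that produced more than `limit` 404s."""
    counts = Counter(ip for ip, status in log_entries if status == 404)
    return sorted(ip for ip, n in counts.items() if n > limit)


# Constructed sample traffic (not captured data)
BROWSER_LOGIN = (
    "POST /wp-login.php HTTP/1.1\r\nHost: blog.example\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/38.0 Safari/537.36\r\n"
    "Accept: text/html\r\nAccept-Language: en-US\r\nAccept-Encoding: gzip\r\n"
    "Referer: http://blog.example/wp-login.php\r\nCookie: wordpress_test_cookie=WP+Cookie+check\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 86\r\n\r\n"
    "log=rodrigo&pwd=correct+horse&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1"
)
BRUTE_FORCE = (
    "POST /wp-login.php HTTP/1.0\r\nHost: blog.example\r\nUser-Agent: Mozilla/4.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nlog=admin&pwd=123456"
)
BAD_ID = "GET /?id=12%27+OR+1%3D1&username=Rodrigo+Montoro HTTP/1.1\r\nHost: blog.example\r\n\r\n"
XMLRPC_BRUTE = (
    "POST /xmlrpc.php HTTP/1.1\r\nHost: blog.example\r\nContent-Type: text/xml\r\n\r\n"
    "<?xml version=\"1.0\"?><methodCall><methodName>wp.getUsersBlogs</methodName>"
    "<params><param><value>test</value></param><param><value>guess1</value></param></params></methodCall>"
)
SAMPLE_LOG = [("203.0.113.7", 404)] * 5 + [("198.51.100.2", 404), ("198.51.100.2", 200)]

if __name__ == "__main__":
    samples = (("browser", BROWSER_LOGIN), ("brute force", BRUTE_FORCE),
               ("bad id", BAD_ID), ("xmlrpc", XMLRPC_BRUTE))
    for name, raw in samples:
        print(name, check_request(parse_request(raw)) or "clean")
    print("noisy IPs:", noisy_ips(SAMPLE_LOG, limit=3))
```

Run it as a script to see each constructed request scored; the browser login comes back clean and the brute-force attempt trips every behaviour check at once, which is the point the talk makes about stacking thresholds rather than relying on a single rule. In a real deployment the same functions would be fed from the saved pcap (tshark can export the HTTP requests) and run first in monitoring mode so that regexes which catch legitimate traffic can be fixed before anything is blocked.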