
Network traffic analysis for IR: Event-based analysis

Introduction to event-based analysis

Event-based analysis, as its name suggests, focuses on analysis of specific events that occur on the monitored network. This is accomplished by defining the event of interest, like malware detected within a phishing email, in such a way that a “hit” can be easily differentiated from a false positive.

If an incident responder can define a specific event with this level of accuracy and clarity, event-based traffic analysis can be a very valuable tool. Unlike connection-based or statistical analysis, which are primarily designed to draw attention to anomalies, an alert based on event-based analysis provides the analyst with specific information about the type of attack or other event being experienced on the network.

Performing event-based analysis

Event-based analysis is based on signatures: descriptions of a particular event that can be used to test whether that event has occurred. A common example is a malware signature, where features of the malicious file are extracted for use in an antivirus, intrusion detection/prevention system or other detection and monitoring tool.

While each system can use its own unique scheme for defining signatures, the desire for interoperability and the prominence of some solutions have led to a couple of “standard” signature formats: Snort signatures and YARA rules.

Snort signatures

Snort is an open-source, free network intrusion detection and prevention system. This IDS and IPS is extremely powerful, making it a widely used product.

Snort rules are signatures developed specifically for use with the Snort IDS/IPS. They are designed to be extremely readable and flexible, making them a popular choice for defining signatures for event-based analysis.

[Image: structure of a Snort rule (Source)]

As shown in the image above, a Snort rule has several fields:

  • Action: What should occur if the event is triggered (e.g., send an alert to the analyst)
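As an added illustration (not code from the original post), the following Python parses a Snort rule into its header fields and options, then checks constructed sample packets against it so that a genuine hit can be told apart from a benign request to the same server. The rule, the values assumed for $HOME_NET and $EXTERNAL_NET, and the packets are all constructed for this example.

```python
import ipaddress
import re

# Constructed sample rule in standard Snort syntax: alert on TCP traffic from outside to
# port 80 on the home network whose payload carries the given string (not from the post).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
        '(msg:"Suspicious User-Agent"; content:"User-Agent: evil"; sid:1000001; rev:1;)')
# Assumed values for the rule's network variables (Snort takes them from its config).
VARS = {"$HOME_NET": ["10.0.0.0/8"], "$EXTERNAL_NET": ["0.0.0.0/0"]}
# Header: action proto src sport direction dst dport, then the options in parentheses.
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$", re.S)

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in body.split(";"))):  # ';' inside quotes not handled
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def _addr_ok(spec, ip):
    nets = VARS.get(spec, [spec])  # resolve $VAR names; otherwise spec is a CIDR or address
    return spec == "any" or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def _ends_ok(rule, src, sport, dst, dport):
    return (_addr_ok(rule["src"], src) and rule["sport"] in ("any", str(sport))
            and _addr_ok(rule["dst"], dst) and rule["dport"] in ("any", str(dport)))

def rule_hits(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes)."""
    if pkt["proto"] != rule["proto"]:
        return False
    ok = _ends_ok(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not ok and rule["direction"] == "<>":  # bidirectional rules also match the reverse flow
        ok = _ends_ok(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    content = rule["options"].get("content")
    return ok and (content is None or content.encode() in pkt["payload"])

def find_hits(rule, packets):  # indices of packets that trigger the rule, with its msg text
    return [(i, rule["options"].get("msg", "")) for i, p in enumerate(packets) if rule_hits(rule, p)]

# Constructed sample traffic: one hit, then a benign request to the same server and port.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.9", "sport": 50001, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nUser-Agent: evil\r\n\r\n"},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 50002, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"},
]
```

Calling `find_hits(parse_rule(RULE), PACKETS)` returns only the first packet, tagged with the rule's msg text, which is the kind of specific, attack-typed alert the post contrasts with anomaly-based approaches.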

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/Q0PZPIL3Esg/