Sunday, August 11, 2013

IDS alert analysis

Today I was going through my IDS logs and found something suspicious.

The following are the steps I took to know that the alerts were benign.


I went inside the payload, nothing was evident.  So I wanted to know how did I end up on the IP 130.239.18.142, so I went to my proxy logs and grep'ed the IP.  In an instance I came to realize that I was downloading some ISO files.


Now to prove that the timing match,

The first field on the proxy logs is unix epoch time, I converted that (1374814496.635) using [date -d @1374814496.635 +"%d-%m-%Y %T %z"]  to verify the same. "26-07-2013 10:24:56 +0530"
The second field is the milliseconds which took to download the file "1330675". Since unix epoch time increments one per second I had to get the seconds component by dividing the number by 1000 which gives me approx 1330 and add this with the previous epoch time to get the TotalTime of 1374815826 which happens to translate to "26-07-2013 10:47:06 +0530"

This shows that the alerts were well within the time of the download and IDS was sure to trip off any data contained within the ISO file which is obviously falsepositive.  Case closed.