[SecurityRatty] tag: ttl

EPTS: Proposed Event Processing Definitions, September 20, 2006

Thu, 21 Aug 2008 01:47:11 +0000

For interested readers, here are the event processing definitions we provided to the (future) EPTS working group on September 20, 2006, coordinated (edited) by David Luckham and Roy Schulte;

adaptive process management (n.) an element of resource and business process management, adaptive search and event processing. Sometimes referred to as “Level 4” event processing or process refinement.

application concept (n.) a definition of a set of properties that represent the data fields of an application entity. An application concept can describe relationships among themselves. For example, an order concept might have a parent/child relationship with an item concept. A department concept might be related to a purchase requisition concept based on the shared property, department_id. Application concepts can include an application state model.

application state modeler (n.) a UML-compliant application that allows you to model the life cycle of a concept instance — that is, for each instance of a given concept, you can define which states it will pass through and how it will transition from state to state. States have entry actions, exit actions, and conditions, providing precision control over the behavior of an event processing agent. Transitions between states also may have rules. Multiple types of states and transitions maximize the versatility and power of the application state modeler.

derived event (n.) an event that is created as a result of processing one or more other events.

complex event (n.) an event that is a situation-entity abstraction of two or more simple, derived or other complex events.

complex event processing (n.) CEP is a technology for extracting information from message-based systems. CEP is primarily an event processing concept that deals with the task of processing multiple events from an event cloud with the goal of identifying the meaningful events within the event cloud. CEP employs techniques such as detection of complex patterns of many events, event correlation and abstraction, event hierarchies, and relationships between events such as causality, membership, and timing, and event-driven processes.

event (n.) a instance of an event definition. It is an immutable object that represents a business activity that happened at a single point in time. Just as one cannot change the fact that a given activity occurred, one cannot change an event — events are immutable.

event aggregation (n.) the aggregation of simple, derived or complex events into higher levels of event abstractions.

event definition (n.) a set of properties related to a given activity that represents an important or interesting change of state in a human, system or computational activity. An event definition includes event properties such as event priority, event time to live (TTL), and a description of the payload, which is comprehensive information related to the activity that occurred. Events expire when the TTL has elapsed, unless the event processing agent has instructions to consume them prior to that time.

event channel (n.) a communications channel in which events are transmitted from event source to event receivers, typically received as electronic messages. Each channel can have multiple destination and. events can be configured to transmit to a default destination. JMS is an example of an event channel.

event cloud (n.) a partially ordered set of events (poset), either bounded or unbounded, where the partial orderings are imposed by the causal, timing and other relationships between the events. Typically an event cloud is created by the events produced by one or more distributed systems. An event cloud may contain many event types, event streams and event channels. The difference between a cloud and a stream is that there is no event relationship that totally orders the events in a cloud.

event-driven (n.) the behavior of a human, system or computational entity whose execution or actuation is in response to events, typically received as electronic messages.

event-driven architecture (n.) an architectural style for distributed computing applications in which some of the components are event-driven and communicate by means of events.

event processing (n.) computing that performs operations on events, including modifying, creating and destroying events.

event-object (n.) an software object that represents an event, generally for the purpose of computer processing, that exhibits both encapsulation, inheritance and polymorphism.

event prediction (n.) computational activity where the impact of events, complex events, and situations caused by events identified, including both opportunity or threat. Sometimes referred to as “Level 2” event processing, impact assessment or predictive analytics.

event pre-processing (n.) computational activity where events are cleansed or normalized to produce semantically understandable data. Sometimes referred to as “Level 0” event processing.

event processing (n.) computational activities on events dealing with the association, correlation, and combination of event data and information from single and multiple event sources to achieve refined identity and situation estimates for observed event objects, and to achieve complete and timely assessments of opportunities, threats, and their significance. Event processing is characterized by continuous refinements of event estimates and assessments and by evaluation of the need for additional sources, or modification of the process itself, to achieve improved results.

event processing agent (n.) an EPA is a computational entity that performs event processing.

event processing network (n.) a set of event processing agents and a set of event channels connecting them.

event properties (n.) data representation of an event, typically by name-value pairs of type string, integer, real, boolean or a complex data type.

event refinement (n.) filter, identify and track events & make initial processing decisions based on association, correlation and state estimation. Sometimes referred to as “Level 1” event, or event-object, track and trace.

event stream (n.) a time-ordered sequence of events. An event stream may be bounded by a certain time interval or other contextual dimension (content, space, source, certainty), or be open ended and unbounded.

event stream processing (n.) a time-ordered sequence of events. An event stream may be bounded by a certain time interval or other contextual dimension (content, space, source, certainty), or be open ended and unbounded.

rule (n.) defines what triggers unusual, suspicious, problematic, or advantageous activity within an event processing agent and what the EPA does when it discovers these types of activities. Rules execute actions based on certain conditions on events, instances, or a combination of both. A rule includes a group of condition-rule statements and action-rule statements. The condition statements instruct the EPA what to look for in events, and action statements instruct the EPA how to respond when conditions are met. If all the conditions in a rule are satisfied by events or instances or both, the EPA fires the actions. The action might be to execute tasks, create an event instance, modify property values in an event instance, create and send an event, or something else.

rules engine (n.) a type of event processing agent that uses a declarative programming model to process events. Formally described as “an abstract structure that describes a formal language precisely, i.e., a set of rules that mathematically delineates a (usually infinite) set of finite-length strings over a (usually finite) alphabet“. Informally, it can be any system that uses rules, in any form, that can be applied to data to produce outcomes.

rule language (n.) is an artificial language that is used to control the behavior of an event processing agent. Rules languages, like human languages, have syntactic and semantic rules to define meaning.

situation refinement (n.) identify situations, or complex events, based on event clustering, event-event relationships and relationship analysis and context. Sometimes referred to as “Level 2” event processing.

simple event (n.) an event that is not an abstraction or composition of other events.

virtual event (n.) an event that is imagined, modeled or simulated.

Note: The Emerging Technologies Engineering Team at TIBCO Software significantly contributed to these event processing terms and definitions.

Visualized Storm fireworks for your 4th of July

Thu, 03 Jul 2008 16:54:00 +0000

As expected, the Storm botnet maestros have queued up some pwnage for your 4th of July.
See the SANS diary for all the details.
Upon receipt of my first fireworks.exe sample this evening, I went through the standard routine and ran it through the analysis mill. Like the ISC said, not much new here, but if you'd like the nitty-gritty, I've put the analysis report here, the peers config list here, and the pcap here.
However, what I was really inspired to do this evening was visualize the pcap with Raffael Marty's AfterGlow. His new book, Applied Security Visualization, is coming out next month, so we can turn old Storm news into a celebration of the 4th and the pending release of Applied Security Visualization. By the way, Raffael's visualization workshop slides from the 20th Annual FIRST Conference in Vancouver, B.C. last week are here, and mine regarding Malcode Analysis for Incident Handlers are here.
So, a little AfterGlow magic,
tcpdump -vttttnnelr /home/rmcree/pcap/fireworks.pcap | ./tcpdump2csv.pl "sip dip ttl" | perl ../graph/afterglow.pl -c /home/rmcree/afterglow/src/perl/graph/color.properties -p 2 | neato -Tgif -o fireworks.gif, and the results look just like the fireworks we hoped they would.
Happy 4th of July everyone!
Except you Storm a$$hat$. ;-)

del.icio.us | digg

Storm-Bot stripshow analysis

Sun, 23 Dec 2007 19:06:00 +0000

Merry Christmas from the RBN. Now on a PC near you, a stripshow from Santa's helpers. Or not.
The ISC reported the expected Storm surge Christmas eve at 0000 GMT.
hxxp://merrychristmas.com/stripshow.exe (modified to protect the innocent) yields a hash of 2BBA62FBC3B9AF85C3C7D64A82E1237C. Once executed it immediately copies itself as disnisa.exe to C:\WINDOWS and adds a startup registry key for the same.

Current AV detection includes:
Kaspersky stripshow.exe - Email-Worm.Win32.Zhelatin.pd.
eTrust-Vet - Win32/Sintun.AT
Microsoft - Trojan:Win32/Tibs.gen!ldr
Symantec - Trojan.Peacomm.D

After a quick time check to Microsoft's time server, this variant switches immediately to very noisy P2P on a variety of ports. In addition to the ISC-recommended HTTP and email blocks for outbound to merrychristmasdude.com, you have to consider if you really need outbound UDP traffic above 1024. I'm a firm believer in deny all and make exceptions only via legitimate business case. If you can achieve such lockdown, even though your hosts may suffer infection, they won't be communicating with their friends and neighbors.
From API analysis we see a few interesting tidbits:

w32tm /config /update
403014 Copy(c:\malware\stripshow.exe->C:\WINDOWS\disnisa.exe)
77e6bc59 WriteFile(h=7a0)
403038 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
40305f RegSetValueExA (disnisa)
402ba0 WinExec(w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov,100)
77e7d0b7 WaitForSingleObject(788,64)
402ba8 WinExec(w32tm /config /update,100)
40309b CreateProcessA(C:\WINDOWS\disnisa.exe,(null),0,(null))
4030df WinExec(netsh firewall set allowedprogram "C:\WINDOWS\disnisa.exe" enable,100)
71ab52c6 LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
71a5716a LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
71aa14eb GlobalAlloc()
40da1b bind(8c, port=26790)
77e7ac53 CreateRemoteThread(h=ffffffff, start=404b05)
40da1b bind(b8, port=7018)
40d9c7 listen(h=b8 )
40a262 WaitForSingleObject(d4,2710)

Nice, do a little time sync, allow ourselves through the firewall, then bind, listen, and wait.
First, add another registry entry,

0cd2d RegCreateKeyExA (HKLM\Software\Microsoft\Windows\ITStorage\Finders,)

then start connecting:

71a54cee LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
77e7ac53 CreateRemoteThread(h=ffffffff, start=71a519c4)
40d9f1 connect( 193.33.146.178:24714 )
40d9f1 connect( 74.60.173.98:3887 )
40d9f1 connect( 58.74.135.13:30843 )
40d9f1 connect( 222.119.113.135:22295 )
40d9f1 connect( 71.234.220.147:20232 )
40d9f1 connect( 76.84.231.43:14172 )
40d9f1 connect( 124.5.147.194:16544 )
40d9f1 connect( 58.8.236.130:13224 )
40d9f1 connect( 190.79.151.75:2952 )
40d9f1 connect( 58.8.122.191:29646 )

Once this little bugger hits the network, expect flood-like traffic.
My infected sandbox victim exhausted my 1.5mb DSL connection instantly, in part from a ton of inbound responses from peers being logged at my firewall:

SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=59178 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=60978 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=4987 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=6619 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=13762 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=18384 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=19891 PROTO=UDP SPT=24045 DPT=26790 LEN=33

At last, the peer list referred to by the ISC, written to C:\WINDOWS (many more entries not included):

[config]
[local]
uport=20142
[peers]
00003D6C8F338A3FDD3DF3648666F55C=0CCE03EE2BD100
0100A634122F3553A046EC451061927C=0CCEEF9C5BF700
02007E238D780D25FD5511285E2E596E=0CD9D73081A500
03001E62DC533E7AF6161729A953891B=180BB9671B4800
0400EB5EC13599373A3D544A2D6AF94F=180FAC024F7300
05004710B3440F5D2117CE555A62D04A=1810D0AE22DA00
06001471521206296D099433C93EC427=1813911C2E6100
07002D6D5B0FE3019C56B1290A564E59=1820B08043D700
0800A2417153943DC23C6C5C817C4159=18257B254F2600

There's nothing new or exciting here: SPAM component, headless P2P, seasonal social engineering, fast flux, and other pervasively annoying attributes.
User awareness, as always, is your strongest defense.
Cheers and happy holidays, except for you RBN a$$h0735.