Closed kevross33 closed 8 years ago
That is actually a good point. I will just remove it for now because it isn't a particularly strong individual indicator anyway so I will include it in other checks as I build on this rather than as a stand-alone indicator.
OK there is a problem with the sig but I am too tired to spot it. It basically is returning true even if no HTTP traffic is generated and I am not sure why.
I had added in additional checks, regexes etc. to use the low fidelity checks in combo to generate more reliable indicators, and I noticed it was triggering on some samples, but it occurs on this version too.
It always returns true because you're only checking for self.weight -- which is initialized in the class abstract to 1. https://github.com/brad-accuvant/cuckoo-modified/blob/master/lib/cuckoo/common/abstracts.py#L664
You want

    if self.weight > 1:
        return True
Or preferably, initialize the weight to 0 where the confidence is set and then leave the original weight check.
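To make the diagnosis above concrete, here is a small added example (not code from cuckoo-modified; the `Signature` class, its `run()` method and the `host_is_bare_ip` check are all stand-ins constructed for this illustration). It reproduces the bug, a base class that initialises `weight` to 1 so `if self.weight:` is always true, beside the fix of starting the signature's own weight at 0 so the original truthiness check means "at least one hit".

```python
import ipaddress


def host_is_bare_ip(host):
    """Low-fidelity check constructed for this example: the HTTP Host value is a
    raw IP address rather than a name. Weak on its own, as the thread notes."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


class Signature:
    """Toy stand-in for a sandbox signature base class (hypothetical, not the
    project's own). Assumption mirrored from the thread: weight defaults to 1."""
    weight = 1

    def __init__(self, http_calls):
        self.http_calls = http_calls  # list of constructed HTTP request records
        self.data = []                # records that matched, for the report

    def run(self):
        raise NotImplementedError


class BuggyHttpAnomaly(Signature):
    """The pattern being diagnosed: bump weight per hit, then test truthiness."""

    def run(self):
        for call in self.http_calls:
            if host_is_bare_ip(call["host"]):
                self.weight += 1
                self.data.append(call)
        # weight is never 0 here, so this fires even with no HTTP traffic at all
        if self.weight:
            return True
        return False


class FixedHttpAnomaly(Signature):
    """Fix: initialise this signature's weight to 0 where confidence is built up,
    and keep the original truthiness check unchanged."""

    def __init__(self, http_calls):
        super().__init__(http_calls)
        self.weight = 0

    def run(self):
        for call in self.http_calls:
            if host_is_bare_ip(call["host"]):
                self.weight += 1
                self.data.append(call)
        if self.weight:  # now only true when at least one check matched
            return True
        return False


def evaluate(sig_cls, http_calls):
    """Run one signature class over a traffic list and return its verdict."""
    return bool(sig_cls(http_calls).run())


# Constructed sample traffic (documentation addresses, not real hosts)
NO_TRAFFIC = []
NAMED_HOST = [{"host": "example.com", "uri": "/index.html"}]
BARE_IP = [{"host": "203.0.113.7", "uri": "/update"}]

if __name__ == "__main__":
    for label, calls in (("none", NO_TRAFFIC), ("named", NAMED_HOST), ("bare ip", BARE_IP)):
        print(f"{label:8} buggy={evaluate(BuggyHttpAnomaly, calls)} "
              f"fixed={evaluate(FixedHttpAnomaly, calls)}")
```

The buggy class returns True for all three inputs, including an empty capture, which is exactly the symptom reported above. The alternative fix from the thread, keeping the base default of 1 and checking `self.weight > 1`, gives the same verdicts; starting at 0 is preferable because the weight then counts hits directly and the check reads naturally.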
Ah yes. Thanks for pointing that out; I guess I was too close to it to see that.
This is the start of a signature to try and pick out various anomalies. In large volumes of traffic many of these features will be highly common, but they should be interesting in a sandbox environment where only anomalous or CnC-related traffic is present.
I will add in other general features in time and then I intend to look at the best ways to present likely CnC hosts (appending the HTTP hostname of the most likely CnC candidates to the alerts).