NetWitness Community

LeeKirkpatrick · ‎2017-02-01

In one of my previous posts (https://community.rsa.com/community/products/netwitness/blog/2016/09/26/shannon-have-you-seen-my-entropy) I touched on using a custom Java entropy calculator within the ESA to calculate the entropy values for domains to assist with detecting Domain Generation Algorithms (DGA's); the post was more theory than practical so I decided to implement and test it in my lab so I could share the implementation with you all.

The basic principle behind this form of DGA detection is to calculate an entropy value for each domain seen and store this value in an ESA window. We can then use the values in the ESA window to calculate an average entropy for the domains seen within an environment, this subsequently allows an alert to be generated if any domains exceed the average entropy by 1.3x.

As an example, let's take the following four domains from the Alexa top 100 (this will be what we use as an example baseline, the rule attached to this post would actually monitor your network for what is normal):-

google.com
youtube.com
facebook.com
baidu.com

Running these each through the entropy calculator we receive the following values:-

Domain	Entropy
google.com	2.6464393446710157
youtube.com	3.095795255000934
facebook.com	3.0220552088742
baidu.com	3.169925001442312
Average	2.983553702497115

Using this average as our baseline, we can then say that anything that is greater than 1.3x (3.87861981324625) this average, let me know about it as this is a high entropy value.

Taking the following values from Zeus tracker and calculating their entropy values, we can see the results:-

Domain	Entropy	Status
circleread-view.com.mocha2003.mochahost.com	3.952216429463629	Alert
cynthialemos1225.ddns.net	3.952216429463629	Alert
moviepaidinfullsexy.kz	4.061482186720775	Alert
039b1ee.netsolhost.com	3.754441845713345	No alert

Example of the alert output below:-

Rule Logic

@Name('Learning Phase Variable')
//Change the learningPhaseMinutes variable to the number of minutes for the rule to learn
CREATE VARIABLE INTEGER learningPhaseMinutes = 1440;

@Name('Calculate Learning Phase')
on pattern[Every(timer:at(*, *, *, *, *))] set learningPhaseMinutes = learningPhaseMinutes - 1;

@Name('Create Entropy Window')
CREATE WINDOW aliasHostEntropy.win:length(999999).std:unique(entropy) (entropy double);

@Name('Insert entropy into Window')
INSERT INTO aliasHostEntropy
SELECT calcEntropy(alias_host) as entropy FROM Event(alias_host IS NOT NULL AND learningPhaseMinutes > 1);

@Name('Alert')
@RSAAlert
SELECT *, (SELECT avg(entropy) FROM aliasHostEntropy as Average), (SELECT calcEntropy(alias_host) FROM Event.win:length(1) as Entropy) FROM Event(learningPhaseMinutes <= 1 AND calcEntropy(alias_host) > 1.3* (SELECT avg(entropy) FROM aliasHostEntropy));

If you are interested in implementing this DGA Detection rule, I wrote up a little guide on how to do so. Everything you need is attached to this post.

DISCLAIMER: The information within this blog post is here to show the capabilities of the NetWitness product and avenues of exploration to help thwart the adversary. This content is provided as-is with no RSA direct support, use it at your own risk. Additionally, you should always confirm architecture state before running content that could impact the performance of your NetWitness architecture.

MichaelPochan · ‎2017-02-06

Was running into an error when trying to set this up and wanted to see if anyone else encoutered anything similar. Can import the rule fine, but when attempting to deploy it, we get this error:

ESA was unable to deploy one or more rules, and these rules were disabled. Common issues include: missing metadata, invalid rule syntax, and unavailable external connections at the time of deployment.

Here are the logs for it:

2017-02-06 15:57:37,667 [Carlos@1dee4983-12(run(SetEplModule))(admin)] WARN com.rsa.netwitness.core.epl.EplModuleManager - Esper deployment of module "DGA Detection" (id=5891b077e4b05b67fc
9a050b(default)) failed. Reason: Deployment failed in module 'Module_931447728_Alert' in module url '5891b077e4b05b67fc9a050b' in expression '@Name('Learning Phase Variable') //Change the l
ear...(174 chars)' : Error starting statement: Cannot create variable: Variable by name 'learningPhaseMinutes' has already been created [@Name('Learning Phase Variable')
2017-02-06 15:57:36,922 [Carlos@7002e23e-8(run(SetEplModule))(admin)] WARN com.rsa.netwitness.core.epl.EplModuleManager - Esper deployment of module "DGA Detection" (id=5891b077e4b05b67fc9
a050b(default)) failed. Reason: Deployment failed in module 'Module_931447728_Alert' in module url '5891b077e4b05b67fc9a050b' in expression '@Name('Insert entropy into Window') INSERT INTO
al...(170 chars)' : Error starting statement: Failed to validate select-clause expression 'calcEntropy(alias_host)': Unknown single-row function, aggregation function or mapped or indexed p
roperty named 'calcEntropy' could not be resolved [@Name('Insert entropy into Window')

Any feedback would be greatly appreciated.

LeeKirkpatrick · ‎2017-02-06

Hi Michael,

Seems the calcEntropy plugin could not be resolved, could you post the contents of the following file:-

/opt/rsa/esa/conf/esper-config.xml

Cheers,

Lee

MichaelPochan · ‎2017-02-06

Sure. I thought I followed your instructions but might have missed something.

<?xml version="1.0" encoding="UTF-8"?>
<esper-configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.espertech.com/schema/esper"
xsi:schemaLocation="http://www.espertech.com/schema/esper
http://www.espertech.com/schema/esper/esper-configuration-4-0.xsd">

<auto-import import-name="com.rsa.netwitness.core.alert.RSAAlert"/>
<auto-import import-name="com.rsa.netwitness.core.cep.window.RSAPersist"/>
<auto-import import-name="com.rsa.netwitness.core.cep.library.*"/>

<plugin-virtualdw namespace="vdw" name="mongo" factory-class="com.rsa.netwitness.core.enrichment.vdw.MongoVirtualDataWindowFactory"/>
<plugin-virtualdw namespace="vdw" name="filemap" factory-class="com.rsa.netwitness.core.cep.window.filemap.FileMapFactory"/>
<plugin-virtualdw namespace="vdw" name="geoip" factory-class="com.rsa.netwitness.core.cep.window.geoip.GeoIpFactory"/>

<plugin-singlerow-function name="isNotOneOfIgnoreCase" function-class="com.rsa.netwitness.core.cep.library.ComparisonUtils" function-method="isNotOneOfIgnoreCase"/>
<plugin-singlerow-function name="isOneOfIgnoreCase" function-class="com.rsa.netwitness.core.cep.library.ComparisonUtils" function-method="isOneOfIgnoreCase"/>
<plugin-singlerow-function name="calcEntropy" function-class=”Shannon.Calc" function-method="calcEntropy" />
<engine-settings>
<defaults>

<view-resources>
<share-views enabled="false"/>
</view-resources>

<metrics-reporting enabled="false" engine-interval="0" statement-interval="60000"/>

</defaults>
</engine-settings>

</esper-configuration>

LeeKirkpatrick · ‎2017-02-06

Okay looks good.

Where there any errors when you restarted the esa service?

Any chance you could also show me the wrapper.conf file entry? And one or two lines above it?

MichaelPochan · ‎2017-02-06

No errors when restarting ESA and the service is running fine. Below is the wrapper.conf entry.

wrapper.java.classpath.179=%REPO_DIR%/org/springframework/spring-tx/3.2.12.RELEASE/spring-tx-3.2.12.RELEASE.jar
wrapper.java.classpath.180=%REPO_DIR%/net/sf/jopt-simple/jopt-simple/4.6/jopt-simple-4.6.jar
wrapper.java.classpath.181=/opt/rsa/esa/lib/custom/Entropy.jar

# Java Library Path (location of Wrapper.DLL or libwrapper.so)
wrapper.java.library.path.1=lib
wrapper.java.library.path.2=%EXTRA_LIBRARY_PATH%

EdwardDarnell · ‎2017-02-09

Did you ever find a solution? Having the same issue and all entries look similar to yours.

LeeKirkpatrick · ‎2017-02-09

Hi Both,

I think the issue comes from the copy and paste from the document, looking through the config files posted by Michael again, I can see the first double quote for function-class is different to the others:-

<plugin-singlerow-function name="calcEntropy" function-class=”Shannon.Calc" function-method="calcEntropy" />

Instead it should be the same as the others:-

<plugin-singlerow-function name="calcEntropy" function-class="Shannon.Calc" function-method="calcEntropy" />

Cheers,

Lee

DavidWaugh1 · ‎2017-02-10

Hi Lee,

Great work!

I saw by default the learning time is set to -1.

What is the affect of this?

LeeKirkpatrick · ‎2017-02-10

Hey David,

I thought I set it to 1440.

May have uploaded the incorrect rule! I'll double check.

GagandeepMakker · ‎2017-11-06

Hi Lee,

I have created the DGA detection rule as per your instructions, but could you please help me know as to how can I know if the deployed DGA detection rule is working correctly or not. I have tried keeping the lower entropy value, but still the rule is not triggering.

Is there any way that I can test this? and know if this is working as intended.

if you can help me to know the steps then it would be appreciated.

JimHollar · ‎2019-09-10

Any chance you could update for version 11.3/x? There's no wrapper.conf on esa. Thanks.

LeeKirkpatrick · ‎2019-09-12

Hey Jim,

The ability to add custom JAR files has been removed in later versions, I believe for security reasons, so it is not possible to add a 3rd party module. You could, however, make use of the alias_stats.lua parser created by Matt Tharp located here: https://community.rsa.com/message/925227?commentID=925227#comment-925227. It will give you the entropy as metadata that can be consumed by the ESA and analysed.

Cheers,

Lee