Interesting blog post from ISC SANS Handlers blog about http error code 522 (Connection timed out)
https://isc.sans.edu/diary/522%2BError%2BCode%2Bfor%2Bthe%2BWin/21377
Which got me thinking, could RSA NetWitness help detect this potential indicator ?
If you have Packets the http_lua registers the error codes in the error metakey
If you have logs, the error codes should be registered in result.code from your firewalls or proxy logs
This post from Christopher Ahearn shows you how to implement a quick parser to move and split the value from error into result.code to give analysts better pivoting if you happen to have both Packets and Logs from RSA.
Here is what the errors metakey looks like on my test system
Which has no error 522 unfortunately.
To locate with a drill in investigator:
error begins '522'
If the parser from chris is implemented or if you have logs that parse out that value for you:
result.code = 522
once you test and validate what you find you might want to create an application rule (looking at outbound traffic in particular as that would be your malware calling home - outbound)
name=t3_potential_malware_callback_err_522
rule=service=80 && error begins 522 && direction=outbound
or
rule=result.code=522 & direction=outbound
There could be some legit reasons for erro 522 (especially with cloudflare it seems) but from the ISC handlers post there was also some legit malware that was also detected. Fine tune the alerting and drills to get to the actionable stuff.
as always, comment or DM if you find something interesting or if there are particular tuning parameters that you find effective.
2 Comments
