2013-03-26 04:51 PM
Has anyone seen any unusual activity with huffington post recently?
We have a nightly report set up for botnets and have seen daily activity on it for about a week or so.
I know the site is legit so I am curious if anyone else is seeing anything weird.
Maybe it's a false positive? The weird thing about it is that each IP that went to the site only had 1-2 sessions.
I'm thinking anyone going to that site will be clicking on more than 1-2 links.
Any thoughts on this?
Thanks
2013-04-01 04:45 PM
Hi Fielder,
Like I mentioned, I didn't set that one up. When our PS guy came in I didn't know much at all about this stuff, so it was very intimidating... It's NOT as intimidating now, but still is just a bit.
I took a quick look at your link and WOW. I will definitely have to look that over a few times to get it all to sink in.
Thanks so much for the help.
2013-04-02 07:56 PM
Hi Fielder,
All the traffic also contains "rt=" too - yes, e.g.:
GET http://www.huffingtonpost.com/ads/ad_html_wh.php?vert=weddings&placement=slideshow HTTP/1.1
The user agents are all as I would expect (ie8 - corp browser):
mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0; .net clr 1.1.4322; infopath.2; .net clr 2.0.50727; .net clr 3.0.4506.2152; .net clr 3.5.30729; .net4.0c; .net4.0e) (6)
The hostnames that came back are/were:
Hostname Aliases (18 items)
www.huffingtonpost.com (6) - b.huffingtonpost.com (6) - pixel.quantserve.com (4) - o.sa.aol.com (4) - entry-stats.huffpost.com (4) - at.atwola.com (3) - www.google-analytics.com (2) - secure-us.imrworldwide.com (2) - s.huffpost.com (2) - i.huffpost.com (2) - counters.gigya.com (2) - b.scorecardresearch.com (2) - ad.dc2.adtech.de (2) - cdn.theview.abc.go.com (1) - cdn.media.theview.tv (1) - ar.voicefive.com (1) - a0.twimg.com (1) - 2912a.v.fwmrm.net (1)
And the threat/risk info showed up as:
Threat Category (3 items)
suspicious (6) - informational (6) - botnet (6)
Risk: Warning (2 items)
bredolab botnet activity (6) - escalation multiple suspicious (1)
Risk: Suspicious (2 items)
escalation multiple informational (6) - known malware filenames (1)
I believe the 1 "known malware filenames" is:
directory = http://s.huffpost.com/assets/
filename = js.php
risk.suspicious = known malware filenames
Anyway - my extra 2c...
PS: your detecting beaconing post is fantastic - looking at how/if we can implement that is now on my todo list!
2013-04-15 04:44 PM
I just wanted to give the final update on this in case anyone else is having the same problem.
I had opened a ticket with RSA, and after reviewing the submitted evidence to investigate, they have recognized a problem with the parser.
They have informed me that the botnet parser is being rewritten from scratch.
So it does appear that this was indeed a false positive as suspected.
Thanks all for the friendly support and advice.
2014-01-02 04:04 PM
9 months later I still see false positives in factory 10.2.2 code. It's catching the ts= string, so just to note that.
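Added example, not part of the thread and not RSA's parser: the posts above say the botnet rule fires on the substring "ts=" (and earlier "rt="), and that "known malware filenames" fired on s.huffpost.com/assets/js.php. The code below is a hypothetical reconstruction of what such rules look like and why they misfire on ordinary ad and tracker URLs, contrasted with a check that parses the query string and only matches a whole parameter name. The URLs are constructed for the example (modelled on the hostnames listed above; 198.51.100.7 is a documentation address standing in for a real beacon host), except the two taken verbatim from the thread.

```python
"""Substring signatures versus parsed-parameter checks on URL query strings.

Constructed example. The rule shapes here are assumptions about how a
"ts=" / "rt=" / "js.php" signature might be written; they are not RSA's
actual parser logic.
"""
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic. The first and last-but-one URLs are quoted from
# the thread; the rest are made up in the style of the listed tracker hosts.
SAMPLE_URLS = [
    "http://www.huffingtonpost.com/ads/ad_html_wh.php?vert=weddings&placement=slideshow",
    "http://pixel.quantserve.com/pixel?a=p-123&hits=4&rand=77",     # "hits=" contains "ts="
    "http://b.scorecardresearch.com/b?c1=2&c2=6035&ts=1364320000",  # genuine cache-buster named ts
    "http://entry-stats.huffpost.com/stats.php?counts=3&rt=9",      # "counts=" contains "ts="
    "http://s.huffpost.com/assets/js.php?v=1",                      # the "known malware filename" hit
    "http://198.51.100.7/in.php?ts=1364320000&id=abc",              # constructed stand-in for a beacon
]


def substring_flag(url: str, needle: str = "ts=") -> bool:
    """Naive rule: fire whenever the raw URL contains the needle anywhere.

    Any parameter whose name merely ends in "ts" (hits, counts, ...) matches,
    which is the false-positive mechanism the thread describes.
    """
    return needle in url


def param_flag(url: str, name: str = "ts") -> bool:
    """Tighter rule: fire only if a query parameter is literally named `name`."""
    query = urlsplit(url).query
    return any(key == name for key, _ in parse_qsl(query, keep_blank_values=True))


def filename_flag(url: str, names: frozenset = frozenset({"js.php"})) -> bool:
    """Basename-only filename rule, as a generic name like js.php would be matched.

    Matching on the last path segment alone ignores the host and directory,
    so a CDN asset path trips it just as readily as a malware drop would.
    """
    basename = urlsplit(url).path.rsplit("/", 1)[-1]
    return basename in names


def hosts_hit(urls, predicate) -> Counter:
    """Count flagged URLs per host so an analyst can see what a rule is really catching."""
    return Counter(urlsplit(u).hostname for u in urls if predicate(u))


if __name__ == "__main__":
    for label, rule in [("substring 'ts='", substring_flag),
                        ("parameter ts", param_flag),
                        ("filename js.php", filename_flag)]:
        print(f"{label:16s} -> {dict(hosts_hit(SAMPLE_URLS, rule))}")
```

Running it shows the substring rule flagging four hosts, three of them well-known ad and measurement trackers, while the parsed-parameter rule narrows that to two. Even the tighter rule still fires on scorecardresearch's timestamp cache-buster, which is the practical point: a parameter name alone is not a botnet indicator, and a rule like this needs host or path context before it is worth a "botnet" category.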
2014-01-02 04:23 PM
It's not in the code. It's a feed from Live. And if you have upgraded, you may have kept some old parsers that have since been deprecated. I think the parser responsible is the old botnet parser.
2014-01-02 04:29 PM
It's a factory reset/format, new to 10.2.2, re-subscribed and downloaded all parsers as of Dec 2013, and had this issue.
2014-01-03 11:24 AM
To get rid of these false positives disable nw45030.
2014-01-06 02:57 PM
Let us know if this fixed the issue.