This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Using NetWitness and/or Security Analytics to detect Java exploit drive-bys

RSAAdmin
Beginner
Beginner

‎2013-08-26 01:34 PM

Hi All,

 

I was wondering if anyone had an good drills for specifically detecting drive-bys that target Java exploits?

 

The following rule is useful for detecting attempts to download malware payloads following exploitation

 

     client regex "java/1.6.0_([0-9]|[1][0-9]|[2][0-6])" && content = "application/pdf","application/x-msdownload","application/x-shockwave-flash"


However I was looking for some drills for specifically identifying the actual drive-by stage of the attack?


Cheers


Kit

1 REPLY 1

RSAAdmin
Beginner
Beginner

‎2013-08-28 11:51 AM

The referrer strings will typically take you backwards to find out which host was the problem.  You could also create a "TimeLine Report" in Informer/SA.  Look for alias.host,directory,filename,query,referrer,country.dst,org.dst for the timeperiod in question.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.