Malware and Blacklist alerts

Note: This feature requires the Badfellas plugin.

The trisul_badfellas plugin checks all of your network traffic against public blacklists and alerts on:

  1. Communication with known malicious IPs
  2. Retrieval of malware from known malicious URLs
  3. Connections to known phishing sites
  4. DNS queries for known malicious domain names

What can you do with these alerts?

You can get useful reports such as:

  1. Top 100 hosts with malware in my enterprise
  2. Infection trends over time
  3. Breakup of malware types (ZeUS, Gumblar, GhostNet, etc.)
  4. Retrieve suspected malware flows
  5. Pull suspected malware packets into Wireshark or Unsniff
  6. Script against the alerts using TRP (the Trisul Remote Protocol)

Evasions

Trisul is resistant to common evasions:

  • TCP segmentation ("frag") attacks – TCP is reassembled before the requested URL and the HTTP Host header are constructed, so an indicator split across segments is still matched
  • DNS – both requests and replies are checked for malicious domain names
  • Minor permutations in domains and URLs are handled automatically
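The checks above run inside Trisul. The following added example (not Trisul or Badfellas code) shows in Python the kind of normalisation a blacklist matcher needs so that case changes, trailing root dots, subdomains of a listed domain, default ports, dot segments and percent-encoding in a URL do not slip past the list, and it checks DNS query names in both requests and replies, the resolved address in a reply, HTTP Host headers, URLs and flow endpoints. The blacklist entries, the event layout and the sample traffic are constructed for the illustration and are not a real feed or Trisul's event format; the events are assumed to already be reassembled.

```python
"""Blacklist matching over reassembled DNS, HTTP Host, URL and flow events.

Added illustration, not Trisul or Badfellas code. The blacklist, the event
layout and the traffic below are constructed samples for this example.
"""
import ipaddress
from urllib.parse import urlsplit, unquote

# Constructed sample blacklist: documentation-range addresses, made-up names.
BAD_DOMAINS = {"evil-updates.example", "phish-login.example"}
BAD_IPS = {"203.0.113.7", "198.51.100.0/24"}
BAD_URLS = {"http://cdn.example/payload/dropper.exe"}


def norm_domain(name):
    """Lower-case and drop surrounding whitespace and the trailing root dot."""
    return name.strip().rstrip(".").lower()


def domain_hit(name, bad=BAD_DOMAINS):
    """Return the listed entry matching name or any parent domain, else None.
    The bare TLD is never tried, so an entry like 'example' cannot flag everything."""
    labels = norm_domain(name).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in bad:
            return candidate
    return None


def ip_hit(addr, bad=BAD_IPS):
    """Return the listed address or CIDR block containing addr, else None."""
    ip = ipaddress.ip_address(addr)
    for entry in bad:
        if ip in ipaddress.ip_network(entry, strict=False):
            return entry
    return None


def norm_url(url):
    """Canonicalise a URL: lower-case scheme and host, drop default ports,
    percent-decode the path and resolve '.', '..' and empty segments."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = norm_domain(parts.hostname or "")
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    segments = []
    for seg in unquote(parts.path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return f"{scheme}://{netloc}/" + "/".join(segments)


def url_hit(url, bad=BAD_URLS):
    """Return the normalised URL if it matches a listed URL after normalisation."""
    target = norm_url(url)
    return target if target in {norm_url(u) for u in bad} else None


# Constructed events, as a checker would see them after TCP reassembly.
SAMPLE_EVENTS = [
    {"type": "dns_query", "src": "10.1.1.5", "name": "Cdn.EVIL-updates.example."},
    {"type": "dns_reply", "src": "10.1.1.5", "name": "mail.corp.example", "answer": "203.0.113.7"},
    {"type": "http_host", "src": "10.1.1.9", "host": "PHISH-LOGIN.example:8080"},
    {"type": "url", "src": "10.1.1.9", "url": "HTTP://cdn.example:80/payload/../payload/%64ropper.exe"},
    {"type": "flow", "src": "10.1.1.2", "dst": "198.51.100.77"},
    {"type": "dns_query", "src": "10.1.1.3", "name": "www.example.org"},
]


def check_event(ev):
    """Return (source host, reason) when an event touches a listed indicator."""
    kind = ev["type"]
    if kind in ("dns_query", "dns_reply"):
        hit = domain_hit(ev["name"])          # query name, in requests and replies
        if hit:
            return ev["src"], f"dns:{hit}"
        if kind == "dns_reply":
            hit = ip_hit(ev["answer"])        # resolved address carried in the reply
            if hit:
                return ev["src"], f"dns_answer:{hit}"
    elif kind == "http_host":
        hit = domain_hit(urlsplit("//" + ev["host"]).hostname or "")   # strips :port
        if hit:
            return ev["src"], f"host:{hit}"
    elif kind == "url":
        hit = url_hit(ev["url"])
        if hit:
            return ev["src"], f"url:{hit}"
    elif kind == "flow":
        hit = ip_hit(ev["dst"])
        if hit:
            return ev["src"], f"ip:{hit}"
    return None


def scan(events):
    """Alerts for every event that matches, in input order."""
    return [r for r in map(check_event, events) if r]


if __name__ == "__main__":
    for src, reason in scan(SAMPLE_EVENTS):
        print(src, reason)
```

Of the six constructed events, five produce an alert; the plain www.example.org lookup does not, because parent-domain matching stops short of the bare TLD. Percent-decoding before segment resolution is deliberate: an encoded slash or dot segment is exactly the kind of permutation a matcher that compares raw strings misses.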

Updates

Blacklists need to be updated regularly to be effective. You can specify a custom update policy for the blacklist sources. Note that you may need to purchase a feed from some of these sources.

How to specify the refresh policy

Ensure that the trisul_badfellas plugin is installed. The malware lists are refreshed according to the Run/Frequency element in the plugin's config file, /usr/local/etc/trisul/PI-9FE3C6BC-BEB6-4320-A5BA-7993286D70DF.xml. All lists are updated at once; the value is the number of seconds that must pass before the lists are refreshed.

      <Run>
        ..
        <Frequency>3600</Frequency>
      </Run>

How to tweak Badfellas settings

You may fine-tune how Trisul checks for malicious activity by tweaking these parameters:

  • ReloadListSeconds – how frequently (in seconds) Trisul checks for new list data
  • CheckICMP – scan ICMP traffic such as pings for connection attempts
  • CheckDNS – parse DNS records and check the domain names in them
  • CheckHTTPHost – check the HTTP Host header in addition to DNS
  • CheckTCPFlows – check each TCP flow
  • CheckURL (written as CheckURLs in the config fragment below) – check all URLs seen

These fields are in the config file /usr/local/etc/trisul/PI-9FE3C6BC-BEB6-4320-A5BA-7993286D70DF.xml. To turn off an option, set its entry to FALSE.

 <TrisulPluginConfiguration>
    <Policy>
        <description>Controls how the Trisul Badfellas plugin works </description>
        <ReloadListSeconds>900</ReloadListSeconds>
        <CheckICMP>TRUE</CheckICMP>
        <CheckDNS>TRUE</CheckDNS>
        <CheckHTTPHost>TRUE</CheckHTTPHost>
        <CheckTCPFlows>TRUE</CheckTCPFlows>
        <CheckURLs>TRUE</CheckURLs>
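As an added example covering both the refresh policy and the settings above (this is not Trisul's own tooling), the following Python script reads the elements this page documents, turns a Check* option off, sets Run/Frequency, and warns about settings that leave lists stale or a traffic class unchecked. It assumes <Run> and <Policy> are siblings under <TrisulPluginConfiguration>, which the fragments on this page do not show, and it works on a constructed copy of the file rather than the shipped one; on a real host you would parse CONFIG_PATH instead. The one-day refresh ceiling used by the lint check is an assumption, not a Trisul rule.

```python
"""Inspect and adjust the Badfellas plugin configuration.

Added example, not part of Trisul or its documentation. It uses only the
elements shown on this page and assumes <Run> and <Policy> are siblings
under <TrisulPluginConfiguration>, which the page does not show. The XML
text below is a constructed sample, not a copy of the shipped file.
"""
import xml.etree.ElementTree as ET

CONFIG_PATH = "/usr/local/etc/trisul/PI-9FE3C6BC-BEB6-4320-A5BA-7993286D70DF.xml"
CHECKS = ("CheckICMP", "CheckDNS", "CheckHTTPHost", "CheckTCPFlows", "CheckURLs")
MAX_REFRESH_SECONDS = 24 * 3600   # assumed ceiling: stale lists miss new indicators

SAMPLE_CONFIG = """<TrisulPluginConfiguration>
  <Run>
    <Frequency>3600</Frequency>
  </Run>
  <Policy>
    <description>Controls how the Trisul Badfellas plugin works </description>
    <ReloadListSeconds>900</ReloadListSeconds>
    <CheckICMP>TRUE</CheckICMP>
    <CheckDNS>TRUE</CheckDNS>
    <CheckHTTPHost>TRUE</CheckHTTPHost>
    <CheckTCPFlows>TRUE</CheckTCPFlows>
    <CheckURLs>TRUE</CheckURLs>
  </Policy>
</TrisulPluginConfiguration>
"""


def load(xml_text):
    """Parse configuration text into an element tree root."""
    return ET.fromstring(xml_text)


def _required(root, path):
    """Fetch an element that must exist and carry text."""
    el = root.find(path)
    if el is None or el.text is None:
        raise ValueError(f"missing element {path}")
    return el


def policy(root):
    """Return the settings as ints and bools, rejecting anything but TRUE/FALSE."""
    out = {
        "Frequency": int(_required(root, "Run/Frequency").text),
        "ReloadListSeconds": int(_required(root, "Policy/ReloadListSeconds").text),
    }
    for name in CHECKS:
        val = _required(root, f"Policy/{name}").text.strip().upper()
        if val not in ("TRUE", "FALSE"):
            raise ValueError(f"{name} must be TRUE or FALSE, got {val!r}")
        out[name] = val == "TRUE"
    return out


def set_frequency(root, seconds):
    """Set Run/Frequency, the number of seconds between list refreshes."""
    if seconds <= 0:
        raise ValueError("Frequency must be a positive number of seconds")
    _required(root, "Run/Frequency").text = str(int(seconds))


def set_check(root, name, enabled):
    """Turn one Check* option on or off using the file's TRUE/FALSE spelling."""
    if name not in CHECKS:
        raise ValueError(f"unknown option {name}")
    _required(root, f"Policy/{name}").text = "TRUE" if enabled else "FALSE"


def lint(root):
    """Warnings about settings that weaken detection or leave lists stale."""
    p = policy(root)
    warnings = []
    if p["Frequency"] > MAX_REFRESH_SECONDS:
        warnings.append(f"Run/Frequency={p['Frequency']}s: lists refreshed less than daily")
    for name in CHECKS:
        if not p[name]:
            warnings.append(f"{name} is FALSE: that traffic is not checked against the lists")
    return warnings


def dump(root):
    """Serialise back to text for writing to CONFIG_PATH."""
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    root = load(SAMPLE_CONFIG)        # ET.parse(CONFIG_PATH).getroot() on a real host
    set_check(root, "CheckICMP", False)
    set_frequency(root, 7 * 24 * 3600)
    for w in lint(root):
        print("warning:", w)
    print(dump(root))
```

Run on the sample, the script disables ICMP checking and sets a weekly refresh, and lint reports both: one warning for the unchecked traffic class and one for the stale refresh interval. Writing the result back is a plain file write of dump(root) to CONFIG_PATH, which is left out so the example stays offline.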