Network-based Integrity Monitoring
by sucurinet
We are very used to the concept of FIM, file-based integrity monitoring, where internally on our servers
we monitor the important files and binaries, guaranteeing the integrity of the system if they are intact.
If anything is ever modified, from a configuration file to a binary or the kernel, then some action must
be taken to detect what happened, who did it and whether it was authorized or not.

FIM products are very common and mandated by most compliance requirements (PCI, HIPAA, etc),
but what we don't see often is the same concept applied to the "online" world. How do you know if
your whois information is altered? Or if your DNS is tampered with and all your users are being redirected to a
different site? Or even if someone hacked your web server and defaced your index page?

Call for Network Integrity Monitoring
Many tools are available to monitor the availability of web sites and other resources (FTP, SMTP, etc),
but we don't see the same applied to checking their integrity. We need a reliable way to detect if any
or all aspects of a company's network presence are altered, with a focus on the Internet, where any
attack is highly noticeable.

Internet presence is often viewed as:

      Web site
      Web applications
      DNS
      Whois
      Email

There are other aspects, but these are generally the face of a company online. The web site is often
controlled internally and modifications can be detected by most FIM products running on the server
itself. However, if the attack is more subtle, like a DNS redirection or a modification of the Whois with
the registrar, your FIM will not detect anything, but your users will access the wrong page.

Regarding the other resources, there is no way to know if they are correct, unless you check them often
and compare with the correct baseline.

Manual Network Integrity Monitoring
Integrity monitoring can be done with a handful of scripts and a daily (or hourly) cron job on most
Linux systems. On Windows, it is also possible, but since it lacks some basic networking tools (like
whois), we will focus on Linux. To start, you can set up lynx or wget to download your web site pages
and perform an md5/sha1 checksum to compare the outputs:

       mkdir /nim
       cd /nim
       lynx -dump -source http://yoursite.com > /nim/tmp-source.txt
       lynx -dump http://yoursite.com > /nim/tmp-dump.txt
       md5sum /nim/tmp-*.txt > file-with-md5-hashes.txt
       sha1sum /nim/tmp-*.txt > file-with-sha1-hashes.txt
       md5sum -c /nim/file-with-md5-hashes.txt
       sha1sum -c /nim/file-with-sha1-hashes.txt

You can do the same to monitor the whois and DNS:

       whois yoursite.com > /nim/whois.txt
       host -t ANY yoursite.com > /nim/dns.txt
       md5sum /nim/tmp-*.txt /nim/whois.txt /nim/dns.txt > file-with-md5-hashes.txt
       sha1sum /nim/tmp-*.txt /nim/whois.txt /nim/dns.txt > file-with-sha1-hashes.txt
       md5sum -c /nim/file-with-md5-hashes.txt
       sha1sum -c /nim/file-with-sha1-hashes.txt

After this is done for the first time, you can edit the scripts to only do the md5sum/sha1sum compare
(-c flag) and to run the diff command to see exactly what was modified:

       diff /nim/whois-old.txt /nim/whois.txt | mail -s "Change detail" you@yoursite.com
       cp -p /nim/whois.txt /nim/whois-old.txt
       md5sum /nim/whois.txt > /nim/file-with-md5-hashes.txt
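As an added example (not the article's own scripts), the baseline, compare and diff steps above folded into one reusable shell function that treats the web page, whois and DNS the same way. It assumes the state directory is given by NIM_DIR (the article uses /nim) and the domain to watch by NIM_DOMAIN; both names are this example's own.

```shell
#!/bin/sh
# Added example, not the article's own scripts: baseline / compare / diff
# in one function for web page, whois and DNS. Assumptions: state lives
# under $NIM_DIR (article: /nim), the domain is passed in $NIM_DOMAIN.
NIM_DIR="${NIM_DIR:-/tmp/nim}"

# check_resource NAME CMD [ARGS...]
#   Runs CMD, saves its output as NAME.txt and checks it against the sha1
#   recorded from the previous copy (sha1sum -c, as in the article).
#   Returns 0 if unchanged (or on the first run, which records the baseline),
#   1 if modified (the diff is written to NAME-change.txt and printed),
#   2 if CMD failed, i.e. the resource was unreachable.
check_resource() {
    name="$1"; shift
    mkdir -p "$NIM_DIR"
    new="$NIM_DIR/$name.txt"; old="$NIM_DIR/$name-old.txt"
    hashes="$NIM_DIR/$name-hashes.txt"; report="$NIM_DIR/$name-change.txt"
    if ! "$@" > "$new" 2>/dev/null; then
        echo "$name: fetch failed, resource unavailable?"
        return 2
    fi
    if [ ! -f "$old" ]; then                 # first run: record the baseline
        cp -p "$new" "$old"
        sha1sum "$new" > "$hashes"
        echo "$name: baseline recorded"
        return 0
    fi
    if sha1sum -c "$hashes" >/dev/null 2>&1; then
        return 0                             # hash still matches: unchanged
    fi
    # Changed: '<' lines are the old copy, '>' lines the new one; the new
    # copy then becomes the baseline so the next run reports only further changes.
    diff "$old" "$new" > "$report" || :
    echo "$name: modified"; cat "$report"
    cp -p "$new" "$old"
    sha1sum "$new" > "$hashes"
    return 1
}
# The article's collectors, wrapped so one cron line covers all three, e.g.
#   NIM_DOMAIN=yoursite.com sh nim.sh | mail -s "NIM report" you@yoursite.com
fetch_web()   { lynx -dump -source "http://$1"; }
fetch_whois() { whois "$1"; }
fetch_dns()   { host -t ANY "$1"; }
if [ -n "${NIM_DOMAIN:-}" ]; then
    for r in web whois dns; do
        check_resource "$r" "fetch_$r" "$NIM_DOMAIN" || :
    done
fi
```

Many whois servers append a volatile line such as the database's last-update timestamp, so filtering it out (a grep -v inside fetch_whois) keeps the check from alerting on every run.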

This approach works well if you have just a handful of systems to monitor, otherwise it gets too
complicated to keep track of all the scripts. Another issue is that if you are running it from within your
company, you may not be seeing the same thing that people from outside are. That's why when you are
monitoring your Internet presence, it is better to use an outside look.

Automated and Free Network Integrity Monitoring
To solve some of the issues with the manual monitoring and provide a stable outside look at your
Internet presence, we decided to develop a free network integrity monitoring application. It is called
Sucuri NBIM (yes, the snake) and it simplifies all these steps for the user. It also provides a historical
view of everything that changed, detailed diffs and availability information too (if a resource was ever

How powerful can it be? A few months back, during the development of this application, I got an email
notifying me that the whois information for one of my domains was modified. The alert was:

       Sucuri nbim: (whois) modified
       <     Status: clientDeleteProhibited
       <     Status: clientTransferProhibited
       <     Status: clientUpdateProhibited
       <     Updated Date: 26-feb-2007
       >     Status: ok
       >     Updated Date: 07-jan-2009

       End of Notification

As you can see, someone removed the lock flag from my domain, which is usually only done if you plan
to transfer it to someone else. After a few minutes on the phone with the registrar, and with all my passwords
updated, it was fixed. They also told me that they are seeing lots of brute force attacks trying to get into
accounts there.

Another example is from when Google's main web site was modified for Mother's Day:

       Sucuri nbim: (whois) modified
       < Google
       > Happy Mother's Day!

       End of Notification

Not an attack or anything, but it shows how powerful this can be if anyone outside your domain ever
changes any of your sites.

To try NBIM and start doing network-based integrity monitoring, visit, create a free
account, add your domains and stay safe.
