IBM Security QRadar

Hi Community,

I came across some interesting event and would like to share with you. I was checking on some Firewall Event and found this.


Seems ok since BILD.de is a known domain . However, we I checked on the payload information I came across this:


BlLD.de -> small L.
I use Chrome and Firefox. What kind of settings do you use to avoid something like this?

Thank you!

Regards,

Bruno

------------------------------
BrunoMarX
------------------------------

Hi Bruno, interesting question.
What is your QRadar question? Of course we are able to detect something like that using rules. This would require a refset including bad urls like this one. Is that your question? Or are you referring to browser settings? Chrome and firefox handle this in different ways.
Chrome default setting will offer you to visit the website which has a marketing redirect attached. URL = "BlLD.de"
Firefox will not even offer the marketing page but will present google result rightaway when you include google results in your search settings. Only when you deactivate your history you will see the redirected site.

------------------------------
[Karl] [Jaeger] [Business Partner]
[QRadar Specialist]
[pro4bizz]
[Karlsruhe] [Germany]
[4972190981722]
------------------------------

Original Message:
Sent: Tue June 22, 2021 08:05 AM
From: BrunoMarX
Subject: Font type and QRadar Properties

Hi Community,

I came across some interesting event and would like to share with you. I was checking on some Firewall Event and found this.


Seems ok since BILD.de is a known domain . However, we I checked on the payload information I came across this:


BlLD.de -> small L.
I use Chrome and Firefox. What kind of settings do you use to avoid something like this?

Thank you!

Regards,

Bruno

------------------------------
BrunoMarX
------------------------------

Hi Bruno, 

strange and confusing for an analyst looking at the events. How are the other letters i in other payload fields in your installation? Maybe it is dependent on the browser or the User Preference settings. In my intstallation the small i is displayed like this:


I use User Preference locale: English (United Kingdom) in QRadar and "Standar font"="Times New Roman", "Sans-serif font"=Arial in Chrome.

Regards,

Martin

------------------------------
Martin Schmitt
------------------------------

Original Message:
Sent: Tue June 22, 2021 08:05 AM
From: BrunoMarX
Subject: Font type and QRadar Properties

Hi Community,

I came across some interesting event and would like to share with you. I was checking on some Firewall Event and found this.


Seems ok since BILD.de is a known domain . However, we I checked on the payload information I came across this:


BlLD.de -> small L.
I use Chrome and Firefox. What kind of settings do you use to avoid something like this?

Thank you!

Regards,

Bruno

------------------------------
BrunoMarX
------------------------------