IBM QRadar

  • 1.  Where can I find detailed descriptions for X-Force QRadar content? & general offence question.

    Posted Fri August 11, 2023 10:02 AM

    Hi all,

    Sorry if this has been asked before, but I have attempted some google/forum searches without much success.

    Over the past few months we have received multiple flow-based offences for 'Outbound connection to IP categorised as Anonymisation Services' and 'Outbound connection to IP categorised as Bots'.

    Unfortunately the associated rule summary doesn't have a very detailed description. Is there a database or support page where I can find detailed descriptions for all X-Force QRadar content?

    I would like to confirm whether this content is attempting to identify internal hosts initiating outbound network connections to anonymisation services such as Tor [Breach of Policy | Possible Compromised Host] or Botnet/C2 [Possible Compromised Host]?

    We are currently generating offences whenever an XF-categorised IP, such as a tor exit node or exploited host, initiates an inbound connection to our public-facing web infrastructure, as the return flows are being tagged with the Pre-NAT [RFC1918] source address of our servers rather than the Public/Post-NAT IP.  Event data supports this, with only inbound sessions being logged by the Firewalls from the offending sources [correlated by SessionID/VendorFlowID].  Has anyone else experienced similar detections?  Are these rules known to produce high FP rates where the host is public-facing and NAT'd?

    Kind regards,



    ------------------------------
    exploring data
    ------------------------------


  • 2.  RE: Where can I find detailed descriptions for X-Force QRadar content? & general offence question.

    Posted Thu August 17, 2023 12:23 PM

    Hi

    These are more questions than can be answered in a brief statement. However, I will try as well as I can.

    As rules are very different, there is no central database explaining what each of them does. Use Case Manager is the best way to analyse them and fine-tune them depending on your needs. Using your knowledge about your outbound connections, you should check the out-of-the-box rules, which are just a template, and add your tests regarding PreNAT etc. This is your infrastructure. Only you can fine-tune it. Nobody else knows! Follow the hints given in Use Case Manager for fine-tuning.

    Yes, and there are many false positives in a large environment depending on your specific rule. Focusing on IP addresses categorised as bad by X-Force is a good approach. However, this is not a guarantee against false positives, depending on the speed of refset updates and the way you are using XF lookup. Automatically? Your NG firewall should block bad IPs anyway.

    I'm not sure about your last statement:

    "We are currently generating offences whenever an XF-categorised IP, such as a tor exit node or exploited host, initiates an inbound connection to our public-facing web infrastructure, as the return flows are being tagged with the Pre-NAT [RFC1918] source address of our servers rather than the Public/Post-NAT IP.  Event data supports this, with only inbound sessions being logged by the Firewalls from the offending sources [correlated by SessionID/VendorFlowID].  Has anyone else experienced similar detections?  Are these rules known to produce high FP rates where the host is public-facing and NAT'd?"

    My understanding is that all these tests are already built into your rules. Public-facing IPs will have very high rates even with your test conditions. However, there should not be any successful connections. Use flow data for verification. So you have to differentiate between successful and failed connections. Only the first type should generate offenses. The others should write metadata only, which you can monitor to see peaks coming in without the need to work on offenses.

    My 0.2 cents



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
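The triage logic discussed in the question and in Karl's reply (correlate each flow with the firewall's session record to see which side initiated, ignore the pre-NAT return half of an inbound session, and raise an offence only for a successful outbound connection from an internal host to an X-Force-categorised IP, writing failed attempts as metadata) can be sketched as a small script. This is an added example, not code from the thread or from IBM; the `Flow` and `FirewallSession` data model, the `XFORCE_CATEGORISED` dictionary standing in for an X-Force reference set, and the sample records are all constructed assumptions for illustration, not QRadar's rule engine or reference-set format.

```python
"""
Illustrative triage of flow records against X-Force-categorised IPs.
Constructed example: the data model and the verdict logic are assumptions
made for demonstration, not QRadar's rule engine or reference-set format.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for an X-Force reference set (documentation addresses
# playing the part of a Tor exit node and a C2 host).
XFORCE_CATEGORISED = {
    "198.51.100.7": "Anonymisation Services",
    "203.0.113.9": "Bots",
}


@dataclass
class Flow:
    """One flow record as the collector sees it (internal side is pre-NAT/RFC1918)."""
    flow_id: str       # vendor session/flow id used to correlate with firewall events
    src_ip: str
    dst_ip: str
    dst_port: int
    src_bytes: int     # bytes sent by src_ip
    dst_bytes: int     # bytes sent back by dst_ip


@dataclass
class FirewallSession:
    """Firewall event for the same session: who opened it and whether it was allowed."""
    flow_id: str
    initiator_ip: str
    action: str        # "allow" or "deny"


def categorised_peer(flow: Flow) -> Optional[str]:
    """Return the categorised IP in this flow, if either end is in the reference set."""
    for ip in (flow.src_ip, flow.dst_ip):
        if ip in XFORCE_CATEGORISED:
            return ip
    return None


def classify(flow: Flow, sessions: Dict[str, FirewallSession]) -> str:
    peer = categorised_peer(flow)
    if peer is None:
        return "ignore"                       # neither side is X-Force categorised

    internal = flow.dst_ip if peer == flow.src_ip else flow.src_ip
    if not ipaddress.ip_address(internal).is_private:
        return "ignore"                       # not one of our RFC1918 (pre-NAT) hosts

    session = sessions.get(flow.flow_id)
    if session is None:
        return "review"                       # no firewall event says who initiated

    # The false-positive case from the question: the categorised IP opened the
    # session inbound and we only see the server's return traffic tagged with
    # its pre-NAT address. That is not an outbound connection.
    if session.initiator_ip == peer:
        return "inbound_return"

    # Internal host initiated. Only a successful connection (allowed, and the
    # peer actually sent data back) raises an offence; failed attempts are kept
    # as metadata so peaks can be watched without working offences.
    if session.action == "allow" and flow.dst_bytes > 0:
        return "offence"
    return "metadata_only"


def triage(flows, sessions) -> Dict[str, int]:
    """Count verdicts over a batch of flows."""
    counts: Dict[str, int] = {}
    for f in flows:
        verdict = classify(f, sessions)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample data.
SAMPLE_FLOWS = [
    # Web server's return half of a session opened by a Tor exit node (FP case).
    Flow("s1", "10.0.0.5", "198.51.100.7", 51234, 48000, 1200),
    # Workstation opened an allowed connection to a C2 host and got data back.
    Flow("s2", "10.0.0.23", "203.0.113.9", 443, 1200, 5400),
    # Workstation tried to reach a Tor exit node; the firewall denied it.
    Flow("s3", "10.0.0.42", "198.51.100.7", 9001, 120, 0),
    # Ordinary traffic to an uncategorised address.
    Flow("s4", "10.0.0.8", "192.0.2.50", 443, 900, 3100),
]
SAMPLE_SESSIONS = {
    "s1": FirewallSession("s1", "198.51.100.7", "allow"),
    "s2": FirewallSession("s2", "10.0.0.23", "allow"),
    "s3": FirewallSession("s3", "10.0.0.42", "deny"),
    "s4": FirewallSession("s4", "10.0.0.8", "allow"),
}

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.flow_id, f.src_ip, "->", f.dst_ip, classify(f, SAMPLE_SESSIONS))
    print(triage(SAMPLE_FLOWS, SAMPLE_SESSIONS))
```

The point of the example is the order of the checks: the initiator test from the correlated firewall session comes before any "outbound to bad IP" test, which is what removes the NAT'd web-server case, and the success test (allowed plus bytes returned from the peer) is what separates an offence from metadata. In a real deployment the flow_id correlation and the "is private" test would be rule tests or custom properties in Use Case Manager rather than Python.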



  • 3.  RE: Where can I find detailed descriptions for X-Force QRadar content? & general offence question.

    Posted Thu August 17, 2023 01:50 PM

    Recently I posted a video trying to clarify that:
    https://youtu.be/O_kSV6-Efio



    ------------------------------
    Jose Bravo
    ------------------------------



  • 4.  RE: Where can I find detailed descriptions for X-Force QRadar content? & general offence question.

    Posted Fri August 18, 2023 06:17 AM

    Jose

    This is great because it explains in detail how fine-tuning of standard rules can be done with X-Force category lookup.

    As you outline as well, this does not mean there won't be any false alarms. We are using Palo Alto custom categories where connections are auto-blocked even when public IP access is allowed. These properties can be used to verify whether access was truly successful or not. Bad source IPs will always try to access standard ports on public IPs.

    That's how the Internet works :-)

    Regards



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 5.  RE: Where can I find detailed descriptions for X-Force QRadar content? & general offence question.

    Posted Tue November 07, 2023 04:53 AM

    Thank you very much for the help, Jose. Kind regards, K.



    ------------------------------
    exploring data
    ------------------------------



  • 6.  RE: Where can I find detailed descriptions for X-Force QRadar content? & general offence question.

    Posted Tue November 07, 2023 04:55 AM

    Thank you for taking the time to provide such a detailed reply, I appreciate the help.  Kind regards, K.



    ------------------------------
    exploring data
    ------------------------------