{
"Event": {
"analysis": "2",
"date": "2016-11-11",
"extends_uuid": "",
"info": "OSINT - BlackNurse Denial of Service Attack",
"publish_timestamp": "1484165842",
"published": true,
"threat_level_id": "3",
"timestamp": "1483344746",
"uuid": "5825c994-18b0-4900-a73d-4558950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#00bdbd",
"name": "ecsirt:availability=\"ddos\""
},
{
"colour": "#000a64",
"name": "europol-incident:availability=\"dos-ddos\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478871596",
"to_ids": false,
"type": "link",
"uuid": "5825ca2c-85d0-4193-8f68-4311950d210f",
"value": "http://www.netresec.com/?page=Blog&month=2016-11&post=BlackNurse-Denial-of-Service-Attack"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478871648",
"to_ids": false,
"type": "link",
"uuid": "5825ca60-9220-4be6-9181-42fd950d210f",
"value": "http://soc.tdc.dk/blacknurse/blacknurse.pdf"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478871672",
"to_ids": true,
"type": "snort",
"uuid": "5825ca78-5058-4247-b218-4139950d210f",
"value": "alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:\"TDC-SOC - Possible BlackNurse attack from external source \"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url, soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000012; rev:1;)"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478871687",
"to_ids": true,
"type": "snort",
"uuid": "5825ca87-c1b4-4257-842a-4133950d210f",
"value": "alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:\"TDC-SOC - Possible BlackNurse attack from internal source\"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url, soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000013; rev:1;)"
},
{
"category": "External analysis",
"comment": "",
"data": "JVBERi0xLjUNCiW1tbW1DQoxIDAgb2JqDQo8PC9UeXBlL0NhdGFsb2cvUGFnZXMgMiAwIFIvTGFuZyhkYS1ESykgL1N0cnVjdFRyZWVSb290IDYwIDAgUi9NYXJrSW5mbzw8L01hcmtlZCB0cnVlPj4vTWV0YWRhdGEgMzgzIDAgUi9WaWV3ZXJQcmVmZXJlbmNlcyAzODQgMCBSPj4NCmVuZG9iag0KMiAwIG9iag0KPDwvVHlwZS9QYWdlcy9Db3VudCA2L0tpZHNbIDMgMCBSIDI3IDAgUiAzNiAwIFIgMzkgMCBSIDQyIDAgUiA0NSAwIFJdID4+DQplbmRvYmoNCjMgMCBvYmoNCjw8L1R5cGUvUGFnZS9QYXJlbnQgMiAwIFIvUmVzb3VyY2VzPDwvRm9udDw8L0YxIDUgMCBSL0YyIDkgMCBSL0YzIDExIDAgUi9GNCAxMyAwIFIvRjUgMTUgMCBSL0Y2IDIxIDAgUj4+L0V4dEdTdGF0ZTw8L0dTNyA3IDAgUi9HUzggOCAwIFI+Pi9YT2JqZWN0PDwvSW1hZ2UyNiAyNiAwIFI+Pi9Qcm9jU2V0Wy9QREYvVGV4dC9JbWFnZUIvSW1hZ2VDL0ltYWdlSV0gPj4vQW5ub3RzWyAyMCAwIFJdIC9NZWRpYUJveFsgMCAwIDU5NS41IDg0Mi4yNV0gL0NvbnRlbnRzIDQgMCBSL0dyb3VwPDwvVHlwZS9Hcm91cC9TL1RyYW5zcGFyZW5jeS9DUy9EZXZpY2VSR0I+Pi9UYWJzL1MvU3RydWN0UGFyZW50cyAwPj4NCmVuZG9iag0KNCAwIG9iag0KPDwvRmlsdGVyL0ZsYXRlRGVjb2RlL0xlbmd0aCAzNDQ1Pj4NCnN0cmVhbQ0KeJy9XEtz3DYSvqtK/4FHMlVD4U3Q5UpVZDte5+m1tZuDKwdJlmSvLY1jT7KVf77H7W6AMxyCIDgzGOtADQkS/aHRb4A8++7z6v3t5fWqePz47LvV6vL63c3b4s3Z+XK1Wt7/fnbx96ebs5eXd+8fLlfvlw9nr/+8WuGl75fL1c3nb78tzp8+Kf44PWE1wz9rG1WwQre61oVVoha6+HxzevLbN8XD6cn5xenJ2fe84ByvX9yennC4mRW80LKt20Lz2hYX93DT89dNcfcFui3u6Mz6s+enJ2/Kovq9uPjh9OQZdPfP05O51He4NQUUDgwb7j3Cg4EVz35+UhRnL3EWfn7y4mnBzn66fLgrypuHxfPzKh+fmamtLRrV1KZJ4Q9A8eOCYk3N5c6gxOGgRCFMLZptVAakkcktVDVrmShYLTgepYGe7kYvv4oiXwPjVvCmEArEqXEcgH8twLM9eP1xSj+0NZ1GwlGblkAsNA6saYG5hW5qCyeI34319psN9ckbQ6qqo1pYbupGFCA5shDATDHou/+U3kzDDHpxyQCqUtRJRQvomzVqR3gW6CYfaJjONqleY8Ctx6BlLdcIlJJ100Tmc/rOcELbjoIbln9OSpD/ArRjSGFL/dmGQ3PIOhbJQhpnLfsq31Fva+WmlyOjODKqWIBwg0JdXL8pBeMpm8SzgeKCgW0fxfSmNCkcIh8OxetWxoBEpOhs7cjP4YweQHe6hsHqZtokdKbIiztgEDIiQ1wOVSXx8JSyNJZ3w5yhLBvuepIdeyfxqo2P+NfrKpioRFdx9KJRNbMzh7AzPcGheSAatq2FKBrDaiV2999676HbUEpbVSsbg3JRLTgv38FRlzdJXCYjLgF2HmxZBNd5JcuPgKotL+l4XTXlh1+qhZDlnwT2c8VN+aXiTXmTQt1kRC0hzLBRbiYZaHNCATk3Mgblu2qhytWqUn0GpuC1+8IbUQGpbd3urQKCHckUdB5NmZrvHlkLfiRYypDJ1wyUYndU4rjMUmBC5vEKadpagyiohqafW43WByLhcZMvZAx6shsHWxVtPcwIpEMN1n5kiv9NRuSmWkgFRmQhWrQiqnx
fgVFZPoSuYH8ckMrIJooj7jiFUpBfe4pCMxSMOANVJK9K9hLF7W+O4OYBiw6hBCyKEaqzEmpqHR1Sk5OSEbWNjmlWUEgPrFWPYT8UFdKhCwqT7V5uXTu3oMFy+w4B5kDGO0AWsHUHngdbd6BZ4PEOEs3dAByPqckZoAG+aLvvP9o+NEjGOE4kDJJOGKR4N0mDZGytusIJicNTNDqXlRTlCuxRUy6j5mcPqhbYN0Y0aXgcraThMdOGJ95L0vAEkG1MQfciQjYnoBE1N3vRcOYmxfsDibQgVscmAuaMNUcnoiBOGSECAT/oxvKvCnIU57Hv6coVnhhw3/kwSGYxmj7uQCVnmD0kiYQRXpNDvySXWCMdksciJcyxr+OkCijCZoEiwXhvaYhr+XzX/RqtzY47zJ4rmfSFrn3CF8Y66Hyha5/whVEEHqHjlHNWYkh9vNH3PN449HES2Nl5CdFQyhix3m3CzU32lPR0YGON7gv4k2phIaHv3B2F3Ju4+7ay7sd1JWXfIaai8v1Qck7wQpRJ10j0/PxP8ld2NdjOp2mOC2cgRjiBcrrCLXmgYpOEJwpfHfX1SDnJkNyomj975ctBgpU/4eElVVkeFZVosJYAV36utC7P0RQ/qwQvXyXshBS5BiGZIrM1dxCDWex4QNSVBSDI/wnuy9zcVwJt3bBAHPA6xVCVDRdYXYwcxnH9VkF+/A88vABcyuF8lgKns4FrAdwW02b6SGnyCRwngQsgLFIQQjd9gMxjpLA7F0L3vDeEZpwL31eLxtVfl9VCl/dJSG02SFKiDg8Q4UKU0ooCGM4SYBTLBga8djvGnzoFIZt5l8pg8ru7lKh8xhlri2MQfiGnQRLyF9kRH8BfYSTQld8SKLNZYolrdPuok8pmdBVjrggbF94Z0bfay86OxEBKzJCbXgCkWvC+PWKJ+FJ1xpjT4iG6aQ0MQMOuUYdFCxEvF+seRj2x6pnTGfSjY11T7sV7WyslFoIbYSG4AacHwY1JBjfKZkImGaVB48iSwtnm5Q8YtE2AdWgyZjSu+8STMdc+kYzFOuiSMdc+kYzFOsBmO4HQszLefzdEYja19HjdG0G03QOMtg/TOghYjVznOWpC73RsQ9q8rpKJnaDlz57FuMCMza2jUN6Gqdx2OldgdGsh0l1If/mu4qJ8t6ILBa5TvkQv4TpZ+kooPbr8GM389hwHB3el5Mg4RjYB7EBJj1DSYpTSYyYb9W3uYWkIBMam57BhjVJqxymRILhJpunMT7kx5MMDyiRTD7cVSI2TIVck3KGMMAfRaK7i9jAk2R5uvOPZNZPraQxhMcMR7CKH0Kq8/nT5sEEcW2Oe1Vk6R+6zEK/Tjk365XzPO0w6VqtKlp/w16MzsCqixKMs/wvHZutYU8R5W5HFcaVi2i4CdmhV05NLZ3Lg6l2loB8t6cdHuntZGVZeIZ1LNFXuIt3zBYOF95VkdDedOQyrjyhun1LzHlvu3omLYTDHZ5i0DV/XPNckcUagRm95uGnXLhuME+Ku3bVPuPZYB51rd+0Trj3WQefa4+0uSor23w3RTYTzzWrMt8dv8BDjNwy8uwSNt3pW1VbHFvvndZW0IUwC8p4E/QaibTqr+qHiNm7V9yVtLU7IkPCnboEHCWM4sWXZXfb4NjsWLjVl9NtoYA4ZV26f69XfKQXX+03KiFJzBbJqQ96k7LqnN6dKrc2kOUr0lDbqQ+hUSqRF7ycFplnPK8l7laQ/0eKSeadWV3Z25vW1uzq+FDcLpxkrC/CWSlwDnOMh2oE8kWAFVHI2c9Bpxuj0WJ+doqJM6SsMzb0OExAi4fgVE4n8YzMGtwx/hbEZW48MLTsd/4S0LdjdtFUZDwC4wFAjHgC49okAINZBFwC49okAIIrAIfTsiefmEzc4ChM3DP03U7it0tt3y2mJL2Jvm+lV10RXKf8tIUNiWyHgiwq86MNfFWeYS3Msxa63Ukz4zz1hcCZqLkZgJF2WI+jne5qFdtplTfe
U1osAO63QOY49oJ2hw9/klIqq9StllCZQC6UEdCCX9jDpt+aAjfktEP8A7KTj2pczEtIEPsaZg4Y1TsmOU5rhvP
"deleted": false,
"disable_correlation": false,
"timestamp": "1483344708",
"to_ids": false,
"type": "attachment",
"uuid": "586a0b44-3b80-433c-9069-3b4ebce2ab96",
"value": "Blacknurse_v.1.7.pdf"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1479210539",
"to_ids": false,
"type": "comment",
"uuid": "582af62b-a4a4-46b6-bee0-441b950d210f",
"value": "\u201cWe recommend that you grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic. See RFC 1195 and RFC 1435 for details about Path MTU Discovery.\u201d"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483344746",
"to_ids": false,
"type": "link",
"uuid": "586a0b6a-224c-45d7-a53f-4060bce2ab96",
"value": "http://www.blacknurse.dk/"
}
]
}
}