ATI Update ATI-2020-19

New Protocols & Applications (2)

Name | Category | Info
HTTP/3 Sept 2020 | Data | A simulation of HTTP/3 as used by default in the Chromium web browser. The traffic is carried in UDP packets. The simulation uses Google QUIC version 46 as the transport layer and QUIC Crypto in place of a standard TLS handshake (the Google-QUIC design; IETF QUIC later standardized on TLS 1.3 for this role).
wsd | Security | Web Services Dynamic Discovery (WS-Discovery) is a technical specification that defines a multicast discovery protocol to locate services on a local network. It operates over TCP and UDP port 3702 and uses the IP multicast address 239.255.255.250. As the name suggests, communication between nodes uses web services standards, notably SOAP-over-UDP.

New Superflows (12)

Name | Category | Info
ClientSim Radsec Accounting | Authentication | Simulates a RADIUS ClientSim Accounting exchange carried over Transport Layer Security (TLS) on TCP (RadSec). The client uses the RADIUS Accounting protocol.
ClientSim Radsec Authentication | Authentication | Simulates a RADIUS ClientSim Access exchange carried over TLS on TCP (RadSec). The client authenticates to the server with RADIUS PAP.
FTP 1MB File Download Simple | Data Transfer/File Sharing | Simulates an FTP session in which a client downloads a 1 MB file from the server.
Gmail 21KB Message | Email/WebMail | Simulates Google Mail, where a message with a 21 KB attachment is sent and a response is received.
Google Quic access Youtube Website | Data Transfer/File Sharing | Simulates a user accessing the YouTube website for the first time using the Google Chrome browser on Windows.
HTTP/3 access Google Maps Website - 0 RTT | Data Transfer/File Sharing | Simulates a user returning to the Google Maps website shortly after a previous visit, using the Google Chrome browser on Windows, so the connection resumes with a 0-RTT handshake.
HTTP/3 access Google Maps Website - 1 RTT | Data Transfer/File Sharing | Simulates a user accessing the Google Maps website for the first time using the Google Chrome browser on Windows, with a full 1-RTT handshake.
POP3-Advanced Message size: 256-512 bytes | Email/WebMail | Simulates POP3 Advanced, where the client establishes a POP3 session and then retrieves a message of 256-512 bytes from a POP3 server.
TLSv1.2 HTTP Standard Response Size 10KB | Testing and Measurement | Simulates HTTP client-server communication where the client sends a GET request and the server answers with a 200 OK response carrying a standard 10 KB (10240-byte) payload. TLSv1.2 with the cipher suite SSL_RSA_RC4_128_MD5 is used for traffic encryption (note that RC4 suites are prohibited for TLS by RFC 7465, so this superflow exercises a legacy configuration).
TLSv1.2 HTTP Standard Response Size 100KB | Testing and Measurement | Simulates HTTP client-server communication where the client sends a GET request and the server answers with a 200 OK response carrying a standard 100 KB (102400-byte) payload. TLSv1.2 with the cipher suite SSL_RSA_RC4_128_MD5 is used for traffic encryption (RC4 suites are prohibited for TLS by RFC 7465; see the 10KB entry).
WS-Discovery | Security | Simulates the WS-Discovery protocol in ad-hoc mode: a target service sends a Hello message, the client sends Probe and Resolve messages, the target service replies with the corresponding ProbeMatch and ResolveMatch messages, and finally sends a Bye message.
WS-Discovery Fault Message | Security | Simulates the WS-Discovery protocol where the client sends a malformed message and receives the standard, amplified reply.

New Application Profiles (1)

Name | Info
School From Home Traffic Mix | Traffic simulating the mix of applications that contributed to a significant rise in global internet traffic due to the shift to school-from-home in 2020.

New DDoS (2)

Name | Category | Info
DDoS WS-Discovery Reflection (Initiator + Reflector) | Security | This denial-of-service attack represents a DDoS WS-Discovery reflection attack in which a request payload of at least 18 bytes (initiator) is answered with an amplified 1953-byte response (reflector), an amplification factor of roughly 108x. The client is the reflector here.
DDoS WS-Discovery Reflection (Reflector) | Security | This represents the reflector portion of a DDoS WS-Discovery reflection attack, where reflectors send large 1953-byte responses. The client is the reflector here.
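The WS-Discovery entries above (the wsd protocol, the two WS-Discovery superflows and the two reflection DDoS components) all turn on the same mechanism: a small multicast Probe on UDP/3702 and a much larger reply. The following is an added example written for this page, not ATI or BreakingPoint code. It builds a minimal WS-Discovery 1.0 Probe as a client would multicast it, computes the amplification factor from the 18-byte request and 1953-byte response quoted above, and classifies flow records so that normal LAN discovery is left alone while spoofed inbound probes and amplified replies leaving the site are flagged. The site prefix, the flow record fields and the sample flows are constructed for illustration.

```python
"""Added example, not ATI or BreakingPoint code: a WS-Discovery Probe builder,
the amplification arithmetic behind the reflection strikes, and a flow-record
check that separates LAN discovery from reflection traffic.
The site prefix, Flow fields and SAMPLE_FLOWS are constructed for illustration."""
import ipaddress
import uuid
from dataclasses import dataclass
from typing import List, Optional, Tuple

WSD_PORT = 3702
WSD_MCAST = "239.255.255.250"
NS_SOAP = "http://www.w3.org/2003/05/soap-envelope"
NS_WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
NS_WSD = "http://schemas.xmlsoap.org/ws/2005/04/discovery"


def build_probe(message_id: Optional[str] = None) -> bytes:
    """SOAP-over-UDP Probe a client multicasts to 239.255.255.250:3702 (WS-Discovery 1.0)."""
    mid = message_id or f"urn:uuid:{uuid.uuid4()}"
    xml = (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<s:Envelope xmlns:s="{NS_SOAP}" xmlns:a="{NS_WSA}" xmlns:d="{NS_WSD}">'
        f"<s:Header><a:Action>{NS_WSD}/Probe</a:Action><a:MessageID>{mid}</a:MessageID>"
        "<a:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</a:To></s:Header>"
        "<s:Body><d:Probe/></s:Body></s:Envelope>"
    )
    return xml.encode("utf-8")


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes a reflector emits per byte the initiator sends (18 -> 1953 on this page)."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


@dataclass(frozen=True)
class Flow:
    """One constructed flow record (NetFlow/IPFIX-like)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int


def classify_wsd_flow(flow: Flow, site: ipaddress.IPv4Network) -> Optional[str]:
    """Label a UDP/3702 flow, or return None for ordinary LAN discovery."""
    if flow.proto != "udp" or WSD_PORT not in (flow.src_port, flow.dst_port):
        return None
    src_local = ipaddress.ip_address(flow.src_ip) in site
    dst_local = ipaddress.ip_address(flow.dst_ip) in site
    # Legitimate discovery: a local client probes the multicast group or a local
    # service; ProbeMatch/ResolveMatch replies then flow between local hosts.
    if flow.dst_port == WSD_PORT and src_local and (flow.dst_ip == WSD_MCAST or dst_local):
        return None
    if flow.dst_port == WSD_PORT and not src_local:
        return "inbound-probe-from-internet"      # spoofed initiator packets reaching a reflector
    if flow.src_port == WSD_PORT and not dst_local:
        return "reflected-response-to-internet"   # amplified replies leaving the site
    return None


def detect_reflection(flows: List[Flow], site: ipaddress.IPv4Network) -> List[Tuple[str, Flow]]:
    """Return (label, flow) pairs for every flow that looks like reflection traffic."""
    findings = []
    for flow in flows:
        label = classify_wsd_flow(flow, site)
        if label is not None:
            findings.append((label, flow))
    return findings


SITE = ipaddress.ip_network("10.0.0.0/8")  # constructed site prefix
SAMPLE_FLOWS = [  # constructed records: src, sport, dst, dport, proto, bytes
    Flow("10.1.1.20", 49152, WSD_MCAST, WSD_PORT, "udp", 600),     # normal multicast Probe
    Flow("10.1.1.50", WSD_PORT, "10.1.1.20", 49152, "udp", 1953),  # normal ProbeMatch to the client
    Flow("198.51.100.7", 80, "10.1.1.50", WSD_PORT, "udp", 18),    # spoofed victim address as source
    Flow("10.1.1.50", WSD_PORT, "198.51.100.7", 80, "udp", 1953),  # amplified reply to the victim
]


def reflected_egress_bytes(flows: List[Flow] = SAMPLE_FLOWS, site: ipaddress.IPv4Network = SITE) -> int:
    """Total bytes of amplified replies leaving the site, the number a reflector owner should watch."""
    return sum(f.nbytes for label, f in detect_reflection(flows, site)
               if label == "reflected-response-to-internet")


if __name__ == "__main__":
    print(f"Probe size: {len(build_probe())} bytes")
    print(f"Amplification (18 -> 1953): {amplification_factor(18, 1953):.1f}x")
    for label, flow in detect_reflection(SAMPLE_FLOWS, SITE):
        print(label, flow)
    print("reflected egress bytes:", reflected_egress_bytes())
```

The classifier deliberately keys on site membership rather than on packet size, because the legitimate ProbeMatch in the sample is just as large as the reflected reply; what distinguishes reflection is that a port-3702 conversation crosses the site boundary at all. The amplification factor is why the page's reflector component sends 1953 bytes for an 18-byte trigger.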

New Security Tests (1)

Name | Info
Raccoon Sep 2020 Campaign | This strikelist contains 6 strikes simulating the 'Raccoon Sep 2020 Campaign'.

1. The first strike simulates the download of the Raccoon malware.
2. The second strike simulates the traffic that occurs after execution of the Raccoon malware. The victim issues an HTTPS GET request to the C2 server, and the server replies with a key used for later decryption.
3. The third strike simulates the traffic that occurs after execution of the Raccoon malware. The victim issues an HTTPS GET request to the C2 server, and the server replies with a list of the files to download.
4. The fourth strike simulates the download of the sqlite3.dll file used by the Raccoon malware.
5. The fifth strike simulates the download of the zipped library DLLs used by the Raccoon malware.
6. The sixth strike simulates the traffic that occurs after execution of the Raccoon malware. The victim issues an HTTP POST request to the C2 server containing host information such as hostname, username, operating system version, and hardware details such as CPU and RAM.

It contains the following sequence of strikes:
1) /strikes/malware/apt/raccoon_sep_2020_campaign/malware_0db8ab2d54205ec35a058ce312e1015a0247b2ff.xml
2) /strikes/botnets/apt/raccoon_sep_2020_campaign/raccoon_sep_2020_campaign_info_fetch_command_control.xml
3) /strikes/botnets/apt/raccoon_sep_2020_campaign/raccoon_sep_2020_campaign_url_fetch_command_control.xml
4) /strikes/malware/apt/raccoon_sep_2020_campaign/malware_b423959793f14b1416bc3b7051bed58a1034025f.xml
5) /strikes/malware/apt/raccoon_sep_2020_campaign/malware_93c2ce5fc4924314318554e131cfbcd119f01ab6.xml
6) /strikes/botnets/apt/raccoon_sep_2020_campaign/raccoon_sep_2020_campaign_exfiltration_command_control.xml

# | Strike ID | Name | Description
1 | M20-s1q01 | Raccoon Sep 2020 Campaign - Raccoon Malware File Transfer | This strike simulates the download of the Raccoon malware via an HTTP GET request.
2 | B20-38801 | Raccoon Sep 2020 Campaign - Info Fetch Command and Control | This strike simulates the 'Raccoon Sep 2020 Campaign - Info Fetch Command and Control' traffic that occurs after executing the Raccoon malware.
3 | B20-ufh01 | Raccoon Sep 2020 Campaign - URL Fetch Command and Control | This strike simulates the 'Raccoon Sep 2020 Campaign - URL Fetch Command and Control' traffic that occurs after executing the Raccoon malware.
4 | M20-5sr01 | Raccoon Sep 2020 Campaign - sqlite3.dll Malware File Transfer | This strike simulates the download of the Raccoon sqlite3.dll file via an HTTP GET request.
5 | M20-0pm01 | Raccoon Sep 2020 Campaign - libs.zip Malware File Transfer | This strike simulates the download of the Raccoon libs.zip via an HTTP GET request.
6 | B20-2e301 | Raccoon Sep 2020 Campaign - Exfiltration Command and Control | This strike simulates the 'Raccoon Sep 2020 Campaign - Exfiltration Command and Control' traffic that occurs after executing the Raccoon malware.

New Strikes (2)

CVSS | ID | References | Category | Info
9.0 | E20-11ox1 | CVE-2020-4241, CVSS, CVSSv3, CWE-78 | Exploits | This strike exploits a command injection vulnerability in IBM Spectrum Protect Plus. The vulnerability is due to missing sanitization of injection and invalid characters in the filename parameter. When an attacker sends an HTTP POST request to the "/emi/api/uploadhttpscertificate" URI, command execution can occur.
7.5 | E20-9vhw2 | CVE-2020-14625, CVSS, CVSSv3, CWE-502 | Exploits | This strike exploits an insecure deserialization vulnerability in the Oracle Coherence library, which is used in popular products such as Oracle WebLogic Server. The vulnerability results from insufficient validation of T3 requests in the UniversalExtractor class. A remote, unauthenticated attacker can exploit it by sending a crafted request to a vulnerable server. Successful exploitation leads to remote code execution in the context of the user running the Oracle WebLogic service.
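The first strike above is an instance of CWE-78: a filename taken from an upload request reaches a shell command without sanitization. The following is an added, generic illustration of that pattern beside its hardened form; it is not IBM's code, not the strike, and does not reproduce the exploit. The hypothetical `certtool` command, the `/uploads/` directory and the allow-list are assumptions chosen for the example. The point a practitioner should take away is the pairing: an allow-list on the filename and an argv-style invocation with no shell, rather than a deny-list of metacharacters.

```python
"""Added example, not IBM's code and not the strike: a generic CWE-78 pattern
(unchecked filename interpolated into a shell command) next to a hardened
version. The 'certtool' command, '/uploads/' path and allow-list are assumptions."""
import re
import subprocess
from typing import List

# Allow-list: one path component, starts alphanumeric, no shell metacharacters,
# no leading dot (hidden files) and at most 255 characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")
UPLOAD_DIR = "/uploads"  # hypothetical


def vulnerable_command(filename: str) -> str:
    """The string an unhardened handler would hand to /bin/sh via shell=True.
    Returned, not executed: any ';', '$(...)' or '|' in filename becomes shell syntax."""
    return f"certtool --import {UPLOAD_DIR}/{filename}"


def is_safe_filename(filename: str) -> bool:
    """Allow-list check; '..' is rejected even though the regex admits dots."""
    return bool(SAFE_NAME.match(filename)) and ".." not in filename


def hardened_command(filename: str) -> List[str]:
    """argv for subprocess.run(shell=False): the filename is a single argument
    that no shell ever parses, and it has already passed the allow-list."""
    if not is_safe_filename(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return ["certtool", "--import", f"{UPLOAD_DIR}/{filename}"]


def rejects(filename: str) -> bool:
    """True when the hardened path refuses the filename."""
    try:
        hardened_command(filename)
    except ValueError:
        return True
    return False


def run_hardened(filename: str) -> subprocess.CompletedProcess:
    """Execute the hardened form. shell=False is the default for a list argv,
    stated explicitly here because it is the property being demonstrated."""
    return subprocess.run(hardened_command(filename), shell=False,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for name in ["cert.pem", "cert.pem; id", "$(id).pem", "../../etc/passwd", ".ssh"]:
        print(f"{name!r:24} shell string: {vulnerable_command(name)!r}")
        print(f"{'':24} hardened: {'rejected' if rejects(name) else hardened_command(name)}")
```

Note that the hardened version does two independent things: it refuses anything outside the allow-list, and it never builds a shell string at all. Either alone is weaker; a deny-list of metacharacters is easy to bypass, and an argv invocation without validation still permits path traversal.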

Enhancements

Component | Info
Apps | Added a new checkbox to the generic "Raw Message" action to interpret the input string as base64 encoded. This helps with pcap replay scenarios using the Superflow DSL, where a pcap file is exported to YAML and each packet is sent using a Raw Message action. Values passed to action fields must be XML-friendly, so until now the field accepted only ASCII values; with base64 any arbitrary byte string can be passed.
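The enhancement above exists because a packet body usually contains bytes (NUL, high bytes, `<`, `&`) that cannot be placed in an XML-friendly text field unchanged. The following is an added example, not BreakingPoint code: it reads packets out of a classic libpcap file constructed in memory, decides per packet whether the payload can be passed as plain text, and otherwise emits it base64 encoded with the new flag set, then shows the decode round-trip. The YAML field names (`action`, `base64`, `data`) are assumptions, not the product's Superflow DSL schema, and the three sample packets are constructed.

```python
"""Added example, not BreakingPoint code: export the packets of a pcap as
Raw Message actions, base64-encoding any payload that is not XML-friendly.
The action field names and the in-memory pcap are constructed for illustration."""
import base64
import struct
from typing import List

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
LINKTYPE_RAW = 101        # raw IP, no link-layer header


def write_pcap(packets: List[bytes]) -> bytes:
    """Build a minimal little-endian pcap in memory (24-byte global header,
    16-byte record header per packet) so the example runs without a file."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    records = b"".join(struct.pack("<IIII", i, 0, len(p), len(p)) + p
                       for i, p in enumerate(packets))
    return header + records


def read_pcap(blob: bytes) -> List[bytes]:
    """Return the captured bytes of each record in a little-endian pcap."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    packets, offset = [], 24
    while offset < len(blob):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, offset)
        offset += 16
        packets.append(blob[offset:offset + incl_len])
        offset += incl_len
    return packets


def xml_friendly(payload: bytes) -> bool:
    """True when the bytes can go into an XML/YAML text field as-is:
    printable ASCII plus tab/LF/CR, and none of the markup characters '<' or '&'."""
    return all((32 <= b < 127 or b in (9, 10, 13)) and b not in (0x3C, 0x26)
               for b in payload)


def raw_message_action(payload: bytes) -> dict:
    """One Raw Message action; base64 is switched on only when it is needed."""
    if xml_friendly(payload):
        return {"action": "raw_message", "base64": False, "data": payload.decode("ascii")}
    return {"action": "raw_message", "base64": True,
            "data": base64.b64encode(payload).decode("ascii")}


def decode_action(action: dict) -> bytes:
    """Recover the bytes the action will put on the wire."""
    if action["base64"]:
        return base64.b64decode(action["data"])
    return action["data"].encode("ascii")


def pcap_to_actions(blob: bytes) -> List[dict]:
    return [raw_message_action(p) for p in read_pcap(blob)]


# Constructed sample packets: a plain HTTP request, an XML body, a binary blob.
SAMPLE_PACKETS = [
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"<s:Envelope><s:Body><d:Probe/></s:Body></s:Envelope>",
    b"\x00\x01\x02\xff\xfe\xfdpayload",
]


if __name__ == "__main__":
    for action in pcap_to_actions(write_pcap(SAMPLE_PACKETS)):
        print(action)
```

Only the first packet ships as plain text; the XML body and the binary blob both need the base64 flag, which is exactly the case the old ASCII-only field could not express. Serializing the action dicts to YAML is left to whatever YAML library the export tooling uses.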