Hashing Malicious Packets. Am I thinking too much?

Hello all. Pretty new on my netsec journey. I’ve just finished Security+ and have spent the last week testing a production version of Security Onion. Today I noticed an insane amount of traffic from an unknown public IP. We were getting hundreds of SIP requests and sending back hundreds of “403 error” replies.

As I said, I’m pretty new to cybersec, so my Wireshark reading skills aren’t great, but I did notice that all of the packet captures I looked through were pretty much the same.

Hypothetically, could I just take something such as the userid we were getting from the packet capture, or some other information that identifies these requests, hash it, and add a signature rule in a firewall rejecting the packets matching that hash?

Would this be a stupid idea? I know I could just add a ‘block all’ on that specific IP address, but what if I notice the “attacker” has a specific marker, like the hostname we get being “attacker PC-1”, and I want to block all IPs with that hostid? From how I understand it, the HIDS/NIDS hits on the incoming packet as it contains the hash of ‘userid = attacker PC-1’. Is this way of thinking correct?

I saw someone posting about it somewhere, and I want to see if I understood correctly and make sure that I have the correct thinking process from the point of view of a “cyber security analyst”. Thanks everyone.
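As an added worked example (this is not part of the original post, and not code from Security Onion or any IDS), the script below builds a few constructed SIP REGISTER requests and compares three ways of recognising the scanner the post describes: a literal byte match on the User-Agent value, which is what an IDS `content:` rule option does; a hash of the whole packet; and a hash of one stable header value used as a blocklist lookup. The addresses are RFC 5737 documentation ranges and the “attacker PC-1” User-Agent is taken from the post; everything else (header values, function names) is assumed for illustration.

```python
"""Constructed demonstration: literal content match vs. hashing for SIP requests."""
import hashlib
from typing import Dict, Optional, Set


def make_request(branch: str, call_id: str, cseq: int, user_agent: str) -> bytes:
    """Build a minimal SIP REGISTER request (constructed sample data, RFC 5737 addresses)."""
    return (
        "REGISTER sip:203.0.113.10 SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP 198.51.100.7:5060;branch={branch}\r\n"
        'From: "1001" <sip:1001@203.0.113.10>;tag=a1\r\n'
        "To: <sip:1001@203.0.113.10>\r\n"
        f"Call-ID: {call_id}\r\n"
        f"CSeq: {cseq} REGISTER\r\n"
        f"User-Agent: {user_agent}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()


# Two requests from the same scanner: only the per-request fields (branch, Call-ID, CSeq)
# change between them, as they would in a real flood. The third is a legitimate phone.
SCANNER_1 = make_request("z9hG4bK-0001", "c1@198.51.100.7", 1, "attacker PC-1")
SCANNER_2 = make_request("z9hG4bK-0002", "c2@198.51.100.7", 2, "attacker PC-1")
PHONE = make_request("z9hG4bK-0003", "c3@192.0.2.44", 1, "DeskPhone/3.1")


def parse_sip_headers(raw: bytes) -> Dict[str, str]:
    """Return SIP headers as a lowercase-name -> value dict (request line skipped)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", errors="replace")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def content_match(raw: bytes, pattern: bytes) -> bool:
    """What an IDS `content:` option does: a byte-substring search over the payload.
    No hashing is involved; the rule carries the literal bytes to look for."""
    return pattern in raw


def whole_packet_hash(raw: bytes) -> str:
    """Hash of the entire payload: changes whenever any byte changes."""
    return hashlib.sha256(raw).hexdigest()


def header_hash(raw: bytes, header: str) -> Optional[str]:
    """Hash of one header value only, so volatile fields elsewhere do not matter."""
    value = parse_sip_headers(raw).get(header.lower())
    if value is None:
        return None
    return hashlib.sha256(value.encode()).hexdigest()


def matches_blocklist(raw: bytes, header: str, blocklist: Set[str]) -> bool:
    """Exact-match lookup of a header-value hash against a blocklist of hashes."""
    digest = header_hash(raw, header)
    return digest is not None and digest in blocklist


if __name__ == "__main__":
    ua = b"attacker PC-1"
    for name, pkt in (("scanner 1", SCANNER_1), ("scanner 2", SCANNER_2), ("phone", PHONE)):
        print(f"{name:9} content match: {content_match(pkt, ua)}  "
              f"packet hash: {whole_packet_hash(pkt)[:12]}  "
              f"User-Agent hash: {header_hash(pkt, 'User-Agent')[:12]}")
    blocklist = {header_hash(SCANNER_1, "User-Agent")}
    print("scanner 2 blocked by User-Agent hash:", matches_blocklist(SCANNER_2, "User-Agent", blocklist))
    print("phone blocked by User-Agent hash:    ", matches_blocklist(PHONE, "User-Agent", blocklist))
```

Running it shows the practical point: the two scanner requests hash to different whole-packet digests, so a rule keyed on the hash of a captured packet would never fire again, while a hash of just the User-Agent value is identical across them and works as a blocklist key. That header-hash lookup is, however, exactly equivalent to matching the literal string, which is what a `content:` rule already does with less machinery and with the option of partial matches. Whichever form is used, the matched value is attacker-controlled and free to change, so a marker like this is a cheap supplementary signature, not a substitute for blocking the source address or rate-limiting SIP from untrusted networks.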

Full post on Network Security Noblemen tumblr
