At work, our security team uses a SIM to do lots of things, and one of the more important ones is incident response and investigation. Today I was watching events from McAfee ePO and stumbled across the following event:
Destination Address: XX.XX.36.92
File Name: 'Script executed by IEXPLORE.EXE'
((source_address = "XX.XX.36.92") AND
((request_url EndsWith ".js") OR
(request_url EndsWith ".htm") OR
(request_url EndsWith ".html")))
(Note: I did not have to type this all out. It was a short series of mouse clicks in the SIM GUI.)
And it took no time at all to find the firewall log event I was looking for:
Source Address: XX.XX.36.92
Destination Address: XX.XX.121.99
Request Url: http://XX.XX.121.99:80/incs/sfhover.js
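The pivot described above, reproduced as a small Python script. This is added example code, not the author's SIM query and not any McAfee ePO or SIM product API: the event fields, the firewall log line format and the addresses are constructed samples (RFC 5737 ranges stand in for the masked XX.XX addresses). It does the same correlation the GUI query does, with one generalization: the suffix match is applied to the URL path component, so a page fetched with a query string (`index.html?ref=1`) is still caught, which a plain EndsWith on the raw URL would miss.

```python
"""Reproduce the SIM pivot from the post: take the host named in an ePO
'Script executed by IEXPLORE.EXE' event and pull its .js/.htm/.html
requests out of firewall/proxy log lines.

Example code added to the post, not the author's SIM query. The log format
and all sample values below are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed sample: the two ePO event fields the post shows.
# Note the role flip: ePO's *destination* is the workstation that ran the
# script, and that same host is the *source* of the HTTP request in the
# firewall log.
EPO_EVENT = {
    "destination_address": "192.0.2.92",
    "file_name": "Script executed by IEXPLORE.EXE",
}

# Constructed firewall/proxy log lines: "<src> <dst> <url>".
FIREWALL_LOG = """\
192.0.2.92 198.51.100.99 http://198.51.100.99:80/incs/sfhover.js
192.0.2.92 198.51.100.99 http://198.51.100.99:80/images/logo.png
192.0.2.17 198.51.100.99 http://198.51.100.99:80/incs/sfhover.js
192.0.2.92 198.51.100.20 http://198.51.100.20/index.html?ref=1
192.0.2.92 198.51.100.20 http://198.51.100.20/about.htm
192.0.2.92 198.51.100.20 http://198.51.100.20/data.json
"""

# The three suffixes from the post's query.
SCRIPT_SUFFIXES = (".js", ".htm", ".html")

LOG_RE = re.compile(r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<url>\S+)$")


def parse_log(text):
    """Yield (src, dst, url) tuples, skipping lines that do not fit the format."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("dst"), m.group("url")


def url_ends_with(url, suffixes):
    """Suffix match on the URL path only, so '?ref=1' after .html does not
    hide the request (a plain EndsWith on the whole URL would miss it)."""
    path = urlparse(url).path.lower()
    return path.endswith(suffixes)


def pivot(epo_event, log_text, suffixes=SCRIPT_SUFFIXES):
    """The post's query: keep firewall lines whose source is the endpoint from
    the ePO event and whose URL is a script or page fetch."""
    host = epo_event["destination_address"]
    return [
        (src, dst, url)
        for src, dst, url in parse_log(log_text)
        if src == host and url_ends_with(url, suffixes)
    ]


if __name__ == "__main__":
    for src, dst, url in pivot(EPO_EVENT, FIREWALL_LOG):
        print(f"{src} -> {dst}  {url}")
```

Run against the constructed log it returns the three fetches made by 192.0.2.92 (the .js, the .html with a query string, and the .htm), and drops the image, the JSON response and the same script fetched by a different workstation. The first hit is the same kind of record the post pulls out of the SIM: the host from the ePO alert requesting `/incs/sfhover.js`.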
$ wget http://XX.XX.121.99:80/incs/sfhover.js
Connecting to XX.XX.121.99:80... connected.
HTTP request sent, awaiting response... 200 OK
100%[====================================>] 751 --.--K/s
13:12:40 (4.75 MB/s) - `sfhover.js' saved [751/751]
$ cat sfhover.js
for (var i=0; i
It was an onmouseover call that set McAfee off, and in this case, it's benign. Two minutes to run down a possible exploit with code and get back to work. Sorry, but that's just cool.