During our time at Black Hat Asia, we made sure Snort ML (machine learning) was enabled. And it was definitely worth it. We had multiple triggers of the new Snort feature, where it was able to detect a potential threat in the query parameters of an HTTP request. Let us dive into this new detection and see what it found!

Looking at the events, we can see multiple different IPs from a training class and one on the General Wi-Fi network triggering these events.

Investigating the event with the 192 address, we can see what it alerted on specifically. Here we can see that it alerted on the ‘HTTP URI’ field having the parameter of ‘?ip=%3Bifconfig’ (%3B is the URL-encoded semicolon, so the decoded value is ‘;ifconfig’). This looks like an attempt to chain the ifconfig command onto whatever the server runs with the ‘ip’ parameter. This is usually done after a webshell has been uploaded to a site; the shell is then used to enumerate the host it is on or to do other tasks, such as obtaining a reverse shell for more interactive access.

In the packet data we can see the full request that was made.

Looking at another host that was in a training, we can see that the Snort ML signature fired on another command as well. This is exactly what we want to see: we now know that the signature is able to inspect different HTTP parameters and determine whether they are a threat. In this example, we see the attacker trying to read a file using the command ‘cat’ followed by the file path.

With this investigation, I was able to determine that the general Wi-Fi user was a part of the class, as they were attacking the same IP addresses as the rest of the class. This was interesting because it was a class on pwning Kubernetes cluster applications. We were able to ignore this specific instance as it is normal in this context (we call this a ‘Black Hat’ positive event), but we never would have seen these attacks without Snort ML enabled. If I had seen this come up in my environment, I would consider it a high priority for investigation.
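The two detections described above (a URL-encoded ‘;ifconfig’ and a ‘;cat <path>’ in a query parameter) can be reproduced with a transparent rule-based check. The following is an added example, not Snort ML or any Cisco code: Snort ML uses a learned model, while this script simply URL-decodes each query parameter (repeatedly, to catch double encoding) and flags a shell metacharacter followed by a command commonly seen in post-exploitation enumeration. The request log lines, client addresses and paths are constructed for the example.

```python
"""Heuristic detector for shell-command injection in HTTP query parameters.

Added example (not Snort ML): a rule-based stand-in that illustrates what the
analyst saw -- a URL-encoded metacharacter (%3B is ';') followed by a command
such as ifconfig or cat inside a query-string parameter value.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Commands frequently seen during host enumeration after a webshell upload
# (non-exhaustive; tune for your environment to control false positives).
SUSPECT_COMMANDS = {"ifconfig", "cat", "id", "whoami", "uname", "ls",
                    "nc", "curl", "wget"}

# A shell metacharacter that can terminate or chain a command, optional
# whitespace, then a command token.
CMD_PATTERN = re.compile(r"[;|&`$(\n]\s*(?P<cmd>[A-Za-z_][\w.-]*)")

# Constructed access-log lines: client, request line, status (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 "GET /cgi-bin/ping?ip=%3Bifconfig HTTP/1.1" 200',
    '203.0.113.11 "GET /cgi-bin/ping?ip=10.0.0.1 HTTP/1.1" 200',
    '203.0.113.12 "GET /view?file=x%3Bcat%20/etc/hostname HTTP/1.1" 200',
    '203.0.113.13 "GET /cgi-bin/ping?ip=%253Bid HTTP/1.1" 200',  # double-encoded
]
LOG_LINE = re.compile(r'^(?P<client>\S+) "(?P<method>\S+) (?P<uri>\S+) ')


def decode_param_value(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, to defeat double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_uri(uri: str) -> List[Tuple[str, str, str]]:
    """Return (parameter, decoded value, command) for each suspicious value."""
    findings = []
    # parse_qsl performs one round of decoding; decode_param_value adds more.
    for name, raw in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        value = decode_param_value(raw)
        for match in CMD_PATTERN.finditer(value):
            cmd = match.group("cmd")
            if cmd in SUSPECT_COMMANDS:
                findings.append((name, value, cmd))
    return findings


def scan_request_log(lines: List[str]) -> List[Dict[str, str]]:
    """Apply inspect_uri to each access-log line and collect alerts."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip, do not crash
        for param, value, cmd in inspect_uri(m.group("uri")):
            alerts.append({"client": m.group("client"), "param": param,
                           "value": value, "command": cmd})
    return alerts


if __name__ == "__main__":
    for alert in scan_request_log(SAMPLE_LOG):
        print(f"{alert['client']} param={alert['param']!r} "
              f"value={alert['value']!r} command={alert['command']}")
```

The check deliberately requires a metacharacter before the command, so a plain value like ‘ip=10.0.0.1’ or a search string containing the word ‘cat’ does not alert; the trade-off is that an injection with no chaining character is missed, which is one reason a learned model such as Snort ML is useful alongside static rules. The double-encoded fourth line is caught only because decoding is repeated, a detail single-pass parsers often get wrong.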
As some extras, we have some dashboard data for you to peruse to see the stats of the FTD. Below is the Security Cloud Control dashboard.

Next, we have the FMC overview. You can see how high the SSL client application volume was and what our encrypted visibility engine (EVE) was able to identify.

Lastly, we have a dashboard on the top countries by IDS events.

Want to learn more about what we saw at Black Hat Asia 2025? Check out our main blog post — Black Hat Asia 2025: Innovation in the SOC — and our other Black Hat Asia 2025 content.
Acknowledgements
Thank you to the Cisco NOC team:
- Cisco Security: Christian Clasen, Shaun Coulter, Aditya Raghavan, Justin Murphy, Ivan Berlinson, and Ryan Maclennan
- Meraki Systems Manager: Paul Fidler, with Connor Loughlin supporting
- ThousandEyes: Shimei Cridlig and Patrick Yong
- Additional Support and Expertise: Tony Iaconbelli and Adi Sankar
Also, to our NOC partners Palo Alto Networks (especially James Holland and Jason Reverri), Corelight (especially Mark Overholser and Eldon Koyle), Arista Networks (especially Jonathan Smith), MyRepublic and the entire Black Hat / Informa Tech staff (especially Grifter ‘Neil Wyler’, Bart Stump, Steve Fink, James Pope, Michael Spicer, Jess Jung and Steve Oldenbourg).

About Black Hat
Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia.
For more information, please visit the Black Hat website.