Sandfly Types

Sandfly Types

Sandfly uses high level types to categorize the types of threats that can be seen on a host. These categories are:

  1. File
  2. Process
  3. User
  4. Directory
  5. Log
  6. Policy
  7. Incident
  8. Recon
  9. Custom

These categories cover the compromise elements you're likely to see on Linux. These types are described below.

File Sandflies

File type attacks are those that show suspicious signs of compromise that affect files on a Linux hosts. This can include items such as suspicious binaries, out of place system files, modified configuration files and the like.

File attacks are very common with Linux compromises. Usually attackers will replace, modify, move, or try to obscure files once on a host. Sandfly has a variety of ways to detect this behavior.

Process Sandflies

Process attacks are those involving anything suspicious that is a running executable on the system. This can include malware activity, or even normal system processes that are being used in unusual ways. This also includes processes being used for unusual or suspicious network activity or processes trying to hide their presence on the host.

User Sandflies

Attackers that gain access to a host often do many things with user accounts that look suspicious. For instance they will alter history files, put in backdoors into login scripts, or perform other operations that are unusual for a user. Sandfly looks for user level attacks and can report on them to help isolate compromised accounts.

Directory Sandflies

Directory attacks normally include anything an attacker may do to try to hide or obscure the presence of a directory. When a host is compromised many attackers will setup a hidden or suspicious directory to hide their tools and data. They may also load up stealth rootkits to hide these directories even further. Sandfly can detect these and other types of attack. Often Sandfly will give you the full path to the suspicious directory so you can investigate and see what an attacker may have been up to on the host.

Log Sandflies

Attackers that gain access to a host often try to conceal the activity by altering or deleting critical system audit logs. Sandfly has a variety of ways we can check for missing, altered, or damaged system log files that indicate someone is actively trying to conceal their presence.

Policy Sandflies

Policy sandflies are checks that may not be compromises in a strict sense, but could be mis-configurations that could lead to compromise. For example, open permissions on critical system files under /etc. Or systems that allow root login over SSH.

Sometimes policy sweeps may catch live malware as well. Often malware will install itself and deliberately make the system insecure on purpose to allow remote access. These checks can help you flag systems that suddenly show insecure changes which weren't present before.

By default these checks are disabled, but you may want to review them and enable them as you think is appropriate for your installation. They can be useful not only to find malware that may have changed a system, but also users that could have done things to make a system insecure which could cause trouble.

Incident Sandflies

Incident sandflies are special. They normally are deep dive investigation modules that have a higher system impact than normal sandflies designed for Incident Response (IR) or for users wishing to take a closer look at a computer.

Incident sandflies generally would be run for IR, or periodically by hand to look for signs of problems outside common system areas. These sandflies will cause longer CPU and disk spikes in activity. It is likely you'll notice them running on the remote host on your system monitoring tools vs. regular sandfly checks.

It is also possible that incident sandflies can generate false positives due to the extensive nature of their analysis and where they look for trouble. They bias towards reporting anything wrong and are less discriminating vs. regular sandflies.

With the above in mind, running incident sandflies every now and then manually is not a bad idea just to be sure all corners of your systems are being checked.

Recon Sandflies

Reconnaissance (Recon) sandflies are designed to gather system information in a passive way that is not looking for an attack, but uses the data to feed into backend analysis engines that can apply Machine Learning (ML) and other techniques to spot problems. Recon sandflies will run on a host and grab all process, user and other data if enabled. This data can then be used by a Security Information Event Management (SIEM) tool like Splunk and others to build trends over time.

By default, Recon sandflies are not enabled by default. They can generate a lot of data and unless you are using the information for analytics purposes you might not want to enable them. When enabled though, they will always run on the remote system whenever Sandfly logs into the host and grab the latest information for use.

Custom Sandflies

Sandfly allows you to create custom sandfly checks of your own. Any custom sandfly checks you create will be visible under this tab.


Did this page help you?