CSA (312-39) SOC Simulation Lab

Step into the role of a SOC Analyst. Analyze raw IDS signatures, understand evasion techniques, and determine the exact threat vector targeting the web infrastructure. You will learn to decode regex patterns to identify malicious payloads.

Scenario Context

You are a Tier 2 SOC Analyst at a mid-sized e-commerce company. The L1 analyst has escalated a cluster of alerts from the Suricata IDS sensor monitoring the external-facing web application. The analyst noted that multiple requests triggered an alert, but the payloads appear garbled in the HTTP GET parameters. They provided you with the IDS rule signature that fired to help you determine what the attacker is attempting.

Security Environment

# SIEM Search Query / Splunk Extract:
index=ids sourcetype=suricata signature_id=2009714
| table _time, src_ip, dest_port, http.url, payload_printable

# Offending Payload Snippet (URL Encoded):
GET /search?q=%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E HTTP/1.1

# Rule PCRE Match Condition:
pcre:"/((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/i"

Note: The regex evaluates the hex-encoded ASCII values alongside standard characters.

Question:

Jane, a security analyst, while analyzing IDS logs, detected an event matching the regex /((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/i.
What does this event log indicate?
Analyst Hint: Translate the hex values in the regex. %3C is '<'. What do %69, %6D, and %67 spell out? What type of attack relies on injecting this specific HTML tag?

Expert Insight: Senior Analyst Debrief

What is happening: The IDS is detecting a threat actor attempting to inject an HTML <img> tag into the application. To bypass simple WAF rules that look for the exact string <img, the attacker is using URL encoding (e.g., %3C for <, %69 for i) and mixed casing (i vs %49, which is uppercase I). The regex is explicitly designed to catch these obfuscation attempts.

Why the correct answer is correct (Option C)

C. XSS Attack: Cross-Site Scripting (XSS) often leverages the HTML <img> tag because it allows an attacker to execute JavaScript without requiring the victim to click anything. By injecting something like <img src=x onerror=alert(document.cookie)>, the browser fails to load the broken image ('x') and immediately triggers the malicious script inside the onerror event handler. The regex maps perfectly to identifying obfuscated <img ... > payloads.

Why the other options are wrong

A. Directory Traversal: This attack attempts to access files outside the web root directory. An IDS signature for traversal would look for patterns like ../, ..\, or their encoded variants (%2E%2E%2F), not HTML image tags.

B. Parameter Tampering: While the payload is technically being inserted into a parameter, "Parameter Tampering" generally refers to manipulating values (like changing an item's price from $100 to $1 in a hidden field). It does not specifically involve injecting HTML/JS elements.

D. SQL Injection: SQLi aims to manipulate database queries. Signatures for SQLi look for SQL syntax characters (', --, ;) and keywords (UNION, SELECT, SLEEP). Injecting an image tag into a database will not cause database command execution.

SOC Mini-Lesson: Reading Evasion Regex

As a SOC Analyst, you cannot just rely on the alert title. You must read the detection logic to confirm false positives vs. true positives.

Let's break down the PCRE (Perl Compatible Regular Expressions):

  • ((\%3C)|<) : Matches the opening bracket, either URL-encoded or raw.
  • ((\%69)|i|(\%49)) : Matches 'i' (lowercase), '%69' (encoded i), or '%49' (encoded uppercase I).
  • ((\%6D)|m|(\%4D)) : Matches 'm', '%6D' (m), or '%4D' (M).
  • ((\%67)|g|(\%47)) : Matches 'g', '%67' (g), or '%47' (G).
  • [^\n]+ : Matches one or more characters other than a newline, i.e. everything between the tag name and the closing bracket (the attributes, such as src and the onerror handler that carries the script).
  • ((\%3E)|>) : Matches the closing bracket.

Takeaway: Attackers know standard signatures exist. They use encoding (Hex/URL), Base64, and case-randomization (<iMg ...>) to evade them. Your SIEM/IDS rules must account for this, just like this Snort/Suricata rule does.
