I have been in a few environments where installing a full-blown PCAP analyser is just not possible, so I wrote a Python script that walks through a PCAP file, splits the traffic into IP flows and writes them out as JSON. The output lists the TCP and UDP flows with the amount of traffic uploaded and downloaded, and the script also attempts to map IP addresses to domain names using the DNS lookups found in the same PCAP file.
One problem that all security professionals have is staying ahead of the attacks. Honeypots help in this regard by giving an insight into how attackers go after vulnerable systems. I therefore set out to create a reproducible honeypot system that could be deployed to any target securely and in a repeatable manner.
The two requirements were to automate the installation of the honeypot software and to ship its logs to a central system where they could be analysed.
Below is an analysis of the vDOS database leak. It was done using an ELK stack, which can be found here:
Types of attacks
The pie chart below shows the different types of attack. More than 50% of the attacks were DNS-based, followed by NTP. This doesn't come as a big shock: both protocols run over UDP, so the source address of a request can be spoofed to the victim's, and a small request produces a much larger response, which is easily amplified given the number of misconfigured, openly answering servers on the internet.
vDOS was a booter service run out of Israel that allowed anyone to DDoS victims. In July 2016 Brian Krebs obtained a database dump from the service, giving insight into the techniques used and the victims targeted.
You can see Brian’s posts here:
To analyse the database I've written a Vagrantfile that installs the ELK stack and uses Logstash to load the vDOS log file into Elasticsearch; Kibana can then be used to explore the data.
Lambda
Lambda is an AWS service that runs your functions in response to triggers such as API calls, SNS events or S3 file uploads. The advantage of Lambda is that Amazon takes care of all the infrastructure for you, so all you have to care about is the function. Amazon scales the infrastructure up and down to match the load and, even better, only charges you for the time your function is actually running.
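As an added illustration (not code from the original post), here is the shape of a Python 3 handler that tells those trigger types apart. The field paths are the documented S3 notification, SNS and API Gateway REST proxy event formats; the sample events, and what the handler does with each payload, are constructed for this example.

```python
"""Dispatch an AWS Lambda invocation by trigger type.  Field paths follow the
documented S3 notification, SNS and API Gateway (REST proxy) event shapes; what
each branch does with its payload is a placeholder for this example."""
import json
from urllib.parse import unquote_plus


def classify_event(event):
    """Return (kind, payload): ("s3", [(bucket, key), ...]), ("sns", [message, ...])
    or ("api", parsed JSON body or None).  Raise ValueError for anything else."""
    records = event.get("Records") or []
    if records and "s3" in records[0]:
        # Object keys arrive URL-encoded ("my file.pcap" -> "my+file.pcap"); decode
        # them before use, otherwise the later GetObject on the raw key fails.
        return "s3", [(r["s3"]["bucket"]["name"], unquote_plus(r["s3"]["object"]["key"]))
                      for r in records]
    if records and "Sns" in records[0]:
        return "sns", [r["Sns"]["Message"] for r in records]
    if "httpMethod" in event:                      # API Gateway proxy integration
        return "api", (json.loads(event["body"]) if event.get("body") else None)
    raise ValueError("unrecognised event shape: %s" % sorted(event))


def handler(event, context):
    """Lambda entry point (configured as module.handler)."""
    kind, payload = classify_event(event)
    # Real work would go here, e.g. fetch each S3 object and analyse it.
    summary = {"trigger": kind, "items": len(payload) if isinstance(payload, list) else 1}
    return {"statusCode": 200, "body": json.dumps(summary)}


# Constructed sample events in the documented shapes, trimmed to the fields used.
S3_EVENT = {"Records": [{"eventSource": "aws:s3", "s3": {
    "bucket": {"name": "captures"}, "object": {"key": "my+file.pcap"}}}]}
SNS_EVENT = {"Records": [{"EventSource": "aws:sns", "Sns": {"Message": "{\"alert\": 1}"}}]}
API_EVENT = {"httpMethod": "POST", "path": "/scan", "body": "{\"target\": \"10.0.0.5\"}"}
```

The one non-obvious detail worth remembering from this is the S3 key encoding: the notification carries the key URL-encoded, so a key with spaces or special characters must be decoded before it is used in any further API call.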
Recently I was contacted about an alert popping up on a laptop asking the user to phone a support number because their computer had been compromised. My initial thought was that this was malware, most likely some form of ransomware asking the user to phone the number to get their files back.
After analysing the laptop it turned out to be a much simpler, but still annoying, phishing technique. It looked like the user had clicked an advert on Facebook which redirected them to the phishing page.
Dirty COW (CVE-2016-5195) is the latest vulnerability to be given a brand name and is being dubbed the biggest privilege escalation vulnerability to date on Linux.
The reason for all the hype is the number of devices affected: the bug, a race condition in the kernel's copy-on-write handling of private memory mappings that lets a local user write to files they can only read, has been in the Linux kernel since 2.6.22 (2007) and can be exploited reliably. That's enough background; follow the link above if you want to learn more.
A new, dangerous and widespread vulnerability has been found in the GNU C Library (glibc) and has been nicknamed GHOST after the affected function, gethostbyname(); its real name is CVE-2015-0235.
The work carried out by Qualys (https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability) found that the gethostbyname*() functions in the library are vulnerable to a buffer overflow which, in a program that passes attacker-supplied hostnames to them, can give the attacker remote code execution on the victim; Qualys demonstrated this against the Exim mail server.
“During a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc.
AlienVault by default installs onto a single partition and in some cases the installation errors out; by editing the preseed file you can split the partitioning up with LVM and avoid those errors.
Best practice is to split the filesystem into separate partitions so that filling up /var cannot fill the root partition and take the system down; doing this with LVM lets you add extra disks later on.
As AlienVault can store a lot of data, LVM is extremely useful because it lets you grow partitions on the fly later on.
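The following is an added example of the partman section of such a preseed file, written here for illustration rather than taken from AlienVault's installer. It uses the standard debian-installer partman keys and assumes a single disk, a volume group named vg00, and sizes in MB that you would adjust for your disk (the mount points and sizes are an assumed layout). Everything goes into one LVM physical volume, and the logical volumes are given bounded maximum sizes so that the volume group keeps free extents that can later be handed to /var with lvextend, or topped up by adding a second disk with vgextend.

```text
# Added example, not AlienVault's shipped preseed. Assumed layout: one disk,
# VG "vg00", sizes in MB (min / priority / max); adjust for your hardware.
d-i partman-auto/method string lvm
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
d-i partman-auto-lvm/guided_size string max
d-i partman-auto/choose_recipe select alienvault-lvm
d-i partman-auto/expert_recipe string \
    alienvault-lvm :: \
        512 512 512 ext4 \
            $primary{ } $bootable{ } \
            method{ format } format{ } \
            use_filesystem{ } filesystem{ ext4 } \
            mountpoint{ /boot } \
        . \
        1000 10000 -1 ext4 \
            $primary{ } $defaultignore{ } \
            method{ lvm } vg_name{ vg00 } \
        . \
        8192 10000 16384 ext4 \
            $lvmok{ } in_vg{ vg00 } lv_name{ root } \
            method{ format } format{ } \
            use_filesystem{ } filesystem{ ext4 } \
            mountpoint{ / } \
        . \
        4096 5000 8192 linux-swap \
            $lvmok{ } in_vg{ vg00 } lv_name{ swap } \
            method{ swap } format{ } \
        . \
        20480 20000 40960 ext4 \
            $lvmok{ } in_vg{ vg00 } lv_name{ var } \
            method{ format } format{ } \
            use_filesystem{ } filesystem{ ext4 } \
            mountpoint{ /var } \
        .
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
```

The second recipe entry (max size -1, flagged $defaultignore) is the physical volume that takes the rest of the disk; the entries flagged $lvmok become logical volumes inside vg00. Because none of the logical volumes has an unlimited maximum, whatever is left in the volume group after installation stays unallocated and is available for growing /var when the AlienVault data outgrows it.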
A check plugin for Nagios to monitor processes and their utilisation of system resources.
https://github.com/thomasweaver/check_cpu_proc
This plugin takes a process name and then uses the ps command to work out how much memory and CPU all processes of that name are using, as a percentage. It outputs performance data for CPU usage percentage, memory usage percentage, VSZ, RSS and the number of processes with that name.
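The plugin's own source lives in the repository above. The block below is an added example, not that code, showing the same check logic in Python with the parsing and threshold handling split into pure functions so they can be tested on captured ps output. The ps column list, the threshold semantics (warn/crit on the summed %CPU and %MEM), the exact output wording and the perfdata labels are choices made for this example, and the sample ps output is constructed.

```python
"""Nagios-style check of the CPU and memory used by all processes with a given
name.  summarise() and evaluate() are pure so they can be tested on captured ps
output; main() runs ps for real.  Example code, not the check_cpu_proc plugin."""
import subprocess
import sys

# Headerless columns: command name, %CPU, %MEM, VSZ (KiB), RSS (KiB)
PS_ARGS = ["ps", "-eo", "comm=,%cpu=,%mem=,vsz=,rss="]
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def summarise(ps_output, proc_name):
    """Sum the resource columns over every process whose command name matches
    proc_name exactly.  Split from the right because comm itself may contain
    spaces (e.g. "Web Content"), which a plain split() would mangle."""
    totals = {"cpu": 0.0, "mem": 0.0, "vsz": 0, "rss": 0, "count": 0}
    for line in ps_output.splitlines():
        parts = line.rsplit(None, 4)
        if len(parts) != 5 or parts[0] != proc_name:
            continue
        totals["cpu"] += float(parts[1])
        totals["mem"] += float(parts[2])
        totals["vsz"] += int(parts[3])
        totals["rss"] += int(parts[4])
        totals["count"] += 1
    totals["cpu"], totals["mem"] = round(totals["cpu"], 2), round(totals["mem"], 2)
    return totals


def evaluate(totals, proc_name, warn_cpu, crit_cpu, warn_mem, crit_mem):
    """Return (exit_code, output line) following the Nagios plugin conventions:
    status word, human-readable message, '|', then space-separated perfdata in
    label=value[UOM];warn;crit;min;max form.  No matching process is CRITICAL."""
    if totals["count"] == 0:
        return CRITICAL, "CRITICAL - no process named %s is running" % proc_name
    status = OK
    if totals["cpu"] >= crit_cpu or totals["mem"] >= crit_mem:
        status = CRITICAL
    elif totals["cpu"] >= warn_cpu or totals["mem"] >= warn_mem:
        status = WARNING
    label = ["OK", "WARNING", "CRITICAL"][status]
    perf = ("cpu=%.2f%%;%s;%s;0;100 mem=%.2f%%;%s;%s;0;100 vsz=%dKB rss=%dKB procs=%d"
            % (totals["cpu"], warn_cpu, crit_cpu, totals["mem"], warn_mem, crit_mem,
               totals["vsz"], totals["rss"], totals["count"]))
    return status, "%s - %s: %d process(es), cpu %.2f%%, mem %.2f%% | %s" % (
        label, proc_name, totals["count"], totals["cpu"], totals["mem"], perf)


# Constructed ps output in the column order PS_ARGS produces (not a real system).
SAMPLE_PS = """\
systemd        0.0  0.1   22528   9380
nginx          0.3  0.2   55000   5200
nginx          1.2  0.4   60000   9800
nginx          0.7  0.3   58000   7600
Web Content    4.5  3.1  900000 250000
"""


def main(argv):
    if len(argv) != 6:
        print("usage: check_proc <name> <warn_cpu> <crit_cpu> <warn_mem> <crit_mem>")
        return UNKNOWN
    name, thresholds = argv[1], [float(x) for x in argv[2:]]
    try:
        ps_out = subprocess.run(PS_ARGS, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        print("UNKNOWN - could not run ps: %s" % exc)
        return UNKNOWN
    code, message = evaluate(summarise(ps_out, name), name, *thresholds)
    print(message)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two details matter in practice: the check exits CRITICAL rather than OK when nothing matches, since a process monitor that reports "0% CPU" for a dead service is worse than useless, and the command name is matched exactly so that a check for "nginx" is not inflated by some unrelated "nginx-exporter".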