Getting started with MISP, Malware Information Sharing Platform & Threat Sharing – part 1

MISP, or Malware Information Sharing Platform & Threat Sharing, is an open source tool for sharing malware and threat information with the security community. It is available on GitHub and is used by a large number of CERTs and security teams.

This first post describes how to get MISP installed and up and running. The next post describes how you can use MISP to your benefit to share threat information with your …

Recursive curl with Tor on Apple OSX

The Tor Browser Bundle for Apple OSX is a stripped-down Firefox browser that uses a local SOCKS proxy to anonymize its requests.

The SOCKS proxy that is used is tor.real, located at /Applications/TorBrowser.app/TorBrowser/Tor/tor.real.

Anonymous browsing is good, but I needed a command line tool to fetch a web page or web site. More specifically, I wanted to recursively download a website from the command line. Ideally you use wget for this. Unfortunately wget does not …

Use CryptoLocker to train your incident response team (part 3)

This is the third part of a series of posts describing how to train your team for incident response and incident investigations.

The first part for training incident response and incident investigations covered how to analyze the e-mail headers and information in a suspicious e-mail. The second part analyzed the attachment which turned out to be a CryptoLocker.F variant.

The last step of my analysis involved executing the CryptoLocker virus in a fully networked VM. After resetting …

Use CryptoLocker to train your incident response team (part 2)

This is the second part of a series of posts describing how to train your team for incident response and incident investigations.

The first part covered how to analyze the e-mail headers and information in a suspicious e-mail.

The e-mail contained one attachment: koen.vanimpe@c.d.zip. Unzipping the file resulted in a .scr file.

The sha1 is

MD5 is

I uploaded the scr file to VirusTotal for further analysis. So far (22-Feb) no one else has submitted a similar sample. …

Use CryptoLocker to train your incident response team (part 1)

An incident response and incident investigation team needs to be able to quickly extract useful information from an incident. Instead of writing long theoretical documents I wanted to use a hands-on approach as an example of how to train a team to quickly extract IOCs from an ongoing incident. What better way to do this than to analyze the behavior and delivery of CryptoLocker to train an incident response team?

IOCs, or …

Pipal analyses Ten Million Passwords

Mark Burnett recently released a set of passwords with an announcement on his blog in the post Today I Am Releasing Ten Million Passwords.

I used Pipal in the past to analyze WordPress login attempts so I decided to run it against this set.

It is no surprise to see that the top password is 123456. The top two words used to build passwords are password and qwerty.

The average password length is between …

Bind DNS Sinkhole, Elasticsearch and Logstash

I wanted to track DNS queries that get sent to nameservers that do not serve a particular domain or network. I used a Bind DNS server that logged the query and returned a fixed response. The logs get parsed by Logstash and stored in Elasticsearch for analysis.

Installing bind is easy via the bind9 package:

This will add a new user ‘bind’ and store the configuration files in /etc/bind.

For this setup I …

Simple TCP and UDP network server in Python

One of the things that I find lacking in netcat is a timestamp feature. You can log the requests, but you cannot easily log the exact timestamps. Instead of writing a wrapper around netcat I wrote a small Python script that can act as a simple TCP or UDP network server.

A lot of the code is inspired by the code at http://ilab.cs.byu.edu/python/select/echoserver.html and http://www.binarytides.com/udp-socket-programming-in-winsock/.

All of the code can be found on GitHub together …

Analyzing WordPress login attempts with Pipal

I manage a number of WordPress sites. These sites get a lot of login attempts. Instead of dropping these attempts I decided to log them and build some stats.

I also wanted “something” that I could use to play with Pipal. Pipal is a password analyzer that provides useful statistics on a list of passwords. Note that it is NOT a password cracker.

I created a fake WordPress login form (wp-login.php) and installed this on …

Using ELK as a dashboard for honeypots

The Elasticsearch ELK Stack (Elasticsearch, Logstash and Kibana) is an ideal solution for a search and analytics platform on honeypot data.

There are various how-tos describing how to get ELK running (see here, here and here), so I assume you already have a working ELK system.

This post describes how to import honeypot data into ELK. The easiest way to get all the necessary scripts and configuration files is by cloning the full repository.

If …