I’ve been receiving a few questions on how to produce the AfterGlow diagrams from Cowrie logs, described in an earlier blog post. Instead of repeating myself through email requests, an explanation here will be better. First of all, you will need to decide what you want to visualize. Showing the different attackers targeting a Cowrie […]
Those familiar with port scanning tools (like nmap), have probably heard of the Xmas scan option. This scanning strategy sets some unusual TCP flags, as the man page describes it: Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree. Yesterday, my firewall was systematically scanned with a combination of […]
Installing IDS sensors in your network for monitoring traffic is not always feasible, for several possible reasons. Perhaps the network infrastructure is too complex, leading to blind spots. Maybe the affected network links have higher capacity than your ad hoc IDS sensor, causing packet loss on the sensor. Or your company may be organized in […]
Building a toolbox around threat intelligence can be done with freely available tools. Shared information about malicious behaviour allows you to detect and sometimes prevent activity from – and to – Internet resources that could compromise your systems’ security. I’ve already described how to use lists of malicious domain names in a BIND RPZ (Response […]
Tags:
BIND,
Bro,
comp,
DNS,
firewall,
NetFlow,
network,
ossec,
OTX,
security,
SiLK Comments Off on Threat intelligence: OTX, Bro, SiLK, BIND RPZ, OSSEC |
Read the rest of this entry »
Certain honeypot intruders are quite persistently trying to open outbound SSH tunnels, as described in an earlier article. So far I’ve seen a lot of attempts to open tunnels towards mail server TCP ports 25 (SMTP), 465 (SMTPS) and 587 (submission); web servers on TCP ports 80 (HTTP) and 443 (HTTPS); but also several other […]
As the saying goes, when all you have is a hammer, everything looks like a nail. Well, it’s not that bad, but with a tool like Logstalgia available there’s a pretty low threshold for looking for other ways to use it. So why not try visualizing honeypot login activity? I’ve been running a honeypot for […]
Previously I’ve written about visualizing firewall activity. Revitalizing a fireplot graphing tool gives a nice day-to-day overview, but after being reminded of Logstalgia in this Imgur post I wanted to give live visualization a shot. Logstalgia is a neat tool for visualizing activity, by feeding it log files or live feeds. It’s originally designed for […]
After running a small SSH-only honeypot for a week or so, I’m a bit surprised with the complexity of some of the attempted passwords. The passwords that are most frequently attempted are quite simple, as shown in the top 5 passwords for the root account: root [no password] 123456 synopass !Q@W#E These are less obvious: […]
Did you ever wonder where your network traffic goes (and originates from)? With the SiLK suite and optionally some JavaScript map classes it’s quite easy to find out. SiLK is a tool quite equal to Cisco‘s NetFlow, and SiLK does indeed accept NetFlow output from a router. Just like NetFlow tools, SiLK stores network traffic […]
Inspired by the efforts of a previous Redpill Linpro colleague, Espen Grøndahl, I’ve revived (or rather re-invented) his project “Fireplot”. By analyzing and filtering firewall logs, Fireplot graphs attempts to access blocked firewall ports, visualizing unexpected and unwanted activity towards my network. The Y axis is logarithmic, since activity towards lower ports is often more […]