Stephen Reese

Network Traffic Capture in Virtual Environments

This post demonstrates how to mirror interfaces on a virtual private server (VPS) in a cloud environment, e.g. a virtual machine (VM) on a hypervisor where you do not have access to the network or virtualization infrastructure on which a network TAP or SPAN port would be available. This technique is used …

Detecting Tor traffic with Bro network traffic analyzer

This entry is a post in a series on identifying Tor (the onion router) network traffic and usage using the Bro Network Security Monitor. To learn more about both projects, please visit the aforementioned links. This post is not to argue the merits of allowing Tor to run on …

Online Information Security Analysis Tools and Resources

A list of sites that analysts may find useful in their day-to-day analysis of indicators and threats. While verifying and searching for new sources, I came across Links and resources for malware samples, Malware Analysis and Incident Response Tools for the Frugal and Lazy, and Free Online Tools for Looking …

Building Apache and ModSecurity from source

This entry describes setting up ModSecurity on a node in order to protect a few WordPress sites I host. There are a slew of guides out there describing ModSecurity builds, but I wanted to leverage the latest ModSecurity and Apache MPM Event packages, which typically are not included in most …

Detecting Tor network traffic with YaF and Python

This entry continues a series of posts on identifying Tor network traffic and usage. The entry will demonstrate how to parse the output of YaF records via mediator using a Python script in order to determine if the SSL certificate values match the pattern of Tor certificates. It is assumed …

Detecting Tor network traffic with SiLK

This entry continues a series of posts on identifying Tor network traffic and usage. This post is not to argue the merits of allowing Tor to run on a network. However, the entry will demonstrate how to create a set of Tor server IP addresses to parse network flow using …

Passive DNS collection and analysis using YaF and Mediator

Passive DNS is a useful tool in any analyst team's toolbox. I have noted several public sensors here, but they only see data (queries and responses) that traverse their sensors. I have been working on setting up passive DNS using Yet another Flowmeter (YaF) and Mediator (YaF to MySQL) to …

Running Moloch

This is an overview of installing and running Moloch on a single host. After seeing the 2013 ShmooCon presentation, I have been looking forward to giving the tool a test-drive. Per the documentation, “Moloch is an open source large scale IPv4 full PCAP capturing, indexing and database system”. It is …

Running SnortAD

I recently fired up a Snort Anomaly Detection instance provided by the SnortAD project and wanted to share my experience for those who might be interested in trying it on their network. SnortAD is the third-generation anomaly detection preprocessor for Snort and is a little different than its predecessors …

Mailing Lists

Here are a few technology and information security related mailing lists that I subscribe to, in no particular order. Leave a comment if you think I missed one. asterisk-users.lists.digium.com beginners.perl.org snort-users.lists.sourceforge.net nessus.list.nessus.org pauldotcom.mail.pauldotcom.com samurai-devel.lists.sourceforge.net …

Podcasts

Here is a list of information technology and security podcasts. Some are technical, others are higher level, so YMMV. They are a source of information that keeps me up to date on what is going on in the information technology realm. If you think of something I have missed, leave a comment …

Decoding XOR payload using first few bytes as key

I recently came across the need to decode an exclusive or (XOR) payload. In my case, the key to de-obfuscating the traffic was the first three bytes of each packet's payload. While it is trivial to decode a single payload, it was not reasonable to do so by hand for a large number of packets. For …

Block Command and Control requests using ASA 5500

I recently came across a blog post demonstrating how to use the Emerging Threats rule sets in order to block malware calls to command and control (C&C) hosts. Using the script referenced in the blog post may work fine, but I want to review and update the rules when I feel …

Amazon S3 Server-Side Encryption using GSUtil

If you would like to enable server-side encryption, which is a relatively new feature, for your Amazon S3 data using GSUtil, then you need to specify the header value when pushing files to their cloud: $ gsutil -h "x-amz-server-side-encryption: AES256" cp /backups/files* s3://bucket Note that server-side encryption protects your data …

Block IRC and other communications with McAfee VirusScan

After seeing some suspicious activity in my McAfee antivirus logs, I learned that the Access Protection functionality, specifically the IRC communication setting, may be able to thwart some of the aforementioned activity. There are a number of useful settings to log or even block attempts that are not enabled by default. A …

Variance in rwfilter results from netflow v5 and YaF

Looking over some NetFlow data, I noticed some variance between the two sensors. Sensor s0 is v5 NetFlow data from a Cisco switch; s1 is from a network tap listening between a Router on a Stick and said Cisco switch. The latter is a capture from YaF listening on a …

Configure SiLK on Linux for NetFlow collection from a Cisco router

This guide walks through configuring SiLK from a source install on a Debian 6 host in order to collect NetFlow data from a Cisco router. The guides here and here written by CERT NetSA are quite good, but they lack some detail specific to the Debian distribution, which required a bit …

Blocking evil with the Enhanced Mitigation Experience Toolkit (EMET)

While experimenting with EMET, I decided to put together a little presentation demonstrating how it can be used to prevent exploitation of a known threat to Acrobat Reader. The presentation first demonstrates the exploit using Metasploit, provides some high-level analysis, and then goes on to describe how EMET can …