ipv6: Neighbour table overflow

One of my virtual machines hosted at Gandi had an excessive amount of error messages

The cause of these error messages is the IPv6 router advertisements that try to discover and configure the IPv6 neighbourhood. The excessive number of messages was polluting the logs.

After contacting the Gandi helpdesk they provided insight into the cause of the error messages and provided mitigations to prevent this type of error. I had to update /etc/sysctl.conf with… Read more.

Do Tor exit nodes alter your content? (or is Tor safer than Vodafone?)

The short answer: no, Tor exit nodes do not alter your content.

A recent post by @adrellias got my attention. The link in the post refers to an article where a user spots a case of content (JavaScript) injection by Vodafone. The details can be found in the blog post Am I hacked? Oh, it’s just Vodafone. Needless to say, this is very bad behavior by Vodafone.

Vodafone eavesdrops on your conversation, causing this to… Read more.

Introduction to Modbus TCP traffic

Modbus is a serial communication protocol. It is the most widely used protocol within ICS (Industrial Control Systems).

It works in a Master / Slave mode. This means the Master has to poll the information from a Slave at regular intervals.

Modbus is a clear-text protocol with no authentication.

Although it was initially developed for serial communication, it is now often used over TCP. Other versions of Modbus (used in serial communication) are, for example, Modbus RTU… Read more.

Split terminal on OSX

I use Apple OSX for my day-to-day work. Because of my background with Linux and OpenBSD, the OSX Terminal application is my most “popular” application.

Because I got spoiled by the ease of use of screen on Linux devices, and the basic Terminal app on OSX is fairly limited in its feature set, I was looking for an alternative that runs natively on OSX and provides features similar to screen.

tmux is a terminal application that allows… Read more.

Using different public online malware analyser tools

Analyzing malware and extracting useful detection indicators (Indicators of Compromise, IOCs) for protecting your customers is a recurrent task if you do incident response. If you have your own malware analysis environment and you receive a suspected malicious file, then uploading the file for processing and waiting for the analysis is one of the first steps in this process. However, sometimes you have to rely on using different public online malware analyser tools for getting… Read more.

Recursive curl with Tor on Apple OSX

The Tor Bundle for Apple OSX is a stripped-down Firefox browser that uses a local SOCKS proxy to anonymize the requests.

The SOCKS proxy that is used is tor.real, located at /Applications/TorBrowser.app/TorBrowser/Tor/tor.real.

Anonymous browsing is good, but I needed a command line tool to fetch a web page or web site. More specifically, I wanted to recursively download a website from the command line. Ideally you use wget for this. Unfortunately, wget does not… Read more.

Use CryptoLocker to train your incident response team (part 2)

This is the second part in a post describing how to train your team for incident response and incident investigations.

The first part covered how to analyze the e-mail headers and information in a suspicious e-mail.

The e-mail contained one attachment: koen.vanimpe@c.d.zip. Unzipping the file resulted in a .scr file.

The SHA1 is

The MD5 is

I uploaded the .scr file to VirusTotal for further analysis. So far (22-Feb) no one else has submitted a similar sample. Read more.

Use CryptoLocker to train your incident response team (part 1)

An incident response and incident investigation team needs to be able to quickly extract useful information from an incident. Instead of writing long theoretical documents, I wanted to use a hands-on approach as an example to train a team to quickly extract IOCs from an ongoing incident. What better way to do this than to analyze the behavior and the delivery of CryptoLocker to train an incident response team?

IOCs or… Read more.

Using ELK as a dashboard for honeypots

The ELK stack (Elasticsearch, Logstash and Kibana) is an ideal solution for a search and analytics platform on honeypot data.

There are various how-tos describing how to get ELK running (see here, here and here), so I assume you already have a working ELK system.

This post describes how to import honeypot data into ELK. The easiest way to get all the necessary scripts and configuration files is by cloning the full repository.

If… Read more.

Analyzing MX records for .be domains

In a previous post I did an analysis of the HTTP headers returned by Belgian websites. The list of websites was based on an old Alexa data file and more or less reflected the most ‘popular’ Belgian websites. I have now trimmed these domains to their top-level domain only (so www.site.be and alpha.site.be became site.be) and decided to check what type of MX records are defined for the different domains.

MX records are DNS records that specify a… Read more.