What is netflow and when do you use it?

Netflow is a feature that was introduced on Cisco routers and that provides the ability to collect IP network traffic as it enters or exits an interface. Netflow data allows you to have an overview of traffic flows, based on the network source and destination. Because of this it lets you understand who is using the network, the destination of your traffic, when the network is utilized and the type of applications that consume theRead more.

Intro to basic forensic investigation of a hard drive

For a recent project I had to do a basic forensic investigation of a hard drive. The assignment included two questions :

detect if there were viruses on the system analyzing the surf behavior of one of the users (policy related)

I want to share the steps that I took to do basic forensics on a cloned disk image. This is not an in-depth forensic investigation but it was enough for this assignment.

Read more.

Client side certificate authentication

TLS (Transport Layer Security) and its predecessor SSL provide secure communication over a computer network. The most common use for TLS/SSL is for establishing an encrypted link between a web server and a browser. This allows you to guarantee that all data passed between the browser and the web server is private and not tampered with.

You can use certificates on both sides, the server side and the client side.

Web site certificates, or serverRead more.

Bind DNS Sinkhole, Elasticsearch and Logstash

I wanted to track DNS queries that get send to nameservers that do not serve a particular domain or network. I used a Bind DNS server that logged the query and returned a fixed response. The logs get parsed by Logstash and stored in Elasticsearch for analysis.

Installing bind is easy via the bind9 package :

This will add a new user ‘bind’ and store the configuration files in /etc/bind.

For this setup IRead more.

Using ELK as a dashboard for honeypots

The Elasticsearch ELK Stack (Elasticsearch, Logstash and Kibana) is an ideal solution for a search and analytics platform on honeypot data.

There are various howto’s describing how to get ELK running (see here, here and here) so I assume you already have a working ELK system.

This post describes how to import honeypot data into ELK. The easiest way to get all the necessary scripts and configuration files is by cloning the full repository.

IfRead more.

Use privoxy and Tor for increased anonymity

Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location (from https://www.torproject.org/).

There are Tor Bundles that you can install but you can also chain Tor through a proxy.

I’ll use an Ubuntu 1214 vmware machine to proxy my traffic.Read more.

Elasticsearch dynamic scripting vulnerability exploit

Update 20140716

“This could allow an attacker to execute OS commands.”. That is the notice on the security page of Elasticsearch.

A vulnerability that allows execution of system commands should always raise concern.

Some people running a public Elasticsearch instance reported cases where attackers were able to upload scripts. It turned out that when Elasticsearch was available on the Internet (port tcp/9200) and had dynamic scripting enabled then users could execute arbitrary scripts.Read more.

Install DionaeaFR web frontend to Dionaea honeypot on Ubuntu

Dionaea is a low-interaction honeypot. It is one of the honeypots that can be deployed through the Modern Honey Network. Next to the MHN dashboard I also wanted some specific data on the Dionaea honeypot. That is where DionaeaFR kicks in.

The installation is described in detail on the github page and on http://bruteforce.gr/visualizing-dionaeas-results-with-dionaeafr.html.

I had to add some extra packages and settings on a Ubuntu 12.04.4 LTS system. Below is the fullRead more.

Automatic Check of Expiration Date of GPG keys

After Heartbleed I wrote a small python script to have an automatic check of certification expiration date. The script is hosted on Github.

Next to SSL certificates there are also GPG keys that can (but do not have to) have an expiration date. If you manage a lot of (personal or shared) keys it can become difficult to keep track of expired or soon to be expired keys.

So I wrote a similar python scriptRead more.

Automatic Check of Expiration Date of Certificates

After Heartbleed and generating lots of different new certificates I searched for a tool that sends me an alert when a certificate is about to expire. Basically I need an automatic check of expiration date of certificates. My requirements were

daily checks; notification by email; check for certificates on internal and external network; check for certificates on non-web service (imap, pop, …).

There are a couple of tools that cover part of my requirements butRead more.