Introduction to Modbus TCP traffic

Modbus is a serial communication protocol. It is the most widespread used protocol within ICS.

It works in a Master / Slave mode. This means the Master has the pull the information from a Slave at regular times.

Modbus is a clear text protocol with no authentication.

Although it was initially developed for serial communication it is now often used over TCP. Other versions of Modbus (used in serial communication) are for example Modbus RTURead more.

Logging nfsen queries

In two previous posts I covered “What is netflow and when do you use it?” and “Use netflow with nfdump and nfsen“.

Nfsen provides a web interface on netflow data made available via nfdump. Because of the nature of the netflow data it is important to have strict access controls and extensive logging on the nfsen access. You should have a complete access and query log of who did what at any given time.

AccessRead more.

What is netflow and when do you use it?

Netflow is a feature that was introduced on Cisco routers and that provides the ability to collect IP network traffic as it enters or exits an interface. Netflow data allows you to have an overview of traffic flows, based on the network source and destination. Because of this it lets you understand who is using the network, the destination of your traffic, when the network is utilized and the type of applications that consume theRead more.

Intro to basic forensic investigation of a hard drive

For a recent project I had to do a basic forensic investigation of a hard drive. The assignment included two questions :

detect if there were viruses on the system analyzing the surf behavior of one of the users (policy related)

I want to share the steps that I took to do basic forensics on a cloned disk image. This is not an in-depth forensic investigation but it was enough for this assignment.

Read more.

Client side certificate authentication

TLS (Transport Layer Security) and its predecessor SSL provide secure communication over a computer network. The most common use for TLS/SSL is for establishing an encrypted link between a web server and a browser. This allows you to guarantee that all data passed between the browser and the web server is private and not tampered with.

You can use certificates on both sides, the server side and the client side.

Web site certificates, or serverRead more.

Bind DNS Sinkhole, Elasticsearch and Logstash

I wanted to track DNS queries that get send to nameservers that do not serve a particular domain or network. I used a Bind DNS server that logged the query and returned a fixed response. The logs get parsed by Logstash and stored in Elasticsearch for analysis.

Installing bind is easy via the bind9 package :

This will add a new user ‘bind’ and store the configuration files in /etc/bind.

For this setup IRead more.

Using ELK as a dashboard for honeypots

The Elasticsearch ELK Stack (Elasticsearch, Logstash and Kibana) is an ideal solution for a search and analytics platform on honeypot data.

There are various howto’s describing how to get ELK running (see here, here and here) so I assume you already have a working ELK system.

This post describes how to import honeypot data into ELK. The easiest way to get all the necessary scripts and configuration files is by cloning the full repository.

IfRead more.

Use privoxy and Tor for increased anonymity

Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location (from

There are Tor Bundles that you can install but you can also chain Tor through a proxy.

I’ll use an Ubuntu 1214 vmware machine to proxy my traffic.Read more.

Elasticsearch dynamic scripting vulnerability exploit

Update 20140716

“This could allow an attacker to execute OS commands.”. That is the notice on the security page of Elasticsearch.

A vulnerability that allows execution of system commands should always raise concern.

Some people running a public Elasticsearch instance reported cases where attackers were able to upload scripts. It turned out that when Elasticsearch was available on the Internet (port tcp/9200) and had dynamic scripting enabled then users could execute arbitrary scripts.Read more.

Install DionaeaFR web frontend to Dionaea honeypot on Ubuntu

Dionaea is a low-interaction honeypot. It is one of the honeypots that can be deployed through the Modern Honey Network. Next to the MHN dashboard I also wanted some specific data on the Dionaea honeypot. That is where DionaeaFR kicks in.

The installation is described in detail on the github page and on

I had to add some extra packages and settings on a Ubuntu 12.04.4 LTS system. Below is the fullRead more.