Upgrading Apache, unmet dependencies

I use a couple of Ubuntu Linux virtual machines via VMWare Fusion (OSX) for security testing. Some of the security tools have a web interface. Because I want to test with different environment setups I have /var/www/ mounted via Shared Folders on the host OSX. This has as advantage that

Files are stored centrally (on the host OS) Different environments can use the same files and configuration (if stored in /var/www) I can use nativeRead more.

Monitor your public assets via Shodan

Shodan is a powerful tool for doing passive reconnaissance. It’s also a great source of information that you can put to good use to monitor your publicly available assets. Shodan acts as a search engine (also see: : What is Shodan.io?), whatever that is connected to the internet will get indexed by their crawlers.

I wrote a script that takes one parameter (ideally a string) and

Fetches the information that is available at Shodan forRead more.

Submit malware samples to VMRay via MISP

I’m a happy user of MISP, Malware Information Sharing Platform & Threat Sharing. MISP core already contains a lot of features to satisfy your needs when it concerns threat and information sharing. But there’s always room for improvement. If you submit a feature request, MISP can be extended with your request. However changing the core is not always desirable. Also sometimes you want some feature to work just the way you want it, this doesn’tRead more.

Malware scanning of web directories with OWASP WebMalwareScanner

One of the recent incidents I had to handle involved a compromised webhost. This allowed me to do some Exploring webshells on a WordPress site. In the aftermath of the investigation I searched for tools that could have improved my tasks (evaluating which files might have been compromised).

One of the approaches I had in mind was take a hash of every file and then verify that hash with Virustotal. This would have worked inRead more.

Using Bro for building Passive DNS data

Passive DNS describes an historical database of DNS resolutions. I’ve written a previous post on Using Passive DNS for Incident Response, more specifically combining it with Moloch.

If you run your own corporate -internal- nameservers it makes sense to monitor what domains have been queried and what results were returned in the past. You can use the collection of internal queries for future incident response. You can use this collected information to cross-check with informationRead more.

Using the Digital First Aid Kit for Incident Response

Dealing with security incidents is always a collaborative process, involving both your constituency and external players. There are a number of tools that help you with detecting (and preventing) incidents. One of those tools is for example the MISP – Malware Information Sharing Platform & Threat Sharing

But once you have an incident … how you deal with it? Everyone has (or should have) written their own incident response procedures but did you know thatRead more.

Doing open source intelligence with SpiderFoot (part 2)

I did an earlier post on gathering open source intelligence with SpiderFoot. This post is a small update to incorporate the new version of Spiderfoot that was released recently.

A new version of Spiderfoot was recently released, including some extra modules. In my earlier post I described how I adjusted and added some modules. The new release of Spiderfoot contains part of my changes to the XForce module.

My initial change to Spiderfoot included aRead more.

HTTP 304 and Apache sinkhole

This is a short post, put here as a “reminder to self” on browser caching.

A colleague recently set up an HTTP sinkhole with Apache. The setup redirected all the user requests to one specific resource.

When deploying the sinkhole, the web server logs showed that the first requests where logged with HTTP status code 200 (“OK”). The next requests however were logged with HTTP status code 304 (“Not Modified”).

The HTTP 304 code basicallyRead more.

Proper Script Management: A Practical Guide

I had a guest post published on Proper Script Management: A Practical Guide.

The post lists some best practices when developing your scripts and how to measure the performance of your scripts.

Stay Up-to-Date on Security News with OPML feeds

In 2015 I did a posting on the Security Intelligence blog on How to Stay Up-to-Date on Security Trends. The post describes how you can streamline the process of following different news and threat information channels, classify them and bring them to good use.

One of the tools that you can use is RSS feeds. I personally use a setup of fever to grab different RSS feeds and then have them delivered in one centralRead more.