This is a short post, put here as a “reminder to self” on browser caching.
A colleague recently set up an HTTP sinkhole with Apache. The setup redirected all the user requests to one specific resource.
When deploying the sinkhole, the web server logs showed that the first requests were logged with HTTP status code 200 (“OK”). The next requests, however, were logged with HTTP status code 304 (“Not Modified”).
The HTTP 304 code basically … Read more.
I had a guest post published on Proper Script Management: A Practical Guide.
The post lists some best practices when developing your scripts and how to measure the performance of your scripts.
In 2015 I did a posting on the Security Intelligence blog on How to Stay Up-to-Date on Security Trends. The post describes how you can streamline the process of following different news and threat information channels, classify them and put them to good use.
One of the tools that you can use is RSS feeds. I personally use a setup of fever to grab different RSS feeds and then have them delivered in one central … Read more.
I love MISP, Malware Information Sharing Platform & Threat Sharing. I did three earlier posts on how to use and set up MISP: part 1, part 2 and part 3.
One of the nice new features in MISP is the inclusion of feeds from different open source intelligence feed providers.
How does it work? Basically the feeds are provided as a JSON feed; you can browse them within MISP, import them individually or subscribe to the feed to … Read more.
According to isc.org “Passive DNS” or “passive DNS replication” is a technique invented by Florian Weimer in 2004 to opportunistically reconstruct a partial view of the data available in the global Domain Name System into a central database where it can be indexed and queried.
In practical terms, passive DNS describes an historical database of DNS resolutions. What does this all mean? It means that you can look up to what IP address a domain resolved … Read more.
Open source intelligence is collecting information from publicly available resources. If you are doing incident handling it’s one of the things that will use up a lot of your time. And it can quickly become very tedious. Imagine a list of IPs that you found hosts on your network connecting to. Query different publicly available resources (VirusTotal, Shodan, SANS, Cymon, XForce Exchange, …) for each and every IP and then converting that data into one … Read more.
The short answer: no, TOR exit nodes do not alter your content.
Vodafone eavesdrops on your conversation, causing this to … Read more.
This is the second part of a post on doing open source intel with recon-ng. The first part focused on gathering open source information for user accounts. This second part focuses on gathering domain and host information.
I started with one single domain. I’m interested in what other hosts related to this domain can be found. To do this I use the search command SEARCH domains-hosts.
The list shows modules that use, for example, Baidu, … Read more.
recon-ng is a tool for open source reconnaissance. Reconnaissance is the first phase in a penetration test and it is the act of gathering preliminary data or intelligence on your target.
Recon-ng has a look and feel similar to the Metasploit Framework and provides an easy-to-use interface to gather open source intelligence.
This is a post on doing open source intel with recon-ng. The post is split in two parts:
the … Read more.
I had a post published on the IBM Security Intelligence website: Defending Against Apache Web Server DDoS Attacks. I cover the use of the modules ModSecurity, mod_evasive and Fail2ban for protecting Apache web servers.
If you’re looking for general information on how to deal with DDoS attacks then have a look at the whitepaper DDoS: Proactive and reactive measures. That document serves as a guideline, help and advice for the Belgian public and private … Read more.