Monday, November 30, 2009

Splunk, in Cisco CSIRT


I am a big fan of Splunk, I should spend more time playing with the new free version. Here is how Cisco CSIRT team is using it.

Tuesday, November 24, 2009

Monday, November 16, 2009

DIY Threat Monitoring System, Part 2

This is my Part 2 of DIY, Threat Monitoring System. Here is an example of several connectors to download some public lists and save them internally for further processing.

The script will download the following lists:
CBL, Phishtank, GoogleSafeBrowsing, Dshield, TOR Exit nodes, MalwareDomainList, MalwareURL.


1- You will need to install some perl modules first:
Net::Google::SafeBrowsing::UpdateRequest
XML::RSS::Parser::Lite
LWP::Simple
2- Make sure that you have rsync installed
3- Request access to CBL
4- Request an API key from phishtank
5- Request an API key from Google Safe Browsing
6- Insert the API keys into the script (look for INSERT YOUR KEY HERE)
7- Run the script
8- All downloaded lists are located in one folder /radaar/connectors/temp

Note that the script is a quick and dirty one, any suggestions for enhancements are welcomed.

Thursday, November 12, 2009

DIY Threat Monitoring System

Building your own threat monitoring system can be done using the above architecture, you will need to write some connectors and parsers to filter data and check if your IPs or URLs appear in any of the free public databases I am using perl and shell scripts along with Mysql database. Visualization can be done using google charts API, which has nice easy-to-use charts.
If you are a cloud fan, you can use Amazon cloud for your system and Amazon SimpleDB instead of Mysql.

Comments? . . . . . .

Wednesday, November 11, 2009

More on Security Information Event Management (SIEM)

Anton Chuvakin in his blog is discussing SIEM must-have features, use cases, and different users.
nice reading, in addition to SANS paper on benchmarking SIEM.

Thursday, November 5, 2009

Enterprise Open Source Intelligence Gathering


A series of blog entries ( 1, 2, 3) by Tom Eston, about Open Source information gathering has some useful techniques and tools that can be easily used in enterprises for monitoring social media. An overall presentation is available here.

More tools can be found here.

Tuesday, November 3, 2009

Fast Flux statistics, from Arbor

Arbor is releasing statistics from their systems and spamtraps for tracking Fast-Flux networks.

Q3, 2009 statistics:



Q2, 2009 Statistics: