Splunk, in Cisco CSIRT

I am a big fan of Splunk, I should spend more time playing with the new free version. Here is how Cisco CSIRT team is using it.

Obfuscating Malicious IFrames

This is an interesting discussion about obfuscating malicious IFrames.

DIY Threat Monitoring System, Part 2

This is my Part 2 of DIY, Threat Monitoring System. Here is an example of several connectors to download some public lists and save them internally for further processing.

The script will download the following lists:
CBL, Phishtank, GoogleSafeBrowsing, Dshield, TOR Exit nodes, MalwareDomainList, MalwareURL.


1- You will need to install some perl modules first:
Net::Google::SafeBrowsing::UpdateRequest
XML::RSS::Parser::Lite
LWP::Simple
2- Make sure that you have rsync installed
3- Request access to CBL
4- Request an API key from phishtank
5- Request an API key from Google Safe Browsing
6- Insert the API keys into the script (look for INSERT YOUR KEY HERE)
7- Run the script
8- All downloaded lists are located in one folder /radaar/connectors/temp

Note that the script is a quick and dirty one, any suggestions for enhancements are welcomed.

DIY Threat Monitoring System

Building your own threat monitoring system can be done using the above architecture, you will need to write some connectors and parsers to filter data and check if your IPs or URLs appear in any of the free public databases I am using perl and shell scripts along with Mysql database. Visualization can be done using google charts API, which has nice easy-to-use charts.

If you are a cloud fan, you can use Amazon cloud for your system and Amazon SimpleDB instead of Mysql.

Comments? . . . . . .

More on Security Information Event Management (SIEM)

Anton Chuvakin in his blog is discussing SIEM must-have features, use cases, and different users.

nice reading, in addition to SANS paper on benchmarking SIEM.

Enterprise Open Source Intelligence Gathering

A series of blog entries ( 1, 2, 3) by Tom Eston, about Open Source information gathering has some useful techniques and tools that can be easily used in enterprises for monitoring social media. An overall presentation is available here.

More tools can be found here.

Malicious IPs and URL FREE Databases

Lenny Zeltser is always inspiring me with his topics, he recently published a list of public blocklist or suspected malicious IPs or URLs.

I have my own list below, the issue is how to use these IPs and URLs for your benefits? The answer is a project I am working on, stay tuned.

CBL BlackList: (Spam ip, FREE)

UCEProtect: (Spam ip, FREE)

MS SNDS (Spam ip, FREE)

SpamHaus: (Spam, $$) There are lots of other SPAM databases, just google them..

Malware Domain list: (domains, FREE)
Google safe browsing (domain, FREE)
TOR Exit nodes list (ip, FREE)
Phishtank: (urls, FREE)
DShield: (ip, FREE)
XSS: (url, FREE)
projecthoneypot (FREE)
OpenDNS: (domain, FREE)
Defacement Tracking (Zone-h, Arabic-m, Turk-h, FREE)
Arbor ATLAS: (ip, FREE)
Shadow: (ip, FREE)
SURBL (url, FREE)
dronebl (ip, FREE)
tracker (ip, FREE)

stopbadware (AS, FREE)

FastFluxMonitor (FastFlux, Free)

hpHosts (ip, url, FREE)

Zeus Tracker (FREE)

Fast Flux statistics, from Arbor

Arbor is releasing statistics from their systems and spamtraps for tracking Fast-Flux networks.

Q3, 2009 statistics:

Q2, 2009 Statistics:

Materials, Louisville Infosec 2009

Louisville Infosec 2009 conference videos are available here.