Ever had the issue where the source IP is not the source IP? With Suricata and Sourcefire you can view the true client source IP and filter out or alert on it. For example, if there’s some known legit scanner Read more…
Threw together a pres on the easiest way to learn IPv6 I could come up with. IPv6_Pres Enjoy, if you’re into this type of stuff.
The folks at MITRE have created yet another awesome tool. CALDERA uses the ATT&CK model to simulate adversary behavior. It’s a great way to generate logs for hunting, or see how your detection stacks up. Here’s how I got it Read more…
Information: A user reported strange computer activity to their support staff. Support was so good that the first thing they did was to snap a memory image before the computer was rebooted. Once the technical staff acquired the memory, they Read more…
I love honeypots and wanted to give opencanary a shot cause I kept hearing how cool it was. It’s written in python, and very easy to configure and extend. The idea is to stick these in various places in your Read more…
Getting around protections with tunnels is very easy, but there are things you can do to detect and prevent them. A few are outlined at the bottom of this post. DNS Tunneling: First you need to set up DNS. Create Read more…
Software versions: Bro 2.5.1 – on Debian 8.9 bro server Logstash 2.2.4 on Debian 8.9 bro server Elasticsearch 2.4.6 on Debian 8.9 ELK server Kibana 4.3.0.9369 on Debian 8.9 ELK server First install Java on both systems: sudo add-apt-repository -y Read more…
This .htaccess blocks bots, search engine index, wget, curl, and access to itself. Enable via /etc/apache2/sites-available/whateversite.conf. <Directory “/var/www/html/whateversite”> AllowOverride All </Directory> .htaccess file. <Files .htaccess> deny from all </Files> RewriteEngine on RewriteBase / RewriteCond %{HTTP_USER_AGENT} AhrefsBot [OR] RewriteCond %{HTTP_USER_AGENT} Read more…
There are a number of things needed to stop ARP poisoning properly in a Cisco environment. DHCP snooping Trusted ports Dynamic ARP inspection A filter for static IPs DHCP snooping prevents rogue DHCP servers and is the groundwork for all Read more…
It’s easy to stop Optionsbleed with mod_security, unless you need HTTP OPTIONS on your web server. If you’re using CRS, you can uncomment rule number 900200 in crs-setup.conf. The idea here is to only allow what needs to be allowed, Read more…