Sharing is caring. SANS / DShield provide a prebuilt Cowrie-based honeypot that's very easy to install.
You can find a tutorial here [1] as well as some old stuff here [2].
So during the holidays/nights/weekends/whatever go install this. It runs well on a Raspberry Pi (and on anything faster, stronger or fancier), so there's no longer any valid excuse not to honeypot!
Your home firewall can also easily be used for honeypotting: just forward the relevant iptables/pf logs to DShield as well. Further details on configuring this can be found here [3].
[1] DShield Honeypot: https://isc.sans.edu/honeypot.html
[2] Peerlyst article "Are you submitting your logs to DSHIELD": https://www.peerlyst.com/posts/are-you-submitting-your-logs-to-dshield-martin-boller
[3] HowTo: Submitting logs to DShield https://isc.sans.edu/howto.html
InfoSec Worrier
Thoughts on InfoSec, Hacking, and Forensics. Occasional rants on Compliance and Vendors.
Monday, December 2, 2019
Monday, August 26, 2019
Windows 10 Evaluation Build 1903 Download for testlab
Keep forgetting the download link to Windows Evaluation Versions?
Basically it's always available at https://software-download.microsoft.com/download/pr/$ISO_NAME
For Windows 10 build 1903 (May 2019) it is:
https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso
sha256sum (or Get-FileHash filename -Algorithm SHA256 | Format-List) should produce:
"ab4862ba7d1644c27f27516d24cb21e6b39234eb3301e5f1fb365a78b22f79b3"
Specifically for Packer:
"variables": {
  "iso_checksum": "ab4862ba7d1644c27f27516d24cb21e6b39234eb3301e5f1fb365a78b22f79b3",
  "iso_checksum_type": "sha256",
  "iso_url": "https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso",
  "autounattend": "./answer_files/10/unattend.xml",
  "disk_size": "61440"
}
The easiest way to find the ISO filename is to register on https://www.microsoft.com/en-us/evalcenter/
Get the name from that download and calculate the hash, then automate the installation (Using Packer or whatever your favorite is).
The same principle applies to Windows Server.
Server 2016: 17763.379.190312-0539.rs5_release_svc_refresh_SERVER_EVAL_x64FRE_en-us.iso
is available at
https://software-download.microsoft.com/download/pr/17763.379.190312-0539.rs5_release_svc_refresh_SERVER_EVAL_x64FRE_en-us.iso
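To make the checksum step enforceable rather than eyeballed, here is an added Python example (not from the post) that streams the SHA-256 of the downloaded ISO, refuses to continue on a mismatch, and emits the same Packer variables as above; the ISO name and hash are the post's 1903 values, and the demo hashes a constructed placeholder file instead of a real ISO.

```python
"""Verify a Windows evaluation ISO against its pinned SHA-256 and build the
matching Packer "variables" stanza. Added example, not from the post."""
import hashlib
import tempfile

# Values taken from the post: the 1903 Enterprise eval ISO name and its SHA-256.
ISO_BASE = "https://software-download.microsoft.com/download/pr/"
ISO_NAME = ("18362.30.190401-1528.19h1_release_svc_refresh_"
            "CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso")
EXPECTED_SHA256 = "ab4862ba7d1644c27f27516d24cb21e6b39234eb3301e5f1fb365a78b22f79b3"


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Stream the file so a multi-GB ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def packer_variables(iso_path, iso_name, expected_sha256, disk_size="61440"):
    """Return the Packer variables dict (keys as in the post) only if the ISO
    on disk matches the pin; raise so a build never starts from a wrong image."""
    actual = sha256_of_file(iso_path)
    if actual != expected_sha256.lower():
        raise ValueError(f"checksum mismatch for {iso_name}: "
                         f"got {actual}, expected {expected_sha256}")
    return {
        "iso_checksum": actual,
        "iso_checksum_type": "sha256",
        "iso_url": ISO_BASE + iso_name,
        "autounattend": "./answer_files/10/unattend.xml",
        "disk_size": disk_size,
    }


def demo():
    """Constructed stand-in for an ISO: a small temp file hashed on the fly.
    Returns (variables for the matching pin, whether the real 1903 pin was rejected)."""
    with tempfile.NamedTemporaryFile("wb") as f:
        f.write(b"constructed placeholder, not a real ISO\n")
        f.flush()
        variables = packer_variables(f.name, ISO_NAME, sha256_of_file(f.name))
        try:
            packer_variables(f.name, ISO_NAME, EXPECTED_SHA256)  # real pin vs fake file
            rejected = False
        except ValueError:
            rejected = True
    return variables, rejected
```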
Tuesday, August 13, 2019
It's about 5 years too late - But let us kill Internet Explorer
<RANT>
When even Microsoft doesn't support it anymore, there's a Window of Opportunity to get the funding to make it happen
Any system that still requires IE is outdated and thus likely a security risk, so identify those and do something about it. Identify the developer or vendor of those applications and have them updated.
If a vendor still only supports IE or Flash or Silverlight, look elsewhere; they're not worth your time and money.
The upgrade recommendation on Github should be read from right-to-left if you want to protect your privacy too:
</RANT>
Sunday, August 11, 2019
DMARC Reporting: Use Parsedmarc with Elastic
If you're worried about hosting your DMARC data (not least the forensic reports) with a cloud provider, or simply want to self-host because you're already running the Elastic Stack or Splunk and want to save the $$ for the provider, there's a tool for you called 'Parsedmarc' [1].
For further information on the tool, please read the description at [1] (it would be stupid repeating all of that here).
For the purpose of installing Parsedmarc on the Elastic Stack, here's a simple shell script to do just that [2].
Prerequisites for the script:
- Python3 Pip
- X-Pack Security - You really should use that, it's part of the Basic License now
- Run the script on the Elasticsearch node on which you want Parsedmarc to run
- I disagree with using Cloudflare for name resolution; if your local DNS resolvers aren't running faster and better than them, you should look into your DNS setup, as well as use RPZs to protect your organization.
And please don't forget to spare a thought (or a dime) for @seanthegeek who made this possible.
Monday, August 5, 2019
Installing logstash-filter-tld plugin for newer Logstash versions
The Logstash tld plugin (logstash-filter-tld) is used to extract the individual labels of an FQDN. This is great for analysis of e.g. domains from a Domain Generation Algorithm (DGA). Unfortunately this plugin does not work on newer Logstash versions (see https://github.com/logstash-plugins/logstash-filter-tld/pull/10).
This is caused by Java version requirements. To make it work, all that is needed is changing that requirement and then (re)building the gem. It takes a few simple steps (shown on Debian below; substitute your distro's package manager).
On the development machine:
- apt-get -y install jruby bundler
- gem install bundler
- git clone https://github.com/logstash-plugins/logstash-filter-tld.git
- cd logstash-filter-tld/
- edit logstash-filter-tld.gemspec with nano (or vi)
- in logstash-filter-tld.gemspec, change the dependency version constraint '= 1.4.6' to '~> 3'
- gem build logstash-filter-tld.gemspec
- /usr/share/logstash/bin/logstash-plugin install --no-verify ./logstash-filter-tld-3.0.3.gem
For the Logstash .conf file(s), here's an example using the tld plugin:
filter {
  tld {
    source => "computer_name"
  }
  mutate {
    rename => { "[tld][domain]" => "highest_registered_domain" }
    rename => { "[tld][trd]" => "sub_domain" }
    rename => { "[tld][tld]" => "top_level_domain" }
    rename => { "[tld][sld]" => "parent_domain" }
  }
}
Take a look at these Logstash configurations too: https://github.com/HASecuritySolutions/Logstash
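To see exactly what the renamed fields contain, here is an added Python example (not the plugin's code) that reproduces the tld filter's label split and the mutate renames above over constructed sample events; the public-suffix set is a small constructed excerpt, not the full Public Suffix List the real plugin uses.

```python
"""The label split a Logstash tld filter performs, reimplemented in Python so
the fields renamed in the .conf above can be checked offline. Added example,
not the plugin's code; PUBLIC_SUFFIXES is a constructed excerpt of the Public
Suffix List, which the real plugin ships in full."""

PUBLIC_SUFFIXES = {"com", "net", "org", "dk", "uk", "co.uk", "org.uk", "github.io"}


def split_fqdn(fqdn, suffixes=PUBLIC_SUFFIXES):
    """Return the tld filter's fields for one hostname, or None if no suffix matches:
    tld (longest matching public suffix), sld (label left of it), domain (sld.tld,
    the registrable domain) and trd (any remaining labels, possibly empty)."""
    labels = fqdn.strip().lower().rstrip(".").split(".")
    # Longest candidate first, so "co.uk" wins over "uk"; n stops at 1 so at
    # least one label is always left over to become the sld.
    for n in range(len(labels) - 1, 0, -1):
        tld = ".".join(labels[-n:])
        if tld in suffixes:
            sld = labels[-n - 1]
            return {"tld": tld, "sld": sld, "domain": f"{sld}.{tld}",
                    "trd": ".".join(labels[:-n - 1])}
    return None


# Same renames as the mutate block in the post's .conf snippet.
RENAMES = {"domain": "highest_registered_domain", "trd": "sub_domain",
           "tld": "top_level_domain", "sld": "parent_domain"}


def enrich_event(event, source="computer_name"):
    """Apply tld + mutate to one event dict as the filter would; an event whose
    hostname has no public suffix (e.g. a bare NetBIOS name) is left untouched."""
    parts = split_fqdn(event.get(source, ""))
    if parts is None:
        return dict(event)
    return {**event, **{RENAMES[k]: v for k, v in parts.items()}}


# Constructed sample events, shaped like the computer_name field of Windows logs.
SAMPLE_EVENTS = [{"computer_name": "ws01.corp.example.co.uk"},
                 {"computer_name": "xk3j9q2lmz.com"},   # DGA-looking, constructed
                 {"computer_name": "WS02"}]             # bare host, no suffix


def enrich_all(events=SAMPLE_EVENTS):
    """Run the filter over the sample batch and return the enriched events."""
    return [enrich_event(e) for e in events]
```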
This post was first published on Peerlyst: https://www.peerlyst.com/posts/installing-logstash-filter-tld-plugin-for-newer-logstash-versions-martin-boller
Friday, January 18, 2019
Skills shortage in Cyber Security
Part of the skills shortage in Cybersecurity is caused by the time wasted explaining the basics to the numerous tricksters in our line of work. It's nigh impossible to counter all the BS from the checkmark brigade. People don't scale.
The trouble is that the easy solutions are compelling, and that the lack of a consistent story is ruining it for all of us - it is easier to sell "we have a firewall, so it's secure" than "we need to improve our detection and response capabilities - and oh, btw. I need two more FTEs for Threat Hunting".
While wasting our time explaining the basics over and over again, we miss the opportunity to mentor and grow real competences in security, and it has to stop. There are competences everywhere: in help-desk, in Dev, in HR, but they, too, are being held back by the personalities discussed above, so let's all help grow the ones that can make a difference and call out the tricksters.
Wednesday, July 11, 2018
IT (and InfoSec) titles and descriptions are mostly BS
What's in a word?
The following is a true story. Only the names have been changed to protect the guilty.
So this morning (GMT+2) I perused LinkedIn [1] ;) and stumbled upon a few titles and headlines that immediately gave food for thought - Not least combined with (some) knowledge of the suspects.
(Disclaimer: There's some genuinely good people using the word salads discussed below, so please be nice to them - or, actually, be nice to everyone).
General offenders
Anyone using the terms innovation or disruption appears never to have done any innovation or disruption themselves, but merely talks about it. If You're copying (or repeating) what others have done You're not innovating, and certainly not disrupting. While we all stand on the shoulders of giants and build on previous knowledge (which we should), there's nothing worse than listening to "Motivational Quotes" from someone you know as a mediocre developer and/or manager. Just stop it and use your time on becoming a good leader, or whatever else makes you happy.
But that is likely too hard when You've spent your career being a sycophant?
Digitalization; If You're in IT, maybe you should think hard about your career if you missed the digitalization part of IT.
But more about that below.
Other headlines/titles
During the self-flagellation (remember: perusing LinkedIn) I stumbled upon this gem:
"Collaborative strategy enabler by means of IT and Digitalization"
What does this even mean?
IT is needed for Digitalization, so that's redundant information here, and some (most?) companies have a collaborative strategy [2], but it is likely to differ depending on the organization's business strategy and vision, so how does that ensure you can enable company X's specific strategy?
So basically it means "I'm in IT, maybe a leader"?
Last, but not least
Calling yourself a Rock Star or Thought Leader.....
Who the f... do you think you are, calling yourself a "Cyber Security Architect"?
Well, what's wrong with being a hypocrite! [3]