home.regit.org
Suricata » To Linux and beyond !
https://home.regit.org/tag/suricata
To Linux and beyond! Plaisirs et désillusions du monde moderne. Slides of my talks at Lecce. I've been invited by SaLUG to Lecce to give some talks during their Geek Evening. I did one talk on nftables and one on Suricata. The nftables talk was about the motivation behind the change from iptables. Here are the slides: Nftables. Thanks a lot to Giuseppe Longo, Luca Greco and all the SaLUG team, you have been wonderful hosts! Pshitt: collect passwords used in SSH bruteforce. Passwords of SSH Intruders T...
home.regit.org
Python » To Linux and beyond !
https://home.regit.org/tag/python
Efficient search of string in a list of strings in Python. I'm currently working on a script that parses Suricata EVE log files and tries to detect whether some fields in the log are present in a list of bad patterns. So the script has two parts: reading the log file and searching for the string in a list of strings. This list can be big, with a target of around 20000 strings. if event['http']['hostname'] in hostname list:. I was beginning...
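The lookup described above, as an added example that is not the blog author's script: it parses constructed Suricata EVE lines, pulls `http.hostname` out of the http events, and tests it against a constructed bad-pattern list of about 20000 entries both as a Python list (O(n) per event, the cost the post is worried about) and as a set (O(1) average). It goes one step beyond plain membership by also walking parent domains, so an entry for `evil.example` catches `www.evil.example`. The EVE records, the pattern list and the `match_bad_host` helper are all assumptions made here.

```python
"""Added example (not the blog author's script): matching the http.hostname
field of Suricata EVE records against a large bad-pattern list.

Assumptions: the EVE lines and the bad-pattern list are constructed here;
in a real deployment both would come from eve.json and a threat feed."""
import json
import time

# Constructed EVE records, one JSON object per line, as Suricata writes them.
SAMPLE_EVE = """\
{"timestamp":"2014-02-10T10:00:01.000000+0100","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","http":{"hostname":"evil.example","url":"/x.php","http_method":"GET"}}
{"timestamp":"2014-02-10T10:00:02.000000+0100","event_type":"http","src_ip":"10.0.0.6","dest_ip":"203.0.113.8","http":{"hostname":"www.debian.org","url":"/","http_method":"GET"}}
{"timestamp":"2014-02-10T10:00:03.000000+0100","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"203.0.113.9","alert":{"signature":"constructed"}}
{"timestamp":"2014-02-10T10:00:04.000000+0100","event_type":"http","src_ip":"10.0.0.8","dest_ip":"203.0.113.10","http":{"url":"/no-host-header"}}
{"timestamp":"2014-02-10T10:00:05.000000+0100","event_type":"http","src_ip":"10.0.0.9","dest_ip":"203.0.113.11","http":{"hostname":"cdn.bad-host-19999.example","url":"/"}}
"""


def build_bad_patterns(n=20000):
    """Constructed bad-pattern list of about n entries, returned as both a
    list and a set so the two lookup strategies can be compared."""
    patterns = ["bad-host-%d.example" % i for i in range(n)]
    patterns.append("evil.example")
    return patterns, set(patterns)


def eve_http_hostnames(text):
    """Yield (src_ip, hostname) for every http event that carries a hostname.
    Non-http events and http records without a Host header are skipped
    instead of raising KeyError, which is what a bare
    event['http']['hostname'] would do on them."""
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") != "http":
            continue
        hostname = event.get("http", {}).get("hostname")
        if hostname:
            yield event["src_ip"], hostname.lower()


def parent_domains(hostname):
    """Yield the hostname and each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = hostname.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def match_bad_host(hostname, bad_set):
    """Return the matching pattern if the hostname or one of its parent
    domains is in bad_set, else None (assumed helper, not from the post)."""
    for candidate in parent_domains(hostname):
        if candidate in bad_set:
            return candidate
    return None


def find_bad_hosts(text, bad):
    """Exact-membership scan, as in the post's `in` test: works for a list
    or a set, but a list costs O(len(bad)) comparisons per event."""
    return [(ip, h) for ip, h in eve_http_hostnames(text) if h in bad]


def find_bad_hosts_by_domain(text, bad_set):
    """Scan with the parent-domain walk; returns (src_ip, hostname, pattern)."""
    out = []
    for ip, h in eve_http_hostnames(text):
        pattern = match_bad_host(h, bad_set)
        if pattern:
            out.append((ip, h, pattern))
    return out


def time_lookups(bad, probes):
    """Seconds spent testing each probe for membership in `bad`."""
    start = time.perf_counter()
    for p in probes:
        p in bad
    return time.perf_counter() - start


if __name__ == "__main__":
    bad_list, bad_set = build_bad_patterns()
    print(find_bad_hosts(SAMPLE_EVE, bad_list))
    print(find_bad_hosts_by_domain(SAMPLE_EVE, bad_set))
    # Misses are the common case in real traffic and the worst case for a list.
    probes = ["miss-%d.example" % i for i in range(2000)]
    print("list: %.4fs  set: %.4fs" % (time_lookups(bad_list, probes),
                                       time_lookups(bad_set, probes)))
```

The list and the set give the same answer for exact matches; the difference is only cost, and on a hostname that is not in the list (the usual case) the list scan compares against all 20000 entries before giving up. Building the set once at startup is the whole fix. The parent-domain walk is a separate choice: it costs at most one lookup per label, and whether you want it depends on whether your bad list contains domains or exact hostnames.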
home.regit.org
Coccigrep » To Linux and beyond !
https://home.regit.org/software/coccigrep
Coccigrep is a semantic grep for the C language based on Coccinelle. It can be used to find where a given structure is used in code files. coccigrep depends on the spatch program, which comes with Coccinelle. Latest version is 1.13: coccigrep-1.13.tar.gz. The source can be accessed via GitHub. To find where in a set of files the structure named is used, you can run:. To find where in a set of files the you can simply do:. Datalink) { SET PK...
home.regit.org
nftables » To Linux and beyond !
https://home.regit.org/tag/nftables
Using DOM with nftables. DOM and SSH honeypot. DOM is a solution comparable to fail2ban, but it uses the Suricata SSH log instead of SSH server logs. The goal of DOM is to redirect the attacker based on its SSH client version. This allows sending the attacker to a honeypot like pshitt directly after the first attempt. And this can be done for a whole network, as Suricata does not need to be on the targeted box. Using DOM with nftables. ct state new iif!
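The DOM workflow described above, as an added example that is not DOM's own code: it reads constructed Suricata EVE `ssh` events, picks out source addresses whose client banner looks like bruteforce tooling, and produces the nftables ruleset and `nft add element` commands that DNAT their next SSH connections to a honeypot. The suspect banner prefixes, the table and set names (`ip dom`, `attackers`) and the honeypot address `192.0.2.10:2200` are assumptions made here; the EVE field layout (`ssh.client.software_version`) is the one Suricata writes.

```python
"""Added example (not the DOM tool's own code): turn Suricata EVE ssh events
into nftables commands that DNAT matching attackers to a honeypot.

Assumptions: the EVE lines, the suspect client-version prefixes, the table
and set names and the honeypot address 192.0.2.10:2200 are all made up here."""
import json

# Constructed EVE ssh records (the shape Suricata uses for event_type "ssh").
SAMPLE_EVE_SSH = """\
{"timestamp":"2014-06-01T12:00:00.000000+0200","event_type":"ssh","src_ip":"198.51.100.23","src_port":51234,"dest_ip":"192.0.2.1","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"libssh2_1.4.2"},"server":{"proto_version":"2.0","software_version":"OpenSSH_6.6.1p1"}}}
{"timestamp":"2014-06-01T12:00:01.000000+0200","event_type":"ssh","src_ip":"10.0.0.4","src_port":40001,"dest_ip":"192.0.2.1","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"OpenSSH_6.6.1p1 Debian-4"},"server":{"proto_version":"2.0","software_version":"OpenSSH_6.6.1p1"}}}
{"timestamp":"2014-06-01T12:00:02.000000+0200","event_type":"ssh","src_ip":"198.51.100.23","src_port":51235,"dest_ip":"192.0.2.1","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"libssh2_1.4.2"},"server":{"proto_version":"2.0","software_version":"OpenSSH_6.6.1p1"}}}
{"timestamp":"2014-06-01T12:00:03.000000+0200","event_type":"ssh","src_ip":"203.0.113.77","src_port":33333,"dest_ip":"192.0.2.2","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"1.99","software_version":"PuTTY_Release_0.63"},"server":{"proto_version":"2.0","software_version":"OpenSSH_6.6.1p1"}}}
{"timestamp":"2014-06-01T12:00:04.000000+0200","event_type":"alert","src_ip":"203.0.113.78","dest_ip":"192.0.2.2","alert":{"signature":"constructed"}}
"""

# Client banners treated as bruteforce tooling in this example (assumption).
SUSPECT_CLIENT_PREFIXES = ("libssh", "paramiko", "Go")

# nftables names and honeypot target used below (assumptions).
TABLE = "ip dom"
SET_NAME = "attackers"
HONEYPOT = "192.0.2.10"
HONEYPOT_PORT = 2200


def is_suspect_client(software_version, prefixes=SUSPECT_CLIENT_PREFIXES):
    """True when the client banner starts with one of the suspect prefixes."""
    return software_version.startswith(prefixes)


def attackers_from_eve(text, prefixes=SUSPECT_CLIENT_PREFIXES):
    """Return source IPs (first-seen order, deduplicated) of ssh events whose
    client banner looks like bruteforce tooling. Non-ssh events and events
    without a client banner are ignored."""
    seen = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") != "ssh":
            continue
        banner = event.get("ssh", {}).get("client", {}).get("software_version")
        if not banner or not is_suspect_client(banner, prefixes):
            continue
        if event["src_ip"] not in seen:
            seen.append(event["src_ip"])
    return seen


def nft_ruleset():
    """Static nftables ruleset: a set of attacker addresses with per-element
    timeouts and a nat prerouting chain that DNATs their SSH connections
    to the honeypot. Load it once with `nft -f`."""
    return (
        "table %s {\n"
        "    set %s {\n"
        "        type ipv4_addr\n"
        "        flags timeout\n"
        "    }\n"
        "    chain prerouting {\n"
        "        type nat hook prerouting priority -100; policy accept;\n"
        "        ip saddr @%s tcp dport 22 dnat to %s:%d\n"
        "    }\n"
        "}\n" % (TABLE, SET_NAME, SET_NAME, HONEYPOT, HONEYPOT_PORT)
    )


def nft_add_commands(ips, timeout="1h"):
    """One `nft add element` per attacker; the timeout lets the entry expire
    so the set does not grow without bound."""
    return ["nft add element %s %s { %s timeout %s }" % (TABLE, SET_NAME, ip, timeout)
            for ip in ips]


if __name__ == "__main__":
    print(nft_ruleset())
    for cmd in nft_add_commands(attackers_from_eve(SAMPLE_EVE_SSH)):
        print(cmd)
```

Two caveats worth keeping in mind when running something like this for real. A nat-hook chain only evaluates the first packet of a connection, so the attacker's first attempt (the one Suricata saw and logged) has already reached the real sshd; only the connections that follow land on the honeypot, which is what "directly after the first attempt" means. And because Suricata classifies on the client banner rather than on failed logins, a legitimate user running one of the listed clients would be redirected too, so the prefix list needs care and an allowlist for your own automation hosts.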
home.regit.org
Investigation on an attack tool used in China » To Linux and beyond !
https://home.regit.org/2014/02/chinese-scanner
Investigation on an attack tool used in China. I've been playing lately with logstash, using data from the ulogd JSON output plugin and the Suricata full JSON output, as well as standard system logs. For Suricata, you can have a look at this one. The ulogd output is really new and I was experimenting with it in Kibana. When adding some custom graphs, I observed some strange things and decided to investigate. So, after doing a query on.
home.regit.org
Linux » To Linux and beyond !
https://home.regit.org/category/linux
Out of [name]space issue. As Debian sid is using systemd, it is super easy to find a decent troll subject. Here it was the usual thing: systemctl was not managing to start the daemon correctly and gave me some commands if I wanted to know more:. So after a little prayer to the Linux copy-paste god, resulting in a call to journalctl, I had the message:. So a daemon was not able to fork on a rather quiet system. Ssl 11:31 3:39 /usr/bin/java -Xms256...
home.regit.org
Netfilter » To Linux and beyond !
https://home.regit.org/tag/netfilter
Slides of my talks at Lecce. I've been invited by SaLUG to Lecce to give some talks during their Geek Evening. I did one talk on nftables and one on Suricata. The nftables talk was about the motivation behind the change from iptables. Here are the slides: Nftables. Thanks a lot to Giuseppe Longo, Luca Greco and all the SaLUG team, you have been wonderful hosts! Using DOM with nftables. DOM and SSH honeypot. But it uses Suricata. Table ip ...
home.regit.org
Development » To Linux and beyond !
https://home.regit.org/category/development
My "Kernel packet capture technologies" talk at KR2015. I've just finished my talk on Linux kernel packet capture technologies at Kernel Recipes 2015. I would like to thank the organizers for their great work. I also thank Frank Tizzoni for the drawing. In that talk, I tried to give an overview of the history of packet capture technologies in the Linux kernel, all that seen from userspace and from a Suricata. Slides of my talks at Lecce.
home.regit.org
Security » To Linux and beyond !
https://home.regit.org/tag/security
Pshitt: collect passwords used in SSH bruteforce. I've been playing lately with the analysis and characterization of SSH bruteforce. I was a bit frustrated at only getting partial information: ulogd can give information about scanner settings, Suricata can give me information about the software version, and sshd server logs show the username. But having the username without having the password is really frustrating. As I want to really connect to the box running ssh wi...