I'm at DerbyCon this weekend, and I can recommend some of the talks as being of special interest to intrusion analysts.
Doug Burks gave a great talk on the new beta version of Security Onion. If you're not familiar with Security Onion, it's a distribution with pre-configured versions of Snort, Sguil, Snorby, ELSA, PRADS, Bro, Suricata, NetworkMiner, Squert and more. Doug has taken the project from its origins as a Live CD to an enterprise-level project supporting a network of distributed sensors. This is really the easiest way to get up and running with IDS and analysis tools. If you're just starting out and want a platform to work with and learn on, the sensor and console can both be installed on the same box with a few clicks and answers to a few basic questions.
H.D. Moore of Metasploit fame gave the first talk of the conference on the "Wild West" of the Internet, sharing results from his massive survey of ports, services and platforms. The results are somewhat shocking, as we haven't come nearly as far as we'd like to think in locking down our infrastructure. The basic security tenets of patching, upgrading, shutting down unneeded services and not exposing unneeded services to the public are still not being heeded.
Finally, the talk by Jeff Moss was excellent. Jeff spoke on the general direction of network and information security, talked about his current tenure with ICANN, and laid out the political and financial forces that are shaping the direction of the Internet. Highly recommended.
Sunday, September 30, 2012
Tuesday, September 25, 2012
You can quickly decode base64 while doing analysis from the shell by using the Linux base64 command.
In the data below, we have a base64 encoded string that our IDS has alerted on.
src=\"data:text/html;base64,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\" target=\"_top\" width=\"100%\" style=\"min-height: 48px; max-height: 52px;\" ......
To decode this (assuming we got the full packet(s) and have the entire string), we can copy the base64 string and echo it into base64, using the -d parameter to decode:
[jeff@analysis3 wgets]# echo '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' | base64 -d
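The same decode step, scripted so the base64 payload is pulled straight out of the captured `data:` URI and padding lost to a truncated capture is repaired before `base64 -d` sees it. This is an added example, not part of the original post; the alert lines and the HTML payload in them are constructed.

```shell
#!/bin/sh
# Added example: decode a base64 payload embedded in a data: URI as seen in an
# IDS alert. Requires only POSIX sh, sed and coreutils base64.

# Pull out the base64 text that follows "base64," up to the first character
# that is not part of the base64 alphabet (the escaped closing quote \" in a
# packet dump, a space, etc.).
extract_b64() {
    printf '%s\n' "$1" | sed -n 's|.*base64,\([A-Za-z0-9+/=]*\).*|\1|p'
}

# base64 -d rejects input whose length is not a multiple of 4. A capture cut
# short loses the trailing '=' padding, so restore it. A single leftover
# character cannot encode even one byte, so it is dropped.
pad_b64() {
    b64=$1
    if [ $(( ${#b64} % 4 )) -eq 1 ]; then
        b64=${b64%?}
    fi
    while [ $(( ${#b64} % 4 )) -ne 0 ]; do
        b64="${b64}="
    done
    printf '%s\n' "$b64"
}

# Decode one alert line to the embedded content; returns 1 when the line
# carries no base64 data: URI at all.
decode_data_uri() {
    b64=$(extract_b64 "$1")
    [ -n "$b64" ] || return 1
    pad_b64 "$b64" | base64 -d
}

# Constructed alert fragment in the same shape as the one above; the payload
# is a harmless HTML snippet.
SAMPLE_ALERT='src=\"data:text/html;base64,PGh0bWw+PGJvZHk+aGVsbG88L2JvZHk+PC9odG1sPg==\" target=\"_top\"'
decode_data_uri "$SAMPLE_ALERT"
echo
```

On a truncated capture the output ends where the packet did, so a decode that stops mid-tag is a sign to go back for the remaining packets rather than a decoding error.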