Playing with both rulesets, I started to analyze some differences between them, in particular enabled vs. disabled rules by classtype (category). As a base I'm using the VRT tarball from Nov 23rd and ET emerging-all from Dec 22nd.
About VRT (I only analyzed plain-text rules):
Total Plain-text Rules: 16301
Total Enable: 4597
Total Disable: 11704
Enabled rules by Category/Classtype
1370 Status: Enable Category: attempted-user
925 Status: Enable Category: misc-activity
646 Status: Enable Category: trojan-activity
419 Status: Enable Category: attempted-admin
287 Status: Enable Category: successful-recon-limited
249 Status: Enable Category: protocol-command-decode
114 Status: Enable Category: attempted-dos
111 Status: Enable Category: misc-attack
108 Status: Enable Category: rpc-portmap-decode
106 Status: Enable Category: policy-violation
77 Status: Enable Category: attempted-recon
42 Status: Enable Category: shellcode-detect
34 Status: Enable Category: bad-unknown
32 Status: Enable Category: web-application-attack
16 Status: Enable Category: denial-of-service
13 Status: Enable Category: suspicious-filename-detect
12 Status: Enable Category: suspicious-login
10 Status: Enable Category: unsuccessful-user
6 Status: Enable Category: web-application-activity
5 Status: Enable Category: successful-admin
4 Status: Enable Category: system-call-detect
4 Status: Enable Category: string-detect
4 Status: Enable Category: network-scan
1 Status: Enable Category: unknown
1 Status: Enable Category: successful-user
1 Status: Enable Category: not-suspicious
All rules by Category/Classtype
3764 attempted-user
3612 attempted-admin
3516 protocol-command-decode
1228 misc-activity
1119 trojan-activity
520 web-application-activity
425 web-application-attack
358 attempted-recon
328 bad-unknown
308 successful-recon-limited
301 policy-violation
266 attempted-dos
198 misc-attack
133 rpc-portmap-decode
67 shellcode-detect
35 suspicious-filename-detect
32 denial-of-service
19 suspicious-login
15 not-suspicious
12 unsuccessful-user
9 successful-admin
8 non-standard-protocol
6 default-login-attempt
5 system-call-detect
5 network-scan
4 unknown
4 string-detect
3 unusual-client-port-connection
1 successful-user
About ET:
Total Plain-text Rules: 11517
Total Enable: 9644
Total Disable: 1873
Enabled rules by Category/Classtype
5049 Status: Enable Category: web-application-attack
1617 Status: Enable Category: trojan-activity
474 Status: Enable Category: attempted-user
376 Status: Enable Category: trojan-activity
339 Status: Enable Category: protocol-command-decode
295 Status: Enable Category: attempted-admin
265 Status: Enable Category: policy-violation
206 Status: Enable Category: policy-violation
176 Status: Enable Category: attempted-recon
167 Status: Enable Category: bad-unknown
102 Status: Enable Category: misc-attack
81 Status: Enable Category: misc-activity
81 Status: Enable Category: attempted-dos
80 Status: Enable Category: rpc-portmap-decode
54 Status: Enable Category: web-application-activity
40 Status: Enable Category: misc-activity
32 Status: Enable Category: web-application-attack
30 Status: Enable Category: shellcode-detect
16 Status: Enable Category: denial-of-service
16 Status: Enable Category: attempted-recon
13 Status: Enable Category: not-suspicious
12 Status: Enable Category: suspicious-filename-detect
12 Status: Enable Category: attempted-admin
11 Status: Enable Category: unsuccessful-user
11 Status: Enable Category: misc-attack
10 Status: Enable Category: successful-admin
10 Status: Enable Category: string-detect
10 Status: Enable Category: attempted-dos
9 Status: Enable Category: suspicious-login
5 Status: Enable Category: default-login-attempt
4 Status: Enable Category: unknown
4 Status: Enable Category: suspicious-login
4 Status: Enable Category: successful-user
4 Status: Enable Category: non-standard-protocol
4 Status: Enable Category: network-scan
3 Status: Enable Category: web-application-activity
3 Status: Enable Category: system-call-detect
3 Status: Enable Category: successful-recon-limited
3 Status: Enable Category: successful-dos
3 Status: Enable Category: bad-unknown
2 Status: Enable Category: unusual-client-port-connection
2 Status: Enable Category: not-suspicious
1 Status: Enable Category: successful-admin
1 Status: Enable Category: string-detect
1 Status: Enable Category: shellcode-detect
1 Status: Enable Category: denial-of-service
1 Status: Enable Category: attempted-user
All rules by Category/Classtype
5213 web-application-attack
1799 trojan-activity
643 attempted-user
568 policy-violation
410 trojan-activity
384 protocol-command-decode
373 attempted-admin
300 misc-activity
276 attempted-recon
268 policy-violation
238 bad-unknown
137 shellcode-detect
136 attempted-dos
134 misc-attack
95 web-application-activity
88 rpc-portmap-decode
80 misc-activity
39 not-suspicious
36 web-application-attack
27 successful-user
25 attempted-recon
20 unusual-client-port-connection
17 misc-attack
17 denial-of-service
16 suspicious-filename-detect
16 attempted-admin
14 successful-admin
13 attempted-dos
12 bad-unknown
11 unsuccessful-user
11 unknown
11 suspicious-login
11 string-detect
10 not-suspicious
10 non-standard-protocol
7 default-login-attempt
5 system-call-detect
5 successful-recon-limited
5 network-scan
4 web-application-activity
4 suspicious-login
4 suspicious-filename-detect
4 shellcode-detect
4 attempted-user
3 successful-dos
2 string-detect
2 denial-of-service
1 successful-admin
1 non-standard-protocol
In summary:
- ET has almost double the rules enabled by default
- Most VRT enabled rules focus on attempted-user
- Most ET enabled rules focus on web-application-attack and trojan-activity
- Rules from ET and VRT target different protections, so you should analyze where you will place your sensor to make the best decision, or use both and mix them
I just did some basic scripting and my numbers may not be accurate, but it's a good base.
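One way to produce tables like the ones above, as an added example (not the author's own script): it treats a rule line commented out with `#` as disabled, joins backslash-continued lines, and tallies by classtype; the sample rules at the bottom are constructed.

```python
"""Tally enabled and disabled Snort rules per classtype.

Added example; not the script the post's author used. Assumptions: a rule line
that starts with '#' followed by a rule action is a disabled rule (how the VRT
and ET tarballs ship them), any other '#' line is a comment, and a trailing
backslash continues a rule on the next line.
"""
import re
from collections import Counter

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
RULE_RE = re.compile(r"^\s*(?P<disabled>#\s*)?(?P<action>%s)\s+\S+" % "|".join(ACTIONS))
CLASSTYPE_RE = re.compile(r"classtype\s*:\s*([A-Za-z0-9_-]+)\s*;")
NO_CLASSTYPE = "(none)"      # kept distinct from the real "unknown" classtype


def iter_rules(lines):
    """Yield logical rule lines, joining backslash-continued physical lines."""
    pending = ""
    for line in lines:
        line = line.rstrip("\r\n")
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        yield pending + line
        pending = ""
    if pending:
        yield pending


def classify(rule_text):
    """Return (enabled, classtype), or None when the text is not a rule at all."""
    m = RULE_RE.match(rule_text)
    if not m:
        return None
    ct = CLASSTYPE_RE.search(rule_text)
    return m.group("disabled") is None, (ct.group(1) if ct else NO_CLASSTYPE)


def summarize(lines):
    """Return (totals, enabled_by_classtype, all_by_classtype) as Counters."""
    totals, enabled_by_ct, all_by_ct = Counter(), Counter(), Counter()
    for rule in iter_rules(lines):
        result = classify(rule)
        if result is None:
            continue
        enabled, classtype = result
        totals["total"] += 1
        totals["enabled" if enabled else "disabled"] += 1
        all_by_ct[classtype] += 1
        if enabled:
            enabled_by_ct[classtype] += 1
    return totals, enabled_by_ct, all_by_ct


def report(name, lines):
    """Print the same layout the post uses for each ruleset."""
    totals, enabled_by_ct, all_by_ct = summarize(lines)
    print("About %s:" % name)
    print("Total Plain-text Rules: %d" % totals["total"])
    print("Total Enable: %d" % totals["enabled"])
    print("Total Disable: %d" % totals["disabled"])
    print("Enabled rules by Category/Classtype")
    for classtype, n in enabled_by_ct.most_common():
        print("%d Status: Enable Category: %s" % (n, classtype))
    print("All rules by Category/Classtype")
    for classtype, n in all_by_ct.most_common():
        print("%d %s" % (n, classtype))


# Constructed sample in the tarballs' format (sids in the local 9000000 range).
SAMPLE_RULES = r"""# comment that is not a rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SAMPLE FTP"; content:"USER"; classtype:attempted-user; sid:9000001; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE WEB"; content:"cmd.exe"; classtype:web-application-attack; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SAMPLE C2"; \
    content:"/checkin.php"; classtype:trojan-activity; sid:9000003; rev:1;)
# alert udp any any -> any 53 (msg:"SAMPLE DNS"; classtype:attempted-user; sid:9000004; rev:1;)
alert tcp any any -> any any (msg:"SAMPLE NO CLASSTYPE"; content:"x"; sid:9000005; rev:1;)
"""

if __name__ == "__main__":
    report("SAMPLE", SAMPLE_RULES.splitlines())
```

Run it as `python3 count_rules.py` after pointing `report()` at `open("emerging-all.rules")` to reproduce the layout for a real tarball.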
Happy Snorting!
Rodrigo Montoro (Sp0oKeR)
Here I will post some security tips, articles and papers, mine or from other blogs, that I think are interesting. I love computer subjects, in particular:
- Penetration Tests
- Network Intrusion Detection and Prevention
- Network Behaviour
- SIEM
- Network Security Monitoring (NSM)
- Incident Response
- Firewall
- Host Intrusion Detection System
- The Open Web Application Security Project (OWASP) - Brazil Chapter
- Fuzzing
- Vulnerability
- Packet Analysis
- Log Analysis
- Beer =)
Thursday, December 23, 2010
Wednesday, October 6, 2010
Talks in Brazil - OWASP and H2HC
Dear all,
It has been a while since the last post, but life has been busy around here. I'm writing this post to mention two more accepted talks, this time in Brazil, fortunately.
The first will be at OWASP AppSec Brasil, taking place in Campinas, where I will talk about using the ModSecurity WAF for Virtual Patching (http://www.owasp.org/index.php/AppSec_Brasil_2010#tab=Speakers)
More info: http://www.owasp.org/index.php/AppSec_Brasil_2010#tab=Calls
The other, which I had the pleasure of being accepted to and will speak at for the first time, is the Hackers to Hackers Conference aka H2HC. There I will talk about my research on scoring the PDF structure, and I'm very happy to be able to present it here too.
More info: http://www.h2hc.com.br
Hope to see you there.
Happy Hacking!
Rodrigo "Sp0oKeR" Montoro
Wednesday, September 8, 2010
PDF Talk Accepted at Toorcon San Diego
I'm very excited that my talk was accepted at Toorcon San Diego. About the conference:
Who: Hackers Like You.
What: ToorCon 12
When: Oct 22nd-24th
Where: San Diego Convention Center
Why: What Could possibly go wrong?
I'll be talking about part of my research at Trustwave SpiderLabs Research, where we are working on a new way to detect malicious PDF files. The title of my talk: "Scoring PDF structure to detect malicious files"
Preliminary Agenda for Toorcon: http://sandiego.toorcon.org/index.php?option=com_content&task=section&id=3&Itemid=9#lineup
Hope to see you there!
Rodrigo "Sp0oKeR" Montoro
Labels: conferences, pdf, spiderlabs
Thursday, September 2, 2010
Snort Rules - Using content:"GET "; or not?
I'm doing some tests with different rules, since I'm building a rules test lab, and based on some old reads/threads and one simple test here I started to look at why we use content:"GET "; in a lot of rules, since mostly it will not be the first match.
My first test, where I started to notice what I had read before, was about using http_method or not with engine 2.8.6.
For my pcap I created a very simple GET / (packet 5):
$ tshark -r get-NoHost.pcap
1 0.000000 192.168.21.1 -> 192.168.21.131 TCP 61599 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=3 TSV=534894464 TSER=0
2 0.001384 192.168.21.1 -> 192.168.21.131 TCP 61599 > http [ACK] Seq=1 Ack=1 Win=524280 Len=0 TSV=534894464 TSER=134793051
3 3.798825 192.168.21.1 -> 192.168.21.131 TCP [TCP Dup ACK 2#1] 61599 > http [ACK] Seq=1 Ack=1 Win=524280 Len=0 TSV=534894502 TSER=134794001
4 7.348575 192.168.21.1 -> 192.168.21.131 TCP [TCP segment of a reassembled PDU]
5 7.892566 192.168.21.1 -> 192.168.21.131 HTTP GET / HTTP/1.0
6 8.197800 192.168.21.1 -> 192.168.21.131 TCP 61599 > http [ACK] Seq=19 Ack=325 Win=524280 Len=0 TSV=534894546 TSER=134795100
7 8.202863 192.168.21.1 -> 192.168.21.131 TCP 61599 > http [ACK] Seq=19 Ack=326 Win=524280 Len=0 TSV=534894546 TSER=134795102
8 8.202895 192.168.21.1 -> 192.168.21.131 TCP 61599 > http [FIN, ACK] Seq=19 Ack=326 Win=524280 Len=0 TSV=534894546 TSER=134795102
I used these rules for testing the basics in my lab:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule One - GET";content:"GET";http_method;content:"attack";sid:123456;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Two - POST";content:"POST";http_method;content:"index";sid:654321;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Three GET without http_method";content:"GET"; content:"ABCDE";sid:23465324;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Four GET without http_method but using fast_pattern";content:"GET"; fast_pattern;content:"ABCDE"; sid:9845324;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Five GET without http_method and only content";content:"GET";sid:4365324;)
And as a result I got:
$ perl rule-test-check.pl get-NoHost.pcap rules-samples/rules-new.rules snort.conf
SpiderLabs Rules Test version 0.1 Alpha
Result: Checked 123456 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule One - GET";content:"GET";http_method;content:"attack";sid:123456;)
Result: NoCheck 654321 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Two - POST";content:"POST";http_method;content:"index";sid:654321;)
Result: NoCheck 23465324 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Three GET without http_method";content:"GET"; content:"ABCDE";sid:23465324;)
Result: Checked 9845324 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Four GET without http_method but using fast_pattern";content:"GET"; fast_pattern;content:"ABCDE"; sid:9845324;)
Result: Checked 4365324 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Five GET without http_method and only content";content:"GET";sid:4365324;)
Count Summary
Checked: 3
NotChecked: 2
Where:
Checked means that there is some output for this sid for at least one basic check (I'm using content GET as the base, since packet number 5 contains it).
Based on that I remembered a good thread where Will Metcalf and Steve discuss some new features and the use of the http_ modifiers: http://sourceforge.net/mailarchive/message.php?msg_name=c13e433a1003092015v2d86f9a7x2eb73a2528df09f3%40mail.gmail.com
So I tested based on a very basic grep at emerging-all.rules: grep 'content:"GET "' emerging-all.rules . Using the rules that were output I ran my test against those rules (around 1047 rules), and the summary results:
Checked: 4
NotChecked: 1043
I started to figure out that content:"GET "; is meant to be the first match when we use it, BUT if you don't specify fast_pattern, by default the longest content in the rule is the one used for matching (http://vrt-sourcefire.blogspot.com/2009/07/rule-performance-part-one-content.html). So with another basic sed I changed the rules a little bit, sed -e 's/content:"GET ";/content:"GET ";fast_pattern;/g' , which changes for example:
Original:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zeus Bot / Zbot Checkin (/us01d/in.php)"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/us01d/in.php"; reference:url,garwarner.blogspot.com/2010/01/american-bankers-association-version-of.html; reference:url,doc.emergingthreats.net/2010729; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus; classtype:trojan-activity; sid:2010729; rev:3;)
Rule fast_pattern debug, choosing the biggest content found:
Fast pattern matcher: URI content
Fast pattern set: no
Fast pattern only: no
Negated: no
Pattern offset,length: none
Pattern truncated: no
Original pattern
"/us01d/in.php"
Final pattern
"/us01d/in.php"
After sed:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zeus Bot / Zbot Checkin (/us01d/in.php)"; flow:established,to_server; content:"GET ";fast_pattern; nocase; depth:4; uricontent:"/us01d/in.php"; reference:url,garwarner.blogspot.com/2010/01/american-bankers-association-version-of.html; reference:url,doc.emergingthreats.net/2010729; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus; classtype:trojan-activity; sid:2010729; rev:3;)
Rule fast_pattern debug using this option:
Fast pattern matcher: Content
Fast pattern set: yes
Fast pattern only: no
Negated: no
Pattern offset,length: none
Pattern truncated: no
Original pattern
"GET|20|"
Final pattern
"GET|20|"
I reran the same test and got:
Checked: 976
NotChecked: 71
* Where NotChecked are mostly rules with some GET content written in a different way, since I'm doing pretty basic grep/sed and not being so accurate =).
In the last test I changed fast_pattern to http_method, but http_method only makes that content look at the normalized method buffer; the default fast pattern selection stays the same, meaning the longest content, so there was no change from the first result.
So my question is: do we really need to check for GET or POST (probably the same behaviour, since it's a short string)? Did somebody try/test something like this before? Am I getting nuts talking about this? =D
In my opinion we could remove content:"GET "; from the rules, since it only adds some checks and "decreases" performance. I think we already have a lot of points that make sure it's HTTP traffic: using $HTTP_PORTS, flow, uricontent that comes from http_inspect and so on.
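A small simulation of the behaviour discussed above (the lab rules and the Zeus rule before and after the sed), added here as an example; it is not Snort's code and not the author's rule-test-check.pl. The rule parser is a simplified reimplementation that only understands the options these rules use, and the two requests at the bottom are constructed (the first mirrors the post's "GET /" pcap).

```python
"""Simulate Snort's fast-pattern selection for content-based rules.

Added example (not from the original post, Snort or Emerging Threats). Without an
explicit fast_pattern modifier the longest content is used as the fast pattern,
and a rule is only evaluated ("Checked") when that fast pattern is found in the
packet. Parsing here is a simplified reimplementation (assumption): only content,
uricontent, nocase, depth, offset, fast_pattern, http_method and http_uri.
"""

CONTENT_MODIFIERS = {"nocase", "fast_pattern", "http_method", "http_uri", "depth", "offset"}


def decode_pattern(text):
    """Turn a Snort content string such as 'GET|20|' into raw bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2 == 1:                      # odd parts sit between |..| : hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Return (sid, contents); each content records its pattern, the buffer it is
    matched in (raw, uri or method) and its modifiers."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents, sid = [], None
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        name, _, value = opt.partition(":")
        value = value.strip().strip('"')
        if name == "sid":
            sid = int(value)
        elif name in ("content", "uricontent"):
            contents.append({"pattern": decode_pattern(value),
                             "buffer": "uri" if name == "uricontent" else "raw",
                             "nocase": False, "fast_pattern": False,
                             "depth": None, "offset": 0})
        elif name in CONTENT_MODIFIERS and contents:
            c = contents[-1]                # modifiers apply to the preceding content
            if name in ("nocase", "fast_pattern"):
                c[name] = True
            elif name == "http_method":
                c["buffer"] = "method"
            elif name == "http_uri":
                c["buffer"] = "uri"
            else:                           # depth / offset
                c[name] = int(value)
    return sid, contents


def select_fast_pattern(contents):
    """An explicit fast_pattern content wins; otherwise the longest pattern is used,
    which is why a 4-byte 'GET ' is almost never the fast pattern."""
    explicit = [c for c in contents if c["fast_pattern"]]
    if explicit:
        return explicit[0]
    return max(contents, key=lambda c: len(c["pattern"]), default=None)


def http_buffers(request):
    """Split a raw client request into the buffers http_inspect would expose."""
    parts = request.split(b"\r\n", 1)[0].split(b" ")
    return {"raw": request,
            "method": parts[0] if parts else b"",
            "uri": parts[1] if len(parts) > 1 else b""}


def content_matches(c, buffers):
    hay = buffers[c["buffer"]][c["offset"]:]
    if c["depth"] is not None:
        hay = hay[:c["depth"]]
    needle = c["pattern"]
    if c["nocase"]:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def evaluate(rule, request):
    """Return (checked, alert): whether the fast pattern let the rule into the
    candidate set at all, and whether every content then matched."""
    _, contents = parse_rule(rule)
    buffers = http_buffers(request)
    fp = select_fast_pattern(contents)
    checked = fp is None or content_matches(fp, buffers)
    alert = checked and all(content_matches(c, buffers) for c in contents)
    return checked, alert


def count_checked(rules, request):
    """How many rules enter full evaluation for one request (the post's Checked count)."""
    return sum(1 for r in rules if evaluate(r, request)[0])


HDR = 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
RULE_THREE = HDR + '(msg:"New Rule Three GET without http_method";content:"GET"; content:"ABCDE";sid:23465324;)'
RULE_FOUR = HDR + '(msg:"New Rule Four GET without http_method but using fast_pattern";content:"GET"; fast_pattern;content:"ABCDE"; sid:9845324;)'
RULE_FIVE = HDR + '(msg:"New Rule Five GET without http_method and only content";content:"GET";sid: 4365324;)'
ZEUS_ORIGINAL = HDR + ('(msg:"ET CURRENT_EVENTS Zeus Bot / Zbot Checkin (/us01d/in.php)"; '
                       'flow:established,to_server; content:"GET "; nocase; depth:4; '
                       'uricontent:"/us01d/in.php"; classtype:trojan-activity; sid:2010729; rev:3;)')
ZEUS_FAST_PATTERN = ZEUS_ORIGINAL.replace('content:"GET ";', 'content:"GET ";fast_pattern;')  # the sed rewrite

# Constructed traffic: the post's bare "GET /" and a check-in shaped like the Zeus rule's URI.
BENIGN_GET = b"GET / HTTP/1.0\r\n\r\n"
ZBOT_CHECKIN = b"GET /us01d/in.php HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, rule in (("original", ZEUS_ORIGINAL), ("after sed", ZEUS_FAST_PATTERN)):
        fp = select_fast_pattern(parse_rule(rule)[1])
        print(name, "fast pattern:", fp["pattern"], "in buffer", fp["buffer"])
        print("  GET / -> (checked, alert):", evaluate(rule, BENIGN_GET))
        print("  check-in -> (checked, alert):", evaluate(rule, ZBOT_CHECKIN))
```

With the sed applied, every plain GET request now pulls the Zeus rule into full evaluation (checked but no alert), which is the cost behind the jump from 4 to 976 Checked.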
Some friends I discussed this with made points such as: "maybe the attack can only be done using GET, so it's good to specify it, since a POST would generate a false positive". My argument is the opposite: for most rules we are not sure whether they work with GET and/or POST only, so if we don't use them as part of the rule we will mitigate false negatives and maybe save a lot of CPU cycles (but we need tests to make sure about that). I really prefer a couple of FPs over FNs.
What do you think ?
Regards,
Rodrigo "Sp0oKeR" Montoro
Wednesday, September 1, 2010
(IN)Secure Magazine Issue 17 released
New release of this awesome free digital magazine. In this issue:
- Review: BlockMaster SafeStick secure USB flash drive
- The devil is in the details: Securing the enterprise against the cloud
- Cybercrime may be on the rise, but authentication evolves to defeat it
- Learning from bruteforcers
- PCI DSS v1.3: Vital to the emerging demand for virtualization and cloud security
- Security testing - the key to software quality
- A brief history of security and the mobile enterprise
- Payment card security: Risk and control assessments
- Security as a process: Does your security team fuzz?
- Book review: Designing Network Security, 2nd Edition
- Intelligent security: Countering sophisticated fraud
To download it: http://www.net-security.org/insecuremag.php
Regards,
Rodrigo "Sp0oKeR" Montoro
Labels: insecure
Friday, August 27, 2010
ISSA Day July with Conviso talking about Blackhat/Defcon/B-Sides
The Brazil Chapter of ISSA invites everyone interested to take part in ISSA Day August 2010.
The event is free and open to anyone interested, and is supported by Conviso IT Security.
Date: August 31, 2010, from 19:00 to 22:00
Agenda:
19:00 – Registration,
19:30 – ISSA talk - Why be ISSA?
20:00 – Opening, talking about Conviso.
20:15 – The security process in development, which is not ISO 15.408
21:00 – Talk on Black Hat and Defcon
21:45 – Conviso training raffle and closing – with HH
Venue:
Bar Genoino.
Rua Joaquim Távora 1217, Vila Mariana – São Paulo – SP
To register: http://www.issabrasil.org/2010/08/24/issa-day-agosto-2010/
I'll certainly be there =)!
Happy Hacking!
Rodrigo "Sp0oKeR" Montoro
Wednesday, August 18, 2010
Updated info on SET (Social Engineer Toolkit) PDFs vs. AntiVirus & Scoring System
The Virus Total Public API will make my life much easier. Look at the previous post about it: http://spookerlabs.blogspot.com/2010/08/virus-total-public-api.html
Some results really surprised me. Take a look and draw your own conclusions.
Best AntiVirus at detecting SET malicious PDFs (higher is better):
7 "Sophos"
7 "Microsoft"
7 "GData"
7 "F-Secure"
7 "F-Prot"
7 "ClamAV"
7 "BitDefender"
7 "Avast5"
7 "Avast"
6 "Sunbelt"
6 "nProtect"
6 "McAfee-GW-Edition"
6 "eTrust-Vet"
5 "Symantec"
5 "PCTools"
4 "eSafe"
3 "NOD32"
3 "Kaspersky"
3 "Ikarus"
3 "Emsisoft"
3 "Antiy-AVL"
2 "McAfee"
1 "VBA32"
1 "Panda"
1 "AVG"
1 "Authentium"
1 "AntiVir"
1 "AhnLab-V3"
Missed detections for SET malicious PDFs (higher is worse):
7 "VirusBuster"
7 "ViRobot"
7 "TrendMicro-HouseCall"
7 "TrendMicro"
7 "TheHacker"
7 "SUPERAntiSpyware"
7 "Rising"
7 "Prevx"
7 "Norman"
7 "Jiangmin"
7 "Fortinet"
7 "DrWeb"
7 "Comodo"
7 "CAT-QuickHeal"
6 "VBA32"
6 "Panda"
6 "AVG"
6 "Authentium"
6 "AntiVir"
6 "AhnLab-V3"
5 "McAfee"
4 "NOD32"
4 "Kaspersky"
4 "Ikarus"
4 "Emsisoft"
4 "Antiy-AVL"
3 "eSafe"
2 "Symantec"
2 "PCTools"
1 "Sunbelt"
1 "nProtect"
1 "McAfee-GW-Edition"
1 "eTrust-Vet"
As we can see, a lot of AntiVirus engines missed all PDFs from SET, which is a big problem for companies. Some AntiVirus products have methods that VirusTotal doesn't emulate, and possibly those methods could detect them.
I'll do a big analysis against all my PDFs and share the results.
Happy Hacking!
Rodrigo "Sp0oKeR" Montoro
Tuesday, August 17, 2010
Virus Total Public API
Today I started to play with the Virus Total Public API: http://www.virustotal.com/advanced.html
My initial idea was to send files from the command line and get the results quickly, so I don't need a web browser and don't spend time uploading the file.
I read their initial samples/docs and built a mix of code using python (mostly retrieved from their samples) and perl (the only language I can try something in). What I have by now:
$ perl vt-auto.pl /LABS/pdf-basics/samples/AdamSamples/15
Sending file /LABS/pdf-basics/samples/AdamSamples/15 to Virus Total ...
Response from VT with resource "86ee2f99a207d31ea2b69198dc2bf5e7c7946eeae7dacdd6032f2c050525bc07-1282091669"
Waiting 120 seconds to wait file /LABS/pdf-basics/samples/AdamSamples/15 be scanned ...
Sending request fo Virus Total about /LABS/pdf-basics/samples/AdamSamples/15 with resource "86ee2f99a207d31ea2b69198dc2bf5e7c7946eeae7dacdd6032f2c050525bc07-1282091669"
Report Results for /LABS/pdf-basics/samples/AdamSamples/15 :
"nProtect": "Trojan-Exploit/W32.Pidief.16718.AV"
"CAT-QuickHeal": ""
"McAfee": "Exploit-PDF.b.gen"
"TheHacker": ""
"VirusBuster": "JS.Crypt.BSP"
"NOD32": "PDF/Exploit.Pidief.AUT"
"F-Prot": "JS/Psyme.HU"
"Symantec": "Trojan.Pidief.D"
"Norman": "JS/Shellcode.GS"
"TrendMicro-HouseCall": "TROJ_PIDIEF.ADY"
"Avast": "JS:Pdfka-PO"
"eSafe": "PDF.Exploit.2"
"ClamAV": "Suspect.PDF.ObfuscatedJS-5"
"Kaspersky": "Exploit.Win32.Pidief.aut"
"BitDefender": "Exploit.PDF-JS.Gen"
"ViRobot": ""
"Sophos": "Mal/PdfEx-C"
"Comodo": "TrojWare.Win32.Exploit.Pidief.aut"
"F-Secure": "Exploit.PDF-JS.Gen"
"DrWeb": "Exploit.PDF.166"
"AntiVir": "EXP/Pidief.JX"
"TrendMicro": "TROJ_PIDIEF.ADY"
"Emsisoft": "Exploit.Pidief!IK"
"eTrust-Vet": "PDF/Pidief.IQ"
"Authentium": "PDF/Obfusc.D!Camelot"
"Jiangmin": ""
"Antiy-AVL": "Exploit/Win32.Pidief"
"Microsoft": "Exploit:Win32/Pdfjsc.AS"
"SUPERAntiSpyware": ""
"Prevx": ""
"GData": "Exploit.PDF-JS.Gen"
"AhnLab-V3": "PDF/Shellcode"
"VBA32": ""
"Sunbelt": "Exploit.PDF-JS.Gen (v)"
"PCTools": "Trojan.Pidief"
"Rising": ""
"Ikarus": "Exploit.Pidief"
"Fortinet": ""
"AVG": "Exploit"
"Panda": ""
"Avast5": "JS:Pdfka-PO"
Detection : (31/41)
I'll improve and fix the code so I can share it, because right now it's impossible. Those 120 seconds that I wait are just to make sure the scan finishes before I try to retrieve the results, but sometimes, depending on file size, it will probably fail.
Nice resource from the VirusTotal team, congratulations!
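An added example (not the author's vt-auto.pl) covering the two things the VirusTotal posts do: waiting for a report, and turning per-engine results into the "best / missed" rankings of the SET post. The fixed 120-second sleep is replaced by polling; `fetch_report` is a hypothetical callable that does the network request, the response_code convention follows the VirusTotal v2 API (1 = ready, -2 = queued), and the sample reports are constructed.

```python
"""Poll VirusTotal until a report is ready, then rank engines across submissions.

Added example; not the author's vt-auto.pl. `fetch_report` is a hypothetical
callable (assumption) that takes a resource id and returns the parsed JSON
report. The response_code values follow the VirusTotal v2 API convention
(1 = report ready, -2 = still queued); the sample reports below are constructed.
"""
import time
from collections import Counter

READY, QUEUED = 1, -2


def wait_for_report(fetch_report, resource, first_delay=15, max_delay=120,
                    max_tries=8, sleep=time.sleep):
    """Fetch the report for `resource` until it is ready. The delay doubles after
    each queued answer up to max_delay; gives up with TimeoutError after max_tries."""
    delay = first_delay
    for _ in range(max_tries):
        report = fetch_report(resource)
        if report.get("response_code") == READY:
            return report
        sleep(delay)
        delay = min(delay * 2, max_delay)
    raise TimeoutError("report for %s not ready after %d tries" % (resource, max_tries))


def detections(report):
    """Map engine name -> detected? An empty result string means the engine
    missed the file, as in the post's per-engine output."""
    return {engine: bool(result) for engine, result in report["scans"].items()}


def detection_ratio(report):
    """(detected, total) pair, e.g. (31, 41) in the post's run."""
    hits = detections(report)
    return sum(hits.values()), len(hits)


def rank_engines(reports):
    """Per engine, how many files it detected and how many it missed, across all reports."""
    detected, missed = Counter(), Counter()
    for report in reports:
        for engine, hit in detections(report).items():
            (detected if hit else missed)[engine] += 1
    return detected, missed


def make_fake_fetch(queued_answers, final_report):
    """Stand-in for the network call: answers 'queued' a few times, then the report."""
    calls = []

    def fetch(resource):
        calls.append(resource)
        if len(calls) <= queued_answers:
            return {"resource": resource, "response_code": QUEUED}
        return final_report
    return fetch


# Constructed reports for three submissions (engine names as VirusTotal prints them;
# the detection strings are made up for the example).
SAMPLE_REPORTS = [
    {"resource": "sample-1", "response_code": READY,
     "scans": {"Sophos": "Mal/PdfEx-C", "ClamAV": "Suspect.PDF.ObfuscatedJS-5", "Norman": ""}},
    {"resource": "sample-2", "response_code": READY,
     "scans": {"Sophos": "Mal/PdfEx-C", "ClamAV": "", "Norman": ""}},
    {"resource": "sample-3", "response_code": READY,
     "scans": {"Sophos": "Troj/PDFJs-Gen", "ClamAV": "PDF.Exploit.Gen", "Norman": ""}},
]

if __name__ == "__main__":
    fetch = make_fake_fetch(2, SAMPLE_REPORTS[0])
    report = wait_for_report(fetch, "sample-1", sleep=lambda s: print("would sleep", s))
    print("Detection : (%d/%d)" % detection_ratio(report))
    detected, missed = rank_engines(SAMPLE_REPORTS)
    print("best (higher is better):", detected.most_common())
    print("missed (higher is worse):", missed.most_common())
```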
Happy Hacking!
Rodrigo "Sp0oKeR" Montoro
Monday, August 16, 2010
SET (Social Engineer Toolkit) PDFs vs. AntiVirus & Scoring System
Since the Social Engineer Toolkit aka SET is being used in the wild, I decided to create its PDFs and test them against AntiVirus vendors and against the new detection scoring based on SpiderLabs Research.
[---] The Social-Engineer Toolkit (SET) [---]
[---] Written by David Kennedy (ReL1K) [---]
[---] Version: 0.6.1 [---]
[---] Codename: 'Arnold Palmer' [---]
[---] Report bugs to: davek@social-engineer.org [---]
[---] Java Applet Written by: Thomas Werth [---]
[---] Homepage: http://www.secmaniac.com [---]
[---] Framework: http://www.social-engineer.org [---]
[---] Over 1 million downloads and counting. [---]
Welcome to the Social-Engineer Toolkit (SET). Your one
stop shop for all of your social-engineering needs..
Follow me on Twitter: dave_rel1k
DerbyCon 2011 Sep29-Oct02 - A new era begins...
http://www.derbycon.com
Select from the menu on what you would like to do:
1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7 Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit
Enter your choice: 1
1. Perform a Mass Email Attack
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu
Enter your choice: 1
1. Adobe Flash Player 'newfunction' Invalid Pointer Use
2. Adobe Collab.collectEmailInfo Buffer Overflow
3. Adobe Collab.getIcon Buffer Overflow
4. Adobe JBIG2Decode Memory Corruption Exploit
5. Adobe PDF Embedded EXE Social Engineering
6. Adobe util.printf() Buffer Overflow
7. Custom EXE to VBA (sent via RAR) (RAR required)
8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
Enter the number you want (press enter for default):
1. Windows Reverse TCP Shell
2. Windows Meterpreter Reverse_TCP
3. Windows Reverse VNC
4. Windows Reverse TCP Shell (x64)
5. Windows Meterpreter Reverse_TCP (X64)
6. Windows Shell Bind_TCP (X64)
Enter the payload you want (press enter for default):
* All samples use payload 1 (Windows Reverse TCP Shell) with port 2345.
1. Adobe Flash Player 'newfunction' Invalid Pointer Use
http://www.virustotal.com/file-scan/report.html?id=377ba41782bbeb25c9816d76ec190fb6f4b88c7bbaecc26653a4a6ecc479f3ea-1281835639
File name:flashplayer-newfunction.pdf
Submission date: 2010-08-15 01:27:19 (UTC)
Result: 15/ 42 (35.7%)
$ pdf-analisys.pl -s1 -f flashplayer-newfunction.pdf
flashplayer-newfunction.pdf Malicious PDF Detected
2. Adobe Collab.collectEmailInfo Buffer Overflow
http://www.virustotal.com/file-scan/report.html?id=a4ac73a6efee530a05ea05eeeaa3d8efc137e4eb3bcf4d492c2b318264da2f77-1281836155
File name: collab-collectEmailInfo.pdf
Submission date: 2010-08-15 01:35:55 (UTC)
Result: 17/ 42 (40.5%)
$ pdf-analisys.pl -s1 -f collab-collectEmailInfo.pdf
collab-collectEmailInfo.pdf Malicious PDF Detected
3. Adobe Collab.getIcon Buffer Overflow
http://www.virustotal.com/file-scan/report.html?id=631893cd75bcf60ec82a3f59d3bd3f7f166874641a4ed62ceee28852889ec6e2-1281836494
File name: collab-getIcon.pdf
Submission date: 2010-08-15 01:41:34 (UTC)
Result: 15/ 42 (35.7%)
pdf-analisys.pl -s1 -f collab-getIcon.pdf
collab-getIcon.pdf Malicious PDF Detected
4. Adobe JBIG2Decode Memory Corruption Exploit
http://www.virustotal.com/file-scan/report.html?id=814f20d28de287e76dbfacb14d90dbfab8e0b1e11e16212b88ca3216f2189117-1281836756
File name: JBIG2Decode.pdf
Submission date: 2010-08-15 01:45:56 (UTC)
Result: 15/ 42 (35.7%)
$ pdf-analisys.pl -s1 -f JBIG2Decode.pdf
JBIG2Decode.pdf Malicious PDF Detected
5. Adobe PDF Embedded EXE Social Engineering
http://www.virustotal.com/file-scan/report.html?id=484ba7800fd549b82b6ac4dab5100f3017a0995cc47be13977703a168d1bcef3-1281837936
File name: embeddedfile.pdf
Submission date: 2010-08-15 02:05:36 (UTC)
Result: 15/ 41 (36.6%)
$ pdf-analisys.pl -s1 -f embeddedfile.pdf
embeddedfile.pdf Malicious PDF Detected
6. Adobe util.printf() Buffer Overflow
http://www.virustotal.com/file-scan/report.html?id=99e01802391f77c5c93cdf52cb2eacb5673e6acf7ac90776d477948a7fa1222d-1281838414
File name: utilprintf.pdf
Submission date: 2010-08-15 02:13:34 (UTC)
Result: 16/ 42 (38.1%)
$ pdf-analisys.pl -s1 -f utilprintf.pdf
utilprintf.pdf Malicious PDF Detected
8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
http://www.virustotal.com/file-scan/report.html?id=0ce18c65373f113916b108508b3afc481e460f77353d1e3ddd259dbd29bab5a1-1281838713
File name: U3D.pdf
Submission date: 2010-08-15 02:18:33 (UTC)
Result: 11/ 42 (26.2%)
pdf-analisys.pl -s1 -f U3D.pdf
U3D.pdf Malicious PDF Detected
Clamav Results
collab-collectEmailInfo.pdf: OK
collab-getIcon.pdf: OK
embeddedfile.pdf: Exploit.PDF-22612 FOUND
flashplayer-newfunction.pdf: OK
JBIG2Decode.pdf: OK
U3D.pdf: OK
utilprintf.pdf: OK
----------- SCAN SUMMARY -----------
Known viruses: 813894
Engine version: 0.96.1
Scanned files: 7
Infected files: 1
* ClamAV has just been updated to the new engine 0.96.2, which detected all 7 samples as malicious, so UPDATE your engine ASAP.
Virus Total Results
Result: 15/ 42 (35.7%)
Result: 17/ 42 (40.5%)
Result: 15/ 42 (35.7%)
Result: 15/ 42 (35.7%)
Result: 15/ 41 (36.6%)
Result: 16/ 42 (38.1%)
Result: 11/ 42 (26.2%)
Average Detection: 14,85 / 42 or 35,37%
Top 5* AntiVirus Results
* Top 5 antivirus based on the most common names, not on detection rates
** Payloads listed below:
1. Adobe Flash Player 'newfunction' Invalid Pointer Use
2. Adobe Collab.collectEmailInfo Buffer Overflow
3. Adobe Collab.getIcon Buffer Overflow
4. Adobe JBIG2Decode Memory Corruption Exploit
5. Adobe PDF Embedded EXE Social Engineering
6. Adobe util.printf() Buffer Overflow
8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
Scoring System Results
collab-collectEmailInfo.pdf Malicious PDF Detected
collab-getIcon.pdf Malicious PDF Detected
embeddedfile.pdf Malicious PDF Detected
flashplayer-newfunction.pdf Malicious PDF Detected
JBIG2Decode.pdf Malicious PDF Detected
U3D.pdf Malicious PDF Detected
utilprintf.pdf Malicious PDF Detected
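As an added example (not the post's tooling), the following Python collates the three result sets printed above into one row per sample and reproduces the average detection figure. The three inputs are constructed from the lines quoted above (the VirusTotal "File name"/"Result" pairs, the clamscan 0.96.1 output and the pdf-analisys.pl verdict lines); the percentage is taken against the largest engine count, which is how the post's "14,85 / 42 or 35,37%" line comes out.

```python
"""Added example, not the post's own tooling: collate the VirusTotal,
ClamAV and scoring-system results quoted in the post into one table
and reproduce the average detection figure."""
import re
from typing import Dict, List, Tuple

# Constructed from the per-sample VirusTotal lines quoted in the post.
VT_REPORT = """\
File name:flashplayer-newfunction.pdf
Result: 15/ 42 (35.7%)
File name: collab-collectEmailInfo.pdf
Result: 17/ 42 (40.5%)
File name: collab-getIcon.pdf
Result: 15/ 42 (35.7%)
File name: JBIG2Decode.pdf
Result: 15/ 42 (35.7%)
File name: embeddedfile.pdf
Result: 15/ 41 (36.6%)
File name: utilprintf.pdf
Result: 16/ 42 (38.1%)
File name: U3D.pdf
Result: 11/ 42 (26.2%)
"""

# Constructed from the clamscan output quoted in the post (engine 0.96.1).
CLAMAV_OUTPUT = """\
collab-collectEmailInfo.pdf: OK
collab-getIcon.pdf: OK
embeddedfile.pdf: Exploit.PDF-22612 FOUND
flashplayer-newfunction.pdf: OK
JBIG2Decode.pdf: OK
U3D.pdf: OK
utilprintf.pdf: OK
"""

# Constructed from the pdf-analisys.pl verdict lines quoted in the post.
SCORING_OUTPUT = """\
collab-collectEmailInfo.pdf Malicious PDF Detected
collab-getIcon.pdf Malicious PDF Detected
embeddedfile.pdf Malicious PDF Detected
flashplayer-newfunction.pdf Malicious PDF Detected
JBIG2Decode.pdf Malicious PDF Detected
U3D.pdf Malicious PDF Detected
utilprintf.pdf Malicious PDF Detected
"""

FILE_RE = re.compile(r"^File name:\s*(\S+)")
RESULT_RE = re.compile(r"^Result:\s*(\d+)/\s*(\d+)")
CLAM_RE = re.compile(r"^(\S+):\s+(?:(OK)|(.+?) FOUND)$")


def parse_virustotal(text: str) -> Dict[str, Tuple[int, int]]:
    """Pair each 'File name:' line with the 'Result: hits/ engines' after it."""
    out: Dict[str, Tuple[int, int]] = {}
    current = None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = RESULT_RE.match(line)
        if m and current:
            out[current] = (int(m.group(1)), int(m.group(2)))
            current = None
    return out


def parse_clamav(text: str) -> Dict[str, str]:
    """Map file -> 'OK' or the signature name clamscan reported."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = CLAM_RE.match(line)
        if m:
            out[m.group(1)] = "OK" if m.group(2) else m.group(3)
    return out


def parse_scoring(text: str) -> Dict[str, bool]:
    """Map file -> True when the scoring system printed its malicious verdict."""
    out: Dict[str, bool] = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            out[parts[0]] = parts[1].strip() == "Malicious PDF Detected"
    return out


def average_detection(vt: Dict[str, Tuple[int, int]]) -> Tuple[float, int, float]:
    """Mean hits per sample, the largest engine count, and the mean as a
    percentage of that count (the convention behind '14,85 / 42 or 35,37%')."""
    hits = [h for h, _ in vt.values()]
    engines = max(n for _, n in vt.values())
    avg = sum(hits) / len(hits)
    return avg, engines, 100.0 * avg / engines


def compare(vt, clam, scoring) -> List[Tuple[str, str, str, str]]:
    """One row per sample: VirusTotal ratio, ClamAV result, scoring verdict."""
    rows = []
    for name in sorted(vt, key=str.lower):
        hits, n = vt[name]
        rows.append((name, f"{hits}/{n}", clam.get(name, "n/a"),
                     "detected" if scoring.get(name) else "missed"))
    return rows


def summary() -> dict:
    vt = parse_virustotal(VT_REPORT)
    clam = parse_clamav(CLAMAV_OUTPUT)
    scoring = parse_scoring(SCORING_OUTPUT)
    avg, engines, pct = average_detection(vt)
    return {
        "rows": compare(vt, clam, scoring),
        "vt_average": avg,
        "vt_engines": engines,
        "vt_percent": pct,
        "clamav_hits": sum(1 for v in clam.values() if v != "OK"),
        "scoring_hits": sum(1 for v in scoring.values() if v),
    }


if __name__ == "__main__":
    s = summary()
    for row in s["rows"]:
        print("%-28s VT %-6s ClamAV %-20s scoring %s" % row)
    print("Average detection: %.2f / %d or %.2f%%"
          % (s["vt_average"], s["vt_engines"], s["vt_percent"]))
```

The table makes the post's point visible in one place: signature engines caught the embedded-EXE sample and little else, while the structural scoring flagged all seven.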
We have sent some papers to a couple of conferences to start sharing this information. I'll let you know if we get approved, and where =).
Let's keep improving our research and sharing more and more information. In the future we'll share all the information, the scoring and the parser.
Regards,
Rodrigo "Sp0oKeR" Montoro
Thursday, 5 August 2010
Pic from Vegas/Blackhat/Caesars
The only picture with some of the Brazilian friends in Vegas, in front of Caesars after Blackhat 2010.
Nice Blackhat staff shirt, no? =D
I'll still write a post about the Blackhat/Defcon/SpiderLabs meeting this week =)
Regards,
Rodrigo Montoro (Sp0oKeR)
Mab, Rodrigo, Wendel, Bruno and Fio
Labels: blackhat
Wednesday, 4 August 2010
RazorBack - New Sourcefire VRT Project
The VRT guys have just released version 0.1 of RazorBack at Defcon 18. The project is REALLY interesting, and it mostly targets client-side attacks, since that's currently where most attacks are.
What is RazorBack?
Project Razorback™ is an undertaking by the Sourcefire VRT.
Razorback is a framework for an intelligence driven security solution. It consists of a Dispatcher at the core of the system, surrounded by Nuggets of varying types.
The project page can be found here: http://labs.snort.org/razorback/
There you will find the slides, papers and the version 0.1 files. Besides that, they created a new channel at irc.freenode.net, #razorback.
I'll try to do a lot of tests next week and post about them here.
For sure this project will grow quickly and kick ass in the future. Get involved. I for sure will.
Happy Snorting!
Rodrigo Montoro (Sp0oKeR)
Tuesday, 27 July 2010
Snort 2.9.0 Beta Available
Awesome new features are coming with Snort 2.9.0. I'll do lots of tests after Blackhat/Defcon.
A beta version of Snort 2.9.0 is now available on snort.org, at
http://www.snort.org/snort-downloads/
Snort 2.9.0 introduces:
* Feature rich IPS mode including improvements to Stream for
inline deployments. Additionally a common active response API is
used for all packet responses, including those from Stream,
Respond, or React. A new response module, respond3, supports the
syntax of both resp & resp2, including strafing for passive
deployments. When Snort is deployed inline, a new preprocessor
has been added to handle packet normalization to allow Snort
to interpret a packet the same way as the receiving host.
* Use of a Data Acquisition API (DAQ) that supports many different
packet access methods including libpcap, netfilterq, IPFW, and
afpacket. For libpcap, version 1.0 or higher is now required.
The DAQ library can be updated independently from Snort and is
a separate module that Snort links. See README.daq for details
on using Snort and the new DAQ.
* Updates to HTTP Inspect to extract and log IP addresses from
X-Forward-For and True-Client-IP header fields when Snort generates
events on HTTP traffic.
* A new rule option 'byte_extract' that allows extracted values to
be used in subsequent rule options for isdataat, byte_test,
byte_jump, and content distance/within/depth/offset.
* Updates to SMTP preprocessor to support MIME attachment decoding
across multiple packets.
* Ability to "test" drop rules using Inline Test Mode. Snort will
indicate a packet would have been dropped in the unified2 or
console event log if policy mode was set to inline.
* Two new rule options to support base64 decoding of certain pieces
of data and inspection of the base64 data via subsequent rule
options.
* Updates to the Snort packet decoders for IPv6 for improvements to
anomaly detection.
* Added a new pattern matcher that supports Intel's Quick Assist
Technology for improved performance on supported hardware
platforms. Visit http://www.intel.com to find out more about
Intel Quick Assist. The following document describes Snort's
integration with the Quick Assist Technology
http://download.intel.com/embedded/applications/networksecurity/324029.pdf
* Reference applications for reading unified2 output that handle
all unified2 record formats used by Snort.
Please see the Release Notes and ChangeLog for more details.
Please submit bugs, questions, and feedback to snort-beta@sourcefire.com.
Happy Snorting!
The Snort Release Team
Friday, 23 July 2010
Updates/New Features at ViCheck and VirusTotal
This week those nice online tools made great enhancements, especially ViCheck.
From ViCheck Blog:
For recently processed documents such as PDF or MS Office (engine >=193) we are now highlighting more information about the embedded executable such as the encryption/cipher method and information about the key.
To read about and see samples of those:
http://vicheck.blogspot.com/2010/07/email-report-enhancements.html
http://vicheck.blogspot.com/2010/07/report-page-enhancements.html
From the VirusTotal Blog:
They added a new engine from SUPERAntiSpyware (http://www.superantispyware.com/), which I hope helps to improve the AV detection rates. I hope it's not something only too static. I had really never heard about this engine before.
To read about this: http://blog.hispasec.com/virustotal/49
Happy Hacking!
Rodrigo Montoro (Sp0oKeR)
Thursday, 22 July 2010
Blackhat / Defcon Las Vegas (english)
Guys,
This week I'm going to Vegas for 3 reasons (in no particular order):
1-) I was invited to be staff at Blackhat. I'll be a Speaker Proctor, and I'm very excited about that since I will be in touch with awesome security guys and, especially, I'll have a Staff T-shirt with my nickname (that's too nerdy, I know, but I love conference T-shirts).
2-) Defcon, as always, has good talks and costs 10% of Blackhat's price, which makes it perfect to go to.
3-) SpiderLabs Summer Meeting, where all my SpiderLabs team will meet, discuss projects and futures, and keep in touch in person, since we are spread around the world.
Sites:
http://www.blackhat.com
http://www.defcon.org
http://www.trustwave.com/spiderlabs
If you are going to Vegas, ping me and let's talk and have some beers.
Besides me, lots of Brazilians will be there too, such as Thiago Bordini, Clebeer, Bruno (mphx2), Luiz Eduardo (le), Willian Caprino (Billy), Cristiane Baffa, Wendel, Rodrigo Rubira (bsdaemon), Fernando Amatte and others.
Happy Hacking!
Rodrigo Montoro(Sp0oKeR)
Blackhat / Defcon Las Vegas (pt_BR)
Dear all,
This week I'm going to Las Vegas for 3 reasons:
1-) I was invited to be Staff at Blackhat; I'm very happy about that, and who knows, maybe it opens the door for other Brazilians in the following years. I'll be what they call a Speaker Proctor, and, like a good nerd, what I'm really excited about is the staff T-shirt with my nick on it.
2-) Defcon, as always the best cost-benefit among events, since it costs 10% of Blackhat.
3-) SpiderLabs Summer Meeting, that is, the meeting of the whole SpiderLabs team from around the world, which happens together with the two conferences; a perfect combination of dates.
Sites:
http://www.blackhat.com
http://www.defcon.org
http://www.trustwave.com/spiderlabs
If you're going there, get in touch so we can chat and have a beer.
Happy Hacking!
Rodrigo Montoro(Sp0oKeR)
Tuesday, 20 July 2010
Not Malicious PDF - Which online tool should we trust?
Guys,
Since people trust this blog and what I write here, I always try my best. Unfortunately, sometimes we make mistakes. My last post was about a 0/43 malicious PDF not being detected by any antivirus; from the beginning I was in doubt about whether it was malicious or not, so I tested it against some web tools, as you can read in my last post: http://spookerlabs.blogspot.com/2010/07/malicious-pdf-not-detected-by-any.html
When I got 0/43 and analyzed the PDF structure with Didier Stevens' tools, I can say the score was 1 x 1, since VirusTotal considered it normal and pdfid pointed to something uncommon.
One point that I listed in the other post was the JSunpack detection, which just tries to find the word getAnnots (since it's not commonly used). Another point that I looked at and didn't feel comfortable with was the JoeDoc result that said the PDF was exploitable on version 9.2, while CVE-2009-1492 only affects versions up to 9.1.
From : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1492
"The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments. "
Based on that, the real results for the tools in this analysis:
JSunpack - Failed
$ ./jsunpackn.py c0610pall_MPA_Kit.re.pdf -V
[suspicious:3] [PDF] c0610pall_MPA_Kit.re.pdf.maybe.vir
suspicious: getAnnots CVE-2009-1492 detected
rule getAnnots: decodedPDF
{
meta:
impact = 3 //Since getAnnots may be legitimate
ref = "CVE-2009-1492"
hide = true
strings:
$cve20091492 = "getAnnots" nocase fullword
condition:
1 of them
}
www.vicheck.ca - Failed
Date: 2010-07-15 18:59:54
Web submission from 187.105.222.250.
c0610pall_MPA_Kit.re.pdf:
EXECUTABLE SCAN: Javascript obfuscation syncAnnotScan to hide blocks (pdfexploit/full)
REPORT: https://www.vicheck.ca/md5query.php?hash=e40b33d95cb79765664d76e26d694efb
Confidence ranking: 75 (2 hits).
External hash searches:
VIRUS SCAN VirusTotal: 0/42 not detected
REPORT http://www.virustotal.com/analisis/10e735332a0bfb899a0a8ec83cb15f78915bf0a1fdbd311226f26e7501c5d766-1279207142
VIRUS SCAN Threat Expert: New
VIRUS SCAN Team-CYMRU.org: New
PDF Structure - "Failed", but I can say that I have analyzed a lot of samples and this isn't a common file format for a normal PDF:
1 page file
/JavaScript and /JS options
/EmbeddedFiles
Virustotal - OK - http://www.virustotal.com
JoeDoc - Failed - http://www.joedoc.org
Joedoc (Beta) has detected the the following results:
Runtime detections:
- Successful exploit on Acrobat 9.2
- Successful exploit on Acrobat 9.0
- Successful exploit on Acrobat 8.1.2
- No exploit on Acrobat 7.0.5
This sample is the kind of sample that has everything to be malicious, but it's not. To make sure, I installed a VM and opened this file (Adobe Reader 8) and a new sample that @2gg shared again, which reported the same; that makes me feel comfortable saying that it's a False Positive.
Sorry about that, but I'll always try my best, and I'll triple check next time since the double check failed! Anyway, in my opinion it's better to have a False Positive with an uncommon file like this, which you can handle, than a False Negative with something very similar and malicious for real.
Keep reading, since we will have lots of good stuff about our research in the future, and for sure with few False Positives and Negatives, like any malware detection tool.
Regards ,
Rodrigo Montoro (Sp0oKeR)
Monday, 19 July 2010
Malicious PDF not detected by any antivirus signature (Updated/Incorrect)
Please read the new post explaining why this post was wrong:
http://spookerlabs.blogspot.com/2010/07/not-malicious-pdf-which-online-tool.html
Regards,
Today I got something curious in my PDF analysis:
@2gg, a friend from Twitter, sent me some samples, and I ran 3 of them against VirusTotal to make sure my research isn't generating False Positives (FP). To my surprise, I uploaded a file there and got the detection result 0/43.
File name: c0610pall_MPA_Kit.re.pdf
Submission date: 2010-07-15 15:42:59 (UTC)
Current status: queued queued analysing finished
Result: 0/ 43 (0.0%)
Our research result was:
/LABS/pdf-basics$ perl pdf-analisys.pl -f c0610pall_MPA_Kit.re.pdf
c0610pall_MPA_Kit.re.pdf Malicious PDF Detected
That means that my script was generating a FP, but based on analysis using Didier Stevens' tools I was thinking that the antivirus engines had failed totally against this sample.
So I ran the PDF against jsunpack-n to have a third test, and I got:
$ ./jsunpackn.py c0610pall_MPA_Kit.re.pdf -V
[suspicious:3] [PDF] c0610pall_MPA_Kit.re.pdf.maybe.vir
suspicious: getAnnots CVE-2009-1492 detected
info: [decodingLevel=0] JavaScript in PDF 1298 bytes, with 1329 bytes headers
info: [decodingLevel=1] found JavaScript
info: file: saved /LABS/pdf-basics/samples/twitter2/c0610pall_MPA_Kit.re.pdf.maybe.vir to (./files/original_4b088c4be0c7bfca3ccbad187f97215d5fb1b181)
file: decoding_438f8880e0e100142aae652071590ba9ea2c572a: 2627 bytes
file: original_4b088c4be0c7bfca3ccbad187f97215d5fb1b181: 1406792 bytes
Talking to Mila from http://contagiodump.blogspot.com, she pointed me to the jsunpack result online: http://jsunpack.jeek.org/dec/go?report=763c8312212dc379e18facb9d96815af36eb79ba .
Other things that pointed me to it being a malicious file, and that I needed to figure out how to prove, were based on the pdfid output:
PDFiD 0.0.11 c0610pall_MPA_Kit.re.pdf
PDF Header: %PDF-1.7
obj 60
endobj 60
stream 21
endstream 22
xref 2
trailer 2
startxref 2
/Page 1
/Encrypt 0
/ObjStm 2
/JS 1
/JavaScript 2
/AA 0
/OpenAction 0
/AcroForm 0
/JBIG2Decode 0
/RichMedia 0
/URI 2
/EmbeddedFile 0
/EmbeddedFiles 1
/cmd 0
/Action 0
/Launch 0
/Colors > 2^24 0
Based on that, I started to test more in depth to try to make sure that this 0/43 result isn't a false negative, or that my research was generating a false positive.
Analyzing the JSunpack detection code I found:
rule getAnnots: decodedPDF
{
    meta:
        impact = 3 //Since getAnnots may be legitimate
        ref = "CVE-2009-1492"
        hide = true
    strings:
        $cve20091492 = "getAnnots" nocase fullword
    condition:
        1 of them
}
That means those alerts didn't really mean that something was trying to exploit the flaw, since getAnnots is a (not widely or commonly used) feature of PDF.
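The pdfid counts and the jsunpack getAnnots rule are both keyword evidence. The following Python is an added example (not the post's pdf-analisys.pl, nor PDFiD or jsunpack code) of turning such counts into a triage verdict that stops at "suspicious" when no auto-execution trigger is present. The weights, the threshold and the two inline PDF fragments are constructed for this example; the second fragment uses #xx-escaped names to show why a scanner has to normalize names before counting.

```python
import re

# pdfid-style keyword triage (added example; not pdf-analisys.pl, PDFiD or
# jsunpack code). Weights are constructed: auto-execution triggers score
# highest, JavaScript presence scores medium, and getAnnots keeps the
# impact = 3 that jsunpack's rule assigns because the call may be legitimate.
WEIGHTS = {
    b"/OpenAction": 5,
    b"/AA": 5,
    b"/Launch": 5,
    b"/JS": 3,
    b"/JavaScript": 3,
    b"/EmbeddedFiles": 2,
    b"/RichMedia": 2,
    b"/JBIG2Decode": 2,
    b"getAnnots": 3,  # CVE-2009-1492 indicator per jsunpack, impact 3
}
AUTO_EXEC = ("/OpenAction", "/AA", "/Launch")
SANDBOX_THRESHOLD = 8  # constructed; tune against your own corpus

_NAME = re.compile(rb"/[^\s/\[\]<>(){}%]+")  # one PDF name token
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")  # #xx escape inside a name

def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes inside name tokens so /J#53 is counted as /JS."""
    def fix(m):
        return _HEX.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return _NAME.sub(fix, data)

def count_keywords(data: bytes, normalize: bool = True) -> dict:
    """Count each keyword as a whole token, like pdfid. Only uncompressed
    content is scanned; JavaScript inside a FlateDecode stream, which
    jsunpack would inflate, is invisible to this pass."""
    if normalize:
        data = normalize_names(data)
    counts = {}
    for kw in WEIGHTS:
        if kw.startswith(b"/"):
            # a name ends at whitespace or a delimiter, so /JS never
            # matches inside a longer name such as /JSX
            pattern = re.escape(kw) + rb"(?=[\s/\[\]<>(){}%]|$)"
        else:
            pattern = rb"\b" + re.escape(kw) + rb"\b"
        counts[kw.decode()] = len(re.findall(pattern, data))
    return counts

def score(counts: dict) -> int:
    """Presence-based: each keyword seen at least once adds its weight."""
    return sum(WEIGHTS[k.encode()] for k, n in counts.items() if n)

def triage(data: bytes) -> dict:
    """Static keyword evidence alone never yields 'malicious'; that needs
    a sandbox or VM run, as the post's own re-check showed."""
    counts = count_keywords(data)
    total = score(counts)
    if total >= SANDBOX_THRESHOLD and any(counts[k] for k in AUTO_EXEC):
        verdict = "likely-malicious: confirm in a sandbox"
    elif counts["/JS"] or counts["/JavaScript"] or counts["getAnnots"]:
        verdict = "suspicious: JavaScript present, needs behavioural confirmation"
    else:
        verdict = "no static indicators"
    return {"counts": counts, "score": total, "verdict": verdict}

# Constructed fragment with the same pdfid profile as the post's sample:
# one /Page, /JS 1, /JavaScript 2, /EmbeddedFiles 1, no /OpenAction or /AA.
SAMPLE_LIKE_POST = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 5 0 R /JavaScript 6 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
6 0 obj << /Names [(init) 7 0 R] >> endobj
7 0 obj << /S /JavaScript /JS (var a = this.getAnnots(); if (a) app.alert(a.length);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed fragment whose names use #xx escapes; without normalization a
# scanner reports /OpenAction 0 and /JS 0 for it.
SAMPLE_ESCAPED = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /Java#53cript /J#53 (app.alert(1);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, blob in (("like-post", SAMPLE_LIKE_POST), ("escaped", SAMPLE_ESCAPED)):
        r = triage(blob)
        print(label, r["score"], r["verdict"], {k: v for k, v in r["counts"].items() if v})
```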
So @snowfl0w from http://contagiodump.blogspot.com pointed me to a very nice checking website called https://www.vicheck.ca, where I sent the sample and got the following results:
=============================================
Thank you for your recent submission to vicheck.ca.
Date: 2010-07-15 18:59:54
Web submission from 187.105.222.250.
c0610pall_MPA_Kit.re.pdf:
EXECUTABLE SCAN: Javascript obfuscation syncAnnotScan to hide blocks (pdfexploit/full)
REPORT: https://www.vicheck.ca/md5query.php?hash=e40b33d95cb79765664d76e26d694efb
Confidence ranking: 75 (2 hits).
External hash searches:
VIRUS SCAN VirusTotal: 0/42 not detected
REPORT http://www.virustotal.com/analisis/10e735332a0bfb899a0a8ec83cb15f78915bf0a1fdbd311226f26e7501c5d766-1279207142
VIRUS SCAN Threat Expert: New
VIRUS SCAN Team-CYMRU.org: New
=============================================
As a last test I sent it to joedoc.org and got good results too:
Joedoc (Beta) has detected the the following results:
Runtime detections:
- Successful exploit on Acrobat 9.2
- Successful exploit on Acrobat 9.0
- Successful exploit on Acrobat 8.1.2
- No exploit on Acrobat 7.0.5
Special thanks to @2gg and @snowfl0w
** About VirusTotal: it basically runs the sample against signatures, and some AV products have behavior analysis among other protections that weren't run against this sample.
Regards,
Rodrigo Montoro (Sp0oKeR)
Friday, July 16, 2010
ISSA Day July @ Checkpoint
Dear all,
A reminder that ISSA Day is a free event and an excellent networking opportunity, besides good talks.
The ISSA Brazil Chapter invites everyone interested to take part in the July 2010 ISSA Day.
The event is free and open to anyone interested, and has the support of Check Point.
Date: July 20, 2010
Agenda:
19:00 – ISSA Brasil presentation
19:30 – Daniel Bortolazzo (Check Point) – Talk on DLP
20:30 – Coffee Break / Networking
21:00 – Cleber Brandão (BrConnection) / Rodrigo Branco (Check Point) – Talk on Malware Analysis and Research using Open Source tools and Developing Corporate Tools
Venue:
Check Point Software Technologies (Brazil) Ltda.
Rua Samuel Morse, 120 – Itaim Bibi
04576-060 – São Paulo, SP Brazil
Anyone interested must register: http://www.issabrasil.org/2010/07/16/issa-day-julho-2010/
Happy Hacking!
Rodrigo Montoro(Sp0oKeR)
Wednesday, July 7, 2010
Intrusion Prevention Summit (Online) – July 8, 2010
A bit last minute, but I received this on LinkedIn and found it quite interesting, since besides being free it will also be online (in English).
I have included below links to a free online summit on Intrusion Prevention that takes place on July 8. At this summit, leading experts will look at the emerging threat landscape and provide tips to ensure your security management program can best overcome these new challenges in intrusion prevention. It will also cover key aspects in detecting, patching and immunizing your network to prevent repeated attacks from occurring. Hear leading industry experts from TechTarget, Vodafone, SecureWorks, ISACA, Fortinet and more as they discuss the latest innovations, best practices, barriers to implementation and measurable benefits of intrusion prevention.
Register here: http://www.brighttalk.com/r/svf
Intrusion Prevention Summit Presentations Include:
“When Prevention Fails: The Role of IPS in Incident Response”
C. Matthew Curtin, Founder, Interhack
“Threat Prevention for 2010 and Beyond”
Jason Clark, SE Manager, US Channels, Fortinet
“Network Intrusion Prevention vs. Anomaly Detection”
Mike Fratto, Editor, Network Computing
“Top Risks Associated with Implementing IPS”
Marco Ermini, Network Security Manager, Vodafone Group Services
“The Digital Disaster – Dealing with Computer Incidents”
Jan Collie, Manager Director & Principal Investigator, The Digital Detective Ltd.
“Why “Human Intelligence” is Critical to Effective IPS”
Paul Pearston, Security Solutions Architect, SecureWorks
“Intrusion Prevention, Are We Joking?”
Mark Henshaw, Director, ISACA London & Chairman, ISACA Winchester
“What’s the Future for Intrusion Prevention? Key 2011 Trends”
Ron Condon, UK Bureau Chief, TechTarget
Register here: http://www.brighttalk.com/r/svf
Posted By Holger Schulze
Happy Detection!
Rodrigo Montoro(Sp0oKeR)
Monday, June 14, 2010
New Class - Basic Snort Training - 07/08/2010
First of all, thanks to everyone (15 participants) in the June 12 class of the Snort Hands-On training with Temporeal Eventos.
Below are some testimonials we received:
"Very good, it met my expectations. I recommend it to everyone!" Thiago D. Magnani
"As a first contact with the tool, I liked it a lot. The Snort Hands-On Tutorial met my expectations. I recommend it!" Marcelo Solha
"The training exceeded my expectations." André Gustavo Miura
"The training instructors are very good; they are excellent." Leonardo Silva
Continuing the training, we will hold the next class on August 7, 2010.
To register: http://www.temporealeventos.com.br/?area=87
Happy Snorting!
Rodrigo Montoro(Sp0oKeR)
Tuesday, June 8, 2010
OWASP AppSec Brasil 2010 - Call for Mini-Courses
**APPSEC BRASIL 2010**
**CALL FOR MINI-COURSES**
OWASP (Open Web Application Security Project) requests proposals for presentations for the AppSec Brasil 2010 conference, which will take place at Fundação CPqD in Campinas, SP, from November 16 to 19, 2010. There will be mini-courses on the 16th and 17th, followed by single-track plenary sessions on November 18 and 19, 2010.
We are looking for people and organizations willing to teach mini-courses on application security. Topics of interest include:
- Application Threat Modeling
- Business Risks with Application Security
- Hands-on Source Code Review
- Metrics for Application Security
- OWASP Tools and Projects
- Privacy Concerns with Applications and Data Storage
- Secure Coding Practices
- Secure Development Lifecycle Programs
- Technology-specific security topics (AJAX, XML, Flash, etc.)
- Web Application Security countermeasures
- Web Application Security Testing
- Web Services, XML and Application Security
The list of topics is not exhaustive; other topics may be covered, as long as they are in line with the central theme of the event.
To submit a proposal, fill in the form available at
http://www.owasp.org/images/4/43/OWASP_AppSec_Brasil_2010_CFT%28pt-br%29.rtf.zip ,
which must be sent by e-mail to organizacao2010@appsecbrasil.org .
Each mini-course may be 1 or 2 days long (8 hours per day) and must comply with the rules defined by OWASP in its "Speaker Agreement". The conference will pay instructors at least 30% of the revenue of their mini-courses. Courses that attract more than the minimum number of students may receive higher percentages (more details below). There will be no other kind of remuneration (travel, lodging, etc.) for the presenters or authors of the mini-courses. If a different arrangement is needed, please contact the organizing committee at the e-mail below.
**Remuneration**
Instructors and course authors will be paid according to the number of students. If the course attracts only the minimum number of students, the remuneration will be 30% of the revenue. For every additional 10 students, the remuneration increases by 5% of the revenue, up to a maximum of 45% of the course revenue. For example, for a 1-day course with a class of 10 to 19 students, the instructors and authors will receive 30% of the course revenue. For classes of 20 to 29 students, the remuneration rises to 35% of the revenue, and so on.
In exceptional cases, a different remuneration scheme may be agreed for instructors. Interested parties should contact the organizing committee at organizacao2010@appsecbrasil.org
**Registration fees**
1-day courses: R$ 450 per student
2-day courses: R$ 900 per student
**Minimum number of students**
10 students for 1-day courses
20 students for 2-day courses
**Important dates:**
The deadline for submitting proposals is July 26, 2010 at 23:59, Brasília time.
Acceptance notification will be sent by August 16, 2010.
The final version of the mini-course material must be sent by September 15, 2010.
The conference organizing committee can be contacted by e-mail: organizacao2010@appsecbrasil.org
For more information, please see the following pages:
Conference page: http://www.owasp.org/index.php/AppSec_Brasil_2010_(pt-br)
OWASP Speaker Agreement (in English): http://www.owasp.org/index.php/Speaker_Agreement
OWASP page: http://www.owasp.org
Conference page on Easychair: http://www.easychair.org/conferences/?conf=appsecbr2010
Proposal submission form: http://www.owasp.org/images/4/43/OWASP_AppSec_Brasil_2010_CFT%28pt-br%29.rtf.zip
********* ATTENTION: Proposals without ALL the information requested in the form will not be accepted *********
Please forward to anyone who may be interested.
_______________________________________________
Owasp-brazilian mailing list
Owasp-brazilian@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-brazilian
Monday, May 24, 2010
When a flaw in the pwnies site becomes the best flaw ...
For those who don't know, the Pwnie Awards are given out for hype, lame bugs and more, which you can see here: http://pwnies.com/
Following my Twitter timeline, someone published a CSRF flaw on the site http://pwnies.com/ that makes you vote ("without knowing"), because the site has the flaw.
Basic analysis: the post comes with a shortened URL, which leads people to click without ever knowing what happened (fortunately nothing malicious happens).
The URL itself, as I saw it on Twitter: http://bit.ly/9PFdhq
Following it we get:
-bash-3.00$ telnet bit.ly 80
Connected to bit.ly (128.121.234.46).
Escape character is '^]'.
HEAD /9PFdhq HTTP/1.1
Host:bit.ly
HTTP/1.1 301 Moved
Server: nginx/0.7.42
Date: Mon, 24 May 2010 20:31:32 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: _bit=4bfae224-002e8-00432-aba08fa8;domain=.bit.ly;expires=Sat Nov 20 15:31:32 2010;path=/; HttpOnly
Location: http://204.232.205.92/lolpwnie.html
MIME-Version: 1.0
Content-Length: 297
Dumping the source of lolpwnie.html we have:
bash-3.00$ links --source http://204.232.205.92/lolpwnie.html
Result/code posted here: http://pastebin.com/B4fPditn
In other words, when you open the URL you vote that the best flaw was "Pwnies.com CSRF Vulnerability", which is ironic to say the least.
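The HEAD trick above, checking where a shortened URL points without loading the page, as an added Python example (not the post's own commands). The local stand-in server, its paths and the hop limit are constructed for the example so it runs offline; against a real shortener you would pass the real URL to expand().

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

# Added example (not the post's commands): expand a shortened URL hop by hop
# with HEAD requests, reading each Location header ourselves instead of
# letting a client follow it, so the final page is never fetched or rendered.
MAX_HOPS = 5


def head_once(url: str, timeout: float = 5.0) -> tuple:
    """Send one HEAD request; return (status, Location header or None)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    try:
        conn.request("HEAD", target, headers={"User-Agent": "url-expander/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url: str, max_hops: int = MAX_HOPS) -> list:
    """Return the redirect chain starting at url. Stops at the first non-3xx
    answer, at a 3xx without Location, or after max_hops, so a redirect
    loop cannot run forever."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head_once(chain[-1])
        if not (300 <= status < 400) or not location:
            break
        # relative Location values resolve against the current hop
        chain.append(urljoin(chain[-1], location))
    return chain


class _Shortener(BaseHTTPRequestHandler):
    """Constructed stand-in for bit.ly so the example runs offline:
    /9PFdhq answers 301 to /lolpwnie.html, /loop redirects to itself."""
    def do_HEAD(self):
        if self.path == "/9PFdhq":
            self.send_response(301)
            self.send_header("Location", "/lolpwnie.html")
        elif self.path == "/loop":
            self.send_response(302)
            self.send_header("Location", "/loop")
        elif self.path == "/lolpwnie.html":
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
        else:
            self.send_response(404)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_stand_in() -> str:
    """Start the stand-in shortener on an ephemeral port; return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _Shortener)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_port


if __name__ == "__main__":
    base = start_stand_in()
    print(" -> ".join(expand(base + "/9PFdhq")))
    print(" -> ".join(expand(base + "/loop", max_hops=3)))
```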
Update:
They have already fixed the flaw; now when you try to hit the CSRF, the message "Submission failed. Please try later or email your submission to info@pwnies.com" comes back.
Happy Hacking!
Rodrigo Montoro(Sp0oKeR)
Thursday, May 6, 2010
Malicious PDFs / JavaScripts
Dear all,
I am looking for malicious PDFs to analyze. If you have received any and can pass it on, I will be very grateful. I intend to post some results of the analyses.
Examples of malicious JavaScripts are also welcome.
Happy Research!
Rodrigo Montoro(Sp0oKeR)
Wednesday, May 5, 2010
SRW - Snort Rules Week will be back!
Dear all,
SRW - Snort Rules Week took a break for lack of time, but next week it will be back in full force, possibly with information based on a more real-world view and not only on static analysis of the rules.
In the background I also intend to make a podcast version, which would be better for discussing the trends, but this second stage will possibly only come in June.
Stay tuned and follow us!
Happy Snorting!
Rodrigo Montoro
Wednesday, April 28, 2010
(IN)SECURE Magazine issue 25 released
Table of contents:
- The changing face of penetration testing: Evolve or die!
- Review: SmartSwipe
- Unusual SQL injection vulnerabilities and how to exploit them
- Take note of new data notification rules
- RSA Conference 2010 coverage
- Corporate monitoring: Addressing security, privacy, and temptation in the workplace
- Cloud computing and recovery, not just backup
- EJBCA: Make your own certificate authority
- Advanced attack detection using OSSIM
- AND MORE!
To download it: http://www.net-security.org/secworld.php?id=9111
Happy Hacking!
Rodrigo Montoro(Sp0oKeR)
Thursday, April 1, 2010
Podcast Segurança Nacional - [i shot the sheriff] Episode 73 - 31.03.2010
Length: 1 hour and 15 minutes
Events
RUXCON 2010 CALL FOR PAPERS
Gamesec 2010 CFP - Conference on Decision and Game Theory for Security
PlumberCOn CFP
HITB Dubai Agenda
EC2ND 2010 CFP
News
Stay Safe – PodCast
Law Enforcement Appliance Subverts SSL
Cisco's Backdoor For Hackers
PCI Council And Passwords: Do As We Say, Not As We Do
U.S. enables Chinese hacking of Google
YSTS Schedule Highlights
To listen: http://www.naopod.com.br
Happy Hacking!
Rodrigo Montoro(Sp0oKeR)
Tuesday, March 23, 2010
OSSEC and Snort Training with Temporeal Eventos
Dear all,
Marcos Aurélio and I will give 2 training courses in partnership with Temporeal Eventos; they will be 1-day courses held on Saturdays:
OSSEC HIDS on April 17
Objective: The objective of the Tempo Real Eventos OSSEC Hands-On Tutorial is to demonstrate how OSSEC HIDS can provide in-depth security by integrating with IT assets. It will cover how, starting from log analysis, we can obtain information that helps prevent future attacks or stop attacks in real time; present what the rootkit detection system is and how it works, together with file system integrity checking and active response; and give a basic explanation of using decoders, rules and sending alerts.
The OSSEC Tutorial will detail the different installation types, the prerequisites for a successful HIDS installation, how to work with event correlation inside OSSEC, how to create your own correlations, and how to get information about the events generated by OSSEC through the OSSEC WUI.
More information: http://www.temporealeventos.com.br/?area=175
Snort IDS on May 8, 2010
Objective: The Snort Hands-On Tutorial aims to demonstrate how Snort works in the following way: how to install it, how to manage it through a graphical interface, how to keep the system updated and how to run periodic tests. The basics of signature writing will also be covered.
The Snort Hands-On Tutorial will cover the most common attacks and how they work, in order to generate discussion about performance improvements, updates and graphical attack reports, trends in intrusion problems on your network, among other topics.
More information: http://www.temporealeventos.com.br/?area=87
See you there =)
Rodrigo Montoro(Sp0oKeR)