Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Internet Storm Center

Critical Cisco ASA IKEv1/v2 Vulnerability. Active Scanning Detected

Published: 2016-02-10
Last Updated: 2016-02-10 20:44:37 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Cisco released an advisory revealing a critical vulnerability in Cisco's ASA software. Devices are vulnerable if they are configured to terminate IKEv1 or IKEv2 VPN sessions. (CVE-2016-1287)

The vulnerability can lead to a complete compromise of the system. A single UDP packet may suffice to exploit it. No details about the nature of the vulnerability have been made public yet, but it is recommended to patch SOON. The exploit would likely arrive over UDP port 500 or possibly 4500.

We are seeing a LARGE INCREASE in port 500/UDP traffic (see the linked report and select "TCP Ratio" for the left Y axis; earlier spikes affecting this port were mostly TCP).
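As an added illustration of the traffic observation above (not code from the ISC diary), this Python script computes the daily TCP ratio for destination port 500 from constructed firewall-style log lines and flags the day on which UDP/500 surges against a mostly-TCP baseline; the log line format, the sample data and the thresholds are assumptions.

```python
"""Spot a UDP/500 (IKE) surge against a mostly-TCP baseline (added example,
not from the ISC diary; log format and sample data are constructed)."""
from collections import defaultdict
from statistics import median

# Constructed sample: (day, proto, hits), expanded to one log line per hit.
_SPEC = [("2016-02-07", "TCP", 10), ("2016-02-07", "UDP", 2),
         ("2016-02-08", "TCP", 9),  ("2016-02-08", "UDP", 3),
         ("2016-02-09", "TCP", 11), ("2016-02-09", "UDP", 2),
         ("2016-02-10", "TCP", 5),  ("2016-02-10", "UDP", 20)]
SAMPLE_LOG = [f"{d} {p} dport=500 src=203.0.113.{i % 250}"
              for d, p, n in _SPEC for i in range(n)]

def parse(lines):
    """Yield (day, proto, dport) from lines like 'YYYY-MM-DD UDP dport=500 ...'."""
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or not parts[2].startswith("dport="):
            continue  # skip lines in another format
        yield parts[0], parts[1].upper(), int(parts[2][len("dport="):])

def daily_counts(lines, dport=500):
    """Return {day: {'TCP': n, 'UDP': n}} for one destination port."""
    counts = defaultdict(lambda: {"TCP": 0, "UDP": 0})
    for day, proto, port in parse(lines):
        if port == dport and proto in ("TCP", "UDP"):
            counts[day][proto] += 1
    return dict(counts)

def tcp_ratio(c):
    """Share of TCP in a day's hits (the 'TCP Ratio' axis in the ISC report)."""
    total = c["TCP"] + c["UDP"]
    return c["TCP"] / total if total else 0.0

def udp_surge_days(counts, factor=3.0):
    """Days whose UDP hits exceed `factor` x the median UDP count of the other
    days and whose traffic is UDP-dominated (TCP ratio below 0.5)."""
    flagged = []
    for day, c in sorted(counts.items()):
        others = [o["UDP"] for d, o in counts.items() if d != day]
        baseline = median(others) if others else 0
        if c["UDP"] > factor * baseline and tcp_ratio(c) < 0.5:
            flagged.append(day)
    return flagged

if __name__ == "__main__":
    counts = daily_counts(SAMPLE_LOG)
    for day in sorted(counts):
        print(day, counts[day], f"tcp_ratio={tcp_ratio(counts[day]):.2f}")
    print("UDP/500 surge on:", udp_surge_days(counts))
```

With the constructed data only 2016-02-10 is flagged: its TCP ratio drops to 0.2 while UDP hits are ten times the median of the earlier days.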

To test if your device is vulnerable, check the running crypto maps:

ciscoasa# show running-config crypto map | include interface

A product is vulnerable if a crypto map is returned.

There is no workaround, but Cisco has released patched firmware for affected devices.


Johannes B. Ullrich, Ph.D.

Beta Testers Wanted: Use a Raspberry Pi as a DShield Sensor

Published: 2016-02-10
Last Updated: 2016-02-10 15:31:34 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

I am currently working on an easy way to turn a Raspberry Pi into a DShield sensor. If you would like to, you can try the current "beta version" of the software. Feedback is very much appreciated. To get started:

  • Install Raspbian Jessie on your Pi.
  • Change the default password (VERY IMPORTANT!!!).
  • Claim the entire SD card for Raspbian (by default, you only use 4GB, and space may be tight). The easiest way to do this is to run sudo raspi-config and select "expand rootfs".
  • You will need the e-mail address, the numeric userid and the "authkey" for your ISC/DShield account. You can retrieve it here:
  • Download the software from github: git clone
  • Run the install script sudo dshield/bin/
  • Enjoy (hopefully... and please let me know what works/doesn't work, if possible by entering an "issue" with github).

Important: The install script will move the SSH server to port 12222. So the next time you connect after a reboot, you will need to connect to that port (ssh -p 12222 pi@[your pi IP]). The reason we do this is to keep port 22 free for an ssh honeypot.

In order to make the Raspberry Pi a useful sensor, you need to expose it to network traffic. For example, you could use your router's "DMZ" feature to expose the system. Other Raspbian versions may work, and if you do have one, by all means test it and let me know how it goes.


Johannes B. Ullrich, Ph.D.
