SANS ISC: InfoSec Handlers Diary Blog

Wireshark 1.2.0 released

Published: 2009-06-17
Last Updated: 2009-06-17 15:30:15 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

Thanks to ISC reader Bob who told us that Wireshark, one of our favourite tools, has been updated. This is a new release branch of Wireshark with many new features, including a 64-bit Windows (x64) installer, improved Macintosh OS X support and GeoIP lookups, to name a few. This release also ships with WinPcap 4.1beta5 rather than the older stable 4.0.2.


Release announcement:

Release Notes and bug fixes:

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Teaching Comprehensive Packet Analysis in Ottawa, ON this coming September

Keywords: Wireshark

Web server survival time research

Published: 2009-06-17
Last Updated: 2009-06-17 11:48:16 UTC
by Jason Lam (Version: 1)
2 comment(s)

Lately, I have been writing new labs for an updated version of my DEV 422 Defending web app course. One of the labs is about log analysis, so naturally I want some really cool and interesting logs for my students. As some of you may know, I help run the Web honeypot project, so I have access to tons of logs, but it would be much more interesting to see logs from real systems and real compromises.

I decided to set up my high interaction honeypot using a real system, with lots of monitoring and tight control of outbound traffic. My platform of choice? A fully unpatched Windows 2000 box running IIS with only port 80 exposed. I put that on a typical DSL connection and waited...

The wait was very long. At some point I wondered if the box was even accessible, so I got a few other handlers to check accessibility for me, and they all confirmed that the W2K box works (fully unpatched too; unicode traversal is great for testing).

I waited and waited; 2 weeks passed by and nothing happened. My box was not compromised at all. There were a total of 8 scanning attempts, but they looked random and no one ever did anything harmful.

I suppose my experiment raised more questions than answers:

- Do attackers stay away from DSL ranges while scanning for web flaws? My other servers get many more scanning attempts.

- Are any bad guys still scanning through the whole Internet looking for infrastructure type flaws? Application flaws are so much more common.

Your thoughts are welcome. Write in to us via Email or leave us comments.

P.S. If you have cool web app compromise logs for donation, please write in via the contact form. Many thanks.

Jason Lam,


Useful browser addon - WOT

Published: 2009-06-17
Last Updated: 2009-06-17 01:11:21 UTC
by Jason Lam (Version: 1)
9 comment(s)

I have been playing around with the WOT browser add-on for a couple of weeks with good results. WOT stands for Web Of Trust; it is a community knowledge based system in which information on websites is shared. After installing the add-on, the links from search engines are tagged with extra symbols showing the site's "reputation" level. Very simple to understand: red means a potentially bad site and green means a good site.

As you can imagine, lots of links to malicious sites flow through my mailbox every day, and the WOT toolbar was able to identify most of them (I only recall a few instances where it failed). On the other hand, some seemingly legit sites seem to be tagged as dangerous, but these are rare and I honestly didn't look too deeply into whether they have real bad stuff or not.

Overall, I would recommend it to average users as an extra layer of defense. Worth mentioning that it is available for both Firefox and IE. If you choose to use it, remember to contribute back to the project by helping to rate sites as you visit them. Time to introduce my parents to this add-on.
