
SANS ISC: GitHub InfoSec Threepeat: HELK, ptf, and VulnWhisperer - SANS Internet Storm Center


GitHub InfoSec Threepeat: HELK, ptf, and VulnWhisperer

There are numerous exciting information security-related projects on GitHub; one can dive quickly down the rabbit hole, never to be seen again, in an effort to identify the best of breed for use in one's security practice. In the last three days, three separate projects have hit my radar screen via social media that I thought readers might find intriguing and likely beneficial. I'm listing the projects in alphabetic order, not order of preference; each project represents a unique discipline and opportunity.

The first project is for hunters. HELK is a Hunting ELK (Elasticsearch, Logstash, Kibana) stack with advanced analytic capabilities, currently in beta. This project hits themes near and dear to me, and will definitely receive toolsmith attention in the near term. From @Cyb3rWard0g, HELK aims to:

  • Provide a free hunting platform to the community and share the basics of Threat Hunting.
  • Make sense of a large amount of event logs and add more context to suspicious events during hunting.
  • Expedite the time it takes to deploy an ELK stack.
  • Improve the testing of hunting use cases in an easier and more affordable way.
  • Enable Data Science via Apache Spark, GraphFrames & Jupyter Notebooks.

Second up, for your consideration, is the just released version 1.17 of ptf, the pentester's framework from Dave Kennedy's @TrustedSec.

The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu/ArchLinux-based distributions to create a similar and familiar distribution for Penetration Testing. As pentesters, we've been accustomed to the /pentest/ directories or our own toolsets that we want to keep up-to-date all of the time. We have those "go to" tools that we use on a regular basis, and using the latest and greatest is important.

PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES).

The 1.17 release includes:

  • multiple fixes for aftercommands and escaping
  • add Joomslav
  • update masscan
  • add Robot-Detect

Third on our list is VulnWhisperer, also slotted for future toolsmith attention; it has already caught many an eye and caused some excitement, particularly in light of the Spectre/Meltdown vulnerabilities. VulnWhisperer is a vulnerability data and report aggregator. Austin Taylor's VulnWhisperer pulls all the reports and creates a file with a unique filename, which is then fed into Logstash. Logstash extracts data from the filename and tags all of the information inside the report (see the logstash_vulnwhisp.conf file). Data is then shipped to Elasticsearch to be indexed. VulnWhisperer includes support for:

  • Nessus (v6 & v7)
  • Qualys Web Applications
  • Qualys Vulnerability Management (in progress)
  • OpenVAS
  • Nexpose
  • Insight VM
  • NMAP
  • More to come
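As an added illustration of the filename-driven tagging described above (example code written for this diary, not VulnWhisperer's own, and using a constructed filename scheme rather than the project's real one), this shows how metadata recovered from a report's filename gets copied onto every finding before it is indexed:

```python
import csv
import io
import re
from datetime import datetime, timezone

# Assumed (constructed) filename scheme, NOT VulnWhisperer's actual one:
#   <scanner>_<scan_name>_<scan_id>_<unix_epoch>.csv
FILENAME_RE = re.compile(
    r"^(?P<scanner>[a-z]+)_(?P<scan_name>.+)_(?P<scan_id>\d+)_(?P<epoch>\d{10})\.csv$"
)

def parse_report_filename(filename):
    """Recover scanner, scan name, scan id and scan time from the filename alone,
    the way a Logstash grok filter would before any row is read.
    Returns None when the name does not fit the scheme (Logstash would tag
    such an event _grokparsefailure instead of guessing)."""
    m = FILENAME_RE.match(filename)
    if m is None:
        return None
    meta = m.groupdict()
    meta["scan_id"] = int(meta["scan_id"])
    epoch = int(meta.pop("epoch"))
    meta["scan_time"] = datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()
    return meta

def tag_report_rows(filename, csv_text):
    """Turn each CSV finding into a self-describing document: the filename
    metadata is copied onto every row so the index can be queried by scanner
    or scan without joining back to the source file."""
    meta = parse_report_filename(filename)
    if meta is None:
        raise ValueError(f"unrecognised report filename: {filename}")
    docs = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        doc = {k.strip().lower().replace(" ", "_"): v for k, v in row.items()}
        doc.update(meta)
        doc["tags"] = ["vulnwhisperer", meta["scanner"]]
        docs.append(doc)
    return docs

# Constructed sample input standing in for a scanner CSV export.
SAMPLE_FILENAME = "nessus_internal-weekly_42_1515974400.csv"
SAMPLE_CSV = """Plugin ID,Host,Risk,Name
10107,10.0.0.5,Medium,HTTP Server Type and Version
51192,10.0.0.5,Medium,SSL Certificate Cannot Be Trusted
"""

if __name__ == "__main__":
    for d in tag_report_rows(SAMPLE_FILENAME, SAMPLE_CSV):
        print(d)
```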

This is a great triple threat of GitHub offerings for your review and consideration; I know they're slated for much more exploration on my part.

Feel free to comment with some of your favorite GitHub information security projects. 

Cheers.

Russ McRee | @holisticinfosec

Thanks for this, it's really useful. I specifically can't wait to look at HELK which could be responded with "What the HELK?" when using. My only negative experience of Logstash was storage management and capacity for diligent digging.
Anonymous
