Max Duijsens
About computer security and other hobbies

VirusTotal Lookups in Splunk

As part of my role as Technical Lead of a honeypot project, I collect logs from the honeypots, which are forwarded to our Splunk setup. Part of those logs are MD5 hashes of all malware caught by the honeypots. As we are gradually switching to a Modern Honey Network setup, I noticed that their Splunk implementation adds a link to each event containing an MD5 hash. This link points to the VirusTotal (VT) scan results. However, it would be much more interesting to have the actual VT scan results directly in Splunk, so you can search for new or ‘clean’ malware. In this post I explain how to add scan results from VirusTotal to your Splunk events. Note that this solution doesn’t scale well, so if you are running a large enterprise Splunk you might want to consider getting a VirusTotal API key that allows more requests per minute instead of the free one, which allows for up to 4 requests in any given 60-second window.



Python is not a Magic Wand

The other day I overheard some people talking about their favourite tools in their jobs as security professionals. Aside from the fact that asking which tool is “the best” is a ridiculous question (each tool is good for something), they reached a consensus that Python was the most awesome tool they had in their arsenal. One of them even stated that Python was awesome in his day job, where he had to parse many logs.


Breaking VM Full-Disk Encryption

I used to rent multiple VPSes on which I host various services, like for example this blog. Whenever I don’t have access to a console session on the VPS, I tend to only create an encrypted container and install all config files in there. However, on some VPSes I do have console access, so it is much more convenient to use full-disk encryption. Using full-disk encryption in a virtual machine is of course completely broken if you cannot trust the hypervisor. At least that’s what I learned in school. Curious as we are, let’s see if we can break the encryption of a VM running under QEMU on my own host.



ESP8266: Upgrading Firmware

As part of one of my Arduino Pro Mini projects I bought an ESP8266. The ESP8266 is a $3 System-on-a-Chip, made in China, which provides WiFi connectivity over a serial port. The first version features a 6-pin header, which is not very common and not breadboard friendly. Since then, they have updated the chip a lot, included more flash memory, and changed the chip layout. Since the default firmware version (v0.6) is actually half Chinese and not very API friendly, I will make an attempt to explain how to upgrade the firmware in this post, because I found it to be not very straightforward and had to read many blog posts to get it to work in the end.


Speed up Python Fuzzing

When fuzzing an application, Python is a very handy language since it allows for fast customisation of fuzzing parameters. Furthermore, there exist many frameworks for interfacing with, for example, the network (think Scapy) or other external programs. The disadvantage of using Python for fuzzing is that it is generally slower than using a native language like C. The reason for that is that C is compiled to native code, while Python (even Python byte-code) needs an interpreter to execute. In this blog post I demonstrate a method for speeding up fuzzing when using Python, without losing much of the benefits of the language.