Posts Tagged "Tools"

Analyzing DNS Logs Using Splunk

Back in December of 2011 I wrote a post on the ThreatSim blog called “Fighting The Advanced Attacker: 9 Security Controls You Should Add To Your Network Right Now“. One of the controls we recommended that folks implement was to log all DNS queries and the client that requested it:

Log DNS queries and the client that requested it: It’s been said that DNS is the linchpin of the Internet. It’s arguably the most basic and under appreciated human-to-technology interface. It’s no different for malware. When you suspect that a device has been compromised on your network, it’s important to be able to see what the suspected device has been up to. The DNS logs of a compromised machine will quickly allow responders to identify other machines that may also be infected.

Telling people to log DNS requests is super easy. Logging DNS queries is pretty easy too. Understanding how to ingest, analyze, process the data is where you need to bring in some tools. We love Splunk (as do many of our customers).  Splunk is the perfect tool for the job of figuring out what your clients are up to and who they are talking to. You can also set up real-time alerts if Splunk sees a DNS lookup for a known bad domain name.

Let’s implement our recommendation in real life. Here is what we did:

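The two DNS use cases described above, alerting on a lookup of a known-bad name and pivoting from one suspect client to the other machines that resolved the same names, as an added Python example that is not part of the original post or of the Splunk setup it goes on to describe. The log lines, the watchlist and the "noisy" list are all constructed; the line format is modelled on a BIND 9 query log, and the regex is an assumption about that format.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a BIND 9 query log (not real traffic).
SAMPLE_LOG = """\
01-Feb-2012 10:00:01.123 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)
01-Feb-2012 10:00:02.456 client 10.0.0.5#51235: query: bad-c2.example.net IN A + (10.0.0.1)
01-Feb-2012 10:00:03.789 client 10.0.0.9#40001: query: bad-c2.example.net IN A + (10.0.0.1)
01-Feb-2012 10:00:04.000 client 10.0.0.9#40002: query: update.example.org IN A + (10.0.0.1)
01-Feb-2012 10:00:05.000 client 10.0.0.7#40003: query: www.example.com IN A + (10.0.0.1)
01-Feb-2012 10:00:06.000 client 10.0.0.7#40004: query: update.example.org IN A + (10.0.0.1)
"""
# Constructed watchlist standing in for a real known-bad domain feed.
KNOWN_BAD = {"bad-c2.example.net"}
# Names nearly every client resolves; excluded so the pivot is not all noise.
NOISY = {"www.example.com"}

LINE_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN \S+")

def parse_queries(log_text):
    """Return (client_ip, qname) pairs; lines not in the expected format are skipped."""
    pairs = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pairs.append((m.group("client"), m.group("qname").lower().rstrip(".")))
    return pairs

def is_bad(qname, watchlist=KNOWN_BAD):
    """True for an exact watchlist hit or any subdomain of a watchlisted name."""
    return any(qname == b or qname.endswith("." + b) for b in watchlist)

def alerts(pairs, watchlist=KNOWN_BAD):
    """The alerting case: every (client, name) where the name is known bad."""
    return sorted({(c, q) for c, q in pairs if is_bad(q, watchlist)})

def pivot(pairs, suspect_ip, noisy=NOISY):
    """The responder's pivot: other clients that resolved the same names as the suspect."""
    by_client = defaultdict(set)
    for c, q in pairs:
        if q not in noisy:
            by_client[c].add(q)
    suspect_names = by_client.get(suspect_ip, set())
    return {c: sorted(names & suspect_names) for c, names in by_client.items()
            if c != suspect_ip and names & suspect_names}

if __name__ == "__main__":
    pairs = parse_queries(SAMPLE_LOG)
    for client, qname in alerts(pairs):
        print("ALERT %s -> %s; clients sharing its lookups: %s" % (client, qname, pivot(pairs, client)))
```

The pivot only ranks candidates: a shared lookup of a legitimate update server (as 10.0.0.7 shows) still needs triage, which is why common names are filtered out first.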

Solving the PCI Level Puzzle with What Level am I?

Starting with my first ever foray into PCI compliance, I have consistently encountered many clients (and even more potential clients) who have struggled with understanding their PCI requirements. While this may seem like a relatively easy task based on the information provided by the card brands, it is my experience that to those who’ve never dealt with PCI before (and even those who deal with it on a casual basis), it can be a daunting task.

Flashback to a couple of months back: Trevor and I were discussing a prospective client with this exact issue when we came up with the idea of developing a website that asked simple questions and provided clear answers. Many discussions followed, a majority of which were with current and prospective PCI clients. We found that even seasoned PCI compliance professionals thought this was a “no-brainer.”

Today Stratum is happy to announce the culmination of all of our talking, Skype-ing, and coding with the launch of www.whatlevelami.com – a quick online tool that helps visitors easily and quickly identify their PCI requirements. While the site doesn’t cover every potential entity involved in PCI, it covers PCI Merchants and Service Providers. We’ve tried to make the site as simple as possible, using JavaScript and CSS to do most of the work. We’ve even gone as far as providing definitions for terms unfamiliar to those outside PCI (they’re underlined; simply mouse over them and the definition will appear).

We would love to hear your feedback on the site, and would of course appreciate you spreading the word about its existence. Enjoy!

Automate Nikto with doNikto

Nikto (http://cirt.net/nikto2) is an Open Source web scanner that checks for several different types of vulnerabilities, including:

  • Over 6400 potentially dangerous files/CGIs
  • Outdated versions of over 1000 servers
  • Version specific problems for over 270 servers

Nikto was developed by a friend of mine, Chris Sullo (@chrissullo), and is now maintained by Sullo and David Lodge. Version 2.1.3 was released in February of this year after getting back from a lengthy tour of European pubs, or so I am told.

I personally still use Nikto on all of my assessments, as it provides a good supplement to other automated scanning tools. To help automate the process of scanning hundreds of web servers, I wrote a simple Python script that takes a specially formatted host file (IP address or hostname,port) and runs Nikto continuously against them. doNikto generates a separate HTML output file for each line in the host file (Nikto_IP/Hostname_Port.html) in the current directory.

To get doNikto running on your system, simply make sure you have Python installed on your system. Snow Leopard and Ubuntu users, you’re good. Windows users, check out http://python.org. I recommend installing the latest release of Python 2 (currently 2.6.6).

Once you have Python installed, and of course Nikto, download doNikto.py here and install it in the same directory as nikto.pl. You can invoke doNikto by simply typing:

python doNikto.py

or you can type:

chmod +x doNikto.py

and call it via

./doNikto.py

Once you have doNikto all set up, it is pretty straightforward to use:

Old-Trafford:nikto-2.1.3 jmorehouse$ ./doNikto.py
USAGE:
python donikto.py [Host File]
Host file should be in IP,Port format, with one host per line.
(e.g. 192.168.1.1,80)

So a sample host file would look something like:

192.168.1.1,80
some.webserver.com,443
forgotten.tomcatserver.org,8080

Finally, you can ctrl-break (ctrl+c) doNikto to skip hung servers and proceed to the next server in the host file.

That’s all there is. Pretty straightforward and something I find useful on a regular basis. Let me know if you have any issues or suggestions and enjoy!
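The host-file format, per-host report naming and Ctrl+C skip behaviour described in this post, as an added Python 3 example written for this page; it is not the author's doNikto.py. It assumes nikto.pl is in the current directory and uses Nikto's own command-line flags (-h, -p, -Format, -o); the port-range check and comment handling are additions beyond what the post describes.

```python
import subprocess
import sys

def parse_hosts(text):
    """Parse 'host,port' lines (blank lines and '#' comments ignored) into (host, port) tuples.

    A malformed line raises ValueError so a typo is caught before any scan starts.
    """
    hosts = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, sep, port = line.partition(",")
        host, port = host.strip(), port.strip()
        if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError("line %d: expected host,port but got %r" % (n, raw))
        hosts.append((host, int(port)))
    return hosts

def output_name(host, port):
    """Report name in the Nikto_<host>_<port>.html form the post describes."""
    return "Nikto_%s_%d.html" % (host.replace("/", "_"), port)

def nikto_cmd(host, port, out, nikto="nikto.pl"):
    """Nikto command line for one target (flags taken from Nikto's own CLI)."""
    return ["perl", nikto, "-h", host, "-p", str(port), "-Format", "htm", "-o", out]

def run_all(hosts, nikto="nikto.pl"):
    """Scan hosts one after another; Ctrl+C skips the current (hung) host instead of quitting."""
    for host, port in hosts:
        out = output_name(host, port)
        print("[*] scanning %s:%d -> %s" % (host, port, out))
        try:
            subprocess.call(nikto_cmd(host, port, out, nikto))
        except KeyboardInterrupt:
            print("[!] skipped %s:%d" % (host, port))

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("USAGE: python doNikto.py [Host File]\nHost file: one host,port per line, e.g. 192.168.1.1,80")
    with open(sys.argv[1]) as f:
        run_all(parse_hosts(f.read()))
```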