Monthly Archives: June 2007

Hidden ports on Linux

If you ever had trouble with hidden ports on Linux (2.4 and 2.6), I may have figured out one of the possible causes today (and no, it is not a rootkit). To keep the story short: if you bind any … Continue reading

Posted in linux, rootkit | 4 Comments

Hammered by web attacks (KorWeblog)

Some of my web honeypots are being hammered by attacks against KorWeblog. In fact, even my real systems are receiving a lot of these too. It looks like they are trying to exploit an old vulnerability (from 2005), which sounds … Continue reading

Posted in log analysis, webattacks | Leave a comment

Consistent logging – good separators

After posting my paper about Remote log injection, most of the feedback I received was regarding how “bad” these tools (e.g. DenyHosts, BlockHosts, etc) are and how bad the idea of log-based automatic response is. Some people even said that … Continue reading

Posted in CEE, log analysis | Leave a comment

OSSEC on Network security hacks

I was very pleased to find out that OSSEC was featured on hack 86 – Centrally Monitor the Security Posture of Your Servers (under chapter 8 – Logging) of the Network Security Hacks (2nd edition) book. I had the opportunity … Continue reading

Posted in ossec | Leave a comment

Remote log injection paper

I just finished an article about “Remote log injection”, that among other things, exposes some vulnerabilities in DenyHosts, Fail2ban and BlockHosts that can lead to arbitrary injection of IP addresses into /etc/hosts.deny. To make it more “interesting” (i.e. worse), not … Continue reading

Posted in log analysis | 2 Comments

OSSEC Presentations at AusCERT/Confidence

During the month of May I went to AusCERT and Confidence to talk about OSSEC (i.e. log analysis using OSSEC). In both presentations I mentioned LIDS (log-based intrusion detection), and provided an overview of the OSSEC architecture and how to … Continue reading

Posted in auscert, CONF2007, ossec | 2 Comments