Author Archives: danielcid

New blog location

I won’t be using this blog anymore. For new content, go to Thanks!

Posted in dcid | Tagged | Leave a comment DNS and Content modified

If you visit you will notice a pretty new design and a new home for it. The server was officially moved to a Trend server and is now being managed by Vic Hargrave ( and the Trend team. If … Continue reading

Posted in ossec | Leave a comment

Faking (all) user agents

If you are going to fake a user agent, do it right :) Seeing some web scanners faking all possible browsers out there in one single request: Firefox/3.6 Chrome/9 Firefox/3.0 Opera/9.99? Safari and more.. This is the actual log (searching … Continue reading

Posted in log analysis, webattacks | Tagged , , | Leave a comment

OSSEC rule for the PHP-CGI vulnerability

I am seeing many scans for the PHP-CGI vulnerability in the wild and put up a quick OSSEC rule to detect/block those: <rule id=”31110″ level=”6″> <if_sid>31100</if_sid> <url>?-d|?-s|?-a|?-b|?-w</url> <description>PHP CGI-bin vulnerability attempt.</description> <group>attack,</group> </rule>   It looks for the possibly dangerous … Continue reading

Posted in ossec, webattacks | Tagged , , | Leave a comment

Database Logging (PostgreSQL and MySQL)

Nobody cares about database logging, but I really recommend enabling them to see what is happening behind the scenes (specially for web applications). To enable on PostgreSQL (and be compatible with OSSEC): # Adding the timestamp, hostname and database. log_line_prefix … Continue reading

Posted in log analysis, ossec | Tagged , , , | Leave a comment

Alexa toolbar and https (not best friends)

For some reason (don’t ask my why), I decided to install the Alexa toolbar for Chrome to try it out. It works well for what it does, and I didn’t see anything wrong with it besides the expected privacy violation … Continue reading

Posted in alexa | Tagged , | Leave a comment

Good passwords: It is not about their size or complexity

Every time I read a password recommendation or policy, I get frustrated. It is always about their length and complexity, and they miss the real issue with passwords and how they get compromised. So I wrote this small (non technical) … Continue reading

Posted in dcid | Tagged , | 1 Comment

Back into blogging?

This blog has been neglected a bit lately. Too much going on and not enough time to post here. Anyway, I pushed some of my old papers/texts here:, including a few that I thought had disappeared (specially log analysis … Continue reading

Posted in Uncategorized | Tagged | 1 Comment

3WoO: Alerting on DNS (IP Address) changes

If you keep your DNS outside and you can’t monitor the zone files directly, a nice way to make sure the integrity of your DNS is intact is by checking remotely that it hasn’t been changed. With OSSEC, you can … Continue reading

Posted in ossec, v27 | Tagged , | 1 Comment

Detecting outdated (web) applications with OSSEC

For the last few days I started working (again) on the system auditing module for OSSEC and one thing that can make it more useful is to detect outdated applications (specially web apps). Things like WordPress, Joomla, Wikis and others … Continue reading

Posted in log analysis, v27, webattacks | Tagged , | 9 Comments