This topic is not brand new, there exists plenty of solutions to forward Windows event logs to Logstash (OSSEC, Snare or NXlog amongst many others). They perform a decent job to collect events on running systems but they need to deploy extra piece of software on the target operating systems. For a specific
Search Results for: ossec
Tracking SSL Issues with the SSL Labs API
The SSL and TLS protocols have been on the front of the stage for months. Besides many vulnerabilities disclosed in the OpenSSL library, the deployment of SSL and TLS is not always easy. They are weak cyphers (like RC4), weak signatures, certificates issues (self-signed, expiration or fake ones). Other useful features are mis-understood
Analysis of WordPress Login Attempts
Waiting for the new year party, this is a last quick post in 2014! It’s not the first time that I see a peak of rogue authentication requests against some of the WordPress websites. But for a while, there is a constant flood of IP addresses trying to bruteforce the WordPress login
Detecting Suspicious Devices On-The-Fly
Just a link to my guest diary posted today on isc.sans.edu. I briefly introduced a method to perform permanent vulnerability scanning of newly detected hosts. The solution is based on OSSEC, ArpWatch and Nmap. The article is here.
KISS… Your Logs Too!
If there is a gold principle in IT, that’s the one called “KISS“: “Keep It Simple and Stupid“. It says that systems will work best if they are kept simple rather than complex. Simplicity must be a key goal during the design phase. This sounds logical: Keep in mind that
Tracking your Github Security Events
A few days ago, I wrote a blog post about a Python script that I use with the new Amazon CloudTrail feature to grab logs from my Amazon cloud services. Because we use more and more cloud services in our digital life, the same principle should apply to all our
Malicious DNS Traffic: Detection is Good, Proactivity is Better
It looks that our beloved DNS protocol is again the center of interest for some security $VENDORS. For a while, I see more and more the expression “DNS Firewall” used in papers or presentations. It’s not a new buzz… The DNS protocol is well-known to be a excellent vector of
Howto: Distributed Splunk Architecture
Implementing a good log management solution is not an easy task! If your organisation decides (should I add “finally“?) to deploy “tools” to manage your huge amount of logs, it’s a very good step forward but it must be properly addressed. Devices and applications have plenty of ways to generate
MySQL Attacks Self-Detection
I’m currently attending the Hashdays security conference in Lucerne (Switzerland). Yesterday I attended a first round of talks (the management session). Amongst all the interesting presentations, Alexander Kornbrust got my attention with his topic: “Self-Defending Databases“. Alexander explained how databases can be configured to detect suspicious queries and prevent attacks. Great
RSSIL 2012 Quick Wrap-Up
A quick wrap-up of my visit yesterday to the 7th edition of the RSSIL (“Rencontres Solutions Securité et Informatique Libre“) in Maubeuge (north of France). This is a very small event compared to major organizations like the BlackHat, HITB & co but it’s very well organized by a team of