Monday, October 24, 2016

Maltrail and Sysv Integration

For those on systems without systemd, I've finally got a startup script that appears to work with maltrail. Follow the initial setup from the systemd post below first (the maltrail user, /opt/maltrail and maltrail.conf); this script only replaces the unit files. As in the systemd version, the server is dropped to the unprivileged maltrail user with sudo -u, while the sensor stays root because it has to capture packets. Here's the init script:

#!/bin/sh
# Start/stop/restart maltrail (SysV init, for systems without systemd).
# The server is dropped to the unprivileged maltrail user via sudo -u;
# the sensor needs raw packet capture, so it stays root.

. /lib/lsb/init-functions

MALTRAIL_DIR=/opt/maltrail
# The [p]ython trick keeps grep from matching its own command line.
SERVER_PATTERN='SCREEN -dm /usr/bin/sudo -u maltrail /usr/bin/[p]ython /opt/maltrail/server.py'
SENSOR_PATTERN='SCREEN -dm /usr/bin/[p]ython /opt/maltrail/sensor.py'

maltrail_start() {
  cd "$MALTRAIL_DIR" || exit 1
  # screen -dm already detaches, so no trailing & is needed
  /usr/bin/screen -dm /usr/bin/sudo -u maltrail /usr/bin/python "$MALTRAIL_DIR/server.py"
  /usr/bin/screen -dm /usr/bin/python "$MALTRAIL_DIR/sensor.py"
}

# Kill the detached screen session whose command line matches $1.
kill_screen() {
  pid=$(ps -ef | grep -i "$1" | awk '{ print $2 }')
  if [ -n "$pid" ]; then
    echo "$pid"
    kill $pid
    sleep 2
  else
    echo "no process matching: $1"
  fi
}

maltrail_stop() {
  echo "Stopping maltrail..."
  kill_screen "$SERVER_PATTERN"
  kill_screen "$SENSOR_PATTERN"
  echo "Server killed."
}

maltrail_restart() {
  maltrail_stop
  sleep 5
  maltrail_start
}

case "$1" in
'start')
  maltrail_start
  ;;
'stop')
  maltrail_stop
  ;;
'restart')
  maltrail_restart
  ;;
*)
  echo "usage $0 start|stop|restart"
  ;;
esac

Save this as /etc/init.d/maltrail, make it executable, then register it:

sudo chmod +x /etc/init.d/maltrail
sudo update-rc.d maltrail defaults

After a reboot, both detached screen sessions should show up in screen -ls run as root, and ps -ef | grep maltrail should list server.py running as maltrail and sensor.py running as root.

Friday, September 16, 2016

Bro and Elasticsearch Integration

First, allow dots in field names in ES 2.4 (Bro field names such as id.orig_h contain dots, which 2.x rejects by default):

Fix dots in field names

Next install the Bro ElasticSearch plugin:

Bro ElasticSearch Plugin

with a couple of caveats: you'll need to cd to bro-2.4.1/aux/plugins/elasticsearch before running ./configure && make && make install, and the plugin installs by default into bro-install-dir/lib/bro/plugins/.


The template below, applied to every index matching bro-*, makes every dynamically mapped string field not_analyzed (so the whole value is indexed rather than its tokens), maps ts as an epoch_millis date, and maps id.orig_h, id.resp_h and the dhcp.log assigned_ip field as type ip. A template only affects indices created after it is installed; existing bro-* indices keep their old mapping until they roll over or are reindexed:
curl -XPUT "http://localhost:9200/_template/bro_template" -d'
{
  "template": "bro-*",
  "order": 1,
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "strings": {
            "match_mapping_type": "string",
            "mapping": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        }
      ]
    },
    "bro_ts": {
      "properties": {
        "ts": {
          "type": "date",
          "format": "epoch_millis"
        }
      }
    },
    "bro_orig_h": {
      "properties": {
        "id.orig_h": {
          "type": "ip"
        }
      }
    },
    "bro_resp_h": {
      "properties": {
        "id.resp_h": {
          "type": "ip"
        }
      }
    },
    "bro_assigned_ip": {
      "properties": {
        "assigned_ip": {
          "type": "ip"
        }
      }
    }
  }
}'
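As an added example (not the Bro plugin's code and not from the original post), here is what the template above has to line up with on the producer side. A Bro ASCII log carries a #types header, and each Bro type has a natural Elasticsearch type: addr is ip, time is a date in epoch_millis, and everything else is a string that should stay not_analyzed. The script parses a constructed two-record conn.log, emits documents the way the writer does (ts as integer milliseconds, unset "-" fields omitted, the log path as the ES type) and derives the per-field mapping from #types, which goes a step further than the template by also typing ports, counts and intervals. The index name bro-2016.09.16 and the log contents are made up.

```python
"""Turn a Bro ASCII (TSV) log into Elasticsearch 2.x bulk documents and derive
the per-field mapping the template expresses: addr -> ip, time -> date in
epoch_millis, other strings not_analyzed. Added example, not the Bro
ElasticSearch plugin's code; the conn.log below is constructed and the index
name is made up."""
import json

# Constructed two-record conn.log in the Bro ASCII writer's format
# (the header keys are real; the values are made up).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#open\t2016-09-16-10-30-33\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\n"
    "1474037433.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t52344\t93.184.216.34\t80\ttcp\thttp\t0.532\t1230\t45678\n"
    "1474037440.000000\tCbB5Pm1kzTW1BXv1H8\t10.0.0.5\t59000\t8.8.8.8\t53\tudp\tdns\t-\t42\t58\n"
    "#close\t2016-09-16-10-31-00\n"
)

# Bro #types -> ES 2.x field mapping; anything not listed is a not_analyzed string.
BRO_TO_ES = {
    "time": {"type": "date", "format": "epoch_millis"},
    "addr": {"type": "ip"},
    "port": {"type": "integer"},
    "count": {"type": "long"},
    "int": {"type": "long"},
    "interval": {"type": "double"},
    "double": {"type": "double"},
    "bool": {"type": "boolean"},
}
DEFAULT_ES = {"type": "string", "index": "not_analyzed"}


def _convert(bro_type, raw):
    """Convert one Bro ASCII field to the JSON value the mapping expects."""
    if bro_type == "time":
        # Bro writes seconds with microseconds; ts is mapped as epoch_millis.
        return int(round(float(raw) * 1000))
    if bro_type in ("port", "count", "int"):
        return int(raw)
    if bro_type in ("interval", "double"):
        return float(raw)
    if bro_type == "bool":
        return raw == "T"
    return raw  # addr, string, enum, set[...]/vector[...] stay strings


def parse_bro_log(text, unset="-"):
    """Return (path, fields, types, rows) for a Bro ASCII log; rows are dicts."""
    path, fields, types, rows = None, [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "path":
                path = rest
            elif key == "fields":
                fields = rest.split("\t")
            elif key == "types":
                types = rest.split("\t")
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        row = {}
        for name, bro_type, raw in zip(fields, types, values):
            if raw == unset:
                continue  # unset fields are omitted, not indexed as "-"
            row[name] = _convert(bro_type, raw)
        rows.append(row)
    return path, fields, types, rows


def es_mapping(fields, types):
    """Field name -> ES 2.x property mapping derived from the #types header."""
    return {name: dict(BRO_TO_ES.get(t, DEFAULT_ES)) for name, t in zip(fields, types)}


def bulk_actions(index, path, rows):
    """Pair each document with its bulk 'index' action; the ES type is the log path."""
    return [({"index": {"_index": index, "_type": path}}, row) for row in rows]


def bulk_body(index, path, rows):
    """Newline-delimited JSON body ready for POST /_bulk."""
    out = []
    for action, doc in bulk_actions(index, path, rows):
        out.append(json.dumps(action))
        out.append(json.dumps(doc, sort_keys=True))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    path, fields, types, rows = parse_bro_log(SAMPLE_CONN_LOG)
    print(json.dumps({"properties": es_mapping(fields, types)}, indent=2))
    print(bulk_body("bro-2016.09.16", path, rows))
```

Running it prints the mapping for the sample conn.log (id.orig_h and id.resp_h come out as ip, ts as epoch_millis, uid as a not_analyzed string) followed by the bulk body; comparing that mapping with what the template produces on a real index is the quickest way to spot a field the template missed.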

Thursday, September 8, 2016

Maltrail Setup and Systemd Integration

Having run this app for a while now, I figured this was long overdue. Tested on Ubuntu 14-16:


git clone https://github.com/stamparm/maltrail.git

sudo mv maltrail /opt/

add to /etc/passwd:
maltrail:x:10000:10000::/opt/maltrail:/bin/false

add to /etc/group:
maltrail:x:10000:maltrail

edit your /opt/maltrail/maltrail.conf (interface, creds, etc...)

sudo chown -R maltrail:maltrail /opt/maltrail

create the two unit files below. systemd runs ExecStart= directly, not through a shell, so nohup, & and disown have no meaning there (they would be handed to server.py as arguments); the command is just the interpreter and the script:

/lib/systemd/system/maltrail-server.service:

[Unit]
Description=Maltrail server
After=network.target

[Service]
User=maltrail
Group=maltrail
WorkingDirectory=/opt/maltrail
ExecStart=/usr/bin/python /opt/maltrail/server.py


[Install]
WantedBy=multi-user.target


/lib/systemd/system/maltrail-sensor.service:

[Unit]
Description=Maltrail sensor
After=network.target

[Service]
# No User= here: the sensor needs raw packet capture and runs as root.
WorkingDirectory=/opt/maltrail
ExecStart=/usr/bin/python /opt/maltrail/sensor.py


[Install]
WantedBy=multi-user.target


then run:
sudo systemctl enable maltrail-server
sudo systemctl enable maltrail-sensor


lastly run:
sudo systemctl start maltrail-server
sudo systemctl start maltrail-sensor
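Added example, not part of the post or of maltrail: a small linter for the mistakes that are easy to make in these unit files. systemd passes ExecStart= to execve() itself, so shell syntax such as & or disown is never interpreted and ends up in the program's argv, and nohup has nothing to protect against because a service is not tied to a login session. The linter also points out a [Service] section without User= (the process runs as root; intended for the sensor, which needs packet capture, but worth making explicit) and an [Install] section without WantedBy=. The three unit texts are the two units from this post, one of them with the ExecStart exactly as originally posted, plus a corrected server unit; they are embedded as constructed inputs.

```python
"""Lint the [Service] section of a systemd unit for shell syntax in ExecStart=
(systemd execs the command directly, no shell), a pointless nohup, a missing
User= (root) and a missing [Install] WantedBy=. Added example, not part of the
original post or of maltrail; the unit texts are constructed inputs."""
import os
import shlex

SERVER_UNIT_BROKEN = """\
[Unit]
Description=Maltrail server

[Service]
User=maltrail
Group=maltrail
WorkingDirectory=/opt/maltrail
ExecStart=/usr/bin/nohup /usr/bin/python /opt/maltrail/server.py & disowm

[Install]
WantedBy=multi-user.target
"""

SERVER_UNIT_FIXED = """\
[Unit]
Description=Maltrail server
After=network.target

[Service]
User=maltrail
Group=maltrail
WorkingDirectory=/opt/maltrail
ExecStart=/usr/bin/python /opt/maltrail/server.py

[Install]
WantedBy=multi-user.target
"""

SENSOR_UNIT = """\
[Unit]
Description=Maltrail sensor

[Service]
WorkingDirectory=/opt/maltrail
ExecStart=/usr/bin/python /opt/maltrail/sensor.py

[Install]
WantedBy=multi-user.target
"""

SHELL_TOKENS = {"&", "&&", "|", "||", ";", ">", ">>", "<", "2>&1"}
EXEC_PREFIXES = "-@:+!"  # systemd's ExecStart= modifier characters


def parse_unit(text):
    """Minimal unit-file parser: {section: [(key, value), ...]} (keys may repeat)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed unit line: %r" % raw)
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def lint_unit(text):
    """Return a list of findings; an empty list means the unit passed."""
    findings = []
    sections = parse_unit(text)
    service = sections.get("Service", [])
    execs = [v for k, v in service if k == "ExecStart"]
    if not execs:
        findings.append("Service: no ExecStart=")
    for cmd in execs:
        tokens = shlex.split(cmd)
        if not tokens:
            findings.append("ExecStart: empty command")
            continue
        prog = tokens[0].lstrip(EXEC_PREFIXES)
        if not prog.startswith("/"):
            findings.append("ExecStart: %r is not an absolute path" % prog)
        if os.path.basename(prog) == "nohup":
            findings.append("ExecStart: nohup is pointless, a service is not tied to a login session")
        # shlex does not expand anything, so $(...) and backticks survive as literal tokens
        shell_at = [i for i, t in enumerate(tokens)
                    if t in SHELL_TOKENS or "$(" in t or "`" in t]
        if shell_at:
            passed_on = tokens[shell_at[0]:]
            findings.append("ExecStart: shell syntax %r is not interpreted by systemd; "
                            "it is passed to the program as arguments" % passed_on)
    if "User" not in {k for k, _ in service}:
        findings.append("Service: no User=, the process runs as root")
    if "WantedBy" not in dict(sections.get("Install", [])):
        findings.append("Install: no WantedBy=, systemctl enable has nothing to hook into")
    return findings


if __name__ == "__main__":
    for name, unit in (("server (as posted)", SERVER_UNIT_BROKEN),
                       ("server (fixed)", SERVER_UNIT_FIXED),
                       ("sensor", SENSOR_UNIT)):
        print(name, "->", lint_unit(unit) or ["ok"])
```

For the server unit as posted the linter reports the nohup and the ['&', 'disowm'] tail that would have been passed to server.py; the fixed unit is clean, and the sensor unit gets only the expected root finding.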


updating:
sudo systemctl stop maltrail-server
sudo systemctl stop maltrail-sensor
cd /opt/maltrail
sudo cp maltrail.conf maltrail.conf.mine
sudo rm maltrail.conf
sudo git pull

copy local changes from maltrail.conf.mine to the new maltrail.conf

sudo chown -R maltrail:maltrail /opt/maltrail
sudo systemctl start maltrail-server

sudo systemctl start maltrail-sensor

Thursday, August 18, 2016

The Sad State of Foxit Reader

The tl;dr is: Foxit Reader tracks your usage and sends it to their servers (in China!!), installs a service that you can't uninstall without uninstalling Foxit Reader, and is not proxy aware. There is currently no way to disable any of the cloud-based functionality or the user tracking. Long version below:

After installation you can see the Foxit Reader Service installed (left), but there is no option to uninstall the service (right), whereas in previous versions there was:

If you disable the service as shown above, Foxit will give you the prompt below EVERY TIME you open a PDF or start the application:

Foxit Reader sending your IP and MAC address to Foxit's servers

Logging data sent to Foxit's servers

The below shows the User-Agent strings found in the memory of FoxitConnectedPDFService.exe:

Lastly, the Detected field shows the protections Foxit has put in place on the exe:

Wednesday, June 29, 2016

Boleto Malspam Leads to Symmi

It starts with an email:

The PDF button goes to a servint.net link, which in turn goes to dropbox.com.

We're left with BOLETO-29-06-2016.PDF.zip, which extracts to BOLETO-29-06-2016.jar. Decompiling the jar we see several interesting bits:


The key and most of the crypto routine were pulled from avajava.com tutorials. After decrypting the embedded files we're left with two 64-bit files and two 32-bit files:

c4cb4fdf6369dd1342d2666171866ce5 is apparently calc.exe (?); the rest are packed with VMProtect. VT links:

https://www.virustotal.com/en/file/2db1aa1eed26fd3805c121ed42af2a35f93af22932462f4919b190b1cf5464dc/analysis/

Friday, February 5, 2016

A Concise List of Windows 10 Network Activity on Boot

So this is just a list of what Sysmon (network connection events) sees on boot. The machine was Windows 10 Pro with all privacy and security settings set as strict as the UI allows: a fresh install, fully updated, no applications installed, and no user interaction. Interestingly, Procmon running on the same Windows 10 system doesn't show any of this activity. The CSV is below; read it from the bottom up (the newest event is first). Two destinations appear in IPv6 notation exactly as Sysmon logged them.

Type,Date,Time,Domain\User,Computer,Process proto dst ip
Information,2/5/2016,12:02:16 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:02:14 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:57 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:45 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:42 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:38 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:35 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:33 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 191.232.139.170
Information,2/5/2016,12:01:04 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 191.232.139.170
Information,2/5/2016,12:00:53 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:00:50 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:00:38 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 134.170.179.87
Information,2/5/2016,12:00:37 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 131.253.61.66
Information,2/5/2016,12:00:36 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 134.170.179.87
Information,2/5/2016,12:00:35 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 131.253.61.66
Information,2/5/2016,12:00:31 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 239.255.255.250
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp 127.0.0.1
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp 239.255.255.250
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 64.4.54.253
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 131.253.40.84
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 23.196.87.75
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.231.200.101
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.231.255.140
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 131.253.40.84
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 131.253.40.84
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.231.200.101
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 23.196.87.75
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.231.255.140
Information,2/5/2016,12:00:29 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\CompatTelRunner.exe tcp 64.4.54.253
Information,2/5/2016,12:00:28 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 107.20.234.199
Information,2/5/2016,12:00:14 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,11:59:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.129.104.158
Information,2/5/2016,11:59:25 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:24 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:24 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:24 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:23 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:23 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:23 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:22 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 65.55.113.11
Information,2/5/2016,11:59:22 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:19 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.129.104.165
Information,2/5/2016,11:59:17 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 65.52.108.252
Information,2/5/2016,11:59:16 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 65.52.108.103
Information,2/5/2016,11:59:13 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.129.104.158
Information,2/5/2016,11:58:57 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,11:58:56 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 111.221.29.222
Information,2/5/2016,11:58:54 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,11:58:52 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.4.54.36
Information,2/5/2016,11:58:50 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.4.54.36
Information,2/5/2016,11:58:50 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.4.54.36
Information,2/5/2016,11:58:29 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 172.226.137.132
Information,2/5/2016,11:58:29 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 172.226.137.132
Information,2/5/2016,11:58:29 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 64.129.104.150
Information,2/5/2016,11:58:28 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 64.129.104.150
Information,2/5/2016,11:58:28 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 172.226.113.163
Information,2/5/2016,11:58:28 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 172.225.172.125
Information,2/5/2016,11:58:28 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 172.226.113.163
Information,2/5/2016,11:58:23 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 198.41.215.184
Information,2/5/2016,11:58:23 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 65.52.108.252
Information,2/5/2016,11:58:22 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 198.41.215.184
Information,2/5/2016,11:58:22 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 72.21.91.8
Information,2/5/2016,11:58:21 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 65.52.108.252
Information,2/5/2016,11:58:20 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 72.21.91.8
Information,2/5/2016,11:58:20 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 65.52.108.103
Information,2/5/2016,11:58:19 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 72.21.91.8
Information,2/5/2016,11:58:18 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 65.52.108.103
Information,2/5/2016,11:58:12 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe tcp 204.79.197.200
Information,2/5/2016,11:58:11 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\SppExtComObj.Exe tcp 10.0.5.34
Information,2/5/2016,11:58:11 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\SppExtComObj.Exe tcp 10.0.5.34
Information,2/5/2016,11:57:56 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 65.55.113.11
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp e000:fc:0:0:0:0:0:0
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp ff02:0:0:0:0:0:1:3
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 65.55.113.11
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp 10.10.0.25
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp a0a:19:0:0:0:0:0:0
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp ff02:0:0:0:0:0:1:2
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 10.0.2.15
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 10.0.2.255


And the unique destination IPs matched to names (as resolved in February 2016; CDN and Microsoft front-end addresses change, so the names, not the IPs, are the durable indicator):
107.20.234.199    version.hybrid.api.here.com
111.221.29.222    tsfe.trafficshaping.dsp.mp.microsoft.com
131.253.40.84    platform.maps.glbdns2.microsoft.com
131.253.61.66    login.live.com.nsatc.net
134.170.179.87    device.auth.xboxlive.com
172.225.172.125    store-images.microsoft.com
172.225.172.182    go.microsoft.com.edgekey.net
172.226.113.163    store-images.s-microsoft.com
172.226.137.132    sci1-1.am.microsoft.com
172.231.200.101    t0.ssl.ak.dynamic.tiles.virtualearth.net
172.231.255.140    t0.ssl.ak.tiles.virtualearth.net
191.232.139.170    tsfe.trafficshaping.dsp.mp.microsoft.com
198.41.215.184    ocsp.msocsp.com
204.79.197.200    tse4.mm.bing.net
23.196.87.75    ssl2.tiles.virtualearth.net.edgekey.net
64.129.104.150    static.btrd.net
64.129.104.158    ctldl.windowsupdate.nsatc.net
64.129.104.165    ctldl.windowsupdate.nsatc.net
64.4.54.253        settings-win.data.microsoft.com
64.4.54.36        licensing.mp.microsoft.com
65.52.108.103    arc.msn.com
65.52.108.252    rpt.msn.com
65.55.113.11    dmd.metaservices.microsoft.com
72.21.91.8        cdn.optimizely.com
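As an added example (not from the original post), the following groups the rows above per process, labels each destination as loopback, multicast, private, reserved or public, substitutes the resolved names from the table, and flags public hosts outside an allow-list of domains a stock Windows install is expected to talk to. The CSV rows and IP-to-name pairs are a subset copied from the post; the allow-list of suffixes is my assumption, chosen so that the third-party destinations in the post's table (here.com, optimizely.com) stand out. It runs offline on the embedded rows.

```python
"""Summarize Sysmon network-connection events per process, label destinations
and flag public hosts outside an allow-list. Added example, not part of the
original post; the CSV rows and IP-to-name pairs are a subset copied from the
post's tables, the allow-list of suffixes is an assumption."""
import csv
import io
import ipaddress
from collections import defaultdict

# Subset of the post's Sysmon export (Event Viewer CSV); the last column is
# "<process path> <proto> <destination ip>".
SAMPLE_CSV = r"""Type,Date,Time,Domain\User,Computer,Process proto dst ip
Information,2/5/2016,12:02:16 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:00:31 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 239.255.255.250
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp 127.0.0.1
Information,2/5/2016,12:00:29 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\CompatTelRunner.exe tcp 64.4.54.253
Information,2/5/2016,12:00:28 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 107.20.234.199
Information,2/5/2016,11:58:22 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 72.21.91.8
Information,2/5/2016,11:58:12 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe tcp 204.79.197.200
Information,2/5/2016,11:58:11 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\SppExtComObj.Exe tcp 10.0.5.34
Information,2/5/2016,11:58:11 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\SppExtComObj.Exe tcp 10.0.5.34
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp e000:fc:0:0:0:0:0:0
"""

# IP -> name pairs from the post's lookup table.
IP_NAMES = {
    "64.4.54.253": "settings-win.data.microsoft.com",
    "72.21.91.8": "cdn.optimizely.com",
    "107.20.234.199": "version.hybrid.api.here.com",
    "111.221.29.222": "tsfe.trafficshaping.dsp.mp.microsoft.com",
    "204.79.197.200": "tse4.mm.bing.net",
}

# Assumed allow-list: domain suffixes a stock Windows 10 install is expected to reach.
EXPECTED_SUFFIXES = ("microsoft.com", "msn.com", "bing.net", "nsatc.net",
                     "virtualearth.net", "msocsp.com", "xboxlive.com", "edgekey.net")


def classify(ip_text):
    """Coarse destination class; anything not special-purpose is 'public'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    if ip.is_reserved:  # also catches the IPv6-notation entries Sysmon logged
        return "reserved"
    return "public"


def summarize(csv_text, names=IP_NAMES):
    """process name -> {'<proto> <label>': count}; public IPs become hostnames when known."""
    summary = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        process, proto, ip = row["Process proto dst ip"].rsplit(" ", 2)
        kind = classify(ip)
        if kind == "public":
            label = names.get(ip, "public:" + ip)
        else:
            label = "%s:%s" % (kind, ip)
        summary[process.rsplit("\\", 1)[-1]]["%s %s" % (proto, label)] += 1
    return {proc: dict(dests) for proc, dests in summary.items()}


def unexpected_public(summary, allowed=EXPECTED_SUFFIXES):
    """(process, host) pairs for public destinations outside the allow-list."""
    hits = []
    for proc in sorted(summary):
        for key in sorted(summary[proc]):
            host = key.split(" ", 1)[1]
            if host.startswith("public:"):  # public IP with no name in the table
                hits.append((proc, host))
            elif ":" not in host and not any(
                    host == s or host.endswith("." + s) for s in allowed):
                hits.append((proc, host))
    return hits


if __name__ == "__main__":
    result = summarize(SAMPLE_CSV)
    for proc in sorted(result):
        print(proc, result[proc])
    print("unexpected:", unexpected_public(result))
```

On the embedded rows the two hits are backgroundTaskHost.exe reaching cdn.optimizely.com and svchost.exe reaching version.hybrid.api.here.com; everything else is either Microsoft infrastructure, the local KMS host on 10.0.5.34, or link-local discovery traffic.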