Google Image Searches Leading To FakeAV Sites

We have seen several pages created on extremely cheap name registrar/hosting services (primarily the likes of co.cc and cz.cc) that contain images of specific things surrounded by lots of text related to that image, in order to push the page up in the Google Images search rankings. While this in and of itself is [...]

Bredolab Infections And The Compromised Sites That Redirect Clients To The Drive Bys

The Bredolab infections we commonly see use compromised websites to redirect clients who are visiting legitimate websites. This is in contrast to the SEO exploit sites, which rely almost exclusively on malvertising to drive people to them. The number of people driven to the Bredolab boxes is not nearly as high as you might imagine [...]

Who Needs SSL? Evading IDS With Apache mod_gzip and Chunked Encoding

After getting a bit frustrated a little while ago while attempting to write a signature for some hidden iframes that were redirecting clients to drive-by sites, I started digging around a bit more, posted over on the Snort-Users mailing list, and found out something a little terrifying from the guys over at SourceFire. Snort [...]

Massive Advertising Server Compromise/Socially Engineered By The RBN

We have identified several major websites (buy.com, cnbc.com, digg.com, evite.com and msn.com just to name a few) using the advertising services of malicious servers that are using Acrobat PDF and Java exploits to force the download and installation of fake antivirus software. Analysis from SysAdMini @ www.malwaredomainlist.com has informed us the sites are all using the [...]

Patching Daemonlogger To Create YYYY-MM-DD Logging Subdirectories

We use Daemonlogger as our pcap logger of choice alongside our Sguil implementation, managed with the securixlive NSMnow project's management scripts. The NSMnow scripts were stopping and restarting the packet capture every 15 minutes, which causes a great deal of problems when you are trying to investigate and are missing portions of TCP streams. So we swapped [...]

Graphing snort.stats with gnuplot

So we have been trying to create visual graphs for all of our Snort instances so we can easily tell when traffic, processor or alert spikes are occurring. This led us to the very useful snort.stats file. However, if you are compiling Snort yourself (or using someone else's packages) you need to ensure that it was compiled/configured with [...]

Snort IP Blacklisting Version 2 Patch and Unified Output

After playing around with Mr. Roesch's IP blacklisting patch for Snort, we noticed that its output wasn't going to help us as much as we wanted. The problem we were facing was that we use unified output from Snort, which is later processed by Barnyard before being placed into the alerts database. When Snort [...]