Comments for Trojaned Binaries

Comment on Who Needs SSL? Evading IDS With Apache mod_gzip and Chunked Encoding by Eoin Miller

Eoin Miller — Wed, 08 Sep 2010 16:10:30 +0000

I think that once you enable the http_inspect preprocessor and configure it to break stuff out into the various buffers (http_client_body, http_header, http_uri etc) that you have to qualify content:”foo” matches with those specific keywords in order to inspect them for matches. If you don’t qualify the content:”foo” then it looks everywhere except the buffers that were created (this is more or less, in the testing I have done this is not a 100% thing with Snort at least).

Comment on Who Needs SSL? Evading IDS With Apache mod_gzip and Chunked Encoding by Victor Julien

Victor Julien — Fri, 27 Aug 2010 13:38:29 +0000

If I understand the issue correctly what is going on is the following (in Suricata). The “content” keyword without modifiers is matched against the raw packet data (either in the packet or in the reassembled stream). If you use the http_client_body content modifier, the normalized (unzipped etc) client body will be inspected. There is no http_server_body in the Snort rule syntax however, so basically it seems impossible to match on the normalized server body.

So I think the right thing to do would be adding a http_server_body keyword. Ideally both Snort and Suricata would implement such a keyword to prevent rule syntax divergence.

Comment on Massive Advertising Server Compromise/Socially Engineered By The RBN by Alex Gordon

Alex Gordon — Sat, 03 Apr 2010 07:46:36 +0000

Вы не ошиблись, все верно... We have identified several major websites (buy.com, cnbc.com, digg.com, evite.com and msn.....

Comment on Configuring Napatech Cards to Perform Hashed Load Balanced Streaming by jmc

jmc — Sat, 05 Dec 2009 21:28:41 +0000

Great posts about the Napatech cards! Would love to read more about your experience with these, the kind of performance you get, on what kind of hardware…
If you also use them to capture full content data what kind of disk setup to you use to be able to keep up and provide enough IO while monitoring high bandwith links.

Comment on jSguil by Tweets that mention jSquil « Trojaned Binaries -- Topsy.com

Tweets that mention jSquil « Trojaned Binaries -- Topsy.com — Tue, 01 Dec 2009 14:33:17 +0000

[...] This post was mentioned on Twitter by Doug Burks, Richard Bejtlich. Richard Bejtlich said: Glad to see yet another Sguil client in development, this by Eoin Miller http://bit.ly/8xxKdS [...]

Comment on VSS Monitoring Stream Capable Load Balancing Taps by Mark McHarry - VSS Monitoring PR

Mark McHarry - VSS Monitoring PR — Thu, 12 Nov 2009 20:46:50 +0000

With a couple exceptions, all of VSS 10-Gigabit and 1-Gigabit distributed taps support load balancing. The link you provided in your post lists them: http://www.vssmonitoring.com/products/d_taps.asp

More information is in our Load Balancing whitepaper, available from: csupport@vssmonitoring.com

You can also sign up for our RSS feed: http://www.vssmonitoring.com/rss.xml

Comment on High Speed IDS Traffic Splitting With Stream Capable Cards and Daemonlogger by Eoin Miller

Eoin Miller — Thu, 08 Oct 2009 06:39:01 +0000

Well apparently VSS Monitoring makes stream capable cards and I wrote up a little bit about it here:
http://trojanedbinaries.com/blog/?p=100

Best thing is, these taps also support doing layer 2-4 filtering as well.

Comment on High Speed IDS Traffic Splitting With Stream Capable Cards and Daemonlogger by Eoin Miller

Eoin Miller — Tue, 06 Oct 2009 16:41:39 +0000

Very true, but the Gigamon taps don’t balance based on load from what I have read/had pitched to us by their resellers. You can “split” the traffic based on net/port/whatever other layer 4 BPF stuff you want:
http://www.gigamon.com/pr_10G_to_1G_112006.php

Another alternative (which isn’t quite as flexible as the Gigamons but is cheaper) is the NetOptics Director series taps. You can split traffic in the same manner, but the hardware is cheaper:
http://www.netoptics.com/products/product_family_details.asp?cid=9&pid=210

At least from the pricing I have seen, a simple dumb tap combined with a stream capable card and a 4U box would come out cheaper than a comparable Gigamon solution. Additionally the proposed stream based card solution distributes based on load and not on port/address/net but you could also do it that way if you wanted using the filtering features on the card.

Comment on High Speed IDS Traffic Splitting With Stream Capable Cards and Daemonlogger by Richard Bejtlich

Richard Bejtlich — Mon, 05 Oct 2009 20:29:00 +0000

Or you could buy a http://www.gigamon.com/