AlienVault R&D Labs Portal. Get the latest news from our research.
Header

Attacks: Wireless Intrusion Detection Systems Testing Tool

January 7th, 2010 | Posted by jaime.blasco in Attacks - (1 Comments)

To celebrate the New Year I want to share with you a simple but useful tool I wrote some time ago.

The script generates wireless packets to emulate wireless attackswith the intention of testing wireless intrusion detection systems.

At this moment it supports the following attacks:

To run the tool you need Scapy.

You can use the tool to test that your Ossim wireless sensor with Kismet works as you expect:

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

More Posts - Website

Follow Me:
TwitterLinkedIn

, , , , , ,

Snort: Rule to detect Modbus device fingerprinting

April 21st, 2009 | Posted by jaime.blasco in Alienvault OSSIM | Scada Security | Snort - (Comments Off)

I’ve just published a snort rule to detect Scada Modbus Device fingerprinting tools like modscan:

alert tcp any any -> any 502 (msg:"ET SCAN Modbus Scanning detected"; content:"|00 00 00 00 00 02|"; depth:6; threshold: type both, track by_src, count 100, seconds 10; 
classtype:bad-unknown; reference:url,code.google.com/p/modscan/; reference:url,www.rtaautomation.com/modbustcp/; sid:2009286; rev:1;)

You can find it at Emerging Threats

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

More Posts - Website

Follow Me:
TwitterLinkedIn

, , , , ,

April 1st, Conficker day

March 31st, 2009 | Posted by jaime.blasco in Alienvault OSSIM | Attacks | Exploits | Malware - (Comments Off)

Tomorrow Conficker will activate a P2P system to coordinate to other infected machines over TCP and UDP, we’ve published a directive to detect the P2P behaviour.

Donwload Directive

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

More Posts - Website

Follow Me:
TwitterLinkedIn

, , , , ,

Ossim: Shellcode Detection and Analysis

March 10th, 2009 | Posted by jaime.blasco in Alienvault OSSIM | Exploits - (Comments Off)

I’m glad to announce a new feature we have added to forensic console. We use libemu to make shellcode detection and analysis to help on forensic analysis and reduce false positives, an example:

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

More Posts - Website

Follow Me:
TwitterLinkedIn

, , , , ,

New Directives

February 3rd, 2009 | Posted by jaime.blasco in Alienvault OSSIM - (1 Comments)

I’ve just update the public CVS with some new directives as part of the effort we are doing to improve the upcoming installer:

Attacks:

  • Possible Successful Attack: Reverse Shell Access to the System
  • Possible POP3 Bruteforce against SRC_IP
  • Possible FTP Bruteforce against SRC_IP
  • Command execution against webserver on DST_IP
  • File /etc/passwd access on DST_IP
  • Possible SQL injection attempt against DST_IP
  • Possible attack against DST_IP (Symantec Remote Management RTVScan Exploit)
  • Possible sa account bruteforce against SRC_IP (SQL Server)
  • Possible VNC bruteforce against SRC_IP
  • Possible attack against DST_IP (Microsoft Server Service related attack)
  • Too many Cisco Firewall dropped events with destination DST_IP

    • Worms:

  • Possible Worm Infection against DST_IP
  • Possible Worm Infection against DST_IP via DCOM RPC vulnerability
  • Possible Worm Infection against DST_IP via Kill-Bill ASN1 vulnerability
  • Possible Worm Infection against DST_IP via Lsasrv.dll RPC vulnerability
  • Possible Worm Infection against DST_IP via WINS vulnerability
  • Possible attack against DST_IP (Microsoft Server Service related attack)
  • Possible worm scanning behavior on port DST_PORT

    • Misc:

  • Username gathering at SMTP server DST_IP

    • jaime.blasco

    At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

    More Posts - Website

    Follow Me:
    TwitterLinkedIn

    , , ,