GlasBlog

I’m by no means a C developer. I have never written a Zend extension before (there are actually some good starting points available) and I have only a rough idea whats happening in the PHP internals. So when the Advanced PHP Debugger (APD) failed to build on PHP –version >= 5.4 due to the new Zend Api (or engine) and after looking at the APD issues list, I decided to “extract” the renaming and overwriting feature of APD and pack it into something I called BFR – Better Function Replacer. I basically removed all unneeded functionality via an ugly “remove if build fails bring back” approach. It works and I would appreciate feedback.

I successfully finished the Cyber Fast Track project with the Honeynet Project. Details can be found in the blog post from the Honeynet Project or in the final document which you should read if you are interested in the new changes in Glastopf v3.

The annual workshop is happening again this year. This time in San Francisco with an even better public day than last year. If you are interested and not yet registered, make sure to check out the workshops web site. We will have one public day with talks from Honeynet Project members and invited guests and hands-on training on the second day with highlights like: malware reversing engineering, android reverse malware forensics and Cuckoo box.

Cyscon’s Thorsten Kraft informed me recently that his company is using Glastopf data to generate abuse tickets which lead to take downs of compromised websites. It’s great to hear that people actually using the data we collect and furthermore extracting actionable information which makes the internet a safer place.

In case anyone is also looking for the XML report for the Wepawet analysis:
http://wepawet.cs.ucsb.edu/view.php?hash=07e0a0fa8db4a9284f9c846b0e4b343c&t=1319285920&type=js&format=xml
Sadly this is nowhere documented and the feedback form is probably not checked very often.

ID: FeeLCoMz
SAFE: OFF
OS: Linux
UNAME: Linux Server 2.6.38-11-generic (*snip*)
SERVER: -
USER: root
UID: uid=0(root) gid=0(root) groups=0(root)
DIR: /var/www
PERM: [W]
HDD: Used: 13.52 GB Free: 34.18 GB Total: 47.7 GB
DISFUNC:
FeeLCoM

No, not really:

glaslos@eeepc:~/workspace/Glastopf/trunk/sandbox$
php apd_sandbox.php samples/feelcomz.txt

I was quite busy the last 6 months and not able to work on Glastopf at all. Which doesn’t mean I’m not doing related work.
Since one week, I got some free time and I’m finally able to work on Glastopf again. Main goal will be a revamp of the core. After this you will be able to use Glastopf in your tool (web server) with just a few lines of code:

import glastopf
 
response = glastopf.handle_request(data, self.addr)

I’ll also include a small web server so Glastopf will be still a stand-alone tool ;)
Glastopf will also benefit from my work on advanced dork lists and SQL injections from my internship during spring this year.
I have another 3 weeks for Glastopf before I’ll stay in Taiwan for 3 months. During those 3 months, I’ll be definitely able to continue my work.
I hope to release the next version in two weeks. Stay tuned!

The videos are online, I recommend to watch them if you want to get an idea, what we are working on.

The Honeynet Project just finished their application for this years Google Summer of Code:

23:00 UTC Friday March 11th was the first deadline for Google Summer of Code 2011, and the cut off point for organizations interesting in participating to complete their org application.

I’m very pleased to confirm that the Honeynet Project have once again applied. Whilst we now patiently wait for Google to announce which organizations will be selected to participate on March 18th, interested prospective students can start looking at our our initial GSoC 2011 project ideas and find more information about getting involved with the Honeynet Project and Google Summer of Code 2011 here – including contact details for email and IRC. Please feel free to get in touch if you have any questions or project ideas.

Fingers crossed we’ll be working on some great student projects once again this summer, and big thanks to Google for their continued support for FOSS (and hopefully honeynet R&D!) in 2011 ;-)

There was a issue reported when running GlastopfNG in a desktop environment a couple of months ago. The problem was the name of the log file used by the cleanLog reporting module: cleanLog.log. When starting up GlastopfNG, the module loader has tried to load the scripting engine for the cleanLog module based on the file extension. In the desktop environment case not *.rb (JRuby) but the *.log file extension. This obviously (there is no scripting module matching the log extension) cause trouble.
To solve the issue I had to change the log file name to logfile.log (the module loader checks the extension from the file called cleanLog.*) and adjust the config.xml accordingly.
I also release a fixed version: 1.2.2 available as usual here: http://dev.glastopf.org/projects/glastopfng/files (be careful Redmine sorts based on filename not date!).