Wepawet XML report

Filed under Sandbox on 4 November 2011
Other Languages: None

In case anyone is also looking for the XML report for the Wepawet analysis:
http://wepawet.cs.ucsb.edu/view.php?hash=07e0a0fa8db4a9284f9c846b0e4b343c&t=1319285920&type=js&format=xml
Sadly, this is not documented anywhere, and the feedback form is probably not checked very often.

I got root!

Filed under Glastopf, Honeypot, RFI, Sandbox, Web Honeypot on 17 September 2011

ID: FeeLCoMz
SAFE: OFF
OS: Linux
UNAME: Linux Server 2.6.38-11-generic (*snip*)
SERVER: -
USER: root
UID: uid=0(root) gid=0(root) groups=0(root)
DIR: /var/www
PERM: [W]
HDD: Used: 13.52 GB Free: 34.18 GB Total: 47.7 GB
DISFUNC:
FeeLCoM

No, not really:

glaslos@eeepc:~/workspace/Glastopf/trunk/sandbox$
php apd_sandbox.php samples/feelcomz.txt

Working on Glastopf

Filed under Glastopf, Honeypot on 8 September 2011

I was quite busy the last 6 months and not able to work on Glastopf at all, which doesn’t mean I’m not doing related work.
Since a week ago I have had some free time, and I’m finally able to work on Glastopf again. The main goal will be a revamp of the core. After this you will be able to use Glastopf in your tool (web server) with just a few lines of code:

import glastopf

response = glastopf.handle_request(data, self.addr)

I’ll also include a small web server, so Glastopf will still be a stand-alone tool ;)
Glastopf will also benefit from my work on advanced dork lists and SQL injections from my internship during spring this year.
I have another 3 weeks for Glastopf before I’ll stay in Taiwan for 3 months. During those 3 months I’ll definitely be able to continue my work.
I hope to release the next version in two weeks. Stay tuned!

Public Workshop Videos online

Filed under General on 25 April 2011

The videos are online; I recommend watching them if you want to get an idea of what we are working on.

Honeynet Project finished GSoC’11 application

Filed under Honeypot on 12 March 2011

The Honeynet Project just finished their application for this year’s Google Summer of Code:

23:00 UTC Friday March 11th was the first deadline for Google Summer of Code 2011, and the cut-off point for organizations interested in participating to complete their org application.

I’m very pleased to confirm that the Honeynet Project have once again applied. Whilst we now patiently wait for Google to announce which organizations will be selected to participate on March 18th, interested prospective students can start looking at our initial GSoC 2011 project ideas and find more information about getting involved with the Honeynet Project and Google Summer of Code 2011 here – including contact details for email and IRC. Please feel free to get in touch if you have any questions or project ideas.

Fingers crossed we’ll be working on some great student projects once again this summer, and big thanks to Google for their continued support for FOSS (and hopefully honeynet R&D!) in 2011 ;-)

Problems running GlastopfNG in a Desktop environment?

Filed under GlastopfNG, Honeypot on 12 March 2011

There was an issue reported a couple of months ago when running GlastopfNG in a desktop environment. The problem was the name of the log file used by the cleanLog reporting module: cleanLog.log. When starting up GlastopfNG, the module loader tried to load the scripting engine for the cleanLog module based on the file extension. In the desktop environment case it picked up not the *.rb (JRuby) file but the *.log file extension. This obviously caused trouble (there is no scripting module matching the log extension).
To solve the issue I had to change the log file name to logfile.log (the module loader checks the extension of every file called cleanLog.*) and adjust the config.xml accordingly.
I also released a fixed version, 1.2.2, available as usual here: http://dev.glastopf.org/projects/glastopfng/files (be careful, Redmine sorts by filename, not by date!).
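The loader behaviour behind this bug, as an added illustration in Python that is not GlastopfNG’s own (Java) code: a module loader that globs cleanLog.* and picks a scripting engine by extension fails on cleanLog.log, while renaming the log file (the fix above) or, alternatively, restricting candidates to known script extensions avoids it. The engine table and file names are constructed for the example.

```python
import os

# Constructed table of script extensions the loader knows how to run.
ENGINES = {".rb": "jruby", ".py": "jython", ".js": "rhino"}


class ModuleLoadError(Exception):
    pass


def module_files(filenames, module_name):
    """All files named <module_name>.* , as the original glob would match them."""
    return [f for f in filenames if os.path.splitext(f)[0] == module_name]


def load_module_buggy(filenames, module_name):
    """Original behaviour: every <module>.* file is assumed to be a script.

    A data file such as cleanLog.log sitting next to cleanLog.rb therefore
    makes the loader look for a '.log' engine and fail.
    """
    loaded = []
    for f in module_files(filenames, module_name):
        ext = os.path.splitext(f)[1]
        if ext not in ENGINES:
            raise ModuleLoadError("no scripting engine for %s" % f)
        loaded.append((f, ENGINES[ext]))
    return loaded


def load_module_fixed(filenames, module_name):
    """Alternative hardening (my suggestion, not the 1.2.2 fix): only files with
    a known script extension are candidates; log and other data files are ignored."""
    return [
        (f, ENGINES[os.path.splitext(f)[1]])
        for f in module_files(filenames, module_name)
        if os.path.splitext(f)[1] in ENGINES
    ]


def demo():
    """Returns (buggy loader failed?, result after rename, result with hardened loader)."""
    desktop_dir = ["cleanLog.rb", "cleanLog.log", "config.xml"]   # constructed
    renamed_dir = ["cleanLog.rb", "logfile.log", "config.xml"]    # after the 1.2.2 fix
    try:
        load_module_buggy(desktop_dir, "cleanLog")
        failed = False
    except ModuleLoadError:
        failed = True
    return failed, load_module_buggy(renamed_dir, "cleanLog"), load_module_fixed(desktop_dir, "cleanLog")
```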

GSoC 2011 – Org Applications Open

Filed under Honeypot on 7 March 2011

The Honeynet Project announces their application for GSoC’11.

Has it really been another year already? Having really enjoyed our experience as a successful mentoring organization in Google Summer of Code 2009 and Google Summer of Code 2010, The Honeynet Project is very pleased to announce that we will once again be applying to be accepted this year as a potential mentoring organization for Google Summer of Code 2011 (note the changed URL for GSoC 2011).

The first GSoC 2011 deadline is Friday March 11th, which is the deadline for interested organizations to submit their org application. Currently we are reviewing our GSoC 2011 project ideas internally and prospective students will soon be able to see our list of proposed project ideas here. If we are accepted this year by Google, as usual all of our GSoC 2011 information will be available at /gsoc on our main public website.

To provide some background, you can find a copy of a recent presentation by our Chief Research Officer David Watson on our achievements during GSoC 2009 and GSoC 2010 here. This hopefully provides a quick introduction to the Honeynet Project and a summary of our collective activities in recent GSoCs.

For more GSoC 2011 information, student enquiries and GSoC mailing list information, see our /gsoc site.

Fingers crossed for lots of interesting student projects and another productive summer…

Forensic Analysis of a Compromised Server

Filed under Malware on 4 March 2011

The Honeynet Project has released a new forensic challenge. The plot? As usual:

A Linux server was possibly compromised and a forensic analysis is required in order to understand what really happened. Hard disk dumps and memory snapshots of the machine are provided in order to solve the challenge.

Are you up to the challenge? All details are here.

Here are the questions that need your answers:
read more »

The Honeynet Project Releases New Tool: Cuckoo

Filed under Cuckoobox, Sandbox on 24 February 2011

Here is another tool release from The Honeynet Project: CuckooBox by Claudio Guarnieri. Cuckoo is a binary analysis sandbox, designed and developed with the general purpose of automating the analysis of malware. Read more about the tool here, grab the tool here, but please read the detailed setup guide here (make sure to read it!). BTW, this tool is really well documented, so make use of that before deploying it.

Cuckoo is a lightweight solution that performs automated dynamic analysis of provided Windows binaries. It is able to return comprehensive reports on key API calls and network activity. Current features are:

  • Retrieve files from remote URLs and analyze them.
  • Trace relevant API calls for behavioral analysis.
  • Recursively monitor newly spawned processes.
  • Dump generated network traffic.
  • Run concurrent analysis on multiple machines.
  • Support custom analysis package based on AutoIt3 scripting.
  • Intercept downloaded and deleted files.
  • Take screenshots during runtime.

Please try the tool and send feedback to the author, or sign up for the mailing list devoted to this tool here.

GlastopfNG SQLite logging

Filed under GlastopfNG, Honeypot on 29 January 2011

Connecting to SQLite is more or less the same as with MySQL: load the sqlite.jar at runtime and use the JDBC driver. There are some wrappers available. SQLJet is an “independent pure Java implementation” of the SQLite database concept. It does not support SQL queries but a lower-level API. I didn’t take SQLJet because I planned to recycle my MySQL code. Another possibility is Christian Werner’s javasqlite. It’s the most up-to-date one I found (SQLite 3.7.4 on 2011-1-6), but it needs a DLL/shared library with the native JNI part, so it is no choice for a platform-independent project if you don’t want to force the user to build and install something. Last but not least, there is zentus’s SQLiteJDBC. It’s not the most up-to-date one, but it runs easily with the recycled code from the MySQL module. (I’m using version v057 from Max Zinal, available here: Native SQLite-JDBC for SQLite version 3.6.23.1, but v056 from the zentus homepage works too.)


Design by Robin Hastings - Colour adaptation by Ulysses Ronquillo