What is TIP? TIP stands for Tracking Intelligence Project. In my most beautiful dreams, TIP should be an information gathering
framework whose purpose is to autonomously collect Internet threat
trends. It’s entirely written in Python using Twisted and bound to the Django framework in order to abstract the underlying database and to easily build a web interface to the data.

TIP is made up of a few modules which are totally independent one from the other but with each one feeding the other ones. Its design is based on a core module which acts as a kind of scheduler which schedules what we can call “first level modules” at a precise time in future or in response to a particular event.

Honeypots have been actively used by the security community for over ten years now.  They are used for a variety of purposes, but now a days primarily for information gathering.   When honeypots first were being used they generated a great deal of discussion about the legal issues.  However, through the years this debate has died down, most organizations feeling these issues are minor.  I just wanted to share an update on these thoughts.

This week I completed an important step which is to integrate a parser in Honeybrid. There are now two new files in the source code:

• rules.l which defines the different tokens to analyze,

• rules.y which defines the configuration language and the different subroutines to call when a specific combination of tokens is detected.

Flex and Bison compile these two files and generate rules.c and rules.h which are then used by honeybrid to parse its configuration. The great advantages of having a parser are to have a flexible configuration file and to better handle configuration errors with a short volume of code.

UPDATE: the log data is posted here.  A notification group about new log sharing is here.

This WASL 2009 workshop reminded me that I always used to bitch that some academic researchers use antediluvian data sets for their research (Lincoln labs 1998 set used in 2008 “security research”  makes me want to just curse and kick people in the balls, then laugh, then cry, then cry more…).

However, why are they doing it? Don’t they realize that testing their “innovative intrusion detection” or “neural network-based log analysis” on such prehistoric data will not render it relevant to today’s threats? And will only ensure ensuing hilarity :-)

This phenomenon is first observed when I tried the NtReadFile test last week, sometimes when the postNtReadFile is called, the handle value, buffer address and buffer size got from the stack is quite different from values got in preNtReadFile. I didn’t pay much attention to this problem that time, but, when I tried to debug the NtSecureConnectPort API with WinDBG today, this phenomenon appeared again. So I did a further study on it.

I know I said that I would post a screenshot a week ago, but it’s been a little busy, but here’s an older attached image. One of the reasons there was a delay is that the code that I was using was based on one of the wxPython demo programs, hence the RunDemo title bar. I’m in the process of revamping that code into something that’s a little more standalone.

This is supposed to be the first Qebek blog, but unfortunately, it cannot pass the check of mod_security (even today), so I posted here.

Hi folks,

It took me a long time to work on the data model, the back-end, to setup all my framework
(Tapestry+hibernate+Spring+ACEGI+Maven) but it’s done right now.

So I will post once a week I guess about new features I added.

I’d like to speak a bit about how my webapp works. The main goal is to separate every layer of my web.
e.g front-end/business/back-end :

Layers model

This week, you I added

Hello all!

In Last night we had released the newest version of PicViz suite (that contains all PicViz tools). Specifically for the GUI, now we can brush the lines dynamically and apply zoom in graph. To allow line brush has been necessary reimplement some important classes of PyQt used in the GUI. It wasn’t easy. But now it works, despite of we must continually improve the line (event) selection.

Get it!

The code is like this:

class unknown_obj(object):

    def __call__(self, *arg): return unknown_obj()

    def __getitem__(self, key): return unknown_obj()

    def __getattr__(self, name): return unknown_obj()

The three methods are: __call__ for function calls (*arg means arg is the argument list), __getitem__ for the visit to members using ‘[]’, such as a[3] and 3 is the key, __getattr__ just like we mentioned, for any visit to members using ‘.’. So almost every kind of codes is legal to an object like this. For example: