Hi folks! I’m happy cause the work on Picviz Projetct goes well. Another feature was finish, and was determined on our Porposal we are work to improve the Picviz interface.
Item 2 from our Proposal, that is ready:
2 - Addition features to apply zoom/focus effect in some aspect from graphic;
The density of lines in the PCP can be reduced
dramatically using a focusing tool. Through the implementation of this
Hi everyone,
I just wanted to share few things with you about my project.
I’m still very excited to work on my project and if anyone is intersted in what I’ve done, here is a short tutorial I created to setup the project quickly.
If some kind people would like to test it to give me their feedback. It could be the best way for me to improve it.
Last saturday I’ve finally released a new Glastopf version. There are some new features and many changes under the hood.
New implemented features:
LFI (Locale File Inclusion) handler: He is back! I have lost him somehow during coding and now he has his own handler. I am looking forward to get some data for attack method comparison. Furthermore he is one possible first layer for RCE (Remote Code Execution) attacks. So I am also curious if I’m catching some of those attacks.
When using hooking technology to intercept system calls, there are two different places to collect information: before the original function is called (precall) and after the original function returns (postcall). For example, in Sebek Win32 client, when callback function OnZwReadFile is called, it first calls the original function s_fnZwReadFile, after the original function returns, it checks whether the original call succeeds, if does, it then calls the data collection function LogIfStdHandle:
TCP was built to allow 2 hosts to exchange a stream of packets reliably. Honeybrid must add a third host to this operation when it decides to investigate further a connection. The keys for this process to work are: 1) a replay process that gets the high interaction honeypot to the same state than the low interaction honeypot; and 2) a forwarding process that translates not only IP addresses but also TCP sequence and acknowledgement numbers. Here is how things work in detail:
Sebek Windows client has two keystroke sources, one is read or write std stream, the other is csrss port. In the callback function of NtReadFile and NtWriteFile, Sebek will check if the given file handle match one of the three standard stream handles. if matches, it then logs the given data of keystrokes:
__asm {
mov EAX, FS:[18h]
mov [pTIB], EAX
}
if(FileHandle == pTIB->pPEB->ProcessParameters->StandardOutput ||
FileHandle == pTIB->pPEB->ProcessParameters->StandardInput ||
FileHandle == pTIB->pPEB->ProcessParameters->StandardError)
{ //log data }
One project mentored by the Honeynet Project during GSoC aims at improving nebula, an automated intrusion signature generator. There are two critical components in the signature generator: A clustering engine that groups similar attacks into classes, and a signature assembler that extracts common features and selects some of them for the actual signature.
The first work package’s goal is to improve the overall signature quality. This can be achieved by tuning the core components, i.e. the clustering and the signature assembler. Further, nebula looses all states upon restart in its current version. The second goal is to make nebula state-aware and add the ability to save and load states.
The first version of the parser is essentially finished. The main goal for the basic version of the parser is to take Sebek data and create two groups of data: one group is comprised of a data structure that holds an event’s information, things like the timestamp, event type, what service the event was connected to, etc. The second group is simply a list of each unique event, basically what types of events happened, what ports were used, services used by the events, things of that nature. The more interesting challenge was to somehow create a way for users to group events that they want to group together, so if a user wants to lump certain tools together (say vulnerability scanners, so nmap and nessus together) then a user can do so. So there is GUI component to this that allows a user to do this, it dumps all the unique events into one window, and the user can drag and drop them into the other, push the return button (which I should probably change the label on…) and it will create a text file of groupings.
One difference in Qebek from other existing virtualization based honeypot monitoring tool is that I want to ‘hook’ the function of system service instead of the dispatcher, more precisely, the ‘sysenter’ or ‘int 2e’ instruction. This is similar to the difference between SSDT (System Service Descriptor Table) hook and kernel inline hook. However, doing it this way must face a problem: how to get the function address? One way is get it directly from SSDT. Under Windows, since SDT (Service Descriptor Table) can be referenced by the exported symbol ‘KeServiceDescriptorTable’, this is a very simple task. So the problem for me is how to get the SDT address in QEMU without any ‘symbol’.
Hello all!
Currently I’m very busy in hard work on PicViz gsoc tasks, nevertheless I still taking arbitrary tickets (tasks that I not proposed for gsoc) of this tool. Some bit but very useful features were done.
For first picviz-gui has a set of rows that shows data about plotted events and have a slider for hide events. I got a ticket that required connection about these, i.e., when user moves the slider Picviz should hide the rows (data) that makes reference about event. And now this is done!