Wednesday, February 1, 2012

BRO IDS Log Parsers gems

Recently I have been playing with Security Onion (http://securityonion.blogspot.com/) for some network monitoring stuff at home. If you haven't seen Security Onion before, it's kinda like Backtrack for the Blue Team. It's preloaded with tons of tools for doing network forensics and monitoring. If you have any interest in this kind of stuff I recommend checking it out!

One of the tools preloaded on Security Onion is the new 2.0 release of BRO IDS. After getting BRO set up I was looking for a way to take the awesome log files it creates and make them a little more useful for me. At the same time I wanted to work on my ruby-fu, so I decided to create some ruby gems to parse the BRO logs.

As of today I have the first two done. With the gems you can easily parse the DNS and HTTP logs to pull out just the info you want. After the jump I will include 2 sample scripts I use to pull some of the info I want.

The Gems: https://github.com/nullthreat
For more info on Security Onion Visit: http://securityonion.blogspot.com/
For more info on BRO IDS: http://www.bro-ids.org/
Irongeek did a great video on SO: http://www.irongeek.com/i.php?page=videos/basic-setup-of-security-onion-snort-snorby-barnyard-pulledpork-daemonlogger
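The post says the gems pull "just the info you want" out of the DNS log but the sample scripts are not on this page, so here is an added example of the same idea in plain Ruby. It is not the nullthreat gems' code: it reads the Bro 2.0 ASCII log format directly (tab-separated data, with "#fields" and "#types" header lines naming the columns and "#unset_field" giving the marker for absent values), converts each column by its declared type, and then answers two defender questions: which names are queried most, and which clients are getting NXDOMAIN answers. The header is modeled on Bro 2.0's dns.log; the four records, client addresses and uids are constructed for the example.

```ruby
# Added example, not part of the nullthreat gems: parse a Bro 2.0 ASCII log
# (dns.log here) into an array of hashes keyed by the "#fields" column names.

# Constructed sample dns.log. The first header line is literally "#separator \x09";
# every other header line and all data lines are tab-separated.
SAMPLE_DNS_LOG = [
  "#separator \\x09",
  "#set_separator\t,",
  "#empty_field\t(empty)",
  "#unset_field\t-",
  "#path\tdns",
  "#open\t2012-02-01-10-00-00",
  ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "trans_id",
   "query", "qclass", "qclass_name", "qtype", "qtype_name", "rcode", "rcode_name",
   "QR", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs"].join("\t"),
  ["#types", "time", "string", "addr", "port", "addr", "port", "enum", "count",
   "string", "count", "string", "count", "string", "count", "string",
   "bool", "bool", "bool", "bool", "bool", "count", "vector[string]", "vector[interval]"].join("\t"),
  ["1328090400.123456", "CXWv6p3arKYeMETxOg", "192.168.1.10", "53211", "192.168.1.1", "53", "udp", "1234",
   "www.example.com", "1", "C_INTERNET", "1", "A", "0", "NOERROR",
   "T", "F", "F", "T", "T", "0", "93.184.216.34", "300.000000"].join("\t"),
  ["1328090401.500000", "CqMkWn2JnYjTQdxZ4", "192.168.1.10", "53212", "192.168.1.1", "53", "udp", "1235",
   "www.example.com", "1", "C_INTERNET", "28", "AAAA", "0", "NOERROR",
   "T", "F", "F", "T", "T", "0", "2606:2800:220:1:248:1893:25c8:1946", "300.000000"].join("\t"),
  ["1328090402.750000", "C3kL1qAbCdEfGh1", "192.168.1.20", "40001", "192.168.1.1", "53", "udp", "9",
   "xk3jf9s2.example.net", "1", "C_INTERNET", "1", "A", "3", "NXDOMAIN",
   "T", "F", "F", "T", "T", "0", "-", "-"].join("\t"),
  ["1328090403.000000", "C9xYzABCDEF12", "192.168.1.20", "40002", "192.168.1.1", "53", "udp", "10",
   "mail.example.com", "1", "C_INTERNET", "15", "MX", "0", "NOERROR",
   "T", "F", "F", "T", "T", "0", "mail1.example.com,mail2.example.com", "3600.000000,3600.000000"].join("\t"),
  "#close\t2012-02-01-10-05-00",
].join("\n")

# Convert one column according to its Bro type string. Unset values become nil;
# counts/ports become Integers, times/intervals Floats, bools true/false, and
# vector/set columns become arrays split on the log's set separator.
def convert(value, type, unset, empty, set_sep)
  return nil if value == unset
  case type
  when "count", "int", "port" then Integer(value)
  when "time", "interval", "double" then Float(value)
  when "bool" then value == "T"
  when /\A(vector|set|table)\[(.+)\]\z/
    inner = Regexp.last_match(2)
    return [] if value == empty
    value.split(set_sep).map { |v| convert(v, inner, unset, empty, set_sep) }
  else value
  end
end

# Parse the whole log text. Header lines ("#...") set the column names, types
# and markers; every other non-empty line is a record with one entry per field.
def parse_bro_log(text)
  fields, types = nil, nil
  unset, empty, set_sep = "-", "(empty)", ","
  records = []
  text.each_line do |raw|
    line = raw.chomp
    next if line.empty?
    if line.start_with?("#")
      key, value = line.split("\t", 2)
      case key
      when "#fields"        then fields = value.split("\t")
      when "#types"         then types = value.split("\t")
      when "#unset_field"   then unset = value
      when "#empty_field"   then empty = value
      when "#set_separator" then set_sep = value
      end
      next
    end
    raise "data line before #fields header" unless fields && types
    cols = line.split("\t", -1)
    raise "expected #{fields.length} columns, got #{cols.length}" unless cols.length == fields.length
    records << fields.each_with_index.to_h { |name, i| [name, convert(cols[i], types[i], unset, empty, set_sep)] }
  end
  records
end

# Most-queried names, as [query, count] pairs sorted by count descending.
def query_counts(records)
  counts = Hash.new(0)
  records.each { |r| counts[r["query"]] += 1 if r["query"] }
  counts.sort_by { |q, n| [-n, q] }
end

# Clients that received NXDOMAIN, mapped to the names they asked for.
def nxdomain_by_client(records)
  out = Hash.new { |h, k| h[k] = [] }
  records.each { |r| out[r["id.orig_h"]] << r["query"] if r["rcode_name"] == "NXDOMAIN" }
  out
end

if __FILE__ == $0
  recs = parse_bro_log(SAMPLE_DNS_LOG)
  puts "Top queries:"
  query_counts(recs).each { |q, n| puts "  #{n}\t#{q}" }
  puts "NXDOMAIN by client:"
  nxdomain_by_client(recs).each { |host, names| puts "  #{host}\t#{names.join(', ')}" }
end
```

To use it on a real Bro 2.0 log, replace SAMPLE_DNS_LOG with File.read("dns.log"); the same parser works for http.log or any other Bro ASCII log because the column names and types come from the file's own header rather than being hard-coded.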


Monday, September 19, 2011

Updated Peach Tutorial

A friend of the Corelan Team, Pyoor, has written some excellent documentation on Peach. I think this is some of the best, most complete documentation I have seen yet on file fuzzing with Peach.

Make sure you check it out : http://www.flinkd.org/2011/07/fuzzing-with-peach-part-1/

Sunday, June 5, 2011

Updated Pastenum

I updated pastenum today and added some instructions on how to install it in Backtrack 5. Find that and more over at www.corelan.be.

Link: http://redmine.corelan.be/projects/corelan-pastenum/wiki
Download: http://redmine.corelan.be/attachments/download/356/Pastenum2.tar.gz

Thursday, March 24, 2011

Pastenum – Pastebin/pastie enumeration tool


When conducting a pen-test, the process typically starts with the reconnaissance phase: gathering information about your target (a system, organization or person).
Today, we want to present a tool that can be added to your reconnaissance toolkit.
Text dump sites such as pastebin and pastie.org allow users to dump large amounts of text for sharing and storage.
As these sites become more popular, the amount of sensitive information being posted will inevitably increase.
Pastenum is designed to help you find that information and bring it into one easy-to-read location.
The hope is that it will allow internal security teams to run simple queries about their companies and determine if they have sensitive information residing in one of these text dumps. It will also help pen-testers with the recon phase by allowing them to enumerate more data faster.
In order to do so, it uses a series of search queries for keywords provided by the pentester. Since it queries public sources (and not the target network itself), this should be stealthy to the target.

Hacker Trail Mix - Appalachian Institute of Digital Evidence

I gave a talk at the AIDE winter meeting on February 18th. The talk was meant to cover many rapid-fire topics in a short amount of time. Below is a list of the stuff I can remember talking about:

Maltego
Shodan
FOCA
ICanStalkU
Pastenum (Preview)
DNS Zone Transfers
MDNS/dnsrecon
wfuzz
fuzzdb
SET


Friday, January 7, 2011

Simple File Format Fuzzing

Originally Posted: SUNDAY, JULY 11, 2010 AT 1:20PM

A member of the Corelan forums, CodeZer0, asked for a short tutorial on file fuzzing. In particular he wanted to know how we would find the bug from CorelanCoder's first Exploit Development tutorial in EASY RM to MP3.

Fuzzing with Peach - Running the Fuzz - Part 3

Originally Posted: FRIDAY, JUNE 11, 2010 AT 8:15PM

Now that you have Peach installed and a Peach pit written, it's time to fuzz something. I'm sure you can guess what I have been fuzzing (look in the exploit section). With Peach I have found 2 different Denial of Service bugs in the SolarWinds free TFTP server in 2 weeks. This highlights the importance of internal application fuzzing before a product is released. If they had used my basic pit they would have found both bugs prior to release.