Collaborate Disseminate
Attackers commonly rely on backdoors to easily gain reentry and maintain control over a website. They also use PHP functions to further deepen the level of their backdoors.
A good example of this is the shell_exec function which allows plain shell com… Continue reading Cronjob Backdoors
I published the following diary on isc.sans.edu: “New Waves of Scans Detected by an Old Rule“: Who remembers the famous ShellShock (CVE-2014-6271)? This bug affected the bash shell in 2014 and was critical due to the facts that it was easy to exploit and that bash is a widespread shell
[The post [SANS ISC] New Waves of Scans Detected by an Old Rule has been first published on /dev/random]
Continue reading [SANS ISC] New Waves of Scans Detected by an Old Rule
Last week I attended my first OSSEC conference. I first blogged about OSSEC in 2007, and wrote other posts about it in the following years.OSSEC is a host-based intrusion detection and log analysis system with correlation and active response features. … Continue reading Thoughts on OSSEC Con 2019
I’m in Washington, waiting for my flight back to Belgium. I just attended the 2019 edition of the OSSEC Conference, well more precisely, close to Washington in Herndon, VA. This was my first one and I’ve been honoured to be invited to speak at the event. OSSEC is a very
[The post OSSEC Conference 2019 Wrap-Up has been first published on /dev/random]
Welcome to the seventh post of a series on understanding the Payment Card Industry Data Security Standard–PCI DSS. We want to show how PCI DSS affects anyone going through the compliance process using the PCI SAQ’s (Self Assessment Questio… Continue reading PCI for SMB: Requirement 10 & 11 – Regularly Monitor and Test Networks
I currently have a setup with OSSEC and AIDE running on our servers.
We are currently receiving a daily alert for each agent when AIDE runs and changes audit.log.
I want to make an exception for that, but I still want to … Continue reading How do I create exceptions on Wazuh (OSSEC)?
I have too many alerts in ossec.Please guide me how to change rule or how to do for i have too many alerts in ossec.
I published the following diary on isc.sans.edu: “Tracking Unexpected DNS Changes”: DNS is a key element of the Internet and, regularly, we read new bad stories. One of the last one was the Department of Homeland Security warning about recent DNS hijacking attacks. Indeed, when you want to visit the website ‘isc.sans.org’, you
[The post [SANS ISC] Tracking Unexpected DNS Changes has been first published on /dev/random]
I recently installed Sysmon, which logs events to OSSEC and currently monitors several endpoints. I have been trying to whitelist benign processes such as Windows services. Many of these processes run with commandline argumen… Continue reading Windows process documentation for tuning Sysmon
I published the following diary on isc.sans.edu: “Using OSSEC Active-Response as a DFIR Framework”: In most of our networks, endpoints are often the weakest link because there are more difficult to control (example: laptops are travelling, used at home, etc).They can also be located in different locations even countries for
[The post [SANS ISC] Using OSSEC Active-Response as a DFIR Framework has been first published on /dev/random]
Continue reading [SANS ISC] Using OSSEC Active-Response as a DFIR Framework