Wednesday, November 20, 2013

Google's tool for analyzing email headers

I periodically have the need to dig through email headers to figure out when an email originated.  Email headers aren't rocket science (each relay prepends its own Received line, so they read like a LIFO stack: newest hop on top, origin at the bottom), but they make my eyes wiggle.  Today, I stumbled across Google's tool for deciphering these headers...and it's pretty cool.

https://toolbox.googleapps.com/apps/messageheader/analyzeheader

This tool takes a header like this:
Delivered-To: f00bar@gmail.com
Received: by 10.182.148.167 with SMTP id tt7csp107427obb;
        Wed, 20 Nov 2013 14:09:06 -0800 (PST)
X-Received: by 10.15.81.129 with SMTP id x1mr49625eey.55.1384985344849;
        Wed, 20 Nov 2013 14:09:04 -0800 (PST)
Return-Path: <noreply@malwr.com>
Received: from malwr.com ([46.244.22.3])
        by mx.google.com with ESMTP id w6si12230921eeg.336.2013.11.20.14.09.04
        for <f00bar@gmail.com>;
        Wed, 20 Nov 2013 14:09:04 -0800 (PST)
Received-SPF: neutral (google.com: 46.244.22.3 is neither permitted nor denied by best guess record for domain of noreply@malwr.com) client-ip=46.244.22.3;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 46.244.22.3 is neither permitted nor denied by best guess record for domain of noreply@malwr.com) smtp.mail=noreply@malwr.com
Received: from cuckoo.shadowserver.org (localhost [127.0.0.1])
by malwr.com (Postfix) with ESMTP id EC56417818CD
for <f00bar@gmail.com>; Wed, 20 Nov 2013 14:09:02 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: Malwr - Analysis completed!
From: noreply@malwr.com
To: f00bar@gmail.com
Date: Wed, 20 Nov 2013 22:09:02 -0000
Message-ID: <20131120220902.24101.27746@cuckoo.shadowserver.org>


And makes it easier to look at, like this:
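
The screenshot of the tool's output did not survive here. As an added example (not part of the original post and not Google's tool), the script below does the same walk over the Received lines quoted above: it unfolds each header, pulls out the from/by hosts and the timestamp, reverses the list so the origin hop comes first, and computes the delay at each hop. It assumes a constructed excerpt of the post's own headers with the folded continuation lines re-indented.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed excerpt: the Received lines of the header block quoted above,
# with the folded continuation lines re-indented (a folded header line must
# begin with whitespace, otherwise the parser treats it as the start of the body).
RAW_HEADERS = """\
Received: by 10.182.148.167 with SMTP id tt7csp107427obb;
        Wed, 20 Nov 2013 14:09:06 -0800 (PST)
Received: from malwr.com ([46.244.22.3])
        by mx.google.com with ESMTP id w6si12230921eeg.336.2013.11.20.14.09.04
        for <f00bar@gmail.com>;
        Wed, 20 Nov 2013 14:09:04 -0800 (PST)
Received: from cuckoo.shadowserver.org (localhost [127.0.0.1])
        by malwr.com (Postfix) with ESMTP id EC56417818CD
        for <f00bar@gmail.com>; Wed, 20 Nov 2013 14:09:02 -0800 (PST)
"""


def parse_hops(raw_headers):
    """Return the Received hops oldest-first, each with its per-hop delay."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold and squeeze whitespace
        clauses, sep, stamp = value.rpartition(";")
        if not sep:                              # no date clause: cannot time it
            continue
        src = re.search(r"\bfrom\s+(\S+)", clauses)
        dst = re.search(r"\bby\s+(\S+)", clauses)
        hops.append({"from": src.group(1) if src else "-",
                     "by": dst.group(1) if dst else "-",
                     "time": parsedate_to_datetime(stamp.strip())})
    # Every relay prepends its own Received line, so the top one is the newest;
    # reverse to read the path in the order the message actually travelled.
    hops.reverse()
    for i, hop in enumerate(hops):
        # A negative delay means the relays' clocks disagree, not a faster hop.
        hop["delay_s"] = 0 if i == 0 else int(
            (hop["time"] - hops[i - 1]["time"]).total_seconds())
    return hops


if __name__ == "__main__":
    for n, hop in enumerate(parse_hops(RAW_HEADERS)):
        print(f"hop {n}: {hop['from']} -> {hop['by']} at "
              f"{hop['time']:%H:%M:%S %z} ({hop['delay_s']:+d}s)")
```

Each Received timestamp is written by that relay's own clock, so the first hop is the best available estimate of when the mail left the sender, and any negative delay points at clock skew rather than the path.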


Thursday, November 14, 2013

Making Sure Logs Don't Get Out of Control


Sometimes, you need a little script to make sure your logs aren't getting too crazy. Enjoy!

#! /bin/bash

###################################################################
#
# Author: Matthew Myrick
# Date Created: 20120330
# Date Modified: 20120330
# Purpose: This script is used to remove old data when the
#       disk is over 97% full
#
# Dependencies: CRON
#
####################################################################

#CHECK TO SEE DISK USE PERCENTAGE (-P keeps the df output on one line,
#so $5 is always the Use% column even for long device names)
perc="`df -P /Promise | tail -n 1 | awk '{print $5}' | cut -d '%' -f 1`"

#COMPARE VALUE TO OUR LIMIT
if [ "$perc" -gt "97" ]; then
 #DELETE THE LEAST-RECENTLY-MODIFIED TOP-LEVEL DIRECTORY UNDER /Promise
 #(-mindepth 1 keeps /Promise itself out of the candidate list; directory
 #names containing whitespace would be split by awk/xargs, so keep them simple)
 /usr/bin/find /Promise -mindepth 1 -maxdepth 1 -type d -printf "%T@ %p\n" | sort -n -k 1,1 | awk '{print $2}' | head -1 | xargs -r rm -rf
fi

Wednesday, October 30, 2013

FireEye Script To Manage YARA Across An Enterprise



FireEye has been a huge help to cyber security analysts over the years. However, nothing is perfect...and the lack of an API is a huge shortcoming (which I hear they are working on). To compensate for this shortcoming, I've written a bash script that will distribute a file of properly formatted YARA rules (you can do the same thing for Snort rules) to FireEye devices (even with their latest enforcement of the Rails authenticity token). Enjoy!


Monday, October 28, 2013

XOR From the Unix CLI


Every once in a while (depending upon how hard you look) I'm faced with something that looks like an executable, but not quite. A very common tactic used by cyber criminals to evade IDS and analysts is to XOR executables (and sometimes data) so that they don't look suspicious. There is no shortage of ways to XOR, but I thought I'd share an easy method using perl, borrowed from Daniel Wesemann (https://isc.sans.edu/forums/diary/Exploit+cocktail+Struts+Java+Windows+going+after+3-month+old+vulnerabilities/16913).

In the example below he uses "cat" and "perl" to perform a single-byte XOR (0x77) on the hex-encoded bytes in a file called "data.hex" and then redirects the result to a file called "data.exe".

cat data.hex | perl -pe 's/(..)/chr(hex($1)^0x77)/ge' > data.exe

Wednesday, January 16, 2013

The Basics of Linux Screen


Screen is an awesome utility that offers the ability to detach a long-running process (or program, shell script, IRC window, etc.) from a session and then attach it back at a later time.  Below are the basics:

To get started, enter:
      screen

To see your existing screen sessions, enter:
      screen -list

To detach an attached screen, enter:
      screen -D

To re-attach to a detached screen, enter:
      screen -r

Monday, January 14, 2013

Java 0day is upon us and no patch in Sight!

And... the Java 0day is here. Actually, I am way late. So late that there is a patch. But be careful: it's not really a patch. It's just a configuration setting :p So no matter what you do, I encourage you to think about this one very, very seriously.