Threat Level: green Handler on Duty: John Bambenek

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-08-09 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

name-services.com DoS

Published: 2007-08-09
Last Updated: 2007-08-10 01:02:07 UTC
by Jim Clausing (Version: 1)
0 comment(s)

We've received a couple of reports from readers that name-services.com may be under a denial of service attack resulting in DNS being unavailable for a number of domains that host their DNS there.   More info as it becomes available.

 

Update: (2007-08-10 01:00 UTC) They seem to be back up now.

Keywords:
0 comment(s)

SANSFIRE 2007 wrap up, part 1

Published: 2007-08-09
Last Updated: 2007-08-09 21:05:20 UTC
by Jim Clausing (Version: 1)
0 comment(s)

It has now been a week since I got home from SANSFIRE.  Since we here at the Internet Storm Center are the hosts of this conference, this is the one that usually has the largest contingent of handlers present.  After mostly getting caught up on work at the day job, on behalf of all the handers, I'd like to thank all of you who attended our panel discussion and the talks by Tom and Ed, William and Robert, Adrien, Lorna, Don, and Johannes.  Copies of the slides from some of the talks will be available here shortly, we'll put up another story with the links when they are ready to go.  As we stated during the panel discussion, we can't do what we do without all of you submitting your firewall logs to Dshield and sending us your questions, observations, malware, and most importantly packets.    We hope to see many of you again at future SANS conferences and, in particular, at next year's SANSFIRE.

 a motley crew

Keywords:
0 comment(s)

Interesting new tool

Published: 2007-08-09
Last Updated: 2007-08-09 20:41:46 UTC
by Jim Clausing (Version: 3)
0 comment(s)

No, I don't have a witty title in a dead language, but as many of you are aware, I'm constantly on the lookout for useful tools, so I was intrigued when I came across an announcement yesterday that Mandiant had released a free tool aimed at incident handlers, called Red Curtain.  The purpose of the tool is to highlight which files may be suspicious and require a closer look by investigators.  The tool scores files based on some interesting characteristics including entropy (how random the file is, which may be an indication of encryption), indications of packing, specific signatures of compilers and packers, digital signatures, etc.  It certainly isn't foolproof, but is aimed at narrowing the investigator's initial job and would correctly flag anything written by Tom "if Latin isn't your thing, next time I'll try Sanskrit (shouldn't that be the official language of SANS anyway)" Liston.   It sounds like a decent idea.  Has anyone out there tried it, yet?  If so, let us know what you think.

 

Update:  As several readers have pointed out.  The MD5 and SHA1 hashes of the zip file don't match what is on the Mandiant page, but the MD5 and SHA1 of the .exe inside the zip does match.  I've notified Mandiant, but not gotten a response yet.

 

Update 2: The Mandiant folks have responded that the software got repackaged messing up the MD5 and SHA1 of the zip file, the page will be corrected shortly

Keywords:
0 comment(s)
Diary Archives