February 1, 2012 | Alberto Ortega

Detecting malware domains by syntax heuristics

An important challenge we face when feeding our Open Source IP Reputation System is to differentiate between real threats and false positives. However, nothing in the universe is black or white. Each IP in the database has a reliability value from 1 to 10. That’s because in some special scenarios, an IP can be good and bad at the same…
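As an added illustration of what "syntax heuristics" on domain names can look like (example code written for this listing, not AlienVault's reputation engine), the script below scores the registrable label of a domain on a handful of lexical features: length, Shannon entropy, digit ratio, vowel ratio, longest consonant run and hyphen count. The thresholds and the weighting are assumptions chosen for the demonstration, and the sample domains are constructed; a real feed would treat such a score as one input to a reliability value rather than a verdict, since legitimate CDN and tracking hostnames also look machine-generated.

```python
"""Lexical (syntax) heuristics for flagging machine-generated-looking domains.

Added example; thresholds below are illustrative assumptions, not a vetted model.
"""
import math
from collections import Counter

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score higher."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_label(domain: str) -> str:
    """Label left of the TLD. Assumption: single-label TLD (no public-suffix list here)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def longest_consonant_run(s: str) -> int:
    """Length of the longest run of consonants; pronounceable words keep this small."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def domain_features(domain: str) -> dict:
    label = registered_label(domain)
    letters = [c for c in label if c.isalpha()]
    digits = sum(c.isdigit() for c in label)
    vowels = sum(c in VOWELS for c in letters)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": digits / len(label) if label else 0.0,
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "consonant_run": longest_consonant_run(label),
        "hyphens": label.count("-"),
    }


def suspicion_score(domain: str) -> int:
    """Count how many heuristics fire (0 = looks like a human-chosen name)."""
    f = domain_features(domain)
    score = 0
    if f["length"] >= 12:
        score += 1
    if f["entropy"] >= 3.5:
        score += 1
    if f["digit_ratio"] >= 0.3:
        score += 1
    if f["vowel_ratio"] <= 0.2:
        score += 1
    if f["consonant_run"] >= 5:
        score += 1
    if f["hyphens"] >= 2:
        score += 1
    return score


if __name__ == "__main__":
    # Constructed sample domains; none are claimed to be real indicators.
    for d in ["google.com", "alienvault.com", "qwzxkrtvbnplmgh.com", "x9k2-mn7-z4q.net"]:
        print(f"{d:28s} score={suspicion_score(d)} {domain_features(d)}")
```

The score is deliberately coarse: each feature contributes one point so an analyst can see which heuristic fired. In practice you would calibrate the thresholds against a known-good list (Alexa-style top sites) and a known-bad list, and feed the result into the reliability value rather than blocking on it directly.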

January 19, 2012 | Conrad Constantine

New Garage Tool: ClearCutter

I’ve just finished committing the first alpha release of ClearCutter to the Alienvault-Garage repository on GoogleCode. It’s a tool born of necessity, for anyone who’s spent a good amount of time on those ‘SIEM pre-processing’ tasks, neck-deep in sed, grep, awk, uniq. Clearcutter (because it ‘clears a forest of logs’) is my work-in-progress combination tool for all those…


January 12, 2012 | Jaime Blasco

Sykipot variant hijacks DOD and Windows smart cards

Defenses of any sort, virtual or physical, are a means of forcing your attacker to attack you on your terms, not theirs. As we build more elaborate defenses within information security, we force our attacker’s hand. For instance, in many cases, implementing multi-factor authentication systems just forces the attacker to go after that system directly to achieve their…

December 20, 2011 | Jaime Blasco

Are the Sykipot’s authors obsessed with next generation US drones?

For several weeks there has been a great deal of talk about the “undeclared global cyber war”. There have been accusations that China is stealing almost anything they choose and that they have a “shopping list” that gives priority to key industries like clean energy, biotechnology, semiconductors, information technology, aerospace technology and medical technology. This month, Lockheed Martin raised the…

December 12, 2011 | Jaime Blasco

Another Sykipot sample likely targeting US federal agencies

Last week Adobe issued an advisory on a zero-day vulnerability (CVE-2011-2462) that has been used in targeted attacks, probably against defense contractors. The payload used is Sykipot, a known malware that has connections with several targeted attacks/0days in the past. During the analysis of this attack, I’ve found a new sample with a fresh command and control…

December 6, 2011 | Conrad Constantine

Easy entry to SIEM Correlation Rules with Policy Validation

“We’d love to do log correlation, but we just don’t know where to start!” If I had a dollar for every time I’ve heard this expressed, I’d ... have enough to buy everyone in the company a round of drinks. Start with what you know. For most organizations, the amount of…

December 6, 2011 | Conrad Constantine

SIEM for ITIL-Mature Incident Response (Part 2)

In between firefighting the crisis of the week, we hope you have time to read the latest in my series on the path to using SIEM as the foundation for building an Incident Response team that adds value to the enterprise outside of crisis times. Once I started on this document series it became obvious that it wasn’t going…

November 28, 2011 | Conrad Constantine

SIEM for ITIL-Mature Incident Response (Part 1)

Incident Response is a field stuck in perpetual-firefighting mode, when it exists at all as a formalized unit. Yet as major breaches continue to happen, Incident Response proves to be possibly the most essential part of any Enterprise Security Program; in the words of Bruce Schneier: “You can’t defend. You can’t prevent. The only thing you can do…

November 23, 2011 | Conrad Constantine

8 Years of OSSIM

We love data visualization, it’s true, and Information Security is always in need of new ways to adapt visualization techniques to mining through event data. This is a particular visualization engine I’ve been looking at lately to adapt for replaying complex timelines (e.g. replays of Breach evidence)… but out of the box, it does…

November 11, 2011 | Dominique Karg

Bubba Xyzzy is born!

Hey all, we’d like to introduce you to our new little Alien mascot. You’ve seen him for about a month here on the Labs page but he’ll be much more predominant around Alienvault in the near future. No worries, he’ll never become annoying like “Clippy” (“I see you are trying to do a security analysis. Would…

November 3, 2011 | Jaime Blasco

Massively collecting CRL and OCSP information

As part of the IP reputation project we are writing a small engine to avoid false positives and whitelist some common IPs/networks. Usually when you execute a binary on a sandbox and the executable file has been signed, you see a lot of connections to the servers hosting the Certificate Revocation Lists (CRL) and the Online Certificate Status Protocol (OCSP) responders. …

October 18, 2011 | Dominique Karg

3.1 coming soon

Big news on the release front. Some features didn’t make it into 3.0 due to QA but now this has been solved and we wanted to roll out a minor release (which is not so minor if you look at the Changelog…) with this data, before heading towards 4.0 (IPv6 support, huge improvements on the multitenancy/multicustomer side and big performance…
