OMENS v2.02 Beta
I've completed OMENS v2.02 Beta
I decided to call this version 2.0x instead of 1.2x because I have added, changed and removed
a TON of code. There are also a few really cool new features that I felt warranted the
2.0x moniker. So let's talk about that for a minute...
First and foremost, OMENS will now feed hostile file detection back into the log file detection.
Say What?
Here was my most recent epiphany... If a bad actor uploaded malware to your server, it's likely
that they are using that malware to establish persistence (ala WebShell), or using the server to
deliver malware. So if OMENS detectects a hostile file has been added to the server - It stands
to reason that someone will try to access that file. OMENS will now auto-create a log file
signature for any hostile file it detects to see if anybody accesses that file. Even if the
hostile file is deleted, OMENS will continue to scan for that file for 5 days. This
is to help defenders see who might be attempting to access the file (and block them if so
desired), even after it has been remediated.
I've also added the ability to parse the logfile and search by fields. OMENS now allows you
to name and define the fields in your logfiles and search for signatures by those fields. I
have created a very flexible parsing engine, so that signatures can be (auto) shared among
different log formats by using a common name. For instance:
Let's say that the SourceIP is in column 9 in one log and column 2 in another: By simply searching
in a defined column named "SrcIP", each server running OMENS can define the field "SrcIP" differently.
This allows an abstracted column search that can be shared by different servers that have different
log formats.
I've also expanded the VirusTotal integration to now search VirusTotal for hostile IP addresses.
This has been another epiphany: It turns out that many time a hostile IP address detected in
the log(s) can actually also be
found in the VirusTotal database. This gives OMENS users additional information regarding the
hostile IP addresses that are scanning or attacking them. I've said it before and I will say it
again: For free, open source intel, VirusTotal is a GREAT solution!
PLEASE BE AWARE THAT OMENS v2.02 IS
BETA SOFTWARE! I've made a lot of changes, and added a lot of code. Some of it meant changing
the way the core engine(s) function. If you need a stable release, please stay with OMENS V1.19.
But if you would like to try some of these cool new functions, give OMENS v2.02 a try. I will
updating it as I shake out any bugs.
ISSA-LA Sixth Annual Information Security Summit
I'll be speaking at the Sixth Annual Information Security Summit on May 16th. This one will be a lot of fun. I'll be speaking on "Evasions": How and why hostile actors can continue to bypass security defenses. This is a subject I have been very interested in for a long time, and I am really looking forward to sharing my findings.
OMENS v1.20 is also coming along very nicely. I'm not sure yet when I will release it, because it has been a pretty big chunk of modified code. I am doing a lot of testing on it in my copious amounts of spare time. Some of the new capability is pretty exciting: For instance, OMENS v1.20 will now check to see not only if there are detected hostile files in the Web Root, but also if anybody tried to access them: This could indicate the the web server is being used to host malware - or that someone has uploaded a WebShell and is now using it. This is a simple but powerful addition to OMENS detection capabilities.
OMENS v1.19
I've discovered that IIS will fall over dead (500 Error) if you have duplicate IPSecurity entries in the IIS configuration file(s). Since OMENS generates these entries as part of its IPS capability, I have added some new code to make sure no duplicates are generated by OMENS. I've also made a few other minor bugfixes to OMENS. You can download the latest version OMENS v1.19 here.
AppSec California 2014
Well I had an absolutley fantastic time speaking at AppSec California 2014 on the Anatomy of Webshells. It was so good to catch up with old friends and co-workers, and meet so many interesting people doing such amazing research!
If you are interested in this fascinating subject, my talk was only 20 minutes long - and you can see it here: https://www.youtube.com/watch?v=tVKucIWH0w0
OMENS v1.18
I've also made a few minor bugfixes to OMENS. You can download the latest version OMENS v1.18 here.
AppSec California 2014
I'm really excited about speaking this month at AppSec California 2014
I will be covering the Anatomy of Webshells but I won't have enough time to cover how these nasties often get onto web servers in the first place.
If you are interested in a breakdown of an actual attempt that my honeypot caught. Or if you are interested in my talk (or in Webshells in general) you might be interested in my latest blog post. It breaks down the actual attack, and it covers exactly how this common attack works.
Hope to see you there!
OMENS v1.17.VT Released
Update: 2 I've added a few more evasion detections, and run a bunch of testing. OMENS v1.17.VT3 looks pretty solid. Of course YMMV - But I am now calling OMENS v1.17.VT3. the latest version.
Update: 1 I've squashed a few bugs in v1.17.VT. Some were related to the new code - Some not. Anyway. The latest is v1.17.VT2. It's the same download file. Thanks for your feedback!
OMENS 1.17.VT is all about the evasions.
A few weeks ago I wrote a Blog Post about some of the many forms of white space evasions used by hostile actors. It's not a thorough treatise, but it is a pretty good introduction to some of the challenges of detecting hostile attacks that use white space evasions.
As I thought more and more about the problem, I started working on a new evasion detection engine for OMENS. OMENS v1.17.VT is my first go at it. There is still a lot more to do - but the new engine already works well for many forms of evasion.
The task of detecting evasions is an extremely complex one. I could spend an entire day talking about all the edge cases I ran in to. So please let me know if the engine misses something. I suspect that getting the engine just right will take a little time.
I've changed and added a lot of new code, so I need Beta Testers to help me make sure everything is stable. Please consider downloading and beta testing OMENS v1.17.VT . Of course the more stable version v1.16.VT will also remain available.
OMENS v1.16 + VirusTotal = OMENS v1.16.VT
I am REALLY excited to release OMENS version 1.16.VT
OMENS always was, and always will be a security tool that was built to both consume and share as many external intel sources as I can possibly fit into the code. I am especially interested in Open Source Indicators of Compromise, because my goal is for everyone to be able to protect their Windows web servers with OMENS, regardless of their security budget.
Since Day 1 - Agregating, using, and sharing hostile indicators has been part of OMENS DNA.
That's why I got so excited when I found out that VirusTotal had a free API. For those that may not know: VirusTotal is an amazing and free service that analyzes suspicious files against several dozen Anti Virus engines. This fits perfectly with the OMENS model.
The VirusTotal service is free and crowd-sourced, and the VirusTotal database can be queried using a simple JSON based API. It was surprisingly easy to integrate OMENS with VirusTotal. This is an extremely effective way to share intel both inside your organization and outside! This means that OMENS servers everywhere can share critical malware Indicators with each other, and with any other software that integrates with VirusTotal through their API.
Not only does their service work great... Not only is it free... And not only are they awesome people to work with... But on top of all of that, the VirusTotal API is an extremly effective way to for the security community to improve malware detection, and share malware Indicators.
One Important Note: OMENS WILL NOT UPLOAD YOUR FILES TO VirusTotal. OMENS will only scan to see if the MD5 signatures of new/changed files are ALREADY in the VirusTotal database. OMENS does not upload files due to the risk of accidentally uploading files that should not be shared. However, if you suspect a file might be malware, please consider uploading it to VirusTotal in order to expand their detection database, and help others.
OMENS v1.15 and OMENSApp v0.35 Released
This has been my Feature-Creep release.
It started out simply enough with a kind-of obscure set of of features, which turned into a huge amount of code that then required a lot of testing. But as they say "All's well that ends well". I am very proud of this release, and it advances some of the commitments I have made to making OMENS not only a scanning and monitoring tool - But an example of what can be done when you build intelligence sharing right into security tools.
For OMENS I wanted to solve the problem of mixing non-sharable intel with sharable intel. This is a reality. Some thing you just can't share. So OMENS can now flag EACH SIGNATURE as sharable or not. Along with that I wanted to give some signatures greater "Weight". So all signatures can now have a weight of 0-99. The special weight of "0" can also be used to tell OMENS that a signature is for reporting only and is not hostile. This can be used to monitor certain activity without flagging it as hostile: A VERY useful feature, I have found.
OMENSApp has also been enhanced. I am becoming more and more interested in what this program can do inside of the standard uses of web technology. Creating a reliable Honey Pot App is much harder than it appears. I have a lot of ideas on this one - but I am adding the most reliable and useful ideas first.
Two new features have been added to OMENSApp: Spoofing exact Script Names, and a Tracking Cookie. The new Script Name Spoofing allows you to create specific HTML replied for specific script names. For instance: If you want to emulate what Admin.php should look like to an attacker, you can create an Admin.php reply that is different from your Index.php reply. Using this feature you can create an entire Honey Pot system.
I have also added a Tracking Cookie to OMENSApp. This allows you to track an attacker using a uniquely generated cookie. As long as your attacker does not clear their cookies, this feature allows you to know if an attacker has changed their IP address to mask their activity. Like ALL CLIENT BASED tracking mechanisms this is not infallible. But it should be very useful in many cases.
OMENSApp v0.10 (HoneyApp) released
If you have seen my BsidesLV presentation, you've already heard me talk about NOT signatures.
There is probably a more official name for the concept, but that's what I am calling it for now.
The idea is this: There are certain things you should never see on your web server. For instance - if you are running a .ASP (Active Server Pages) web application, you should never, ever see a request for .PHP, .CFM (Cold Fusion) or .JSP (Java Server Pages).
OMENS can already check for these NOT Signatures in your web server logs by simply adding them to your OMENS log signature database. This tells OMENS to report and consider hostile, any URL in your web server log with that signature in it.
The idea is to get early warning of hostile actors that are probing your server, and to take necessary actions to prevent any further hostile action by that actor.
By getting visibility into actors that are probing one server for known vulnerabilities, you can then check other locations in your network that the same actor may also be probing.
That was a good start. But I could do more: Simply reporting that a NOT Signatures occured in the web server logs doesn't tell you if there was any POST data, or any Cookie data. I thought that knowing more details about these probes would give me even deeper insight into what the attacker is trying to do, or at least probe for.
Thats why I created OMENSApp. OMENSApp is simply a fake CGI Module that you can assign to process any File Type in your Windows web server. When a hostile actor requests that script type, OMENSApp logs the Time, IP Address, Cookies, GET, and POST data from the request and places the IP address on a list to be blocked (using the OMENScan IP Blocking mechanism). So if you don't have PHP on your web server, you can assign OMENSApp to process and log any PHP request. The PHP file doesn't even have to exist. OMENSApp will process ANY request for any PHP script.
OMENSApp is part of the OMENS v1.01 distribution. So when you Download and install OMENS v1.01 OMENSApp will be put in the Install Directory.
Please Note: Because this is the first BETA release of OMENSApp, you will need to install and run OMENSApp from the default install directories and database.
Viva BSides Las Vegas! Redux...
The BSides Las Vegas Security Conference has come and gone.
What a great experience.
Seriously. If you get the chance go to BSidesLV next year. Or if there is a BSides in your area, get involved. Meeting some of the people that I only knew from Twitter was a hoot. And making new friends, discussing the current state of security, and giving my talk were highlights that I will think about fondly for a long, long time.
I hear about, and have participated in, a couple of Internet communities. And the hacking community ranks as one of the most generous, helpful, and genuinely caring groups I have ever been associated with. My sincere gratitude goes out to the BSidesLV crew. I am not very outgoing, but many of the participants and staff made it easy for me to fit in.
I presented on, and released OMENS v1.00 at my talk. If you are interested: You can download My Presentation Slide Deck in PDF or if you have horrible insomnia you can Watch the presentation on Youtube.
A quick note about that: IronGeek recorded all of the BsidesLV presentations. He and his crew did an amazing job. Top notch! You can check out all the talks at his website.
Again. I'd like to thank the BSides organizers, staff, and the community for really making me feel at home. I am hoping I will get many more opportunities to speak.
Viva BSides Las Vegas!
The BSides Las Vegas Security Conference is almost upon us!
I'm very excited to be speaking on the current weaknesses in some of the common security tools we rely on today. And how OMENS can be used to help address those exposures.
Anthony M. Freed at Tripwire did an AMAZING interview with me about my presentation. If you want to get an idea of what I will be talking about check it out!
I'll also be releasing OMENS version v1.00 at my talk. And when the video of the presentation is available I will post a link to it, so you guys can have a good laugh!
See ya there!
New OMENS Videos
I'm working on some video tutorials for installing, configuring and running OMENS. Here's my first attempt at a video tutorial:
Installing OMENS
Welcome to my homestead on the Internet.
C'mon on in, pull up a seat, and stay a spell.
But, please remember - THIS IS MY PERSONAL web site. All the opinions I express here are mine alone. They do not represent the opinions of my employer(s), their customers, or partners. In fact, my opinions are often very different from those I work with. I might be wrong. I might change my mind... But this is how I see things as of this moment.
This is the place where I'd like to share my ideas, thoughts, and experiments in: Computer/Network Architecture, Computer/Network/Applications Security, Music, and Collaboration. I'm also fascinated by the convergence of technologies which are re-forming the way we work, play, and spend our money. And how the inevitable obsolescence of temporary physical transfer mediums is completely re-defining our world and our economy.
Incidentally, it is also dramatically changing crime, espionage, and activism. As well as the tools and skills needed to protect critical, valuable assets from criminals, spies, and hactivists!
For those technical folks among you - You will notice that much of this web site is written in plain old HTML and CSS. I generally shy away from things like WordPress, or CMS systems (although, I am using the most excellent mojoPortal for the OMENS Portal).
For most everything else I prefer plain old HTML and CSS. And the host you are reading this on is an actual physical server in my office. Typically, everything I write is in Windows Notepad, and every program I create (including my Web Applications) is written in C (in Windows Notepad). It's a rather archaic and time-consuming process. But I have a driving need to understand how everything works at it's basic, fundamental levels. So I usually pick the most basic technologies available to build everything I work on.
The benefit: When I build something - I have a deeper understandanding of how it works (and more importantly what doesn't work or is flawed). It's not a methodology that works for everybody. Actually, I'd guess it's really not a good idea for most people, but it's the way I like to work.
For me - This defines the hacker ethic. To tear apart technology and conform it to my needs. To do what is impossible by digging deep into the system to understand how it works, and to force it to work differently.
I've made a career out of this, and I have discovered something very important: "Impossible" is just permission to go do something that no else has done yet. I have found that if I can think of it - I can create it. If your programming language can't do what you want it to do, pick another one. And if no programming language will work, create your own. I admit, that it can be a long, meandering, and sometimes frustrating process. But I can honestly say I have never run in to a technical challenge that could not be solved - as long as I was willing to dedicate the time needed to tear it apart to really understand it, and then to make my own software tools, if necessary, to harness it.
Don't be governed by what others say is possible, or impossible. Rather, take your ideas and find a way to make them work. Think in new ways, and define your own terms. You'll be surprised what can be accomplished when you push beyond the temptation to give up. A whole other world opens up when you push past the threshold of giving up.
So this web site is the place where I'll post my thoughts, and my software. It is where I will write about computer security - My thoughts and perceptions; The computer security challenges I run in to; And how I try to mitigate or remediate them. It is where I will talk about my band, the music we make, and the places that we play. Hopefully it will be useful to someone - but even if it isn't, it will be a place that will keep some of my history for my kids when they are old enough to read a little about their dad and the stuff he thought was interesting.
Disclaimer:
The views and opinions expressed here and throughout this web site are my own. They do not reflect the views or opinions of my employer, their clients, customers, or partners. I do not speak for them and they do not speak for me. The opinions and views expressed here represent my opinions at the time of writing, and can change without notice or warning.