Posted by Ralf Hildebrandt on 12 June 2013 | 0 Comments
Tags: tshark, securityartwork, packet, capture, malware analysis
“Instant Traffic Analysis with Tshark How-to” is a short book of just about 70 pages, but it’s packed with goodies for everyday use.
Posted by Ralf Hildebrandt on 28 September 2012 | 0 Comments
Tags: Packt, free, giveaway, rules
Packt has just published its 1000th book. You are invited to join them in celebrating this milestone with a gift:
Posted by Ralf Hildebrandt on 11 September 2012 | 0 Comments
Tags: trojan, virus, targeted
Today we had our first targeted trojanization (or rather an attempt at one). A mail arrived at our site via mail.com. Sender with a German name, mail came via mailtracking.com - i.e. all URLs were rewritten so that merely reading the mail confirms to the sender that it was read. In the body a medical history, attached a Medical_Reports.zip. Inside the ZIP archive was a self-extracting exe, containing a *.docx (empty, 0 bytes) and a trojan (72 KB). The trojan was detected by virustotal.com by one of 42 scanners...
Posted by Ralf Hildebrandt on 8 May 2012 | 0 Comments
Tags: btrfs, squid
After almost 2 years I decided it was time to try btrfs yet another time on our squid proxies.
Posted by Ralf Hildebrandt on 4 May 2012 | 0 Comments
Tags: spamhaus, fail
A major fuckup on the part of spamhaus: http://www.spamhaus.org/sbl/query/SBL138067
The evidence section listed "inetnum: 95.218.0.0 - 95.219.255.255", yet spamhaus listed 93.218.0.0/15 (first octet 93 instead of 95)!
Posted by Ralf Hildebrandt on 4 May 2012 | 0 Comments
Tags: clamav, fail, squid, bofh
Recently a colleague and I wanted to submit a few FPs (false positives) to the ClamAV project. So we went to http://cgi.clamav.net/sendfp.cgi just to find an "Under Maintenance" page. So we tried a few days later, just to find the same page.
So I asked on the clamav-users mailing list and found out that the page was in fact working. Just not for us. Oh well. So I asked their admin to look into their varnish logs. He wouldn't do that.
Today, I dug deeper and found this:
Their server doesn't like the "X-Forwarded-For: unknown" header! (See http://www.squid-cache.org/Doc/config/forwarded_for/)
On our squids it was set to "forwarded_for off", which results in an "X-Forwarded-For: unknown" header - and a subsequent error page from varnish. Setting it to "delete", "on" or "truncate" makes the page http://cgi.clamav.net/sendfp.cgi work again.
Only "off" causes the page to fail.
Posted by Ralf Hildebrandt on 3 May 2012 | 0 Comments
Tags: aol, sucks, wtf, captcha
Today, we had quite a lot of mail piling up for AOL, because of this:
Posted by Ralf Hildebrandt on 8 December 2011 | 0 Comments
Tags: Cisco, sux, DKIM, Postfix
Over the last few days I discussed SMTP delivery problems with a Czech site which was using Postfix and a Cisco ASA with "smtp protocol fixup" enabled.
I was able to work around the delivery problems by stripping the DKIM headers on outgoing mails (as so often).
Some interesting info got out:
"I've also discussed these results with local Cisco support and they confirmed it's a known bug (not published) with DKIM and smtp inspection engine in latest IOS versions. This should be fixed in some newer IOS version (8.4(10)) which is not public yet (latest is 8.4(2))."
Posted by Ralf Hildebrandt on 20 June 2011 | 0 Comments
Tags: Cisco, sux, DKIM, Postfix
Cisco's firewalls, predominantly the PIX and ASA, have a feature called "smtp protocol fixup".