echoCTF on MENA ISC 2017

We’re back from another successful echoCTF based Hackathon that took place in Riyadh (KSA) for the MENA ISC 2017, which was organized by our partners at VirtuPort.

This was the largest and most dazzling implementation of echoCTF we’ve performed so far. Fourteen teams with more than 60 participants in total competed for the prizes. echoCTF included 60 target servers in total, of which 20 targets were PLCs embedded in a model city, in order to provide smart functionality for the city infrastructure and to visualize the impact when such infrastructure is successfully attacked.

Monitoring pf logs with Gource

Ever wanted to see your OpenBSD pf(4) logs in a cinematic way?

This post will demonstrate the use of Gource (a software version control visualization tool) as a means to visualize our pf firewall logs.

The examples in this post were carried out on OpenBSD, piping output from pflog(4) to a Linux workstation with OpenGL extension support.

Using OpenBGPD to distribute pf table updates to your servers

One of the challenges faced when managing our OpenBSD firewalls is the distribution of IPs to pf tables without manually modifying /etc/pf.conf on each of the firewalls every time.

This task becomes quite tedious, specifically when you want to distribute different types of changes to different systems (e.g. administrative IPs to a firewall and spammer IPs to a mail server), or if you need to distribute real-time blacklists to a large number of systems.

The following post outlines a method of distributing such lists using OpenBGP to deliver them into your pf tables.

Using syslog and Echofish to detect persistent threats on your networks

Have you checked your server logs lately? Did you see those "odd" requests from arbitrary IPs that appear to perform a single request and "vanish"? Have you ever wondered how many of those are actually random? Do they return? How often?

No matter which service you expose to the internet (http, ssh, smtp, imap), you are certain to notice protocol-aware requests (e.g. a valid HTTP GET request) from random IP addresses hitting your public services.

The following blog post focuses on answering these questions and on the ways we utilize the Abuser module of Echofish to identify persistent attackers on our services that would otherwise go unnoticed.

Using OpenBSD and vxlan to overlay remote LANs

Have you ever wanted to "merge" two or more remote LANs between your virtualized hosts? The following blog post will outline the steps required to configure VXLAN tunneling between two hosts.
