Tracing your TCP IPv4 connections with eBPF and BCC from the Linux kernel JIT-VM to Splunk

Starting with Linux kernel 4.1, an interesting feature became usable for tracing: eBPF. For anyone who has played with networking, BPF should sound familiar: it is the packet-filtering mechanism that user-space tools such as tcpdump or Wireshark rely on to capture and display only the wanted (filtered) packets. The e in eBPF stands for extended: the same machinery now reaches beyond network traffic and lets you trace various things from the kernel, such as syscalls, kprobes and tracepoints.

eBPF runs a small program written in restricted C and compiled (with clang/LLVM) into BPF bytecode. The kernel verifies that bytecode before loading it, then either interprets it or hands it to the Just-In-Time compiler, which turns it into native machine code. In short, eBPF is a virtual machine inside the Linux kernel that executes code supplied from user space. In the current git tree, BPF offers 89 instructions called from the bytecode buffer making …
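To make the tracing side concrete, here is an added example (not the post's own script) that follows the kprobe/kretprobe pattern BCC's tcpconnect tool uses on tcp_v4_connect and writes each successful IPv4 connect as a key=value line, the shape Splunk extracts fields from automatically. It assumes a Linux host with the bcc Python bindings installed and root privileges for the actual tracing; the address and formatting helpers run anywhere, and the Splunk ingestion (a file monitor on the output) is assumed rather than shown.

```python
#!/usr/bin/env python3
"""Added example: trace outgoing TCP IPv4 connects with BCC/eBPF and emit
Splunk-friendly key=value lines. Adapted from the tcpconnect pattern used by
BCC's tools; illustrative code, not the blog post's script. Tracing needs
root and the bcc bindings; the helpers below work without them."""
import socket
import struct
import time

try:
    from bcc import BPF  # bcc Python bindings (e.g. package python3-bpfcc)
except ImportError:      # lets the helpers be used/tested without bcc
    BPF = None

# eBPF program in restricted C; BCC compiles it to bytecode at run time and the
# kprobe__/kretprobe__ prefixes make it attach to the named kernel function.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
#include <net/sock.h>
#include <bcc/proto.h>

struct event_t {
    u32 pid;
    u32 saddr;      /* IPv4 source, network byte order */
    u32 daddr;      /* IPv4 destination, network byte order */
    u16 dport;      /* destination port, host byte order */
    char comm[TASK_COMM_LEN];
};
BPF_PERF_OUTPUT(events);
BPF_HASH(currsock, u32, struct sock *);

/* Entry: remember which socket this pid is connecting. */
int kprobe__tcp_v4_connect(struct pt_regs *ctx, struct sock *sk) {
    u32 pid = bpf_get_current_pid_tgid();
    currsock.update(&pid, &sk);
    return 0;
}

/* Return: addresses are filled in by now; report only successful connects. */
int kretprobe__tcp_v4_connect(struct pt_regs *ctx) {
    int ret = PT_REGS_RC(ctx);
    u32 pid = bpf_get_current_pid_tgid();
    struct sock **skpp = currsock.lookup(&pid);
    if (skpp == 0)
        return 0;                   /* missed the entry probe */
    struct sock *skp = *skpp;
    currsock.delete(&pid);
    if (ret != 0)
        return 0;                   /* connect() failed */
    struct event_t ev = {};
    ev.pid = pid;
    ev.saddr = skp->__sk_common.skc_rcv_saddr;
    ev.daddr = skp->__sk_common.skc_daddr;
    ev.dport = ntohs(skp->__sk_common.skc_dport);
    bpf_get_current_comm(&ev.comm, sizeof(ev.comm));
    events.perf_submit(ctx, &ev, sizeof(ev));
    return 0;
}
"""


def ipv4_to_u32(dotted):
    """Dotted quad -> the u32 BCC hands back (network-order bytes, native int)."""
    return struct.unpack("I", socket.inet_aton(dotted))[0]


def u32_to_ipv4(addr):
    """Inverse of ipv4_to_u32: render a kernel __be32 as a dotted quad."""
    return socket.inet_ntop(socket.AF_INET, struct.pack("I", addr))


def format_event(ts, pid, comm, saddr, daddr, dport):
    """One key=value line per connect; Splunk auto-extracts these as fields."""
    return "ts=%.6f pid=%d comm=%s src=%s dst=%s dport=%d" % (
        ts, pid, comm, u32_to_ipv4(saddr), u32_to_ipv4(daddr), dport)


def trace(out):
    """Load the program, attach the probes and stream events to `out`."""
    b = BPF(text=BPF_PROGRAM)

    def handle(cpu, data, size):
        ev = b["events"].event(data)
        comm = ev.comm.decode("utf-8", "replace")
        out.write(format_event(time.time(), ev.pid, comm,
                               ev.saddr, ev.daddr, ev.dport) + "\n")
        out.flush()

    b["events"].open_perf_buffer(handle)
    while True:
        b.perf_buffer_poll()


if __name__ == "__main__":
    import sys
    if BPF is None:
        sys.exit("bcc not installed; run on Linux with bcc as root to trace")
    trace(sys.stdout)
```

The entry probe only stashes the socket pointer because the destination fields are not populated until the call returns; the return probe reads them, drops the map entry, and skips failed connects so the Splunk index only sees sessions that were actually established.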

» Continue reading

When entropy meets Shannon

This is the third post on URL analysis, please have a look at the two other posts for more context about what can be done with Splunk to analyze URLs:

This article shows how one can detect DNS tunnels. While there are lots of very useful apps on Splunkbase to help you analyze DNS data, it is always good for curious individuals to discover some of the techniques used underneath.

A lot of captive portals are bypassed every day by anyone able to send a DNS request. If someone can run the following command on their machine:

$ host splunk.com
splunk.com has address 54.69.58.243
...

Without being authenticated …
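The entropy idea in this post's title is the classic detection: a tunnel has to encode its payload into query names, so the subdomain labels under the tunnel's domain are long, high-entropy and rarely repeat. The following is an added example (not the post's code) that computes Shannon entropy per query and aggregates per registered domain; the log format, the sample lines and the thresholds (3.5 bits, 20 characters, 3 distinct subdomains) are constructed for illustration, and the "last two labels" rule for the registered domain is a simplification that a real implementation would replace with a Public Suffix List lookup.

```python
"""Added example: flag DNS-tunnel candidates by the Shannon entropy and length
of the subdomain labels queried under each registered domain. Not code from
the blog post; thresholds and sample data are assumptions for illustration."""
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Shannon entropy in bits per character (0.0 for an empty or uniform string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname, suffix_labels=2):
    """Return (registered_domain, subdomain_text).
    Simplification: the registered domain is the last two labels; use the
    Public Suffix List in production (yahoo.co.uk is mis-split here)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= suffix_labels:
        return ".".join(labels), ""
    return ".".join(labels[-suffix_labels:]), "".join(labels[:-suffix_labels])


def parse_query_log(lines):
    """Parse constructed 'key=value' query-log lines; yield (client, qname)."""
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "query" in fields:
            yield fields.get("client", "?"), fields["query"]


def detect_tunnel_domains(lines, entropy_threshold=3.5, min_length=20,
                          min_unique=3):
    """Per registered domain, count distinct subdomains that are both long and
    high-entropy. Several of them under one domain is the encoded-payload
    footprint of a tunnel (thresholds are assumptions, tune on your data)."""
    seen = defaultdict(set)
    for _client, qname in parse_query_log(lines):
        domain, sub = split_qname(qname)
        seen[domain].add(sub)
    report = {}
    for domain, subs in seen.items():
        encoded = [s for s in subs
                   if len(s) >= min_length and shannon_entropy(s) >= entropy_threshold]
        mean_h = sum(shannon_entropy(s) for s in subs) / len(subs)
        report[domain] = {
            "unique_subdomains": len(subs),
            "mean_entropy": round(mean_h, 3),
            "suspicious": len(encoded) >= min_unique,
        }
    return report


# Constructed sample: three ordinary lookups, then four tunnel-style queries
# whose labels are 30 distinct characters each (entropy close to log2(30)).
SAMPLE_LOG = [
    "2016-03-01T10:00:01 client=10.0.0.12 query=www.splunk.com type=A",
    "2016-03-01T10:00:02 client=10.0.0.12 query=mail.google.com type=A",
    "2016-03-01T10:00:03 client=10.0.0.12 query=www.google.com type=A",
    "2016-03-01T10:00:04 client=10.0.0.23 query=k3x9qz2vm7wp4rt8yb1nc6dl5hs0fg.t.example.net type=TXT",
    "2016-03-01T10:00:05 client=10.0.0.23 query=9f2hd7ks1lq4vb8xz3nm0pc5wt6yr.t.example.net type=TXT",
    "2016-03-01T10:00:06 client=10.0.0.23 query=c6t1rz8mq3yk5xv0hn2pd7fb4lw9sg.t.example.net type=TXT",
    "2016-03-01T10:00:07 client=10.0.0.23 query=x2mb7gs4zl1qv9ky0tn5dh8pw3rc6f.t.example.net type=TXT",
]

if __name__ == "__main__":
    for domain, stats in sorted(detect_tunnel_domains(SAMPLE_LOG).items()):
        print(domain, stats)
```

Entropy alone misfires on CDN hostnames and hashed cache-buster labels, which is why the aggregation also requires volume of distinct subdomains under one domain; in Splunk the same logic maps onto an `eval`-computed entropy field followed by `stats dc(subdomain) avg(entropy) by domain`.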

» Continue reading

Hunting that evil typosquatter

We are continuing our URL investigations, S1 episode 2. If you missed the first episode, you can go and read the blog post Splunking 1 million URLs first.

One of the well-known security problems is typosquatting. What would happen if someone registered www.yahoo.om? Given that Yahoo is one of the most popular websites, there is a high chance that a small percentage of visitors would type this instead of the legitimate www.yahoo.com.

.om is the ccTLD for the country of Oman

I encourage you to read a thorough analysis on this problem from Endgame “What does Oman, the House of Cards, and Typosquatting Have in Common? The .om Domain and the Dangers of Typosquatting”. They even published a list …
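A hunt for typosquats needs two things: a way to enumerate the plausible typos of the domains you care about, and a lookup of observed names against that set. Here is an added example (not the post's code) that generates single-edit variants (the dropped c that turns .com into .om, a dropped or doubled letter, two swapped neighbours, a dropped dot) for a list of legitimate domains in the Alexa CSV format and matches observed DNS or proxy hostnames against them. The Alexa-style rows and the observed names are constructed; the "last two labels" rule for the registrable domain is a simplification that breaks on ccTLDs such as .co.uk.

```python
"""Added example: enumerate typo variants of legitimate domains and match
observed hostnames against them. Not the blog post's code; the Alexa-style
rows and observed names below are constructed for illustration."""


def typo_variants(domain):
    """Single-edit typos of a domain: character omission (yahoo.om),
    repetition (yahooo.com), adjacent transposition (yahoo.ocm) and dot
    omission (wwwyahoo.com). Variants with an empty label or no dot are dropped."""
    out = set()
    n = len(domain)
    for i, ch in enumerate(domain):
        if ch == ".":
            out.add(domain[:i] + domain[i + 1:])               # dot omission
            continue
        out.add(domain[:i] + domain[i + 1:])                   # omission
        out.add(domain[:i] + ch + domain[i:])                  # repetition
        if i + 1 < n and domain[i + 1] != ".":
            out.add(domain[:i] + domain[i + 1] + ch + domain[i + 2:])  # swap
    out.discard(domain)
    return {d for d in out if "." in d and all(d.split("."))}


def registrable(name, suffix_labels=2):
    """Last two labels (www.yahoo.om -> yahoo.om). Simplification: a Public
    Suffix List lookup is needed for ccTLDs such as .co.uk."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-suffix_labels:])


def load_alexa_csv(rows, top=1000000):
    """Alexa-style 'rank,domain' rows -> domains ranked within the top N."""
    domains = []
    for row in rows:
        rank, domain = row.strip().split(",", 1)
        if int(rank) <= top:
            domains.append(domain.lower())
    return domains


def find_typosquats(observed, legit_domains):
    """Map each observed name to the legitimate domain it is a typo of."""
    lookup = {}
    for legit in legit_domains:
        for variant in typo_variants(legit):
            lookup.setdefault(variant, legit)
    legit_set = set(legit_domains)
    hits = {}
    for name in observed:
        reg = registrable(name)
        if reg in legit_set:
            continue            # the real site, or a variant that is itself legitimate
        if reg in lookup:
            hits[name] = lookup[reg]
    return hits


# Constructed Alexa-format rows (rank,domain) and constructed observed names.
ALEXA_ROWS = ["1,google.com", "2,facebook.com", "3,yahoo.com", "4,splunk.com"]
OBSERVED = ["www.yahoo.om", "www.yahoo.com", "faceboook.com",
            "splunk.cm", "mail.google.com", "gogle.com"]

if __name__ == "__main__":
    for name, target in sorted(find_typosquats(OBSERVED, load_alexa_csv(ALEXA_ROWS)).items()):
        print("%-20s looks like a typo of %s" % (name, target))
```

The variant set for the full Alexa list is large (roughly 50 to 100 entries per domain), so in Splunk it is better materialised once as a lookup table keyed by variant and joined against the registrable domain of each observed hostname than recomputed per search.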

» Continue reading

Splunking 1 million URLs

Do you love URLs? I do! They are a great way to gain insight into behaviors, catch malware, and help classify what is going on in a network.

I also have a secret: I collect them. The more I have, the happier I am! So what is better than Splunk to analyze them?

This is the first post of a series on what one can do with URLs and Splunk. Please share war stories in the comments, or anything you are doing with Splunk and URLs, so I can enrich the upcoming posts.

First, you need to grab the Alexa Top 1 Million list, a downloadable CSV of the one million most-visited sites, one ranked domain per row.

We add the new data source …

» Continue reading