Threat Hunting With Python Part 4: Examining Microsoft SQL Based Historian Traffic

This is the fourth part of a series I originally posted on the Dragos Blog. Working in the ICS information security space affords the opportunity to visit some cool critical infrastructure sites. From massive refineries that turn raw crude into diesel and gas to wind farms that harness the power of nature to generate electricity, it …

Threat Hunting with Python and Bro IDS Part 3: Taming SMB

This is the third part of a series I originally posted on the Dragos Blog. 2017 was a busy year for attackers. Between the WannaCry/Petya/Bad Rabbit ransomware, GOP hacks, Game of Thrones/HBO hacks, Equifax breach and the TRISIS malware that targeted industrial control safety systems in the Middle East, many new proven attack scenarios developed that …

Simplifying Bro IDS Log Parsing with ParseBroLogs

This week I pushed a Python package to pip to simplify parsing logs from the Bro Intrusion Detection System. This package works on both Python 2 and Python 3. You can use the following command to install the utility in your environment: pip install parsebrologs Additional examples and the source code are available on Github. Motivation: …

Threat Hunting with Python Part 2: Detecting Nmap Behavior with Bro HTTP Logs

This is the second part of a series I originally posted on the Dragos Blog. Prologue: Begin the Hunt In the last edition of this series, we detected Nmap scans by looking for URI indicators associated with Nmap. This week we are going to move away from URI based indicators and focus on Nmap's behavior …
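Two of the posts above share one building block: reading Bro's tab-separated log format (the job ParseBroLogs packages up) and then running a hunt over the resulting records (the URI-indicator Nmap detection referenced in Part 2). The example below is added here and is not code from ParseBroLogs or from the Dragos posts. It parses the `#separator`, `#set_separator`, `#unset_field`, `#empty_field`, `#fields` and `#types` header lines that every Bro log carries, converts each column to a Python type based on the declared Bro type, and then flags HTTP records matching two Nmap indicators that come from Nmap's own probe strings rather than from the page: the Nmap Scripting Engine user-agent and the `/nice ports,/Trinity.txt.bak` service-probe URI. The `http.log` content is constructed for the example, not captured traffic.

```python
"""Parse a Bro/Zeek TSV log and flag Nmap HTTP indicators (added example)."""
import codecs
from typing import Dict, List, Tuple

# Constructed sample http.log in Bro's TSV format (not real captured traffic).
# "\\x09" yields the literal text \x09 that Bro writes on its #separator line.
SAMPLE_HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tuser_agent\tstatus_code\ttags
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\tcount\tset[enum]
1515585600.100000\tC1\t10.0.0.5\t51234\t10.0.0.10\t80\tGET\t10.0.0.10\t/\tMozilla/5.0 (Windows NT 10.0)\t200\t(empty)
1515585601.200000\tC2\t10.0.0.7\t40001\t10.0.0.10\t80\tGET\t10.0.0.10\t/nice%20ports%2C/Tri%6Eity.txt%2ebak\t-\t404\t(empty)
1515585602.300000\tC3\t10.0.0.7\t40002\t10.0.0.10\t80\tGET\t10.0.0.10\t/robots.txt\tMozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)\t200\t(empty)
1515585603.400000\tC4\t10.0.0.9\t50000\t10.0.0.10\t80\tPOST\t10.0.0.10\t/login\tcurl/7.58.0\t-\t(empty)
#close\t2018-01-10-12-05-00
"""

# Indicators taken from Nmap's NSE user-agent and its HTTP service probe
# (assumption for this example; the page does not list specific indicators).
NMAP_NSE_UA = "Nmap Scripting Engine"
NMAP_PROBE_URI = "/nice%20ports%2C/Tri%6Eity.txt%2ebak"


def _convert(value: str, btype: str, set_sep: str, unset: str, empty: str):
    """Turn one TSV cell into a Python value according to its Bro type."""
    if value == unset:                      # "-" means the field was never set
        return None
    if btype.startswith(("set[", "vector[")):
        return [] if value == empty else value.split(set_sep)
    if value == empty:                      # "(empty)" means an empty string
        return ""
    if btype in ("count", "int", "port"):
        return int(value)
    if btype in ("time", "double", "interval"):
        return float(value)
    if btype == "bool":
        return value == "T"
    return value                            # string, addr, enum, subnet stay text


def parse_bro_log(text: str) -> List[Dict[str, object]]:
    """Parse Bro TSV log text into a list of typed records, honouring the header."""
    separator, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields: List[str] = []
    types: List[str] = []
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator itself is written as an escape sequence, e.g. \x09.
                separator = codecs.decode(line[len("#separator "):], "unicode_escape")
                continue
            key, _, rest = line[1:].partition(separator)
            if key == "set_separator":
                set_sep = rest
            elif key == "unset_field":
                unset = rest
            elif key == "empty_field":
                empty = rest
            elif key == "fields":
                fields = rest.split(separator)
            elif key == "types":
                types = rest.split(separator)
            continue                        # #path, #open, #close carry no data
        values = line.split(separator)
        if len(values) != len(fields):
            raise ValueError("column count does not match #fields: %r" % line)
        records.append({f: _convert(v, t, set_sep, unset, empty)
                        for f, v, t in zip(fields, values, types)})
    return records


def find_nmap_http(records: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (uid, source address, reason) for records matching an Nmap indicator."""
    hits = []
    for rec in records:
        ua = rec.get("user_agent") or ""
        uri = rec.get("uri") or ""
        if NMAP_NSE_UA in ua:
            hits.append((rec["uid"], rec["id.orig_h"], "nse_user_agent"))
        elif uri.lower() == NMAP_PROBE_URI.lower():
            hits.append((rec["uid"], rec["id.orig_h"], "service_probe_uri"))
    return hits


if __name__ == "__main__":
    for uid, src, reason in find_nmap_http(parse_bro_log(SAMPLE_HTTP_LOG)):
        print(uid, src, reason)
```

Because the parser reads the `#types` line instead of assuming column positions, the same function works on conn.log, dns.log or any other Bro log, and unset fields come back as `None` rather than the literal `-`, which is what makes the indicator checks above safe to write without special-casing missing user agents.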