Internet Storm Center
Date | Author | Title

LOG REVIEW
2021-02-13 | Guy Bruneau | Using Logstash to Parse IPtables Firewall Logs

LOG
2023-01-21 | Guy Bruneau | DShield Sensor JSON Log to Elasticsearch
2023-01-08 | Guy Bruneau | DShield Sensor JSON Log Analysis
2022-12-21 | Guy Bruneau | DShield Sensor Setup in Azure
2022-07-20 | Xavier Mertens | Malicious Python Script Behaving Like a Rubber Ducky
2022-04-25 | Xavier Mertens | Simple PDF Linking to Malicious Content
2022-04-05 | Johannes Ullrich | WebLogic Crypto Miner Malware Disabling Alibaba Cloud Monitoring Tools
2022-02-23 | Johannes Ullrich | The Rise and Fall of log4shell
2022-01-29 | Guy Bruneau | SIEM In this Decade, Are They Better than the Last?
2022-01-17 | Johannes Ullrich | Log4Shell Attacks Getting "Smarter"
2021-12-29 | Russ McRee | Log4j 2 Security Vulnerabilities Update Guide
2021-12-23 | Johannes Ullrich | log4shell and cloud provider internal meta data services (IMDS)
2021-12-23 | Johannes Ullrich | Defending Cloud IMDS Against log4shell (and more)
2021-12-14 | Johannes Ullrich | Log4j: Getting ready for the long haul (CVE-2021-44228)
2021-12-11 | Johannes Ullrich | Log4j / Log4Shell Followup: What we see and how to defend (and how to access our data)
2021-12-10 | Bojan Zdrnja | RCE in log4j, Log4Shell, or how things can get bad quickly
2021-10-11 | Johannes Ullrich | Things that go "Bump" in the Night: Non HTTP Requests Hitting Web Servers
2021-10-09 | Guy Bruneau | Scanning for Previous Oracle WebLogic Vulnerabilities
2021-09-11 | Guy Bruneau | Shipping to Elasticsearch Microsoft DNS Logs
2021-06-11 | Xavier Mertens | Keeping an Eye on Dangerous Python Modules
2021-04-10 | Guy Bruneau | Building an IDS Sensor with Suricata & Zeek with Logs to ELK
2021-03-18 | Xavier Mertens | Simple Python Keylogger
2021-03-12 | Guy Bruneau | Microsoft DHCP Logs Shipped to ELK
2021-02-13 | Guy Bruneau | Using Logstash to Parse IPtables Firewall Logs
2021-01-30 | Guy Bruneau | PacketSifter as Network Parsing and Telemetry Tool
2020-11-07 | Guy Bruneau | Cryptojacking Targeting WebLogic TCP/7001
2020-10-29 | Johannes Ullrich | PATCH NOW: CVE-2020-14882 Weblogic Actively Exploited Against Honeypots
2020-10-01 | Daniel Wesemann | Making sense of Azure AD (AAD) activity logs
2020-08-14 | Jan Kopriva | Definition of 'overkill' - using 130 MB executable to hide 24 kB malware
2020-07-27 | Johannes Ullrich | In Memory of Donald Smith
2020-07-23 | Xavier Mertens | Simple Blocklisting with MISP & pfSense
2020-02-12 | Rob VandenBrink | March Patch Tuesday is Coming - the LDAP Changes will Change Your Life!
2020-01-25 | Guy Bruneau | Is Threat Hunting the new Fad?
2020-01-12 | Guy Bruneau | ELK Dashboard and Logstash parser for tcp-honeypot Logs
2019-12-07 | Guy Bruneau | Integrating Pi-hole Logs in ELK with Logstash
2019-10-30 | Xavier Mertens | Keep an Eye on Remote Access to Mailboxes
2019-09-17 | Rob VandenBrink | Investigating Gaps in your Windows Event Logs
2019-06-19 | Johannes Ullrich | Critical Actively Exploited WebLogic Flaw Patched CVE-2019-2729
2019-06-06 | Xavier Mertens | Keep an Eye on Your WMI Logs
2019-05-19 | Guy Bruneau | Is Metadata Only Approach, Good Enough for Network Traffic Analysis?
2019-04-28 | Johannes Ullrich | Update about Weblogic CVE-2019-2725 (Exploits Used in the Wild, Patch Status)
2019-04-25 | Rob VandenBrink | Unpatched Vulnerability Alert - WebLogic Zero Day
2019-02-21 | Xavier Mertens | Simple Powershell Keyloggers are Back
2019-02-18 | Didier Stevens | Know What You Are Logging
2019-02-07 | Xavier Mertens | Phishing Kit with JavaScript Keylogger
2018-07-20 | Kevin Liston | Weblogic Exploit Code Made Public (CVE-2018-2893)
2018-07-17 | Xavier Mertens | Searching for Geographically Improbable Login Attempts
2018-06-21 | Xavier Mertens | Are Your Hunting Rules Still Working?
2018-06-19 | Xavier Mertens | PowerShell: ScriptBlock Logging... Or Not?
2018-06-06 | Xavier Mertens | Converting PCAP Web Traffic to Apache Log
2018-05-03 | Renato Marinho | WebLogic Exploited in the Wild (Again)
2018-01-07 | Guy Bruneau | SSH Scans by Clients Types
2017-09-29 | Lorna Hutcheson | Good Analysis = Understanding(tools + logs + normal)
2017-07-09 | Russ McRee | Adversary hunting with SOF-ELK
2017-04-20 | Xavier Mertens | DNS Query Length... Because Size Does Matter
2016-12-27 | Guy Bruneau | Using daemonlogger as a Software Tap
2016-08-29 | Russ McRee | Recommended Reading: Intrusion Detection Using Indicators of Compromise Based on Best Practices and Windows Event Logs
2016-06-01 | Xavier Mertens | Docker Containers Logging
2015-07-31 | Russ McRee | Tech tip: Invoke a system command in R
2015-07-31 | Russ McRee | Tech tip follow-up: Using the data Invoked with R's system command
2015-06-01 | Tom Webb | Submit Dshield ASA Logs
2015-05-20 | Brad Duncan | Logjam - vulnerabilities in Diffie-Hellman key exchange affect browsers and servers using TLS
2015-04-23 | Bojan Zdrnja | When automation does not help
2015-03-11 | Rob VandenBrink | Syslog Skeet Shooting - Targetting Real Problems in Event Logs
2014-09-27 | Guy Bruneau | What has Bash and Heartbleed Taught Us?
2014-09-22 | Johannes Ullrich | Fake LogMeIn Certificate Update with Bad AV Detection Rate
2014-08-15 | Tom Webb | AppLocker Event Logs with OSSEC 2.8
2014-08-05 | Johannes Ullrich | Synolocker: Why OFFLINE Backups are important
2014-04-21 | Daniel Wesemann | Finding the bleeders
2014-04-04 | Rob VandenBrink | Dealing with Disaster - A Short Malware Incident Response
2014-04-01 | Johannes Ullrich | cmd.so Synology Scanner Also Found on Routers
2014-03-31 | Johannes Ullrich | More Device Malware: This is why your DVR attacked my Synology Disk Station (and now with Bitcoin Miner!)
2014-03-28 | Johannes Ullrich | War of the Bots: When DVRs attack NASs
2014-03-26 | Johannes Ullrich | Let's Finally "Nail" This Port 5000 Traffic - Synology owners needed.
2014-03-13 | Daniel Wesemann | Web server logs containing RS=^ ?
2014-02-14 | Chris Mohan | Scanning activity for /siemens/bootstrapping/JnlpBrowser/Development/
2014-02-09 | Basil Alawi S.Taher | Mandiant Highlighter 2
2014-01-27 | Basil Alawi S.Taher | Log Parsing with Mandiant Highlighter (1)
2014-01-14 | Chris Mohan | Spamming and scanning botnets - is there something I can do to block them from my site?
2014-01-04 | Tom Webb | Monitoring Windows Networks Using Syslog (Part One)
2013-12-03 | Rob VandenBrink | Even in the Quietest Moments ...
2013-11-16 | Guy Bruneau | Sagan as a Log Normalizer
2013-10-10 | Mark Hofman | CSAM Some more unusual scans
2013-09-24 | Tom Webb | IDS, NSM, and Log Management with Security Onion 12.04.3
2013-09-11 | Alex Stanford | Getting Started with Rsyslog Filters
2013-09-02 | Guy Bruneau | Snort IDS Sensor with Sguil New ISO Released
2013-08-21 | Alex Stanford | Psst. Your Browser Knows All Your Secrets.
2013-02-28 | Daniel Wesemann | Parsing Windows Eventlogs in Powershell
2013-02-27 | Adam Swanger | Guest Diary: Dylan Johnson - There's value in them there logs!
2013-02-22 | Chris Mohan | PHP 5.4.12 and PHP 5.3.22 released http://www.php.net/ChangeLog-5.php
2013-02-17 | Guy Bruneau | HP ArcSight Connector Appliance and Logger Vulnerabilities
2013-02-06 | Johannes Ullrich | Are you losing system logging information (and don't know it)?
2012-12-02 | Guy Bruneau | Collecting Logs from Security Devices at Home
2012-07-13 | Russ McRee | 2 for 1: SANSFIRE & MSRA presentations
2012-07-11 | Rick Wanner | Excellent Security Education Resources
2012-05-02 | Bojan Zdrnja | Monitoring VMWare logs
2012-04-08 | Chris Mohan | Blog Log: More noise or a rich source of intelligence?
2011-11-19 | Kevin Liston | Monitoring your Log Monitoring Process
2011-06-21 | Chris Mohan | Australian government security audit report shows tough love to agencies
2011-06-20 | Chris Mohan | Log files - are you reviewing yours?
2011-05-17 | Johannes Ullrich | A Couple Days of Logs: Looking for the Russian Business Network
2011-03-29 | Daniel Wesemann | Making sense of RSA ACE server audit logs
2011-03-11 | Guy Bruneau | Snort IDS Sensor with Sguil Framework ISO
2011-01-24 | Rob VandenBrink | Where have all the COM Ports Gone? - How enumerating COM ports led to me finding a “misplaced” Microsoft tool
2010-12-24 | Daniel Wesemann | A question of class
2010-09-28 | Daniel Wesemann | Supporting the economy (in Russia and Ukraine)
2010-07-24 | Manuel Humberto Santander Pelaez | Transmiting logon information unsecured in the network
2010-04-06 | Daniel Wesemann | Application Logs
2010-03-10 | Rob VandenBrink | What's My Firewall Telling Me? (Part 4)
2010-03-05 | Kyle Haugsness | What is your firewall log telling you - responses
2010-02-23 | Mark Hofman | What is your firewall telling you and what is TCP249?
2010-02-06 | Guy Bruneau | Oracle WebLogic Server Security Alert
2010-01-29 | Johannes Ullrich | Analyzing isc.sans.org weblogs, part 2, RFI attacks
2010-01-20 | Johannes Ullrich | Weathering the Storm Part 1: An analysis of our SANS ISC weblogs http://appsecstreetfighter.com
2009-10-26 | Johannes Ullrich | Web honeypot Update
2009-10-26 | Johannes Ullrich | Today: ISC Login bugfix day. If you have issues logging in using OpenID, please email a copy of your OpenID URL to jullrich\at\sans.edu
2009-04-16 | Adrien de Beaupre | Strange Windows Event Log entry
2009-04-09 | Johannes Ullrich | Conficker update with payload
2009-03-26 | Mark Hofman | Webhoneypot fun
2009-01-09 | Johannes Ullrich | SANS Log Management Survey
2008-11-05 | donald smith | If you missed President Elect Obamas speech have some malware instead
2008-08-19 | Johannes Ullrich | A morning stroll through my web logs
2008-08-05 | Daniel Wesemann | Watching those DNS logs
2006-10-02 | Jim Clausing | Reader's tip of the day: ratios vs. raw counts
2006-09-18 | Jim Clausing | Log analysis follow up
2006-09-09 | Jim Clausing | Log Analysis tips?
2006-09-09 | Jim Clausing | A few preliminary log analysis thoughts

REVIEW
2021-02-13 | Guy Bruneau | Using Logstash to Parse IPtables Firewall Logs
2016-11-25 | Xavier Mertens | Free Software Quick Security Checklist
2012-02-07 | Jim Clausing | Book Review: Practical Packet Analysis, 2nd ed
2009-03-10 | Swa Frantzen | TinyURL and security
2009-02-25 | Andre Ludwig | Preview/Iphone/Linux pdf issues
2008-03-30 | Mark Hofman | Mail Anyone?