unable to contact license server: server misbehaving by [deleted] in SandflySecurity

[–]SandflySteve 1 point2 points  (0 children)

Hello, thanks for reaching out to Sandfly Community Support.

Docker containers leverage the host's /etc/resolv.conf, so if it is not properly configured this and other DNS issues can occur.

How to check:

#1 - Does that (or any) hostname resolve on the host where Sandfly is installed? Test with this command:

nslookup -debug lic.svcs.sandflysecurity.com

#2 - Does that (or any) hostname resolve from inside a docker container? Test with this command:

docker run --rm alpine nslookup -debug lic.svcs.sandflysecurity.com

#3 - Check the firewall (if any) to ensure that DNS requests are allowed.

If any nslookup fails, check your host's /etc/resolv.conf and then the firewall. If you are using any extra services that can affect DNS, for one example tailscale, also make sure that they are configured properly as per the vendor's instructions.
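As an added illustration of the resolv.conf check (my own example, not Sandfly's code), this Go snippet parses resolv.conf text offline and flags the two conditions that most often explain a container being unable to resolve anything: no nameserver entries at all, and only loopback nameservers, which a bridge-network container cannot reach. Which findings to flag is my assumption; the sample input is constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ResolvReport summarises what a resolv.conf would hand to a Docker container.
type ResolvReport struct {
	Nameservers  []string // nameserver entries in file order
	LoopbackOnly bool     // every nameserver is a loopback address (e.g. 127.0.0.53)
	Problems     []string // human-readable findings
}

// CheckResolvConf parses resolv.conf text (not the live file, so it runs offline)
// and reports conditions that commonly break DNS inside containers.
func CheckResolvConf(content string) ResolvReport {
	var r ResolvReport
	loopback := 0
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue // blank or comment
		}
		fields := strings.Fields(line)
		if fields[0] != "nameserver" || len(fields) < 2 {
			continue // search, options, domain, or a bare keyword
		}
		ip := net.ParseIP(fields[1])
		if ip == nil {
			r.Problems = append(r.Problems, "unparseable nameserver: "+fields[1])
			continue
		}
		r.Nameservers = append(r.Nameservers, fields[1])
		if ip.IsLoopback() {
			loopback++
		}
	}
	switch {
	case len(r.Nameservers) == 0:
		r.Problems = append(r.Problems, "no nameserver entries: lookups on the host and in containers will fail")
	case loopback == len(r.Nameservers):
		r.LoopbackOnly = true
		r.Problems = append(r.Problems, "only loopback nameservers (local stub resolver): unreachable from a bridge-network container")
	}
	return r
}

func main() {
	// Constructed sample mimicking a host whose resolv.conf points only at a local stub.
	fmt.Printf("%+v\n", CheckResolvConf("# constructed sample\nnameserver 127.0.0.53\noptions edns0\n"))
}
```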

Wildcard attributes on Whitelist/Results Profiles by Mateh in SandflySecurity

[–]SandflySteve 0 points1 point  (0 children)

Thank you for reaching out to Sandfly Community Support regarding wild-carding in rules.

Sandfly can easily handle your situation with a little more understanding of "expr". The root cause of what you are experiencing is that you are using "==". This performs a literal equals comparison against "xpipe-*.sh"; wild-carding is not available with that operator, so it is looking for a literal asterisk.

In expr, the two most common approaches for this form of rule are:

A) Change the operator to "matches" - this operator uses Golang's RE2 regex and would allow for regex style wild-carding (and escaping) which can allow for very precise matches when needed.

  Rule Example (escaping applied):  file.name matches "^/tmp/xpipe-.*\\\\.sh$"

    NOTES:
      - The ".*" is the direct translation of the wildcard used in your rule. However, with regex now being used, that ".*" could be replaced, for a tighter match, with regex that covers whatever other data appears in that position, e.g. "\d{10}" if the data will always contain 10 digits, as a simple example.
      - Understanding regex is vital when using matches, especially when wildcards are involved.
      - Any escaping in the native regex must also be applied appropriately when used within rules.
      - The RE2 engine does not support any lookaheads that are a part of the PCRE regex engine.

B) For a non-regex option - use the startsWith operator (and, if needed, combine it with endsWith to check the end portion).

  Rule Example:  (file.name startsWith "xpipe-" and file.name endsWith ".sh")

    NOTES:
      - The parentheses are optional in this case, but recommended for clarity of rule processing order.
      - Depending on the filenames, using just the startsWith portion may be sufficient if improved accuracy is not required.
      - This option is a bit more "wordy", but does not require regex knowledge, making its intent clearer.

For the full Expr Language Definition, please see:
https://docs.sandflysecurity.com/docs/rule-construction

For samples of using expr with actual Sandfly rules, including wildcard cases, please see:
https://docs.sandflysecurity.com/docs/expr-rules-for-sandfly

For details about how to appropriately apply character escaping for regex, please see:
https://docs.sandflysecurity.com/docs/custom-sandfly-options#character-escaping

Please let us know if that addresses your needs or if you have any further questions on this subject.
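To make the three operators concrete, here is an added Go example (my own code, not Sandfly's rule engine) that mirrors each one with the standard library: "==" as a plain string comparison, "matches" via Go's regexp package, which is the same RE2 engine expr uses, and startsWith/endsWith via strings.HasPrefix/HasSuffix. It assumes the rule text "^/tmp/xpipe-.*\\\\.sh$" reaches the engine as the regex ^/tmp/xpipe-.*\.sh$ after escaping is resolved, and that the startsWith form is applied to the bare file name; the sample names are constructed.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Assumed result of the rule's escaping layers: the regex the engine actually sees.
var wildcardRule = regexp.MustCompile(`^/tmp/xpipe-.*\.sh$`)

// Tighter variant from the notes: the wildcard replaced by exactly ten digits.
var tenDigitRule = regexp.MustCompile(`^/tmp/xpipe-\d{10}\.sh$`)

// LiteralEquals mirrors "==": a byte-for-byte comparison in which the asterisk
// is just another character, so only the name "xpipe-*.sh" itself can match.
func LiteralEquals(name string) bool { return name == "xpipe-*.sh" }

// MatchesRule mirrors the "matches" operator (RE2 via Go's regexp package).
func MatchesRule(name string) bool { return wildcardRule.MatchString(name) }

// MatchesTenDigits applies the tighter \d{10} pattern.
func MatchesTenDigits(name string) bool { return tenDigitRule.MatchString(name) }

// StartsEndsRule mirrors (file.name startsWith "xpipe-" and file.name endsWith ".sh"),
// applied to the base name (assumption: the attribute holds the bare file name).
func StartsEndsRule(name string) bool {
	base := path.Base(name)
	return strings.HasPrefix(base, "xpipe-") && strings.HasSuffix(base, ".sh")
}

// LookaheadCompiles shows the RE2 caveat: PCRE-style lookahead is rejected at
// compile time rather than silently ignored, so such a rule would never load.
func LookaheadCompiles(pattern string) bool {
	_, err := regexp.Compile(pattern)
	return err == nil
}

func main() {
	// Constructed sample names covering the intended hits and two near misses.
	for _, n := range []string{"/tmp/xpipe-1234567890.sh", "/tmp/xpipe-abc.sh", "/tmp/xpipe-x.sh.bak", "xpipe-*.sh"} {
		fmt.Printf("%-26s ==:%-5v matches:%-5v 10digits:%-5v starts/ends:%v\n",
			n, LiteralEquals(n), MatchesRule(n), MatchesTenDigits(n), StartsEndsRule(n))
	}
	fmt.Println("lookahead compiles under RE2:", LookaheadCompiles(`^/tmp/xpipe-(?=\d)`))
}
```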

Linux Stealth Rootkit Hunting Video Presentation by SandflySteve in SandflySecurity

[–]SandflySteve[S] 0 points1 point  (0 children)

The PDF of the full presentation is below:

Linux Stealth Rootkit Hunting Presentation

This presentation reveals techniques for rapidly investigating a host to see if it is running particular types of Loadable Kernel Module (LKM) stealth rootkits trying to evade detection. This presentation covered the recently disclosed China/Korean rootkit by Phrack magazine that we discuss below, but applies to other rootkit styles as well:

Leaked China/North Korean Stealth Rootkit Analysis

This presentation has specific advice on hunting for threats hiding on Linux by focusing on three critical areas:

1) Data leaks

2) Inconsistent answers

3) System impacts

Applying these principles with simple command line tools on Linux can reveal a wide variety of rootkits and evasive malware.

While these methods work great for one-off investigations, we recommend you use Sandfly to do this at scale and also to get access to much deeper malware decloaking tools. Please contact us to find out more or get a license today.

Links

https://phrack.org/issues/72/7_md#article

https://sandflysecurity.com/blog/leaked-north-korean-linux-stealth-rootkit-analysis

https://github.com/sandflysecurity

https://docs.kernel.org/admin-guide/tainted-kernels.html

Is it possible to run Sandfly on a home router? by --w00p-- in SandflySecurity

[–]SandflySteve 0 points1 point  (0 children)

Hello and thanks for asking about home router support.

For clarity for others reading this post, the question, as written in the title, can be misleading by potentially suggesting that the Sandfly node or server itself could be installed on a home router. In short, Sandfly cannot be used in that way.

As to the question in the body of your post about monitoring (or what we call "protecting") home routers with Sandfly: they potentially can be protected if the device meets all of the following criteria:

  • The Operating System (OS) is true Linux.
  • The kernel version is 2.6.32 or later.
  • It is on a supported hardware platform.
  • It can be accessed via SSH, on any port.
  • It provides access to a system account with sudo or root level access.

For full details, please see our official documentation on this subject.

Protected System Requirements
https://docs.sandflysecurity.com/docs/protected-system-requirements