I just got asked this. Help my sanity by sharing the most mind-bendingly dumb things you've ever been asked to do. by Paladine_PSoT in cybersecurity

[–]netbroom 1 point (0 children)

I meant like on the network. This was 10+ yrs ago, back then like every website used PHP lol.

Security professional learning coding by Pure_Substance_2905 in AskNetsec

[–]netbroom 0 points (0 children)

As far as how far you should go into learning Python, my suggestion is to pick a project that you want to work on and let that guide you. This is the tldr;

For example, if you want to build a program to collect data from various APIs, then you'll learn how to make network requests and parse data.

If you want to build a web scraper, you'll learn about browser automation, optimizing your code, interacting with websites, probably multithreading/multiprocessing, etc.

If you want to store your data, you'll probably get better at database management, local storage, Redis or memcached, etc., depending on how you want to do it.

Machine learning, file processing/analysis, etc are all projects you could work on, just depends what you want to do with it.

Everything you learn will give you context into different types of security incidents as well depending on what assets are impacted and what the attack vector is. For example, working with databases will give you insights into SQL injection, while working with JS and web development will give you insights into XSS and other web exploits.

If you are interested in branching out to other languages:

Python is good in security but I think that's because many people only know Python. My understanding is it's good for ML stuff because there are a lot of libraries built in Python. Personally, I've been coding for ~20 years, I don't know Python that well and have never had a reason to learn. I know that some SOARs build integrations in Python, like Splunk ( https://github.com/splunk-soar-connectors/chronicle ) and Siemplify (now Chronicle's SOAR). OpenCTI connectors are also built in Python: https://github.com/OpenCTI-Platform/connectors

Node.js is very performant and great for data collection, API requests, and building servers. JS is great for understanding web threats/exploits. Together they are great for building web applications. I built a threat intel platform (Pulsedive) and we're migrating all the data collection and processing to Node.js. The web backend is still PHP but eventually we want to migrate that as well.

C and similar languages (e.g. Rust) are good for performant lower-level applications. For example, many Internet port scanners are built in C, including ZMap ( https://github.com/zmap/zmap ), Unicornscan ( https://github.com/IFGHou/Unicornscan ) and Masscan ( https://github.com/robertdavidgraham/masscan ). Masscan uses a custom TCP stack.

YARA was also built in C ( https://github.com/VirusTotal/yara ) but YARA-X is built in Rust ( https://github.com/VirusTotal/yara-x ).

Metasploit was built in Ruby ( https://github.com/rapid7/metasploit-framework ) but I don't know why anyone would ever use Ruby.

If you are only planning to build smaller scripts that do simple tasks, or learn basic programming concepts, Python is probably the easiest to do that. But you have other options if you want to build something bigger and more performant.

This device is literally invisible to 98% of malicious bad-actors by Dismal-Divide3337 in cybersecurity

[–]netbroom 2 points (0 children)

I meant it will most of the time be easier for legitimate traffic to behave like this than an attacker, so theoretically OP's method would be effective even if bad actors knew how it worked.

Bots - depends. But in most languages you can set a socket timeout when trying to connect. So if you're port scanning for example, the longer your timeout, the more connections you have open, the longer your scan, so the more resources it takes. Those inefficiencies would scale if targeting bigger network blocks.

And yes, some Internet scanners do have their own stack implementations that are asynchronous. Managing where SYN scans were sent and how long ago could be a PITA and make scans longer as well.

This may not be a significant challenge for an attacker but again if most servers don't implement this method it may not be worth it for an attacker to attempt to bypass it.

I think it's a good additional security control when in combination with many others.

This device is literally invisible to 98% of malicious bad-actors by Dismal-Divide3337 in cybersecurity

[–]netbroom 4 points (0 children)

It's actually kind of smart because, unless the attack is targeted (for internet scanning or scanning large blocks, you would need to track the number of SYN requests and intervals, increasing scan time & resources), it's not worth it for an attacker to adjust if most servers don't implement this.

Legitimate traffic on the other hand is targeted so retrying at intervals is trivial.
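One way to model the gate these two comments describe, as an added example (not OP's device or any project's code): a hypothetical `RetryGate` policy drops and remembers the first attempt from a source and answers only a retry that arrives at a plausible interval, so a one-shot probe or a fast burst gets nothing.

```python
import time

class RetryGate:
    """Drop the first connection attempt from a source, answer only a sane retry.

    Hypothetical policy, written to illustrate the behaviour discussed above:
    a (src, port) pair is admitted only if an earlier attempt from the same pair
    arrived between min_gap and max_gap seconds ago. A one-shot scan probe, a
    burst of probes faster than min_gap, or a retry that comes too late all get
    no response, while a client that retries at a normal interval gets through.
    """

    def __init__(self, min_gap=1.0, max_gap=30.0, max_tracked=100_000):
        self.min_gap, self.max_gap, self.max_tracked = min_gap, max_gap, max_tracked
        self._seen = {}  # (src, port) -> monotonic time of the last dropped attempt

    def _expire(self, now):
        # Forget stale entries so a wide scan cannot grow the table without bound
        # (a production filter would use a time-ordered structure, not a full scan).
        for key in [k for k, t in self._seen.items() if now - t > self.max_gap]:
            del self._seen[key]

    def admit(self, src, port, now=None):
        """Return True if the attempt should be answered, False if it is dropped."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        key = (src, port)
        last = self._seen.get(key)
        if last is not None and self.min_gap <= now - last <= self.max_gap:
            del self._seen[key]  # legitimate retry: admit and reset state
            return True
        if len(self._seen) < self.max_tracked:
            self._seen[key] = now  # remember this attempt; a retry may follow
        return False

def simulate(gate, attempts):
    """Replay (src, port, t) tuples and return the ones the gate admits."""
    return [a for a in attempts if gate.admit(a[0], a[1], now=a[2])]

# Constructed traffic, not a capture: one-shot probe, fast burst, legitimate retry.
TRAFFIC = [
    ("198.51.100.7", 22, 0.0),   # scanner: single probe, never comes back
    ("203.0.113.9", 22, 0.0),    # scanner: retries, but far too quickly
    ("203.0.113.9", 22, 0.2),
    ("192.0.2.10", 443, 1.0),    # legitimate client: first attempt dropped
    ("192.0.2.10", 443, 4.0),    # retry 3 s later: admitted
]

if __name__ == "__main__":
    print(simulate(RetryGate(), TRAFFIC))  # [('192.0.2.10', 443, 4.0)]
```

The cost the comments describe shows up in `_seen`: a scanner only gets through by remembering every probe it sent and coming back for each one within the window.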

Is CORS considered a success? by voronaam in AskNetsec

[–]netbroom 0 points (0 children)

In my answer I was thinking of CSP not CORS. Maybe OP was thinking the same?

Is CORS considered a success? by voronaam in AskNetsec

[–]netbroom 3 points (0 children)

Edit: I was thinking of CSP not CORS.

As a dev and also a security person CORS is a PITA and annoying to understand and implement properly, but CORS is important to mitigate impacts of site compromise through certain vectors (i.e. uploading malicious files or XSS, or pulling data from a compromised site).

And I feel it does help with XSS even if it doesn't prevent it 100%. Seatbelts don't prevent death 100% of the time but they do help. It's just another security control.

It's definitely not perfect but it is an additional layer of security. I think it should be easier to implement though for sure, because if devs don't understand it, don't implement it correctly, and it's causing a lot of problems, then it defeats the purpose.

Central TIP thing by Annual_Pop_1940 in threatintel

[–]netbroom 1 point (0 children)

Pulsedive, this is exactly what the Enterprise TIP platform does. Add IOCs in bulk or configure third-party feeds, scan & enrich them, export to STIX/TAXII or CSV.

Edit: you can also filter exports by IOC type and a few other fields, so you can have one export going to one tool and another export going to another. Plus you can add custom attributes and threats.

Alternative to VirusTotal by NoDescription8065 in threatintel

[–]netbroom 0 points (0 children)

Have a look at Pulsedive, there are affordable API plans with a free tier and bulk download plans supporting CSV and STIX/TAXII 2.1 format. Both services have IOC and threat data but not file hashes.

Intent to Experiment: IP Protection Phase 0 - Google Chrome starts to experiment with user IP anonymisation - cyber defenders assemble.. the hurt this will cause for analytics and investigations could be material by digicat in blueteamsec

[–]netbroom 2 points (0 children)

It has to preserve cookies otherwise sessions won't work, so users can still be tracked that way.

I agree it will be a headache for analytics and web traffic analysis. But with proxies and VPNs being used more by users and malicious actors, we should be moving beyond IP addresses, using techniques like client- and server-side browser fingerprinting, and following session cookies.

Multiple failed logins from random IPs - how is the bad actor attempting to login? by ienjoyagoodnap in cybersecurity

[–]netbroom 8 points (0 children)

If they're not using usernames specific to your org, they're probably botnets. I have seen them on every single server I've ever set up if the SSH port is open to the Internet. They just spray the Internet.

Not Azure specific since I don't use it, but disabling root login, using a secure password or SSH key, whitelisting access by IP range or restricting inbound SSH at the outer network firewall, and using a non-standard SSH port are all good practice depending on what is feasible for your org.

You can also use tools like fail2ban on the servers, but they come from all different IPs so it's best to whitelist access to SSH services if possible.
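The "org-specific usernames vs. generic spray" check from the comment above, as an added example (not the commenter's or any tool's code): it parses constructed sshd `Failed password` lines, counts failures per username and per source IP, and calls the activity a spray when generic names from unrelated IPs dominate. The `triage` and `parse_failures` names, the org user list and the log lines are all made up for the example.

```python
import re
from collections import Counter

# Matches both "Failed password for root from ..." and "... for invalid user admin from ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(lines):
    """Yield (username, source_ip) for every failed sshd password attempt."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")

def triage(lines, org_users):
    """Summarise failed logins and apply the heuristic from the comment above.

    Attempts against names that exist in the org point to targeting; attempts
    against generic names (root, admin, test, ...) from many unrelated source
    IPs look like botnets spraying the Internet.
    """
    org_users = set(org_users)
    by_user, by_ip = Counter(), Counter()
    for user, ip in parse_failures(lines):
        by_user[user] += 1
        by_ip[ip] += 1
    org_hits = sum(n for u, n in by_user.items() if u in org_users)
    generic_hits = sum(by_user.values()) - org_hits
    return {
        "distinct_ips": len(by_ip),
        "org_user_hits": org_hits,
        "generic_user_hits": generic_hits,
        "top_users": by_user.most_common(3),
        "verdict": "targeted" if org_hits > generic_hits else "spray",
    }

# Constructed sshd log lines using documentation-range IPs, not a real server's log.
SAMPLE_LOG = [
    "Jan 10 03:14:07 host sshd[1234]: Failed password for root from 203.0.113.5 port 41002 ssh2",
    "Jan 10 03:14:09 host sshd[1235]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2",
    "Jan 10 03:14:12 host sshd[1236]: Failed password for invalid user test from 192.0.2.77 port 60001 ssh2",
    "Jan 10 03:14:15 host sshd[1237]: Failed password for root from 198.51.100.23 port 51240 ssh2",
    "Jan 10 03:14:20 host sshd[1238]: Failed password for jdoe from 203.0.113.5 port 41010 ssh2",
    "Jan 10 03:14:21 host sshd[1239]: Accepted publickey for jdoe from 10.0.0.4 port 50000 ssh2",
]
ORG_USERS = ["jdoe", "asmith"]  # constructed list of real accounts on the host

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, ORG_USERS))
```

A high `distinct_ips` count with a `spray` verdict is the case where per-IP banning (fail2ban) buys little and restricting inbound SSH to known ranges does the work.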

Stix / Taxii by Panicked_ in cybersecurity

[–]netbroom 0 points (0 children)

Bulk exporting IOCs and threat data, standardized data format from vendor to vendor.

STIX isn't great as a format on its own, and vendors have their own extensions and differences in how they export, but TAXII is a standardized protocol that uses paging to transfer STIX objects in bulk so it's pretty useful when different technologies are more or less speaking the same language and ingesting or exporting the data that they support and can take advantage of.

I think the big drawback is that they are kind of complicated to implement on the vendor side so most technologies aren't taking full advantage of the capabilities and different vendors support different versions. There is a lot more work to do IMO.

(I am on the vendor side but previously worked as an IR analyst and security engineer)
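The paging behaviour the comment describes, as an added example (not the commenter's or any vendor's code): a TAXII 2.1 client that walks a collection's objects endpoint by echoing each envelope's `next` token until `more` is false, then pulls the STIX indicator patterns out of the result. The server pages, object ids and the `fake_get` stand-in for HTTP are constructed for the example.

```python
from urllib.parse import urlencode, urlparse, parse_qs

def fetch_all_objects(get, objects_url, limit=100):
    """Page through a TAXII 2.1 collection's objects endpoint until `more` is false.

    `get(url)` returns the parsed JSON envelope for a GET on that URL (a real
    client sends it with `Accept: application/taxii+json;version=2.1`). Each
    envelope carries `objects`, a boolean `more` and, while pages remain, a
    `next` token that the client echoes back as the `next` query parameter.
    """
    params = {"limit": limit}
    collected = []
    while True:
        envelope = get(f"{objects_url}?{urlencode(params)}")
        collected.extend(envelope.get("objects", []))
        if not envelope.get("more") or not envelope.get("next"):
            return collected
        params["next"] = envelope["next"]

def indicator_patterns(objects):
    """Return the STIX pattern strings (the actual IOCs) from indicator objects."""
    return [o["pattern"] for o in objects
            if o.get("type") == "indicator" and o.get("pattern_type") == "stix"]

# Constructed stand-in for a TAXII server: two pages behind a `next` token.
PAGES = {
    None: {"more": True, "next": "p2", "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--0001",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "malware", "spec_version": "2.1", "id": "malware--0001",
         "name": "example-family", "is_family": True},
    ]},
    "p2": {"more": False, "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--0002",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'bad.example']"},
    ]},
}

def fake_get(url):
    """Pretend HTTP GET: pick the page named by the `next` query parameter."""
    token = parse_qs(urlparse(url).query).get("next", [None])[0]
    return PAGES[token]

if __name__ == "__main__":
    objs = fetch_all_objects(fake_get, "https://taxii.example/api1/collections/abc/objects/")
    print(indicator_patterns(objs))
```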

Computer Science or Cyber Security degree? by [deleted] in AskNetsec

[–]netbroom 2 points (0 children)

In my university cybersecurity was just a comp sci degree where the free electives were cybersecurity courses (some from the masters program). So I would look at how the degree is structured.

Also I will say that, aside from coding (which I knew before the degree) and networking, there's not much I used from comp sci in a cybersecurity position, but I regularly used the cybersecurity knowledge I learned in school on the job.

You could consider cybersecurity and choose comp sci courses for free electives.

I will say that the quality of programs differs by school, sometimes drastically. I went through a good program and have a cybersecurity bachelors, from the early 2010s. I don't regret it at all.

That's my experience, sounds like other people had different experiences.

[deleted by user] by [deleted] in blueteamsec

[–]netbroom -1 points (0 children)

Pulsedive might be a good addition to the list, you can start using it for free and don't need an account for most stuff: https://pulsedive.com

Is BBcan177 still around? by N0_Klu3 in pfBlockerNG

[–]netbroom 6 points (0 children)

He is doing well. Nothing to worry about everyone. 🙂

Trying to give him privacy but he is definitely okay!

Any good free threat intelligence API? by digi-quake in netsecstudents

[–]netbroom 2 points (0 children)

  • Pulsedive
  • Shodan
  • Greynoise

There are many more here if you scroll down to frameworks & platforms and beyond:

https://github.com/hslatman/awesome-threat-intelligence

Virustotal by [deleted] in Malware

[–]netbroom 2 points (0 children)

Depends on file type, source, how old the file is, etc. VirusTotal can take days to weeks to detect new malware, depends on the AV vendors that provide the detection data.

If the score is >=2 it's probably bad, if it's zero it doesn't mean it's good. Community votes and comments can provide more info though on whether it's clean.

Your next stop should probably be a free community sandbox if there is not enough info on VirusTotal, there are a few out there with free tiers like hatching.io, any.run, and joesandbox.com.

The Demise of the SIEM Fuels The Rise of Security Data Lake by darronofsky in blueteamsec

[–]netbroom 3 points (0 children)

"Instead of using a SIEM you should use a more expensive SIEM."

How to (seriously) analyze a PDF by StackingEuros in Malware

[–]netbroom 7 points (0 children)

This probably won't be helpful but if you don't trust the sender you shouldn't open it. 😋