Month: September 2007

For the last few weeks many articles and news stories were published about the Chinese hacking USA government computers. The reality is that the Chinese have been hacking the US, Russian, Australian (,etc) computers for years, but they are not the only to blame, since the US, Russia and all other countries have been doing the same for a long time.

Why this is news stories now? Richard Bejtlich pointed that it might be for political reasons, but why would a country let the enemy know that they succeeded? Even worse, why would the US air force publish in their own site that the Chinese is the leader in cyber warfare?

That might be a reason… one of the things that I learned from history is that governments use “desinformation warfare” to achieve their goals. My take is that the US gov (and intelligence agencies) setup some honeypots with fake information for the Chinese to hack. The Chinese were successful and now the US gov wants the Chinese to believe that they hacked real information… What’s the best way to make them believe so? Yes, tell the whole world about it..

*Yes, this is not news anymore, but I am still catching up on my reads.
**Sorry for off-topic, back to ossec from now on 🙂

1. Get the marketing team together for a clever name.
2. Copy and paste Microsoft’s IIS W3C log format
3. Write a press release and tell the world about it

I am not joking, but eIQnetworks released their Open Source Event Logging Standard which fits exactly on my description above. First, they call it “Open Source”. Do they know what open source means? Which OSI approved license did they use? Second, why require a registration to download it? What are they going to do with the information provided? Is it open or not? Lastly, their format is a ugly copy and paste of the Microsoft one. Look at their proposed header:

#Software: eIQ Open Log Format (OLF)
#Version: 1.1
#Date: 02-18-2007 12:14:25 300
#Fields: date time gmt-offset internalIP externalIP virtualdevice..

Look at Microsoft’s:

#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2006-10-09 02:11:51
#Fields: date time c-ip cs-username s-sitename s-computername

I will refrain from commenting further, but you can take a look at it: Open Log Format.

Update 1:Anton Chuvakin and Raffael Marty reviewed their “standard”: chuvakin.blogspot and raffy.ch.

I have a few honeypots out there just collecting information about web attacks and they have been great to help me improve OSSEC and how it parses web/proxy logs. Since I couldn’t find any public resource dedicated to store this kind of information, I decided to create one at the OSSEC wiki to keep track of them. It is all manual right now, but I plan to automate a lot of work to keep the page current.

I have a few entries with sites storing php/perl bots, common attack patterns, copies of the tools used, etc. If you want to help out keeping it updated, let me know. If you want to share your logs (from real servers or honeypots), it would be great too..

More info: Web attacks links