Category: SANS Full Feed

Staring long enough at honeypot logs, I am sure you will come across one or the other “oddity.” Something that at first does not make any sense, but then, in some way, does make sense. After looking at the Next.js issue yesterday, I looked through our logs for other odd headers I may spot. I…

Read More

Walking my dog earlier, I came across the sign on the right. Having just looked at yet another middleware/HTTP header issue (the Next.js problem that became public this weekend) [1], I figured I should write something about HTTP headers. We all know HTTP headers. But it appears some do not know them well enough.  Let’s…

Read More

Our API (https://isc.sans.edu/api) continues to be quite popular. One query we see a lot is lookups for individual IP addresses. Running many queries as you go through a log may cause you to get locked out by our rate limit. To help with that, we now offer additional “summary feeds” that include all data recently…

Read More

In September, Cisco published an advisory noting two vulnerabilities [1]: CVE-2024-20439: Cisco Smart Licensing Utility Static Credential Vulnerability CVE-2024-20440: Cisco Smart Licensing Utility Information Disclosure Vulnerability These two vulnerabilities are somewhat connected. The first one is one of the many backdoors Cisco likes to equip its products with. A simple fixed password that can be…

Read More

One of my hunting rules triggered some suspicious Python code, and, diving deeper, I found an interesting example of DLL side-loading. This technique involves placing a malicious DLL with the same name and export structure as a legitimate DLL in a location the application checks first, causing the application to load the malicious DLL instead of…

Read More