Personal blog of Alex Muratov

Splunk “Loading…” issue – quick fix

Sometimes you run into the following issue: after a successful login to Splunk, instead of the dashboards it shows only a short “Loading…” message that never completes. No menu is available; you can click on the app selector, but nothing happens. Restarting Splunk does not fix the issue, and the logs contain no errors. The resolution is pretty simple, because the problem is not Splunk but your browser.

Clear the browser cache, restart the browser and log in again – the issue is gone.


Google Chrome:

Posted in Splunk

Adobe Flash Player – true zero-day vulnerability CVE-2015-7645

Adobe keeps up its tradition of publishing information about new zero-day vulnerabilities affecting Flash Player (now

What is really interesting – there is no patch yet, and this vulnerability has already been exploited in the wild! So it is yet another good reason to disable the Flash player in your browser (if you have not disabled it already).

Security Advisory: APSA15-05

Details about known exploitation (spear phishing targeting Ministries of Foreign Affairs) as part of Operation Pawn Storm:
New zero-day exploit hits fully patched Adobe Flash


Trend Micro analyzed the vulnerability and produced PoC code. Once again the weak point is how the Flash compiler handles language semantics, which allows internal security controls to be bypassed:
Latest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques

In my opinion the described technique exploits some fundamental weaknesses of ActionScript, and the root cause will not be easy to fix.

Posted in Hacking, Malware

All aboard! Time to check-in on “Insight”

If you missed your chance to get a boarding pass for the “Orion” mission, you have another chance: NASA is preparing “Insight”, and this flight is heading to Mars next year.

Your name will be put on a chip aboard “Insight”. Hurry! Registration closes on Sep 8th.


Posted in Space

Deface pages at Pastebin

Pastebin is a favorite place for software programmers. They share code snippets, and by default a submitted “pastie” is publicly available. For some reason hackers also like to share the HTML code of defacement pages they use on compromised sites. I wrote a script that scans Pastebin on a regular basis, detects HTML code and renders it.

Below you can see some of the defacement pages it found. Not sure whether they were actually used or not 🙂

Posted in Hacking

Phishing, funny stuff

Recently I got yet another phishing email that invited me to do something urgently with my RBC account.


Oh, nice! I have to install a security certificate in order to continue using RBC online banking. Too complex to be true, right? I checked the attachment and it was not a security certificate as promised. Actually it was an HTML file that simply redirects a victim to a phishing site.

Nothing special: the phishing page was hosted on some Norwegian porn site. Apparently it had been hacked and the phishing pages/scripts injected. What was actually interesting – the hacker forgot to disable directory listing, so all files were visible. Surprisingly, there was an “.htaccess” file. I opened it and enjoyed a long list of IP addresses with funny comments:



It indicates that the hacker has a pretty long list of “offenders” – security companies, ad bots, crawlers, etc. Unfortunately the owner of the legitimate site quickly found out about (or was informed by another party of) the injected phishing pages and deleted all of them, so I did not have a chance to dig further.

Posted in Uncategorized

Snorby & Snort is up and running

Finally I set up my home IDS: Snort with Snorby on top.
The goal: to see what is going on in my Internet traffic and whether there is anything interesting.
Also, the Snort output will be collected by my home Splunk instance.
The screenshot below shows only test events, nothing serious 🙂

I used this guide: Home IDS with Snort And Snorby
It is pretty detailed, though it has some typos and omissions. Following it step by step does not give you a working environment, since one important thing is not mentioned:
Barnyard and Snorby have to use the same database! I am thinking of producing a better guide; we will see.


Posted in IDS, SIEM

Did you get your boarding pass to the “Orion” mission?

orion boarding pass

Send your name to Mars

Posted in Space

Smart Connector “Filter Out” issue

ArcSight Smart Connectors have a very useful feature: it is possible to set up a filter that drops unwanted events so they are not sent to a destination (ArcSight ESM, Logger, etc). It works very well with ArcSight ESM – you just need to open the connector’s properties, select the “Filter” tab and create a filter that matches the unwanted events. See the example below. A Smart Connector re-reads its configuration on a regular basis and will apply a new filter within the next 5 minutes.

Connector filter ESM

Things are completely different when you have a Connector Appliance, or when Smart Connectors are managed via a Connector Appliance. HP/ArcSight defines a special syntax for filter sentences. For example:

deviceVendor EQ "Unix" and deviceEventId EQ "1001"

But there is a problem: it does not work. The Smart Connector updates its configuration and … nothing happens. Events still arrive at the destination as if no filter were defined. What happens? It appears that ArcSight ESM updates the connector’s configuration properly, but the Connector Appliance does not.

Posted in ArcSight, SIEM

Python SUDS, WSDL, HTTPS proxy and SOAP authentication.

Today I would like to share a recipe for using a WSDL (SOAP) service from a Python SUDS script behind an HTTPS proxy. It may be useful for pulling commercial feeds onto a server sitting behind the corporate firewall.

First of all, I found Python SUDS very convenient. You can download it here or just install it via yum (or apt-get):

yum install python-suds

It is compatible even with the older Python 2.4 (too bad that 2.4 does not have ElementTree).

OK, but now the issue – SUDS ignores the environment settings for the proxy; whenever you try to connect to a WSDL service, it simply times out. Furthermore, all attempts to explicitly specify proxy settings fail:

Depending on how you specify the proxy settings, SUDS either times out or returns a really weird error about an EOF in the communication. The reason is simple – by default urllib2 is not compatible with an HTTPS proxy. It is able to use an HTTP proxy, but not an HTTPS proxy. Too bad!

Finally I found the following solution:

1. Implement an “opener” for the SSL proxy:

urrlib2 opener for SSL proxy (CONNECT method) (Python recipe)

2. Utilize this opener properly:

3. Add credentials to the WSDL client object:

The last step depends on particular WSDL service specification for credentials, please consult the Web API service document.
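The mechanics behind step 1, as an added example (this is not code from the original post or from SUDS). An HTTPS request through a proxy must begin with a plaintext CONNECT request to the proxy; only after the proxy answers 2xx does the client start TLS, inside the tunnel, with the real server. Python 2.4's urllib2 did not issue CONNECT for https URLs, so the TLS handshake ended up aimed at the proxy, which is where the timeouts and EOF errors came from. Modern Python (3.x) does the tunnel natively via http.client's set_tunnel(), used below. The function names, hosts and credentials here are this example's own assumptions.

```python
"""CONNECT-tunnel helpers for HTTPS through a corporate proxy (added example).

Hypothetical names: proxy_basic_auth, build_connect_request,
parse_connect_response, tunnel_established, open_https_via_proxy.
"""
import base64
import http.client
import ssl


def proxy_basic_auth(user, password):
    """Value of the Proxy-Authorization header for HTTP Basic proxy auth."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def build_connect_request(host, port, proxy_user=None, proxy_password=None):
    """The exact bytes an HTTPS-via-proxy client sends first: a CONNECT request."""
    lines = [
        "CONNECT %s:%d HTTP/1.1" % (host, port),
        "Host: %s:%d" % (host, port),
    ]
    if proxy_user is not None:
        lines.append("Proxy-Authorization: " + proxy_basic_auth(proxy_user, proxy_password))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(raw):
    """Parse the proxy's answer to CONNECT into (status_code, reason).

    Anything other than 2xx means the tunnel was NOT opened (407 = the proxy
    wants credentials); the client must not start TLS in that case.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response: end of headers not seen")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % status_line)
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason


def tunnel_established(raw):
    """True only when the proxy answered CONNECT with a 2xx status."""
    code, _reason = parse_connect_response(raw)
    return 200 <= code < 300


def open_https_via_proxy(proxy_host, proxy_port, target_host, target_port=443,
                         proxy_user=None, proxy_password=None):
    """HTTPSConnection to target_host tunnelled through an HTTP proxy (stdlib only).

    The connection object is created against the *proxy* address; set_tunnel()
    makes http.client send CONNECT first and then do TLS with the target, so
    the certificate is verified against target_host, not the proxy.
    A SOAP client's transport layer can be built on the connection returned here.
    """
    headers = {}
    if proxy_user is not None:
        headers["Proxy-Authorization"] = proxy_basic_auth(proxy_user, proxy_password)
    conn = http.client.HTTPSConnection(proxy_host, proxy_port,
                                       context=ssl.create_default_context())
    conn.set_tunnel(target_host, target_port, headers=headers)
    return conn


if __name__ == "__main__":
    # Offline walk-through with constructed proxy replies (no network needed).
    print(build_connect_request("soap.example.net", 443, "user", "secret").decode())
    ok = b"HTTP/1.1 200 Connection established\r\nProxy-Agent: demo\r\n\r\n"
    denied = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              b"Proxy-Authenticate: Basic realm=\"corp\"\r\n\r\n")
    print(tunnel_established(ok), tunnel_established(denied))
```

The point of checking the status before starting TLS is the failure mode the post describes: a client that skips the CONNECT step, or ignores a 407, tries to speak TLS to a peer that is still talking plaintext HTTP, and the result is exactly a timeout or an unexpected EOF.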

Posted in Python

Logger and CIFS share on a Windows 2008 R2 Server

Here is a workaround for the issue with mounting a CIFS share (Windows 2008 R2 Server) on a Logger.
I followed usual procedure to configure a remote file system at a Logger.
All required parameters for CIFS share were specified:


Surprisingly it did not work:


I carefully checked parameters, login credentials – everything was correct. Furthermore, the same share was successfully mounted from another Linux box.

The next step was getting access to the Logger (via SSH) and checking logs:

Well, “logon failure”… It is weird, since credentials are correct!

What I found later: the CIFS kernel component has security settings located in the file /proc/fs/cifs/SecurityFlags

By default a Logger has this flag set to 0x7:

This flag is the root cause of the problem – it is not compatible with Windows 2008 R2 Server. I had to change this flag to 0x81:

Now try again to mount the CIFS share:
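To make the 0x7 → 0x81 change readable rather than a magic number, here is a small decoder for SecurityFlags. It is an added example, not part of the post or of Logger. The bit meanings come from the Linux kernel's CIFS documentation (fs/cifs/README, "SecurityFlags"): the low bits are "may use", and the matching "must use" bit for each mechanism sits 12 bits higher (may use NTLMv2 is 0x00004, must use NTLMv2 is 0x04004). The table has grown over kernel versions, so check the README for your kernel before relying on it. The function names below are this example's own.

```python
"""Decode /proc/fs/cifs/SecurityFlags into allowed/required mechanisms (added example).

Hypothetical names: decode_security_flags, compare_security_flags,
read_security_flags, set_security_flags.
"""

# (may bit, name); the corresponding "must" bit is may_bit << MUST_SHIFT.
# Values from the kernel's fs/cifs/README; verify against your kernel version.
MAY_BITS = (
    (0x01, "packet signing"),
    (0x02, "NTLM"),
    (0x04, "NTLMv2"),
    (0x08, "Kerberos"),
    (0x10, "LANMAN hash (weak)"),
    (0x20, "plaintext passwords"),
    (0x40, "sealing / encryption"),
    (0x80, "NTLMSSP"),
)
MUST_SHIFT = 12
KNOWN_MASK = sum(bit | (bit << MUST_SHIFT) for bit, _ in MAY_BITS)

PROC_PATH = "/proc/fs/cifs/SecurityFlags"


def _to_int(value):
    """Accept an int or the hex text the kernel reports (e.g. '0x7\\n')."""
    if isinstance(value, int):
        return value
    return int(value.strip(), 16)


def decode_security_flags(value):
    """Return {'may': [...], 'must': [...], 'unknown': int} for a SecurityFlags value."""
    v = _to_int(value)
    return {
        "may": [name for bit, name in MAY_BITS if v & bit],
        "must": [name for bit, name in MAY_BITS if v & (bit << MUST_SHIFT)],
        "unknown": v & ~KNOWN_MASK,  # bits this table does not describe
    }


def compare_security_flags(old, new):
    """(added, removed) 'may use' mechanisms when changing old -> new."""
    before = set(decode_security_flags(old)["may"])
    after = set(decode_security_flags(new)["may"])
    order = [name for _, name in MAY_BITS]
    added = [n for n in order if n in after - before]
    removed = [n for n in order if n in before - after]
    return added, removed


def read_security_flags(path=PROC_PATH):
    """Current value as the kernel reports it, e.g. '0x7'."""
    with open(path) as f:
        return f.read().strip()


def set_security_flags(value, path=PROC_PATH):
    """Write a new value (root required).

    /proc settings do not survive a reboot or a cifs module reload, so a fix
    like the one above has to be reapplied or scripted at boot.
    """
    with open(path, "w") as f:
        f.write("0x%x\n" % _to_int(value))


if __name__ == "__main__":
    for v in ("0x7", "0x81"):
        print(v, decode_security_flags(v))
    print("0x7 -> 0x81 adds/removes:", compare_security_flags("0x7", "0x81"))
    try:
        print("this host:", decode_security_flags(read_security_flags()))
    except OSError as exc:
        print("cannot read %s: %s" % (PROC_PATH, exc))
```

Read this way, the change swaps the raw NTLM and NTLMv2 mechanisms for NTLMSSP (the negotiated form the Windows 2008 R2 server expected) while keeping packet signing allowed, and it does not enable anything weaker such as the LANMAN hash or plaintext passwords.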





Posted in ArcSight, Linux



