Personal blog of Alex Muratov

Splunk certified Architect

Got my Splunk Architect (I) certification. The lab took 12 hours from the beginning to the end. Now looking for the II level!

Posted in Splunk | Leave a comment

Splunk certified

Some news: just got my Splunk certifications: “Splunk Certified Power User” (Cert-135865) and “Splunk Certified Admin” (Cert-136075)


Now looking for the “Splunk Certified Architect”!

Posted in Splunk | Tagged | Leave a comment

Splunk “Loading…” issue – quick fix

Sometimes you run into the following issue: after a successful login to Splunk, instead of the dashboard(s) it shows only the short message "Loading…" and never gets past it. No menu is available; you can click on the app selector, but nothing happens. Restarting Splunk does not fix the issue, and the logs contain no errors. The resolution is pretty simple, because the problem is not in Splunk but in your browser.

Clear the browser cache, restart the browser and log in again: the issue is gone. A quick way to confirm this before touching the server: open the same Splunk URL in a private/incognito window or in a different browser. If it loads there, the stale cached files in your usual browser are the culprit; if it still hangs in a clean browser, it is not the browser after all and the server side deserves a closer look.


Google Chrome:

Posted in Splunk | Leave a comment

Adobe Flash Player – true zero-day vulnerability CVE-2015-7645

Adobe still keeps a tradition to publish information about new zero-day vulnerabilities affecting their Flash Player (now

What is really interesting: there is no patch yet, and this vulnerability has been exploited in the wild! So it is yet another good reason to disable Flash Player in your browser (if you have not disabled it already).

Security Advisory: APSA15-05

Details about known exploitation (spear phishing targeting Ministries of Foreign Affairs) as part of Operation Pawn Storm:
New zero-day exploit hits fully patched Adobe Flash


Trend Micro analyzed the vulnerability and produced PoC code. Again the problem is how poorly the Flash compiler handles language semantics, which allows internal security controls to be bypassed:
Latest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques

In my opinion the described technique exploits some fundamental weaknesses of ActionScript, and it will not be easy to fix the root cause.

Posted in Hacking, Malware | Leave a comment

All aboard! Time to check-in on “Insight”

If you missed your chance to get a boarding pass for the "Orion" mission, you have another chance: NASA is preparing "InSight", and this flight is heading to Mars next year.

Your name will be put on a chip on "InSight". Hurry! Registration closes on Sep 8th.


Posted in Space | Leave a comment

Deface pages at Pastebin

Pastebin is a favorite place for software programmers. They share code snippets, and by default a submitted "paste" is publicly available. For some reason hackers also like to share the HTML code of the defacement pages they use on compromised sites. I wrote a script that scans Pastebin on a regular basis, detects HTML code and renders it.

Below you can see some of the samples found. Not sure whether they were actually used or not 🙂
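The detection part of such a scanner, as an added example that is not the script mentioned above: it decides whether a paste is an HTML page (real tags plus a structural tag, so a code snippet with a stray "<" is not counted) and then looks for phrases typical of defacement pages. The phrase list, the `min_tags` threshold and the three sample pastes are all constructed for this example; fetching the pastes themselves is left out, since Pastebin's scraping feed requires a paid account and a whitelisted IP, so plug your fetcher into `scan()`.

```python
import re
from html import unescape
from html.parser import HTMLParser

# Phrases that tend to appear on defacement pages. A heuristic list (assumption),
# not something the original script was described as using; extend as needed.
DEFACE_RE = re.compile(
    r"\b(?:hacked|defaced|owned|pwned|rooted)\s+by\b"
    r"|\bgreet[sz]?\s+(?:to\b|:)"
    r"|\byour\s+(?:site|server|system|security)\s+(?:has\s+been|is|was)\b",
    re.IGNORECASE,
)

# Constructed sample pastes standing in for the Pastebin feed (not real pastes).
SAMPLE_PASTES = {
    "deface": (
        "<!DOCTYPE html><html><head><title>Hacked By ExampleCrew</title>\n"
        "<script>document.body.style.background='#000';</script></head>\n"
        "<body><h1>Hacked By ExampleCrew</h1>"
        "<p>Your security is low. Greetz to all our friends.</p></body></html>"
    ),
    "code": "import os\nfor f in os.listdir('.'):\n    if f.endswith('.log'):\n        print(f)  # a < b\n",
    "page": "<html><head><title>My homepage</title></head>"
            "<body><p>Welcome to my site about cats.</p></body></html>",
}


class _Extractor(HTMLParser):
    """Counts tags and collects the <title> and the visible text of a paste."""

    def __init__(self):
        super().__init__()
        self.tag_count = 0
        self.title = ""
        self.text = []
        self._in_title = False
        self._skip = 0          # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        self.tag_count += 1
        if tag == "title":
            self._in_title = True
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if self._skip:
            return              # script/style bodies are not visible text
        if self._in_title:
            self.title += data
        self.text.append(data)


def analyze_paste(raw: str, min_tags: int = 3) -> dict:
    """Classify one paste: is it an HTML page, and does it read like a defacement?"""
    parser = _Extractor()
    parser.feed(raw)
    parser.close()
    # Require several real tags plus a structural one (doctype/html/head/body).
    structural = re.search(r"<(?:!doctype\s+html|html|head|body)\b", raw, re.IGNORECASE)
    is_html = parser.tag_count >= min_tags and structural is not None
    visible = unescape(re.sub(r"\s+", " ", " ".join(parser.text))).strip()
    title = unescape(parser.title).strip()
    hits = []
    if is_html:
        hits = sorted({m.group(0).lower() for m in DEFACE_RE.finditer(title + " " + visible)})
    return {"is_html": is_html, "title": title, "text": visible[:200],
            "defacement": bool(hits), "indicators": hits}


def scan(pastes: dict) -> dict:
    """Run the classifier over {paste_key: raw_text}; keep only the HTML pages."""
    results = ((key, analyze_paste(raw)) for key, raw in pastes.items())
    return {key: r for key, r in results if r["is_html"]}


if __name__ == "__main__":
    for key, result in scan(SAMPLE_PASTES).items():
        flag = "DEFACEMENT" if result["defacement"] else "html"
        print(f"{key}: {flag} title={result['title']!r} indicators={result['indicators']}")
```

Rendering a flagged page is then a matter of writing the raw paste to a file and opening it in a browser; do that in a throwaway VM or with scripts blocked, because a defacement page is attacker-supplied HTML and JavaScript.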

Posted in Hacking | Tagged , , | Leave a comment

Phishing, funny stuff

Recently I got yet another phishing email inviting me to do something urgently with my RBC account.


Oh, nice! I have to install a security certificate in order to continue using RBC online banking. Too complex to be true, right? I checked the attachment, and it was not a security certificate as promised. Actually it was an HTML file that simply redirects the victim to a phishing site.

Nothing special: the phishing page was hosted on some Norwegian porn site. Apparently it had been hacked and the phishing pages/scripts injected. What was actually interesting: the hacker forgot to disable directory listing, so all files were visible. Surprisingly there was a ".htaccess" file. I opened it and enjoyed a long list of IP addresses with funny comments:



It indicates that the hacker keeps a pretty long list of "offenders": security companies, ad bots, crawlers, etc. Unfortunately the owner of the legitimate site quickly found out (or was informed by another party) about the injected phishing pages and deleted all of them, so I did not have a chance to dig further.
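What such a list does in practice, as an added example that is not from the kit described above: the `.htaccess` below is constructed in the Apache 2.2 `mod_access` syntax a phishing kit typically uses (`deny from` with single addresses, CIDR, netmask and partial-address forms). The addresses are RFC 5737 documentation ranges and the comments are made up, not the real entries from that file. The parser lets you check whether the IP your scanner or sandbox egresses from would be served the phishing page or silently refused, which is why a kit page can look "dead" from a vendor network and live from a home connection.

```python
import ipaddress
import re

# Constructed sample in Apache 2.2 mod_access syntax (assumption: this is the
# style of list the post describes). Ranges are RFC 5737 documentation space.
SAMPLE_HTACCESS = """\
# keep the bad guys out
order allow,deny
deny from 192.0.2.0/24                  # av vendor
deny from 198.51.100.0/255.255.255.0    # adbot
deny from 203.0.113.                    # crawler
deny from 203.0.113.9                   # some sandbox
deny from example.net                   # hostname rule, ignored here
allow from all
"""

DENY_RE = re.compile(r"^\s*deny\s+from\s+(\S+)(?:\s*#\s*(.*))?", re.IGNORECASE)


def _to_network(token: str):
    """Turn a 'deny from' operand into an ip_network; None for 'all' or hostnames."""
    if token.lower() == "all":
        return None
    if token.endswith("."):
        # Apache partial address: "203.0.113." means every host under 203.0.113.x
        octets = token.rstrip(".").split(".")
        bits = 8 * len(octets)
        octets += ["0"] * (4 - len(octets))
        return ipaddress.ip_network(".".join(octets) + f"/{bits}")
    try:
        # Handles a.b.c.d (as /32), CIDR and dotted-netmask forms alike
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None  # domain-name based rule; not an IP match


def parse_deny_list(htaccess: str):
    """Return [(network, comment)] for every IP-based 'deny from' line."""
    rules = []
    for line in htaccess.splitlines():
        m = DENY_RE.match(line)
        if not m:
            continue
        net = _to_network(m.group(1))
        if net is not None:
            rules.append((net, (m.group(2) or "").strip()))
    return rules


def blocked_by(ip: str, rules):
    """All rules (as 'network', 'comment' pairs) that would refuse this client IP."""
    addr = ipaddress.ip_address(ip)
    return [(str(net), why) for net, why in rules if addr in net]


if __name__ == "__main__":
    rules = parse_deny_list(SAMPLE_HTACCESS)
    for probe in ("203.0.113.9", "192.0.2.77", "10.0.0.1"):
        hits = blocked_by(probe, rules)
        print(probe, "blocked by", hits if hits else "nothing")
```

If your analysis box lands in such a list, fetch the page again from an address the kit does not know (a residential line or a fresh VPS), and take the list itself as an indicator: a site whose `.htaccess` denies vendor and crawler ranges is rarely doing so for legitimate reasons.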

Posted in Uncategorized | Leave a comment

Snorby & Snort is up and running

Finally I set up my home IDS: Snort, with Snorby on top.
The goal: to see what is going on in my Internet traffic and whether there is anything interesting.
Snort output will also be collected by my home Splunk instance.
The screenshot below shows only test events, nothing serious 🙂

I used this guide: Home IDS with Snort And Snorby
It is pretty detailed, though it has some typos and omissions. Following it step by step does not give you a working environment, since one important thing is not mentioned:
Barnyard and Snorby have to use the same database! Barnyard is what writes Snort's unified2 output into MySQL, and Snorby only ever reads that database, so if the two point at different database names (or hosts) Snorby stays empty while Snort and Barnyard look perfectly healthy. I am thinking of producing a better guide; we will see.


Posted in IDS, SIEM | Leave a comment

Did you get your boarding pass to the “Orion” mission?

orion boarding pass

Send your name to Mars

Posted in Space | Tagged , , | Leave a comment

Smart Connector “Filter Out” issue

ArcSight Smart Connectors have a very useful feature: you can set up a filter to drop unwanted events so that they are not sent to a destination (ArcSight ESM, Logger, etc.). It works very well with ArcSight ESM: you just open the connector's properties, select the "Filter" tab and create a filter that matches the unwanted events. See the example below. A Smart Connector re-reads its configuration on a regular basis and will apply a new filter within the next 5 minutes.

Connector filter ESM

Things are completely different when you have a Connector Appliance, or when the Smart Connectors are managed via a Connector Appliance. HP/ArcSight defines a special syntax for filter conditions. For example:

deviceVendor EQ "Unix" and deviceEventId EQ "1001"

But there is a problem: it does not work. The Smart Connector updates its configuration and … nothing happens. Events still flow to the destination as if no filter were defined. What happens? It appears that ArcSight ESM pushes the connector's configuration properly, but the Connector Appliance does the same thing incorrectly.

Posted in ArcSight, SIEM | Tagged , , , | Leave a comment
