Personal blog of Alex Muratov

Smart Connector “Filter Out” issue

ArcSight Smart Connectors have a very useful feature: you can set up a filter that drops unwanted events so they are not sent to a destination (ESM ArcSight, Logger, etc.). It works very well with ESM ArcSight: open the connector's properties, select the "Filter" tab and create a filter that matches the unwanted events. See the example below. A Smart Connector re-reads its configuration on a regular basis and applies a new filter within the next 5 minutes.

Connector filter ESM

Things are completely different when you have a Connector Appliance, or when Smart Connectors are managed via a Connector Appliance. HP/ArcSight defines a special syntax for filter sentences. For example:

deviceVendor EQ "Unix" and deviceEventId EQ "1001"

But there is a problem: it does not work. The Smart Connector updates its configuration and ... nothing happens. Events still reach the destination as if no filter were defined. What is going on? It appears that ESM ArcSight updates the connector's configuration properly, but the Connector Appliance does the same thing incorrectly.

Posted in ArcSight, SIEM

Python SUDS, WSDL, HTTPS proxy and SOAP authentication.

Today I would like to share a recipe for using a WSDL (SOAP) service from a Python SUDS script behind an HTTPS proxy. It may be useful for fetching commercial feeds on a server sitting behind the corporate firewall.

First of all, I find Python SUDS very convenient. You can download it here or just install it via yum (or apt-get):

yum install python-suds

It is compatible even with the older Python 2.4 (too bad that version does not have ElementTree).

OK, but now the issue: SUDS ignores the environment settings for the proxy, and whenever you try to connect to a WSDL service it simply times out. Furthermore, all attempts to explicitly specify proxy settings fail:

Depending on how you specify the proxy settings, SUDS either times out or returns a really weird error about EOF in the communication. The reason is simple: by default urllib2 is not compatible with an HTTPS proxy. It can use an HTTP proxy, but not an HTTPS proxy. Too bad!

Finally I found the following solution:

1. Implement an "opener" for the SSL proxy:

urllib2 opener for SSL proxy (CONNECT method) (Python recipe)

2. Use this opener properly:

3. Add credentials to the WSDL client object:

The last step depends on the particular WSDL service's specification for credentials; please consult the web API service documentation.
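To make the "opener" step concrete, here is an added example written for this post; it is not the author's SUDS script nor the linked recipe. It shows, in Python 3 rather than the Python 2 urllib2 of the post, the HTTP CONNECT handshake an HTTPS-proxy opener has to perform: open TCP to the proxy, ask it to tunnel to the real host, require a 200 reply, and only then start TLS on the same socket. The proxy and feed host names are placeholders, and the FakeProxySocket is a constructed stand-in so the handshake can run offline.

```python
"""Added example: the CONNECT handshake behind an HTTPS-proxy opener.
Not the original post's code; host names are placeholders."""
import base64
import socket
import ssl


class ProxyTunnelError(Exception):
    """The proxy refused the tunnel or replied with something unparsable."""


def build_connect_request(target_host, target_port, proxy_user=None, proxy_password=None):
    """Raw CONNECT request; optional Basic Proxy-Authorization for corporate proxies."""
    lines = [
        "CONNECT %s:%d HTTP/1.1" % (target_host, target_port),
        "Host: %s:%d" % (target_host, target_port),
        "Proxy-Connection: keep-alive",
    ]
    if proxy_user is not None:
        cred = "%s:%s" % (proxy_user, proxy_password or "")
        lines.append("Proxy-Authorization: Basic " + base64.b64encode(cred.encode()).decode())
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def read_proxy_reply(sock, limit=8192):
    """Read the proxy's reply headers and return (status_code, raw_headers).

    Reads one byte at a time so that nothing after the blank line (that is
    where the TLS stream begins) is consumed from the socket.
    """
    buf = b""
    while not buf.endswith(b"\r\n\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ProxyTunnelError("proxy closed the connection before replying")
        buf += chunk
        if len(buf) > limit:
            raise ProxyTunnelError("proxy reply exceeds %d bytes" % limit)
    status_line = buf.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ProxyTunnelError("malformed proxy status line: %r" % status_line)
    return int(parts[1]), buf


def connect_through_proxy(proxy_sock, target_host, target_port, proxy_user=None, proxy_password=None):
    """Perform CONNECT on an already open proxy socket; return it as a raw tunnel."""
    proxy_sock.sendall(build_connect_request(target_host, target_port, proxy_user, proxy_password))
    code, _ = read_proxy_reply(proxy_sock)
    if code != 200:
        raise ProxyTunnelError("proxy refused CONNECT with status %d" % code)
    return proxy_sock


def open_https_via_proxy(proxy_host, proxy_port, target_host, target_port=443, **proxy_auth):
    """Network version of the whole flow (needs a real proxy, so not run offline):
    TCP to the proxy -> CONNECT -> TLS handshake with the *real* host.  The
    certificate is still verified against target_host and the proxy only
    ever sees ciphertext."""
    raw = socket.create_connection((proxy_host, proxy_port), timeout=30)
    tunnel = connect_through_proxy(raw, target_host, target_port, **proxy_auth)
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(tunnel, server_hostname=target_host)


class FakeProxySocket:
    """Constructed in-memory proxy endpoint so the handshake can be exercised offline."""

    def __init__(self, reply):
        self.sent = b""
        self.pending = reply

    def sendall(self, data):
        self.sent += data

    def recv(self, n):
        chunk, self.pending = self.pending[:n], self.pending[n:]
        return chunk


if __name__ == "__main__":
    sock = FakeProxySocket(b"HTTP/1.1 200 Connection established\r\n\r\n")
    connect_through_proxy(sock, "feeds.example.com", 443, proxy_user="user", proxy_password="secret")
    print(sock.sent.decode())
```

In the post's setup this tunnel socket is what the custom SUDS transport would hand to the HTTP client for the WSDL fetch and the SOAP calls. The byte-at-a-time read is deliberate: if the opener over-reads past the proxy's blank line it eats the first bytes of the TLS handshake, which shows up as exactly the "weird EOF" error described above.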

Posted in Python

Logger and CIFS share on a Windows 2008 R2 Server

Here is a workaround for an issue with mounting a CIFS share (from a Windows 2008 R2 Server) on a Logger.
I followed the usual procedure to configure a remote file system on the Logger.
All required parameters for the CIFS share were specified:


Surprisingly, it did not work:


I carefully checked the parameters and login credentials; everything was correct. Furthermore, the same share was successfully mounted from another Linux box.

The next step was to get access to the Logger (via SSH) and check the logs:

Well, "logon failure"... It is weird, since the credentials are correct!

What I found later is that the CIFS kernel component has security settings located in the file /proc/fs/cifs/SecurityFlags

By default a Logger has this flag set to 0x7:

This flag is the root cause of the problem: it is not compatible with Windows 2008 R2 Server. I had to change this flag to 0x81:

Now try again to mount the CIFS share:
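What the two values actually mean is easier to see once the bits are decoded. The following is an added example for this post, not a Logger or kernel tool: it decodes a SecurityFlags value using the bit assignments documented for the Linux cifs module (Documentation/filesystems/cifs in the kernel tree) and wraps the read/write of the /proc file the post names. The flag file path is the one from the post; everything else is illustrative.

```python
"""Added example (not from the original post): decode and change the Linux
cifs module's SecurityFlags.  Bit values follow the cifs module documentation."""

SECURITY_FLAGS_PATH = "/proc/fs/cifs/SecurityFlags"   # path named in the post

# "may use" bits.  The "must use" form of each mechanism is the same bit
# repeated 12 bits higher, e.g. must-sign = 0x01001, must-NTLMSSP = 0x80080.
MAY_BITS = {
    0x01: "sign",
    0x02: "NTLM",
    0x04: "NTLMv2",
    0x08: "Kerberos",
    0x10: "LANMAN",
    0x20: "plaintext",
    0x80: "NTLMSSP",
}


def decode_security_flags(value):
    """Return {"may": [...], "must": [...]} for an int or a hex string
    exactly as read from /proc (e.g. "0x7\\n")."""
    flags = int(value.strip(), 0) if isinstance(value, str) else int(value)
    may = sorted(name for bit, name in MAY_BITS.items() if flags & bit)
    must = sorted(name for bit, name in MAY_BITS.items() if (flags >> 12) & bit)
    return {"may": may, "must": must}


def explain_change(old, new):
    """Which mechanisms a change such as 0x7 -> 0x81 drops and adds."""
    a, b = decode_security_flags(old), decode_security_flags(new)
    return {
        "dropped": sorted(set(a["may"]) - set(b["may"])),
        "added": sorted(set(b["may"]) - set(a["may"])),
    }


def read_security_flags(path=SECURITY_FLAGS_PATH):
    with open(path) as f:
        return f.read().strip()


def set_security_flags(new_value, path=SECURITY_FLAGS_PATH):
    """Write a new value (hex string such as "0x81") and return (old, read-back).
    Needs root.  The value lives in /proc, so it does not survive a reboot or a
    reload of the cifs module; persist it with whatever the box uses for
    module/sysctl settings if the mount must keep working."""
    old = read_security_flags(path)
    with open(path, "w") as f:
        f.write(new_value + "\n")
    return old, read_security_flags(path)


if __name__ == "__main__":
    print("0x7  ->", decode_security_flags("0x7"))
    print("0x81 ->", decode_security_flags("0x81"))
    print("change:", explain_change("0x7", "0x81"))
```

Decoded, 0x7 allows signing plus raw NTLM and NTLMv2 session setup, while 0x81 allows signing plus NTLMSSP and nothing else, so the fix trades the older raw password-hash exchanges for the NTLMSSP negotiation. The "must" bits are the ones to reach for if a box should refuse to fall back to the weaker mechanisms rather than merely prefer the stronger one.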





Posted in ArcSight, Linux

RedKit Java exploit – under the hood

Here are some technical details about the RedKit Java exploit.
I will use a real sample of captured network traffic. The analysis was done using the following tools: CuckooBox 0.6, Java Decompiler GUI, Wireshark.

Don’t follow any URLs in this post! They may still contain the malware.

OK, now step 1: a victim visits an infected web page at

The browser loads a pretty simple web page with a Flash video to entertain the victim while the malware is loading.

Here is the network capture:


It looks like nothing is wrong, but ... it contains an injected iframe that redirects the browser to another host:
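An injected iframe of this kind is usually both off-site and made invisible, which is what a first-pass check over captured HTML can look for. The following is an added example for this post, not tooling from the analysis above: it parses a page and reports every iframe whose source host differs from the page's host, marking those that are sized or styled to be hidden. The sample page and the host names in it are constructed.

```python
"""Added example (not from the original post): flag iframes in captured HTML
that point off-site and are hidden, the usual shape of an injected redirect."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def looks_hidden(attrs):
    """0/1 pixel size or CSS that hides the frame from the user."""
    style = attrs.get("style", "").replace(" ", "").lower()

    def tiny(v):
        return v.strip().rstrip("px") in {"0", "1"}

    return (tiny(attrs.get("width", "99")) or tiny(attrs.get("height", "99"))
            or any(s in style for s in ("display:none", "visibility:hidden", "width:0", "height:0")))


def suspicious_iframes(html, page_host):
    """Return off-site iframes as dicts {src, host, hidden}; relative src is on-site."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname or page_host
        if host.lower() != page_host.lower():
            findings.append({"src": src, "host": host, "hidden": looks_hidden(frame)})
    return findings


# Constructed sample: a video page with one legitimate player frame and one
# injected 1x1 frame pointing at another host (placeholder names).
SAMPLE_HTML = """<html><body>
<h1>Funny video</h1>
<iframe src="/player.html" width="640" height="480"></iframe>
<object data="clip.swf" type="application/x-shockwave-flash"></object>
<iframe src="http://redirect.example.net/stats.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>"""


if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_HTML, "video.example.com"):
        print(f)
```

A hit is a lead, not a verdict: ad and analytics frames are also off-site and small, so the next step is to look at what the referenced host serves, which is what the traffic capture above continues with.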


Posted in Malware

Facebook hacked

Mauritania hacker (AnonGhost) hacked Facebook. Cool!

Posted in Uncategorized

ESM ArcSight plugin – correct device time

Recently I ran into a situation where a device puts time stamps in the GMT time zone. It could easily be fixed by changing the connector settings, but here is the problem again: the settings are global, so fixing the time stamps for this device would break the time stamps for all other devices. The only solution I found was to create a small plugin that looks for a particular deviceVendor value and fixes the time accordingly. See the code below:
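The correction the plugin has to make is simple to state but easy to get wrong across a DST change, so here is an added example of the arithmetic, written for this post; it is not the author's plugin and does not use the ESM plugin API. It assumes the connector read each device's wall-clock text as if it were in the connector's own zone ("America/Toronto" here, an assumption), stored the result as epoch milliseconds in a field called deviceReceiptTime, and that events are plain dicts with a deviceVendor key. Only events from the listed vendor are touched.

```python
"""Added example (not the author's ESM plugin): re-interpret GMT device time
stamps that a connector parsed in its own local zone.  Event layout, field
names, vendor name and the connector zone are assumptions; needs tzdata."""
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

CONNECTOR_TZ = ZoneInfo("America/Toronto")   # zone the connector applied to every device
GMT_VENDORS = {"AcmeGmtBox"}                  # deviceVendor values known to stamp in GMT


def corrected_receipt_ms(stored_ms, connector_tz=CONNECTOR_TZ):
    """stored_ms: what the connector produced by reading the device's
    wall-clock text as connector-local time.  Convert back to connector-local
    to recover that wall-clock text, then re-label it as UTC."""
    stored = datetime.fromtimestamp(stored_ms / 1000, tz=timezone.utc)
    wall_clock = stored.astimezone(connector_tz).replace(tzinfo=None)
    return round(wall_clock.replace(tzinfo=timezone.utc).timestamp() * 1000)


def fix_event(event):
    """Return a copy of the event with deviceReceiptTime corrected when the
    vendor is in GMT_VENDORS; every other event is returned unchanged."""
    fixed = dict(event)
    if event.get("deviceVendor") in GMT_VENDORS and "deviceReceiptTime" in event:
        fixed["deviceReceiptTime"] = corrected_receipt_ms(event["deviceReceiptTime"])
    return fixed


if __name__ == "__main__":
    # Constructed event: device wrote "2012-11-02 15:05:12" (GMT); the connector
    # read it as EDT, i.e. 19:05:12 UTC.  The fix moves it back 4 hours.
    sample = {"deviceVendor": "AcmeGmtBox", "deviceReceiptTime": 1351019112000}
    print(datetime.fromtimestamp(fix_event(sample)["deviceReceiptTime"] / 1000, tz=timezone.utc))
```

Because the offset is taken from the zone rule for that date, the same code moves summer events by 4 hours and winter events by 5. The one case it cannot resolve is the repeated hour when DST ends, where a wall-clock text maps to two instants; events stamped in that hour need the device's own day-light hint or will be off by an hour.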

Posted in ArcSight, SIEM

ESM ArcSight plugins – how to


I attended many sessions at the "HP Protect 2012" conference last September, and one of them, "Plug it in!" by Doron Keller (HP/ArcSight), was very interesting to me. As a former software developer, I always like any possibility of enriching the features of an existing product by writing a few lines of code. Furthermore, I was looking for such a feature because sometimes ESM rules are not powerful enough to do some calculations over a set of fields. I remember that in ESM 4.x it was possible to put Java script code into a rule's variables, but I never figured out how to do it, since the documentation never explained it properly. Now it was demonstrated that it is relatively simple to create a piece of Java code and run it inside the ESM Manager. Performance!

The presentation explained a lot of details, and "Protect 724" also has a few threads about ESM plugins. Surprisingly, creating a simple "Hello World" took some effort to figure out all the required steps. So I decided to write this tutorial to simplify the first step in creating a new ESM ArcSight plugin.

Step 1 – setup the development environment

Download Eclipse. Choose a version that allows plugin development, for example "Eclipse IDE for JEE Developers". The "Eclipse IDE for Java Developers" version won't work.

One of the suggested steps is creating a target platform for plugin projects, though I found that it does not solve all issues.

Create a target platform.

Run the Eclipse IDE and open the menu item Window -> Preferences, then choose "Plug-in Development -> Target Platform".

Press the “Add..” button and select a new target:

Choose a new name:

Now add “content” by pressing the “Add..” button:

Press “Next” and see the next dialog:

Press the “Browse…” button and locate the “arcsight-dm” folder in the ESM Manager folders structure:

See the updated dialog and press “Finish”:

Now the target is created:

Review and press the “Finish” button, you will see the new target platform in the list:

Check the box next to "ESM 5.0.2" to make it active and press "OK" to close the dialog.

Posted in ArcSight, SIEM

ESM ArcSight – how to convert events for Replay (Test Alert) agent

The "Replay" (also known as Test Alert) agent in ESM ArcSight is a very powerful tool for developing and debugging rules. You don't need to wait until a real (and probably rare!) event is received by the ESM Manager only to find out that the rule produced an incorrect result.
Of course, a test ESM ArcSight server is required.


1. Export events from the ESM Console:
   1. select events in an Active Channel, right-click and press "Export";
   2. choose a destination folder and click the radio button "Selected rows only", because the option "All in channel" takes forever!
2. Copy the CSV file to the ESM ArcSight connector server, to the folder:
   <path to the connector>/current/replayagent
3. Make it writable: chmod 666 myevents.csv
4. Convert the CSV file to the EVENTS replay file; this is the trickiest part because of the way the script handles parameters:


../bin/arcsight agent csvconvert -S /usr/local/arcsight/Replay/current/replayagent/myevents.csv -D

The command "arcsight agent csvconvert" expects at least two parameters:

-S full_path_to_source_file
-D local_path_to_destination_file

Now you see the difference. If everything is correct, the following output is produced:

Assuming ARCSIGHT_HOME: /usr/local/arcsight/Replay/current
Assuming JAVA_HOME: /usr/local/arcsight/Replay/current/jre

Using agent Component

Assuming ARCSIGHT_HOME: /usr/local/arcsight/Replay/current
Assuming JAVA_HOME: /usr/local/arcsight/Replay/current/jre

ArcSight csvconvert starting…

[Fri Nov 02 15:05:12 EDT 2012] [INFO ] Initializing Agent Framework
Processing line 2
Processing line 3
Processing line 4
Processing line 5

Recorded in replayagent/ 5 messages out of 5
[Fri Nov 02 15:05:13 EDT 2012] [INFO ] Shutting Down Agent Framework

Shutting down Agent Modules now...
Shutting down Connector System Health...done.
Shutting down Persistance [genericupgrade_.genericupgrade_]...done.
Shutting down Agent Stats...done.
Shutting down Command File Listener...done.
Shutting down M1 id manager...done.
Agent shutdown completed.
[Fri Nov 02 15:05:13 EDT 2012] [INFO ] Shutting Down Agent Framework

Now go to the "bin" folder and start the agent:

./arcsight agents

Assuming ARCSIGHT_HOME: /usr/local/arcsight/Replay/current
Assuming JAVA_HOME: /usr/local/arcsight/Replay/current/jre

ArcSight Connectors starting...
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] ArcSight Home: /usr/local/arcsight/Replay/current
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] JVM name: Java HotSpot(TM) Server VM
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] JVM path: /usr/local/arcsight/Replay/current/jre
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] JVM vendor: Sun Microsystems Inc.
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] JVM version: 20.1-b02
[Fri Nov 02 15:28:47 EDT 2012] [INFO ] Agent [TestAlert] started.

If everything is OK (including X11), you will see the agent window:

Then click the "Replay" tab; it will show the list of available "events" files:

Click on the check mark to enable it:

Select the desired speed and click the "Continue" button to start feeding the ESM Manager:

That's it! Now you can locate the Replay connector in the list of connectors and create a live active channel to see that the ESM Manager receives the replayed events.

Posted in SIEM

BitCoin malware

Last weekend a friend of mine told me about an issue with her new laptop: suddenly IE's home page was set to Desjardins ( Well, nothing wrong with that, it is a legitimate web site, except for one thing: she was not able to change it! I agreed to take a look and asked her to run "HijackThis". Immediately I found something suspicious:

Running processes:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O4 - HKCU\..\Run: [Intel] C:\Users\...\AppData\Roaming\BF002E.exe
O4 - HKCU\..\Run: [HotKeysCmds] C:\Users\...\AppData\Local\Temp\CF4F.EXE
O4 - HKCU\..\Run: [xivwxuaggnirrpeecys] C:\Users\...\AppData\Roaming\xivwxuaggnirrpeecys.exe
O4 - HKCU\..\Run: [Emarco] C:\Users\...\AppData\Roaming\Ehopty\uwfo.exe

First of all, I am very suspicious of any EXEs residing in the "AppData" folder. It is also really suspicious when well-known web hosts like and are redirected to an unknown host, and it is very suspicious when the browser opens the instead of the

I checked the "AppData/Roaming" folder; it contained the mentioned EXE files and also numerous copies of them. My next step was to remove the malicious registry keys and reboot the laptop. It did the magic: IE's home page could be changed easily and the was no longer redirected to Suspicious files were submitted to the No surprise: McAfee/Symantec did not detect the trojans (the laptop had an OEM version of McAfee), but some less popular antiviruses had heuristic hits. Results:


The last two files, "ufwo.exe" and "3FDE.exe", have dynamic names: each time the malware starts, it re-creates the same files under different names.

I was curious and tested "xivwxuaggnirrpeecys.exe" in VMware (Windows XP). Wireshark quickly revealed that the trojan has yet another purpose: using the infected computer to mine BitCoins and send the results to the host

Right, the trojan not only steals the user's passwords but also turns the victim into a cell of a virtual super-computer for BitCoin mining.
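The two things that jumped out of the HijackThis log, executables launched from AppData and hosts-file entries that send well-known names somewhere other than loopback, are mechanical enough to check automatically. Here is an added example for this post, not a HijackThis feature, that triages the O4 and O1 sections that way. The sample log is constructed: the O4 lines repeat the ones quoted above (with the user name elided as in the post), the O1 entries and the benign HKLM line are invented.

```python
"""Added example (not from the original post): triage HijackThis O1/O4 lines
for autoruns living under AppData and hosts entries that are not loopback."""
import re

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<addr>\S+)\s+(?P<names>.+)$")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Per-user, user-writable folders: malware likes them because no admin rights
# are needed to drop a file there or to add an HKCU Run key that points at it.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\appdata\\local\\")


def autorun_is_suspicious(path):
    """An .exe started at logon from a user-writable profile folder."""
    p = path.lower().strip()
    return p.endswith(".exe") and any(d in p for d in USER_WRITABLE)


def hosts_is_suspicious(addr):
    """A hosts entry that sends a name anywhere but loopback is a potential redirect."""
    return addr not in LOOPBACK


def triage(log_text):
    """Return findings as dicts with kind 'autorun' or 'hosts'."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            if autorun_is_suspicious(m.group("path")):
                findings.append({"kind": "autorun", "hive": m.group("hive"),
                                 "name": m.group("name"), "path": m.group("path")})
            continue
        m = O1_RE.match(line)
        if m and hosts_is_suspicious(m.group("addr")):
            findings.append({"kind": "hosts", "addr": m.group("addr"),
                             "names": m.group("names").split()})
    return findings


# Constructed sample log (raw string: HijackThis lines are full of backslashes).
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 203.0.113.5 www.bank-example.test
O4 - HKCU\..\Run: [Intel] C:\Users\...\AppData\Roaming\BF002E.exe
O4 - HKCU\..\Run: [HotKeysCmds] C:\Users\...\AppData\Local\Temp\CF4F.EXE
O4 - HKCU\..\Run: [xivwxuaggnirrpeecys] C:\Users\...\AppData\Roaming\xivwxuaggnirrpeecys.exe
O4 - HKCU\..\Run: [Emarco] C:\Users\...\AppData\Roaming\Ehopty\uwfo.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
"""


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Every hit here is a triage lead rather than a verdict, since some legitimate per-user installers also run from AppData; the combination the post shows, several AppData autoruns plus hosts redirects of banking and search names, is what makes the picture convincing.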

Posted in Malware

Now I have a patent 8,001,082

Today I suddenly discovered that last year the USPTO approved a patent application that was filed a long time ago.

The patent "System and method of data security in synchronizing data with a wireless device" was filed when I worked on the "PDA Defense" project. The company "Good Technology, Inc." is the current assignee. I don't know whether they were supposed to let me know about the approval or not, but anyway, now I am an official inventor 🙂


Here is the link: Patent 8,001,082


Update: here is another one, “Method and system for protecting data within portable electronic devices”, 7,159,120


Posted in Smartphones



